CVE-2010-0639: HTCP DoS

Related Vulnerabilities: CVE-2010-0639, CVE-2010-0308

Debian Bug report logs - #572553

Package: squid; Maintainer for squid is Luigi Gangitano <luigi@debian.org>; Source for squid is src:squid.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 4 Mar 2010 20:51:09 UTC

Severity: important

Tags: security

Found in version squid/2.7.STABLE7-1

Fixed in version squid/2.7.STABLE8-1

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#572553; Package squid. (Thu, 04 Mar 2010 20:51:12 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Thu, 04 Mar 2010 20:51:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0639: HTCP DoS
Date: Thu, 04 Mar 2010 21:49:54 +0100
Package: squid
Version: 2.7.STABLE7-1
Severity: important
Tags: security

http://www.squid-cache.org/Advisories/SQUID-2010_2.txt

Since this is a non-default issue with limited local impact, I don't
think this needs to be fixed in a DSA. Still, you could fix this
through a stable point update.

Cheers,
        Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages squid depends on:
ii  adduser                       3.112      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
ii  libcomerr2                    1.41.10-1  common error description library
pn  libdb4.6                      <none>     (no description available)
pn  libkrb53                      <none>     (no description available)
ii  libldap-2.4-2                 2.4.17-2.1 OpenLDAP libraries
ii  libpam0g                      1.1.1-2    Pluggable Authentication Modules l
ii  logrotate                     3.7.8-4    Log rotation utility
ii  lsb-base                      3.2-23     Linux Standard Base 3.2 init scrip
ii  netbase                       4.40       Basic TCP/IP networking system
pn  squid-common                  <none>     (no description available)

squid recommends no packages.

Versions of packages squid suggests:
pn  logcheck-database             <none>     (no description available)
pn  resolvconf                    <none>     (no description available)
pn  smbclient                     <none>     (no description available)
pn  squid-cgi                     <none>     (no description available)
pn  squidclient                   <none>     (no description available)
pn  winbind                       <none>     (no description available)




Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Mon, 15 Mar 2010 18:57:27 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 15 Mar 2010 18:57:27 GMT)


Message #10 received at 572553-close@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: 572553-close@bugs.debian.org
Subject: Bug#572553: fixed in squid 2.7.STABLE8-1
Date: Mon, 15 Mar 2010 18:55:04 +0000
Source: squid
Source-Version: 2.7.STABLE8-1

We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive:

squid-cgi_2.7.STABLE8-1_i386.deb
  to main/s/squid/squid-cgi_2.7.STABLE8-1_i386.deb
squid-common_2.7.STABLE8-1_all.deb
  to main/s/squid/squid-common_2.7.STABLE8-1_all.deb
squid_2.7.STABLE8-1.diff.gz
  to main/s/squid/squid_2.7.STABLE8-1.diff.gz
squid_2.7.STABLE8-1.dsc
  to main/s/squid/squid_2.7.STABLE8-1.dsc
squid_2.7.STABLE8-1_i386.deb
  to main/s/squid/squid_2.7.STABLE8-1_i386.deb
squid_2.7.STABLE8.orig.tar.gz
  to main/s/squid/squid_2.7.STABLE8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 15 Mar 2010 18:35:32 +0100
Source: squid
Binary: squid squid-common squid-cgi
Architecture: source all i386
Version: 2.7.STABLE8-1
Distribution: unstable
Urgency: medium
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description: 
 squid      - Internet object cache (WWW proxy cache)
 squid-cgi  - Squid cache manager CGI program
 squid-common - Internet object cache (WWW proxy cache) - common files
Closes: 547533 554950 559243 567935 572553
Changes: 
 squid (2.7.STABLE8-1) unstable; urgency=medium
 .
   * Urgency medium due to security issues
 .
   * New upstream release, fixes:
     - Handle DNS header-only packets as invalid (Closes: #567935)
       (Ref: SQUID-2010:1 CVE-2010-0308)
     - Remote Denial of Service issue in HTCP (Closes: #572553)
       (Ref: SQUID-2010:2 CVE-2010-0639)
     - FTBFS with libcap2 usage on kernel >= 2.6.31 (Closes: #559243)
 .
   * debian/rules
     - Set NUMJOBS to 1 by default (Closes: #547533, #554950)
     - Update config.{sub,guess} at build time
 .
   * debian/README.Debian
     - Fix typo
 .
   * debian/control
     - Added dependency on autotools-dev
     - Bumped Standard-Version to 3.8.4 (no change needed)
 .
   * debian/README.source
     - Added standard source directions for dpatch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkuefQoACgkQ8ZumGJJMDCb3tQCeL8WeYxH2XaC82NsuPv256pRf
KvgAn3kEbtGMlzm7CcsP4AKwsKR9nI9f
=Ser5
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Apr 2010 07:34:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:59:09 2019; Machine Name: buxtehude
