squid3: Buffer overflow in Gopher reply parser

Debian Bug report logs - #639755
squid3: Buffer overflow in Gopher reply parser

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: submit@bugs.debian.org

Subject: squid3: Buffer overflow in Gopher reply parser

Date: Tue, 30 Aug 2011 00:21:50 +0200

Package: squid3
Severity: important
Tags: security

Hi,
   Recently upstream released a security advisory for squid 3.*: 
http://www.squid-cache.org/Advisories/SQUID-2011_3.txt

IMHO, the severity of the issue fixed doesn't worth a DSA and can be updated in 
a point update. Can you confirm that?

Cheers, luciano

Message #10 received at 639755@bugs.debian.org (full text, mbox, reply):

From: Amos Jeffries <squid3@treenet.co.nz>

To: 639755@bugs.debian.org

Subject: CVE-2011-3205: squid3: Buffer overflow in Gopher reply parser

Date: Thu, 01 Sep 2011 00:40:03 +1200

This one is far bigger than the popularity of Gopher would indicate.

Attack servers are trivial to setup and triggering takes out the web 
service with a few packets. If one served response fails to create a 
DoS, the result is an FTP-like file index which merely encourages the 
unwitting user to make a repeat request.

Amos

Message #15 received at 639755-close@bugs.debian.org (full text, mbox, reply):

From: Luigi Gangitano <luigi@debian.org>

To: 639755-close@bugs.debian.org

Subject: Bug#639755: fixed in squid3 3.1.15-1

Date: Sun, 04 Sep 2011 09:34:52 +0000

Source: squid3
Source-Version: 3.1.15-1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive:

squid-cgi_3.1.15-1_i386.deb
  to main/s/squid3/squid-cgi_3.1.15-1_i386.deb
squid3-common_3.1.15-1_all.deb
  to main/s/squid3/squid3-common_3.1.15-1_all.deb
squid3-dbg_3.1.15-1_i386.deb
  to main/s/squid3/squid3-dbg_3.1.15-1_i386.deb
squid3_3.1.15-1.diff.gz
  to main/s/squid3/squid3_3.1.15-1.diff.gz
squid3_3.1.15-1.dsc
  to main/s/squid3/squid3_3.1.15-1.dsc
squid3_3.1.15-1_i386.deb
  to main/s/squid3/squid3_3.1.15-1_i386.deb
squid3_3.1.15.orig.tar.gz
  to main/s/squid3/squid3_3.1.15.orig.tar.gz
squidclient_3.1.15-1_i386.deb
  to main/s/squid3/squidclient_3.1.15-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 639755@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 02 Sep 2011 13:33:41 +0200
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all i386
Version: 3.1.15-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description: 
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 634765 639755
Changes: 
 squid3 (3.1.15-1) unstable; urgency=high
 .
   * Urgency high due to security fixes
 .
   * New upstream release
     - Fixes DoS issue in Gopher client (Closes: #639755)
       (Ref: CVE-2011-3205, SQUID-2011:3)
 .
   * debian/control
     - Removed hardcoded list of non-Linux architectures (Closes: #634765)
Checksums-Sha1: 
 0d5e574a2adfff6ecabab443d8def0f8a4e8c010 1233 squid3_3.1.15-1.dsc
 8b073ea86fb51bc9efe87903be4f69a135f78996 3398311 squid3_3.1.15.orig.tar.gz
 1bd26fbd83dfaf31cdc5414ac707306baf1a4d40 18680 squid3_3.1.15-1.diff.gz
 2608a3d72c908f8620bf09c09e6e64ce5781d182 199740 squid3-common_3.1.15-1_all.deb
 65ad292cb25ef6c660cca2916b600e4caf1ece67 1529854 squid3_3.1.15-1_i386.deb
 8bfae7925004c3acf62261eca62a7a26be9b2e09 5390398 squid3-dbg_3.1.15-1_i386.deb
 d648384582ac6f1eb2d4047f8653a37c1f29d612 118082 squidclient_3.1.15-1_i386.deb
 676e108cfb4a643d2f7964056dd91a9590fa697c 120006 squid-cgi_3.1.15-1_i386.deb
Checksums-Sha256: 
 a7ca88863c287561ea1bc8e272f67533efbeb9d0291514959fa1a7b6460f6b3a 1233 squid3_3.1.15-1.dsc
 dc79b99e682f4e934c29df747e8ddf85f89d6c8a2b8462f4dd5abc9ab403f3d9 3398311 squid3_3.1.15.orig.tar.gz
 7a09571309b200159454e329047952546661cad8ad65e33aece74346aa9c866b 18680 squid3_3.1.15-1.diff.gz
 84dc2568fa0394703cb8192f868e315be47763cc259d5cb70819274fe9c90abf 199740 squid3-common_3.1.15-1_all.deb
 15b43455d6372c48bdd84b9cdcad7bc604b0cf8ab131a9fcb375b0457d72615f 1529854 squid3_3.1.15-1_i386.deb
 4238a91951784e6c36f7d689914ba9d48e6aaa55e6c70ed704aaaa4ffdc56d89 5390398 squid3-dbg_3.1.15-1_i386.deb
 0863cd6110a776bfae62da427b8017af9e29ff04a7b21b6e260088b58e59a30f 118082 squidclient_3.1.15-1_i386.deb
 6d8b51e23236dc9049251903049f41b24310d4124859b2de01e63f52aa43abbb 120006 squid-cgi_3.1.15-1_i386.deb
Files: 
 fa780219f67c1dc70010ed26f4337b7c 1233 web optional squid3_3.1.15-1.dsc
 80e90102de360cbd56b4d98023977d65 3398311 web optional squid3_3.1.15.orig.tar.gz
 ba38bb3155c3c84e21e3b0144dd36ad8 18680 web optional squid3_3.1.15-1.diff.gz
 5cc2d646d68fc94f39d99e4d1a53ba25 199740 web optional squid3-common_3.1.15-1_all.deb
 db59708eef4b383866c10de0b8c0f051 1529854 web optional squid3_3.1.15-1_i386.deb
 df1d31c1f9d2c022a119adbe405cfca0 5390398 debug extra squid3-dbg_3.1.15-1_i386.deb
 6c508cc187a80dd0ea50eff10d8b4fb0 118082 web optional squidclient_3.1.15-1_i386.deb
 40eed9db0c8531472cc90eea96d58bdc 120006 web optional squid-cgi_3.1.15-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iEYEARECAAYFAk5jQfEACgkQ8ZumGJJMDCbarQCfXurXBNzP1FTFHnCu/Jwc7N5s
wgEAnjvgCpm8eZYEz2Rj/bcFLRT+RliC
=nmuy
-----END PGP SIGNATURE-----

Message #20 received at 639755-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 639755-close@bugs.debian.org

Subject: Bug#639755: fixed in squid3 3.0.STABLE8-3+lenny5

Date: Wed, 14 Sep 2011 19:56:52 +0000

Source: squid3
Source-Version: 3.0.STABLE8-3+lenny5

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive:

squid3-cgi_3.0.STABLE8-3+lenny5_amd64.deb
  to main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny5_amd64.deb
squid3-common_3.0.STABLE8-3+lenny5_all.deb
  to main/s/squid3/squid3-common_3.0.STABLE8-3+lenny5_all.deb
squid3_3.0.STABLE8-3+lenny5.diff.gz
  to main/s/squid3/squid3_3.0.STABLE8-3+lenny5.diff.gz
squid3_3.0.STABLE8-3+lenny5.dsc
  to main/s/squid3/squid3_3.0.STABLE8-3+lenny5.dsc
squid3_3.0.STABLE8-3+lenny5_amd64.deb
  to main/s/squid3/squid3_3.0.STABLE8-3+lenny5_amd64.deb
squidclient_3.0.STABLE8-3+lenny5_amd64.deb
  to main/s/squid3/squidclient_3.0.STABLE8-3+lenny5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 639755@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Sep 2011 13:24:31 +0000
Source: squid3
Binary: squid3 squid3-common squidclient squid3-cgi
Architecture: source all amd64
Version: 3.0.STABLE8-3+lenny5
Distribution: oldstable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 squid3     - A full featured Web Proxy cache (HTTP proxy)
 squid3-cgi - A full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
 squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 639755
Changes: 
 squid3 (3.0.STABLE8-3+lenny5) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix buffer overflow on long gopher server replies
     (CVE-2011-3205; Closes: #639755).
Checksums-Sha1: 
 0a2e2eda26059f0f4e6353e5c207d2642b4a8408 1193 squid3_3.0.STABLE8-3+lenny5.dsc
 1dd9f6a90e942f8cb77a2a2337de668084613684 21664 squid3_3.0.STABLE8-3+lenny5.diff.gz
 3d1fac5272fe7aad2e8ccbdd71241da521202974 289200 squid3-common_3.0.STABLE8-3+lenny5_all.deb
 453a8cb7c912acc105e202acbbc050790fbfae02 1012996 squid3_3.0.STABLE8-3+lenny5_amd64.deb
 c8000480d012cda1a97c4145b29c9fc67f5b64f4 89078 squidclient_3.0.STABLE8-3+lenny5_amd64.deb
 66eb7ada9a638bfb3f80d60720b8938172f22aef 93614 squid3-cgi_3.0.STABLE8-3+lenny5_amd64.deb
Checksums-Sha256: 
 5e496a908d6ade9d9646de62dc5d2b76aa3782b48c7fe4c68eeb9ddeb441ed21 1193 squid3_3.0.STABLE8-3+lenny5.dsc
 8656c8c90ca68c23386d0d27bd781831d4bd9fff8c9856bf73e435e40b1dafc4 21664 squid3_3.0.STABLE8-3+lenny5.diff.gz
 d22f6db67acd7df15e6ff1c103db0c7ce9a595f623ff8b80b8249fefd4298e0a 289200 squid3-common_3.0.STABLE8-3+lenny5_all.deb
 20939a9f65f11338b8d10c968e80ed618ab750e6729ce93b8f029bc191a6c4c0 1012996 squid3_3.0.STABLE8-3+lenny5_amd64.deb
 c432ced28e75976bcfde55b93a1073aa89862c30967dd7b9a799c8fd1f5eb324 89078 squidclient_3.0.STABLE8-3+lenny5_amd64.deb
 315bc2fdc8fb4d51f5bdb8ea2b78e7c8f5ab19431a49c86b4cea7c73f6102593 93614 squid3-cgi_3.0.STABLE8-3+lenny5_amd64.deb
Files: 
 01ed8f2aac73baf1f536bf8629cf169d 1193 web optional squid3_3.0.STABLE8-3+lenny5.dsc
 8dd347583b30b062965c372bdec40af1 21664 web optional squid3_3.0.STABLE8-3+lenny5.diff.gz
 eec9ee7142ba92f7a5d6a39a661386c4 289200 web optional squid3-common_3.0.STABLE8-3+lenny5_all.deb
 c88824a596f94affdd0de8e1c41ba223 1012996 web optional squid3_3.0.STABLE8-3+lenny5_amd64.deb
 a44953442e7c04959d5d27d919a133dd 89078 web optional squidclient_3.0.STABLE8-3+lenny5_amd64.deb
 20aff625b3e01a5e7fe67ad2cfab2b75 93614 web optional squid3-cgi_3.0.STABLE8-3+lenny5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5rbbwACgkQHYflSXNkfP9mpQCggyfUirGsQbZv+1nKGBA0i//z
WCMAn2j/X75COKoFK2cF8GEY0O/uqefE
=byQB
-----END PGP SIGNATURE-----

Message #25 received at 639755-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 639755-close@bugs.debian.org

Subject: Bug#639755: fixed in squid3 3.1.6-1.2+squeeze1

Date: Wed, 14 Sep 2011 19:57:05 +0000

Source: squid3
Source-Version: 3.1.6-1.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive:

squid-cgi_3.1.6-1.2+squeeze1_amd64.deb
  to main/s/squid3/squid-cgi_3.1.6-1.2+squeeze1_amd64.deb
squid3-common_3.1.6-1.2+squeeze1_all.deb
  to main/s/squid3/squid3-common_3.1.6-1.2+squeeze1_all.deb
squid3-dbg_3.1.6-1.2+squeeze1_amd64.deb
  to main/s/squid3/squid3-dbg_3.1.6-1.2+squeeze1_amd64.deb
squid3_3.1.6-1.2+squeeze1.diff.gz
  to main/s/squid3/squid3_3.1.6-1.2+squeeze1.diff.gz
squid3_3.1.6-1.2+squeeze1.dsc
  to main/s/squid3/squid3_3.1.6-1.2+squeeze1.dsc
squid3_3.1.6-1.2+squeeze1_amd64.deb
  to main/s/squid3/squid3_3.1.6-1.2+squeeze1_amd64.deb
squidclient_3.1.6-1.2+squeeze1_amd64.deb
  to main/s/squid3/squidclient_3.1.6-1.2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 639755@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Sep 2011 13:09:24 +0000
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all amd64
Version: 3.1.6-1.2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 squid-cgi  - A full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3     - A full featured Web Proxy cache (HTTP proxy)
 squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - A full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 639755
Changes: 
 squid3 (3.1.6-1.2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix buffer overflow on long gopher server replies
     (CVE-2011-3205; Closes: #639755).
Checksums-Sha1: 
 719e5b11789d3802f1f68ea8153323291de226a6 1305 squid3_3.1.6-1.2+squeeze1.dsc
 b2bc188ec7ac99f830f8d88b45d3a41d3b9a74e8 3245533 squid3_3.1.6.orig.tar.gz
 cd12f2dbe3d3815fecc9f10a3774992f8e774caf 20478 squid3_3.1.6-1.2+squeeze1.diff.gz
 59d4184c91cb0a083b881a02ed1e8b11d54b50ae 193668 squid3-common_3.1.6-1.2+squeeze1_all.deb
 e8058222e16c13dc8bd236b3443e5df15286246e 1499800 squid3_3.1.6-1.2+squeeze1_amd64.deb
 0b1ce6094345e840565f541c12099b55ad728cca 5618232 squid3-dbg_3.1.6-1.2+squeeze1_amd64.deb
 14ccef3b069d846621354be95495dfd91de6a676 106216 squidclient_3.1.6-1.2+squeeze1_amd64.deb
 45bd268c9a52f3d302dff1a31b305b0eea39c5c8 108632 squid-cgi_3.1.6-1.2+squeeze1_amd64.deb
Checksums-Sha256: 
 04e0cec15bb0fae47f26d3a622fab65c5a818347f2f457adb4aa21f2d5313d08 1305 squid3_3.1.6-1.2+squeeze1.dsc
 22bbbd39dc52374bd42d01bf936ccf4d672545c3b84571d03bb44d399fc7db24 3245533 squid3_3.1.6.orig.tar.gz
 c60bba95b8d446c7474ecfecb6e3dd5339b02b42c3b8dbefe0386b3e6dffeb1d 20478 squid3_3.1.6-1.2+squeeze1.diff.gz
 ca617f0d8f0a2bbd2cf31679fd5eb8190e91e1724fae902053342727d9961020 193668 squid3-common_3.1.6-1.2+squeeze1_all.deb
 1deba3e37d2e1e628f30d0816e441b388412064f0aba99ac881bcbccb063b12d 1499800 squid3_3.1.6-1.2+squeeze1_amd64.deb
 482fbc373ea6b6b9049dfcf1061ca2489fbade8126e63e03c711bd7ec06c7852 5618232 squid3-dbg_3.1.6-1.2+squeeze1_amd64.deb
 7e1ae835036a313fddfafd450bd3f7bd584179939099c289edd3b288540b14fb 106216 squidclient_3.1.6-1.2+squeeze1_amd64.deb
 96c7905b8790232879ba99c8a4846d343f4e01e42d1644a583290316df5a5dd1 108632 squid-cgi_3.1.6-1.2+squeeze1_amd64.deb
Files: 
 445f4f3223ede2111e014f49225a819c 1305 web optional squid3_3.1.6-1.2+squeeze1.dsc
 93827099aaa04b6801df9f0fe16d262c 3245533 web optional squid3_3.1.6.orig.tar.gz
 cb464c62438c8a05190a2d3d7b5be928 20478 web optional squid3_3.1.6-1.2+squeeze1.diff.gz
 ac55fd4a812d34fe8632f7bca99b5bca 193668 web optional squid3-common_3.1.6-1.2+squeeze1_all.deb
 d832711918766d53e5fae59df4b7b83b 1499800 web optional squid3_3.1.6-1.2+squeeze1_amd64.deb
 78709fab8c629de0bc682bc605d407b5 5618232 debug extra squid3-dbg_3.1.6-1.2+squeeze1_amd64.deb
 f59c2f238bd6656db5738a8508dc57ee 106216 web optional squidclient_3.1.6-1.2+squeeze1_amd64.deb
 5c852ddd7f226b5bec186173ba177b61 108632 web optional squid-cgi_3.1.6-1.2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5rZM0ACgkQHYflSXNkfP8xnACghHCxiLKgF1ARCFyogA1YrMo8
n64AniBu/ZMUUziBtFUcFhQnKFS4L9P2
=II4O
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.