Debian Bug report logs - #596086
CVE-2010-3072: DoS triggered by internal error in string handling
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Wed, 8 Sep 2010 15:18:04 UTC
Severity: grave
Tags: security
Fixed in versions squid3/3.1.6-1.1, squid3/3.0.STABLE8-3+lenny4
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Luigi Gangitano <luigi@debian.org>: Bug#596086; Package squid3. (Wed, 08 Sep 2010 15:18:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Luigi Gangitano <luigi@debian.org>. (Wed, 08 Sep 2010 15:18:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: squid3
Severity: grave
Tags: security
Justification: user security hole
Please see http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
Cheers,
Moritz
-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs11-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>: Bug#596086; Package squid3. (Sun, 19 Sep 2010 05:00:03 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Sun, 19 Sep 2010 05:00:03 GMT)
Message #10 received at 596086@bugs.debian.org:
Hi,
Please find the NMU diff attached.
Cheers,
Steffen
[nmu.diff (text/x-patch, attachment)]
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Sun, 19 Sep 2010 05:03:04 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Sun, 19 Sep 2010 05:03:04 GMT)
Message #15 received at 596086-close@bugs.debian.org:
Source: squid3
Source-Version: 3.1.6-1.1
We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive:
squid-cgi_3.1.6-1.1_amd64.deb
to main/s/squid3/squid-cgi_3.1.6-1.1_amd64.deb
squid3-common_3.1.6-1.1_all.deb
to main/s/squid3/squid3-common_3.1.6-1.1_all.deb
squid3-dbg_3.1.6-1.1_amd64.deb
to main/s/squid3/squid3-dbg_3.1.6-1.1_amd64.deb
squid3_3.1.6-1.1.diff.gz
to main/s/squid3/squid3_3.1.6-1.1.diff.gz
squid3_3.1.6-1.1.dsc
to main/s/squid3/squid3_3.1.6-1.1.dsc
squid3_3.1.6-1.1_amd64.deb
to main/s/squid3/squid3_3.1.6-1.1_amd64.deb
squidclient_3.1.6-1.1_amd64.deb
to main/s/squid3/squidclient_3.1.6-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 596086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated squid3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 13 Sep 2010 17:07:51 +1000
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all amd64
Version: 3.1.6-1.1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
squid-cgi - A full featured Web Proxy cache (HTTP proxy) - control CGI
squid3 - A full featured Web Proxy cache (HTTP proxy)
squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
squid3-dbg - A full featured Web Proxy cache (HTTP proxy) - Debug symbols
squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 596086
Changes:
squid3 (3.1.6-1.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Fix DoS due to wrong string handling (Closes: #596086)
Fixes: CVE-2010-3072
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Fri, 24 Sep 2010 20:03:06 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Fri, 24 Sep 2010 20:03:06 GMT)
Message #20 received at 596086-close@bugs.debian.org:
Source: squid3
Source-Version: 3.0.STABLE8-3+lenny4
We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive:
squid3-cgi_3.0.STABLE8-3+lenny4_amd64.deb
to main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_amd64.deb
squid3-common_3.0.STABLE8-3+lenny4_all.deb
to main/s/squid3/squid3-common_3.0.STABLE8-3+lenny4_all.deb
squid3_3.0.STABLE8-3+lenny4.diff.gz
to main/s/squid3/squid3_3.0.STABLE8-3+lenny4.diff.gz
squid3_3.0.STABLE8-3+lenny4.dsc
to main/s/squid3/squid3_3.0.STABLE8-3+lenny4.dsc
squid3_3.0.STABLE8-3+lenny4_amd64.deb
to main/s/squid3/squid3_3.0.STABLE8-3+lenny4_amd64.deb
squidclient_3.0.STABLE8-3+lenny4_amd64.deb
to main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 596086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated squid3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 18 Sep 2010 17:34:19 +1000
Source: squid3
Binary: squid3 squid3-common squidclient squid3-cgi
Architecture: source all amd64
Version: 3.0.STABLE8-3+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
squid3 - A full featured Web Proxy cache (HTTP proxy)
squid3-cgi - A full featured Web Proxy cache (HTTP proxy) - control CGI
squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 596086
Changes:
squid3 (3.0.STABLE8-3+lenny4) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix DoS due to wrong string handling (Closes: #596086)
Fixes: CVE-2010-3072
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Nov 2010 07:34:07 GMT)
Last modified: Wed Jun 19 18:45:52 2019