squid3: CVE-2018-1000024: SQUID-2018:1 Denial of Service issue in ESI Response processing

Debian Bug report logs - #888719
squid3: CVE-2018-1000024: SQUID-2018:1 Denial of Service issue in ESI Response processing

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: squid3: CVE-2018-1000024: SQUID-2018:1 Denial of Service issue in ESI Response processing

Date: Mon, 29 Jan 2018 06:54:41 +0100

Source: squid3
Version: 3.5.23-5
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for squid3.

CVE-2018-1000024[0]:
SQUID-2018:1 Denial of Service issue in ESI Response processing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000024
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000024
[1] http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 888719-close@bugs.debian.org (full text, mbox, reply):

From: Luigi Gangitano <luigi@debian.org>

To: 888719-close@bugs.debian.org

Subject: Bug#888719: fixed in squid3 3.5.27-1

Date: Tue, 13 Feb 2018 16:06:23 +0000

Source: squid3
Source-Version: 3.5.27-1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Feb 2018 15:31:24 +0100
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source amd64 all
Version: 3.5.27-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
 squid      - Full featured Web Proxy cache (HTTP proxy)
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid-dbg  - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Transitional package
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 888719 888720
Changes:
 squid3 (3.5.27-1) unstable; urgency=high
 .
   [ Amos Jeffries <amosjeffries@squid-cache.org> ]
   * New Upstream Release
 .
   * debian/{control,rules}
     - Add temporary dependency on gcc-6 and g++-6 to workaround FTBFS in
       unstable
 .
   * debian/patches/
     - Fix security issue SQUID-2018:1 (CVE-2016-1000024) (Closes: #888719)
     - Fix security issue SQUID-2018:2 (CVE-2016-1000027) (Closes: #888720)
 .
   [ Luigi Gangitano <luigi@debian.org> ]
   * debian/control
     - Changed priority to optional for squid3 and squid-dbg
     - Removed unneeded Build-Dep on autotools-dev
 .
   * debian/rules
     - Include dpkg-architecture Makefile instead of invoking the binary at
       build time
 .
   * debian/squid.postinst
     - Remove recursive chown calls
Checksums-Sha1:
 34db42142759bb0c060862eeaece8b2095b0d122 2559 squid3_3.5.27-1.dsc
 0cebb9b7ca832994a1b2b440a5ae653a74bc3084 4837850 squid3_3.5.27.orig.tar.gz
 98e0fe8f1687296b7946b549268d6b6ede4fb2f9 27300 squid3_3.5.27-1.debian.tar.xz
 c38ec122c0fb9056dee19673c30bd39fb4608811 166484 squid-cgi_3.5.27-1_amd64.deb
 efdd25466c276b6733bb23d7822e37e590ff129b 285548 squid-common_3.5.27-1_all.deb
 f5a15abf17252df634ebe751fdaf90e874a824c6 21590720 squid-dbg_3.5.27-1_amd64.deb
 93a516ef257a1bacd5b0670a85ea79d0e7c0aedd 158900 squid-purge_3.5.27-1_amd64.deb
 69e172f1eec670b447e497a9d92b64bafa278e06 139844 squid3_3.5.27-1_all.deb
 8c257d412ec0e8926c4041a608be275b6af75610 8746 squid3_3.5.27-1_amd64.buildinfo
 112b4475d25a7f4c05bf7c22da2860ef88239829 2324000 squid_3.5.27-1_amd64.deb
 254d20c9f5cbab072c79703a88663feb2ddfd33f 170564 squidclient_3.5.27-1_amd64.deb
Checksums-Sha256:
 73d74d807328e10ca9ec42646360934d3252937d99fcdff02f27d804aad19294 2559 squid3_3.5.27-1.dsc
 f6a5f1272000b1c6365652b35f950fd77d091c14076d61812aecac4e90c73b39 4837850 squid3_3.5.27.orig.tar.gz
 d0276eccafa6eb5cf435bbe4128baa60d53997b58145a902acc4813b5c832b81 27300 squid3_3.5.27-1.debian.tar.xz
 58272d5c92ea7866a59737e9ce99f3a0ee24ddecd8363cbd5c71441266e465f6 166484 squid-cgi_3.5.27-1_amd64.deb
 72ca8467e4b22ff99b28334972bc995f4eb54f7e557b2375294d113b9c499b0d 285548 squid-common_3.5.27-1_all.deb
 f0a477685c1ded2667bae250e837555c29c28cc5296e7d9456970ee2e7eee195 21590720 squid-dbg_3.5.27-1_amd64.deb
 7af20cc5dd398704ccf5e9fe0f5a8103b04f0589e7054d550be4328549add3c5 158900 squid-purge_3.5.27-1_amd64.deb
 5aeb0773d26340118629d8dd985f4b9b831df9b8ff0485515444aa667ce5e4ad 139844 squid3_3.5.27-1_all.deb
 9bce04858d6e757d18316a049b7dc812417f7286e52ca1742a00264329ff7c92 8746 squid3_3.5.27-1_amd64.buildinfo
 1fb2af27980396a4a7fc4b5c398cec0dd340e9f0037fbb05157d55fd7640fcc2 2324000 squid_3.5.27-1_amd64.deb
 56eda566d7c83a9d4eb40cdb9c5921225dd5e8b9a9cdf26d4396abe6cb7b1639 170564 squidclient_3.5.27-1_amd64.deb
Files:
 d60d3d4d03aad88556826c8ef603aa7a 2559 web optional squid3_3.5.27-1.dsc
 97b1407772a53e2670274ac3b5f1d6c8 4837850 web optional squid3_3.5.27.orig.tar.gz
 4c13bad77bde2a4143849bb6b804e648 27300 web optional squid3_3.5.27-1.debian.tar.xz
 99098eeba23103007c1d003533eebe27 166484 web optional squid-cgi_3.5.27-1_amd64.deb
 dac55301a6ece8e5b349b7707ec19abc 285548 web optional squid-common_3.5.27-1_all.deb
 106a21107b3da99f11af112637b24c84 21590720 debug optional squid-dbg_3.5.27-1_amd64.deb
 15ab7349b1423cd544894f5e50133136 158900 web optional squid-purge_3.5.27-1_amd64.deb
 34017207a7bd11c37049b0e171fe6247 139844 oldlibs optional squid3_3.5.27-1_all.deb
 f9ca38777ca7606b9ba0ad7351f9c795 8746 web optional squid3_3.5.27-1_amd64.buildinfo
 7038ee45c2763eda65a132da03f217a7 2324000 web optional squid_3.5.27-1_amd64.deb
 b4698784a61aa56617254f6b2e3545a9 170564 web optional squidclient_3.5.27-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEjUhaNf8ebreQ5Q9tAoTyDCupfO0FAlqDBd0ACgkQAoTyDCup
fO1FNxAAkpvdPlq6cJ7I6UZ20f1UBqC8QYC+/eRPY4cEOj7ky4lfsEjTXzgG8IWs
TApYNK5EQC0N15SVB1d+nPwMq7A7l6phXYP8scTuFU6XzEAiwkxBXk3db+5QR7J8
snoikzrolcQ9Qq/eCQo94m2EaA/9/IV6/xkiZ9KA33rklGMVXjJVjbEf9Wyxywp2
PGBw9sH0aXKMEGjkDn7873QEU4NCr7XP+9CZHX1aKKaNxgmHE2DMpld9HoVG6w9C
Pa1jIdLiFfK79DvbJEo82bZWHvuhv93cA8MBIOc9x52KEIQqIOxOYZ+lLZjFK9eh
o3EJa747PJRrymHA5tUQSh4uvSgK1t2e+LG6ePINcSJPyUiOIyL207ecJ7uwHW4z
rXq2E8VAWggPCGAQYOd9RbmJg6884acuc5eitQPf29bHh/QyikBnfIE2Ad4CPpJF
JBasfSGosUcSbDPHn7FswknkS7FHhHBo6OaDQvU0O5sM3etYdu6ifAdCwTkLrJan
BJ4F/17UbTbxhPiLCz/eI4m6QJZt0UMqzPScBcFtMQcZGqxnIt/r0j+x1kLMz0R1
gAsvIqEjOm6GNe+zDR+FLtiNJYtqh9bgc3f6ojhlruIQMlQEWTOysh/QgS419PTx
dizqdYqAy8WvQv6HDTc5GzcuBLDpyt8u+SPx7DRRtGDkqAGnIrU=
=X1EA
-----END PGP SIGNATURE-----

Message #15 received at 888719-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 888719-close@bugs.debian.org

Subject: Bug#888719: fixed in squid3 3.5.23-5+deb9u1

Date: Fri, 23 Feb 2018 11:34:52 +0000

Source: squid3
Source-Version: 3.5.23-5+deb9u1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Feb 2018 22:00:18 +0100
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source
Version: 3.5.23-5+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 888719 888720
Description: 
 squid      - Full featured Web Proxy cache (HTTP proxy)
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid-dbg  - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Transitional package
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.5.23-5+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024)
     (Closes: #888719)
   * Fix indirect IP logging for transactions without a client connection
     (CVE-2018-1000027) (Closes: #888720)
Checksums-Sha1: 
 82e86a7b5eae757a25f61dbf85e9293dde81f5b2 2737 squid3_3.5.23-5+deb9u1.dsc
 6b0b2091896e7874024e5f1e28eeccb0acd7e962 4730792 squid3_3.5.23.orig.tar.gz
 181ecf53e77ce323941feab04c24d328ddcf7988 27200 squid3_3.5.23-5+deb9u1.debian.tar.xz
Checksums-Sha256: 
 b7e2dc4ff27cec592675ef9a6846ce989e51c8207d3e540a03e2292847842514 2737 squid3_3.5.23-5+deb9u1.dsc
 f81eeee0fb046ad636566b51fe4f72b8bc66d454d7082ef38e273c3f4b09f6db 4730792 squid3_3.5.23.orig.tar.gz
 b35cf4c628cd7a163a9c2e12076d2561b1e558265d97e777423e0a8b3b6dd37b 27200 squid3_3.5.23-5+deb9u1.debian.tar.xz
Files: 
 93fb63e96a457f2709324ddf327bfec3 2737 web optional squid3_3.5.23-5+deb9u1.dsc
 49d790ddee8c611ee2992e66eb8e9ae9 4730792 web optional squid3_3.5.23.orig.tar.gz
 fe6c5c9548c25fe08bf274b6a895a942 27200 web optional squid3_3.5.23-5+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqG5OtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EJKsQAIqhv5RrvHj6L5ozLSsNnRNebe1cphch
cIF+Vz6xsGqBRu04P7eMX/PzRAjJiPSgqDzQNC9msXJVjtLS9UNp5jH7huLadU9V
QPe8SxZ0xJxvQ5rHVvMJMw9ZC8M6cIQ41wMgPA1BPnO2LD68ZgC+PbZZhtJb2R5W
1nK0ILqXcWAN/5h07Vh4ZJR1paXDdlzKOBIWf8GAwI7tTpyOXMxpuXu0dvjGbqJj
a5lGXYDXuo5hw5vsd2d6tkjt/OCASxGqVzBnTqhIfaPeIarlQiZFoZxkJTLpdxA+
JUYeh6HmA1HtfRhheWn9hnCwM7/+mt3HC/wa9xKYIYx92zgetUF4bS7BkNiYWmKh
4GOEtsxr4ibLQMI/Famm4K+hjZPkrsv/qrv2bDeFktvFqgwiDdd/XKYeIk46AjeB
OVgr6i4+FFmCYhiklSz42XTfhmk1bDMTwbR6pz5fuj6hCp7WG1o/SbkRKtXwOxpz
coZ1ms5OvSlqzWdrTCWc+vLo6qWLQ6pv5TqFClej3P5flgNUqbj6xe5RAMigyFAY
TP50fedSAo1PMLty2VunBmzN5GczkGtdAF103jMcvQl0s3MWm0S/e0kooRd3e2gw
lgodU6BDlSYnwXax4bxlmz1/S1AF/mGEF/A8hqLwuNe8xxKTUb/BX6+vJbjbPeyz
rsjCA/BUV+HL
=wt1O
-----END PGP SIGNATURE-----

Message #20 received at 888719-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 888719-close@bugs.debian.org

Subject: Bug#888719: fixed in squid3 3.4.8-6+deb8u5

Date: Fri, 23 Feb 2018 16:47:59 +0000

Source: squid3
Source-Version: 3.4.8-6+deb8u5

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Feb 2018 17:20:03 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: all source
Version: 3.4.8-6+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 888719 888720
Description: 
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.4.8-6+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024)
     (Closes: #888719)
   * Fix indirect IP logging for transactions without a client connection
     (CVE-2018-1000027) (Closes: #888720)
Checksums-Sha1: 
 137587c8ae97e80fc6fa79a72552cd01a7c9d7c9 2501 squid3_3.4.8-6+deb8u5.dsc
 e08ada6fc5ee6bb2f81b66226909f96c606e5ffc 41736 squid3_3.4.8-6+deb8u5.debian.tar.xz
 43b054ce99041c0c4616a6d0392279f999f350ec 258654 squid3-common_3.4.8-6+deb8u5_all.deb
Checksums-Sha256: 
 912451725b69ef760bd78fa1d257d307fdce6ea00dcbc946c7b0c875c6b62b3c 2501 squid3_3.4.8-6+deb8u5.dsc
 fe530e459717e4079aebf945962e492f7394255f374c6b0af287db076dfc9338 41736 squid3_3.4.8-6+deb8u5.debian.tar.xz
 a098ec628df571c3f21f5f500290f3f655138d55af6a26d049ccf11f8a9d4aac 258654 squid3-common_3.4.8-6+deb8u5_all.deb
Files: 
 ebae40e54309fbad44a7c9f5b8913fba 2501 web optional squid3_3.4.8-6+deb8u5.dsc
 f3cca72fc077be94ad5e1f94fd4c30c0 41736 web optional squid3_3.4.8-6+deb8u5.debian.tar.xz
 38871935ae897f3a6f570eb1fd2de8ba 258654 web optional squid3-common_3.4.8-6+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqJq2RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EtKkQAIuBQ7jwJFQphEhNMLiCo607J6RbQku0
vpYH7SbYhy2jn+mLtRsLI9eNJzi03eWOvRnetPuszVB1KlzZX8nC21Ugx3Pa/mdt
kdSTezoZe8HiJXeyBHMhUPeOWmda6AOEybZbiVetHHWsCFM1do0VnCW9SoWWdfPg
KNedcp89dVLhGOEYAGPr6A59EJ+qjHvWptlGc71UAHWS66SBbiMVKHF7vxkiBU5j
mT/xOSZa1ftotx2x0fm/MeqjdJ30QHdCkm4+3vJbaG7G1h+4MQWdTtCuyav0iMmy
HmItgfP+qiuyJOPciwHT8PeHuEWeBxBPb0D/0mzi6ob6ZZLWVhmIzPH48A1hzbrm
TEn7QCuOh6HIgnQTGgkjp5N1bbHO52zzIyk7ecq/tCCwH6q1lKnYWkf+iLZHIl3T
g28B9/Zi7YjOyKQztgaHSZmm0obSVTvKK267fKanBGJUThV14apS50swFNjKIipS
BWYF01rPThwDjh4Wwp4emTl2keT3f+gpVqPq0kY69Y4ucXtReKpVNioY7Mk7B2TO
+UKjKSgWq3eDeNp7RqrkPQjbbFbaLoMa0cKNsqb5klL3wII3EBsDLUPkuFP8dZIs
Kd8zBQJ2bTElAp4iOYwYjALMD/Wl4vHCSkvVUQ2MxASPte777SmXJhe6pPV2LzWY
KV6kZSWMj0Ev
=2u6E
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.