Debian Bug report logs -
#534982
squid - DoS in external auth header parser
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Sun, 28 Jun 2009 18:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <waldi@debian.org>:
New Bug report received and forwarded. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Sun, 28 Jun 2009 18:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: squid
Version: 2.7.STABLE3-4.1
Severity: normal
My main squid reverse proxy suddenly stopped working after some days.
The last time it happened, I managed to dig a bit around and also got a
core dump and analyzed it as far as this works without debugging
symbols. This happened on my own rebuild with SSL enabled, but the
affected code region does not even consider SSL support.
Config excerpt:
| http_port 80 accel vhost defaultsite=example.com
| https_port 443 accel vhost defaultsite=example.com cert=/etc/squid/ssl/all options=NO_SSLv2
| icp_port 3130
|
| logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss %Sh/%<A "%{Referer}>h" "%{User-Agent}>h"
| cache_access_log /srv/squid/prod/log/access.log
| cache_access_log /srv/squid/prod/log/combined.log combined
| cache_log /srv/squid/prod/log/cache.log
| cache_store_log /srv/squid/prod/log/store.log
|
| acl accelerated_domains dstdomain example.com
| acl accelerated_protocols proto http https
|
| external_acl_type zope_auth ttl=0 %PATH %{Cookie:;__ac} /etc/squid/auth/auth /etc/squid/zope_auth.conf
| acl zope_auth external zope_auth
|
| http_access allow accelerated_domains accelerated_protocols zope_auth
| http_access deny all
Available threads:
| (gdb) info threads
| 17 process 17096 0x00002b7100488bc8 in strcspn () from /lib/libc.so.6
| 16 process 17138 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 15 process 17137 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 14 process 17136 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 13 process 17135 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 12 process 17134 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 11 process 17133 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 10 process 17132 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 9 process 17131 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 8 process 17130 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 7 process 17129 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 6 process 17128 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 5 process 17127 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 4 process 17126 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 3 process 17125 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| 2 process 17124 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
| * 1 process 17123 0x00002b70ffd60d29 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
So 16 threads suddenly waited for something shared and only the 17th did
something usefull.
Annotated backtrace of thread 17 (I had to reconstruct the function names from
a similar binary):
| (gdb) bt
| #0 0x00002b7100488bc8 in strcspn () from /lib/libc.so.6
| #1 0x0000000000456021 in ?? ()
0000000000455f80 g F .text 0000000000000191 strListGetItem
| #2 0x000000000045395e in ?? ()
00000000004538b0 g F .text 000000000000014a httpHeaderGetListMember
| #3 0x000000000043923a in ?? ()
0000000000438e60 l F .text 0000000000000648 makeExternalAclKey
| #4 0x0000000000439f6b in ?? ()
0000000000439e70 g F .text 000000000000048c aclMatchExternal
| #5 0x000000000040a24c in ?? ()
0000000000409f30 g F .text 0000000000000eef aclMatchAclList
| #6 0x000000000040ae61 in ?? ()
000000000040ae20 l F .text 000000000000044d aclCheck
| #7 0x000000000042652b in ?? ()
| #8 0x0000000000431105 in ?? ()
| #9 0x00000000004601a0 in ?? ()
| #10 0x00002b710042c1a6 in __libc_start_main () from /lib/libc.so.6
Register dump to show the parameters for strcspn:
| (gdb) info registers
| rax 0x0 0
| rbx 0x199d93d 26859837
| rcx 0x3 3
| rdx 0x199d93d 26859837
| rsi 0x700690 7341712
| rdi 0x199d93d 26859837
| rbp 0x0 0x0
| rsp 0x7fffab99df88 0x7fffab99df88
| r8 0x199d93d 26859837
| r9 0x1 1
| r10 0x353a39353a333220 3835440933431882272
| r11 0x2b71005153a0 47764336628640
| r12 0x7fffab99e130 140736072376624
| r13 0x7fffab99e128 140736072376616
| r14 0x3b 59
| r15 0x7fffab99e13c 140736072376636
| rip 0x2b7100488bc8 0x2b7100488bc8 <strcspn+24>
Parameters are in rsi and rdi:
| (gdb) print {char[5]}0x700690
| $14 = "\";,\000"
| (gdb) print {char[50]}0x199d93d
| $16 = ", 31-Dec-97 23:59:59 GMT; Max-Age=0", '\0' <repeats 14 times>
So it calls
| strcspn("\";,", ", 31-Dec-97 23:59:59 GMT; Max-Age=0")
But suddenly the value starts with ",", which is defined as a field
delimiter in the Cookie-header, but incorrectly used in this case.
More data:
| (gdb) print {char[100]}0x199d910
| $18 = "statusmessages=\"deleted\"; Path=/; Expires=Wed, 31-Dec-97 23:59:59 GMT; Max-Age=0", '\0' <repeats 19 times>
It loops around this strcspn call all the time. As far as I know always
with the same parameters.
Bastian
--
There is an order of things in this universe.
-- Apollo, "Who Mourns for Adonais?" stardate 3468.1
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Sun, 28 Jun 2009 18:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Sun, 28 Jun 2009 18:48:02 GMT) (full text, mbox, link).
Message #10 received at 534982@bugs.debian.org (full text, mbox, reply):
Digging into the code shows that this behaviour is clearly written
their[1]. It it only triggerable by either external auth or access log
formats which includes parts of headers with delimiters.
Bastian
[1]: src/HttpHeaderTools.c:239-283
--
Without facts, the decision cannot be made logically. You must rely on
your human intuition.
-- Spock, "Assignment: Earth", stardate unknown
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Mon, 06 Jul 2009 10:12:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Mon, 06 Jul 2009 10:12:06 GMT) (full text, mbox, link).
Message #15 received at 534982@bugs.debian.org (full text, mbox, reply):
severity 534982 important
tags 534982 security
thanks
No response from maintainer. As the cause is clear, I'm setting it to
appropriate values.
Bastian
--
There's coffee in that nebula!
-- Capt. Kathryn Janeway, Star Trek: Voyager, "The Cloud"
Severity set to `important' from `normal'
Request was from Bastian Blank <waldi@debian.org>
to control@bugs.debian.org.
(Mon, 06 Jul 2009 10:12:07 GMT) (full text, mbox, link).
Tags added: security
Request was from Bastian Blank <waldi@debian.org>
to control@bugs.debian.org.
(Mon, 06 Jul 2009 10:12:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#534982; Package squid.
(Mon, 06 Jul 2009 17:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list.
(Mon, 06 Jul 2009 17:15:03 GMT) (full text, mbox, link).
Message #24 received at 534982@bugs.debian.org (full text, mbox, reply):
forwarded 534982 http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
thanks
Hi Bastian,
sorry for the late reply. I'm forwarding this bug upstream, since the
issue is better handled there.
Regards,
L
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Mon, 10 Aug 2009 18:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Mon, 10 Aug 2009 18:30:02 GMT) (full text, mbox, link).
Message #31 received at 534982@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
The attached patch fixes the problem by eliminating the additional ","
as seperator. I found no sign why this was added in the first place
after some code reconstruction. Also it makes the code reentrant.
Bastian
--
We have phasers, I vote we blast 'em!
-- Bailey, "The Corbomite Maneuver", stardate 1514.2
[diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Wed, 19 Aug 2009 12:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Henrik Nordstrom <henrik@henriknordstrom.net>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Wed, 19 Aug 2009 12:06:05 GMT) (full text, mbox, link).
Message #36 received at 534982@bugs.debian.org (full text, mbox, reply):
The comma is there because comma is always a valid list separator in
HTTP headers due to rules on how multiple values of the same header may
be combined.
Regards
Henrik
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Wed, 19 Aug 2009 23:12:19 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Wed, 19 Aug 2009 23:12:19 GMT) (full text, mbox, link).
Message #41 received at 534982@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
CVE-2009-2855 was assigned to this issue, please make sure
to reference it in the changelog if you fix this bug.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Mon, 24 Aug 2009 19:48:19 GMT) (full text, mbox, link).
Reply sent
to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility.
(Sun, 20 Sep 2009 13:09:06 GMT) (full text, mbox, link).
Notification sent
to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer.
(Sun, 20 Sep 2009 13:09:06 GMT) (full text, mbox, link).
Message #50 received at 534982-close@bugs.debian.org (full text, mbox, reply):
Source: squid
Source-Version: 2.7.STABLE7-1
We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive:
squid-cgi_2.7.STABLE7-1_i386.deb
to pool/main/s/squid/squid-cgi_2.7.STABLE7-1_i386.deb
squid-common_2.7.STABLE7-1_all.deb
to pool/main/s/squid/squid-common_2.7.STABLE7-1_all.deb
squid_2.7.STABLE7-1.diff.gz
to pool/main/s/squid/squid_2.7.STABLE7-1.diff.gz
squid_2.7.STABLE7-1.dsc
to pool/main/s/squid/squid_2.7.STABLE7-1.dsc
squid_2.7.STABLE7-1_i386.deb
to pool/main/s/squid/squid_2.7.STABLE7-1_i386.deb
squid_2.7.STABLE7.orig.tar.gz
to pool/main/s/squid/squid_2.7.STABLE7.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 534982@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 20 Sep 2009 01:25:52 +0200
Source: squid
Binary: squid squid-common squid-cgi
Architecture: source all i386
Version: 2.7.STABLE7-1
Distribution: unstable
Urgency: low
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
squid - Internet object cache (WWW proxy cache)
squid-cgi - Squid cache manager CGI program
squid-common - Internet object cache (WWW proxy cache) - common files
Closes: 534982 541460 542723
Changes:
squid (2.7.STABLE7-1) unstable; urgency=low
.
* New upstream release
- Fixes DoS in exthernal auth header parser (Ref: CVE-2009-2855)
(Closes: #534982)
.
* debian/squid.rc
- Fixed init.d script dependencies, thanks to Petter Reinholdtsen
(Closes: #541460)
.
* debian/{control,rules}
- Added hardening build options (Closes: #542723)
.
* debian/control
- Bumped Standard-Version to 3.8.3, no change needed
.
* debian/rules
- Make link to squid-langpack directory relative
Checksums-Sha1:
d8f1acc9eb27c6abce8021e2590e37f5e9ffef33 1149 squid_2.7.STABLE7-1.dsc
94a385a494f50cf3394e226ce743ae3a3ad51440 1784325 squid_2.7.STABLE7.orig.tar.gz
224e01851db33de12922a23bac8db76376eb1540 300374 squid_2.7.STABLE7-1.diff.gz
8c8e1086d548cd9404a5219cf4f6e7fa7f46ec9f 351002 squid-common_2.7.STABLE7-1_all.deb
4ce3033cd50e4b41022a03fe263d87f894ddcb92 759998 squid_2.7.STABLE7-1_i386.deb
fab88dc10c8e7d40ea96b06bfbbb319d9870b956 121302 squid-cgi_2.7.STABLE7-1_i386.deb
Checksums-Sha256:
d12f3409fabd082461ca9e3f91bc92d7666dfb41307915a7cc3c2ec82d712542 1149 squid_2.7.STABLE7-1.dsc
2b926aece7d4beac0370d9b72899d3be7f48c29e973a1328666938a2e4c4ffa6 1784325 squid_2.7.STABLE7.orig.tar.gz
9c84ede0dbb25df4d6f628b62d967f7b4c264b097290d31f5ff0215d5a836fb9 300374 squid_2.7.STABLE7-1.diff.gz
e856b380dce72ae41bb6a8a05fe30fe3825b53d65c1263b7b5bad6b85670f331 351002 squid-common_2.7.STABLE7-1_all.deb
3ab49ccb3a922e1fa7e15d8b6e7a5c0ba6ffa926409015300c06fe3087509d1d 759998 squid_2.7.STABLE7-1_i386.deb
1516617bdf77a0b2f2cf401d74da6888d6d01a326591631acbe0fbbf436c5762 121302 squid-cgi_2.7.STABLE7-1_i386.deb
Files:
03b8ffc57fffb5afa81b891aa8888da1 1149 web optional squid_2.7.STABLE7-1.dsc
c506207f921a6da1878b4085e202e190 1784325 web optional squid_2.7.STABLE7.orig.tar.gz
8fcd6411b77bfc1c2d7061c4f9dfabcc 300374 web optional squid_2.7.STABLE7-1.diff.gz
401495f9e634e7ebfed42363c19cf0f8 351002 web optional squid-common_2.7.STABLE7-1_all.deb
139c822f0553cb03cd1c4cb3dc89f13b 759998 web optional squid_2.7.STABLE7-1_i386.deb
d3cb67378334c83132279663d584f3e4 121302 web optional squid-cgi_2.7.STABLE7-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkq2Ix0ACgkQ8ZumGJJMDCbdtACfW+YqEE/BUJQ4ULW0B3BnOBes
8W0AoIDtAuw7D/6tp0IaN14jjCtDmJuL
=QcCl
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Wed, 30 Sep 2009 16:21:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Terry Burton <tez@terryburton.co.uk>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Wed, 30 Sep 2009 16:21:10 GMT) (full text, mbox, link).
Message #55 received at 534982@bugs.debian.org (full text, mbox, reply):
reopen 534982
severity 534982 critical
This bug has recently hit us hard resulting in repeated DoS of a
production web service running on Debian Lenny.
What is the intended mitigation strategy for this DoS for users of
Debian Stable who rely on Squid support for external_acl_type? For the
time being I have had to rebuild appropriately patched squid packages
for Lenny to guard against this.
Since there will redoubtably be many production web servers running
Debian that are vulnerable to CVE-2009-2855 the patch should be
backported into the squid packages shipped with Lenny and released
through the security repository.
Thanks,
Terry
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Wed, 30 Sep 2009 17:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Wed, 30 Sep 2009 17:30:04 GMT) (full text, mbox, link).
Message #60 received at 534982@bugs.debian.org (full text, mbox, reply):
* Terry Burton:
> This bug has recently hit us hard resulting in repeated DoS of a
> production web service running on Debian Lenny.
Do you know if this was triggered accidentally or deliberately?
> Since there will redoubtably be many production web servers running
> Debian that are vulnerable to CVE-2009-2855 the patch should be
> backported into the squid packages shipped with Lenny and released
> through the security repository.
Luigi, do you plan to prepare an update for (old)stable?
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Wed, 30 Sep 2009 17:30:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Terry Burton <tez@terryburton.co.uk>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Wed, 30 Sep 2009 17:30:07 GMT) (full text, mbox, link).
Message #65 received at 534982@bugs.debian.org (full text, mbox, reply):
On Wed, Sep 30, 2009 at 5:49 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Terry Burton:
>
>> This bug has recently hit us hard resulting in repeated DoS of a
>> production web service running on Debian Lenny.
>
> Do you know if this was triggered accidentally or deliberately?
Florian,
Probably accidentally, though it may possibly have been deliberate.
(I will disclose further information privately as a follow up to this message.)
Many thanks,
Terry
Bug No longer marked as fixed in versions squid/2.7.STABLE7-1 and reopened.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 30 Sep 2009 17:33:41 GMT) (full text, mbox, link).
Severity set to 'critical' from 'important'
Request was from Terry Burton <tez@terryburton.co.uk>
to control@bugs.debian.org.
(Wed, 30 Sep 2009 17:33:42 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#534982; Package squid.
(Mon, 12 Oct 2009 22:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Amos Jeffries <squid3@treenet.co.nz>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.
(Mon, 12 Oct 2009 22:30:03 GMT) (full text, mbox, link).
Message #74 received at 534982@bugs.debian.org (full text, mbox, reply):
I see "Bug No longer marked as fixed in versions squid/2.7.STABLE7-1 and
reopened." above.
Is this correct and 2.7.STABLE7 still showing the vulnerable behaviour?
Terry: If possible I'd like to see some details of the event, for my
interest.
Amos
Squid Team
Bug Marked as fixed in versions squid/2.7.STABLE7-1.
Request was from Luigi Gangitano <luigi@debian.org>
to control@bugs.debian.org.
(Thu, 03 Dec 2009 17:21:04 GMT) (full text, mbox, link).
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Tue, 23 Feb 2010 20:18:05 GMT) (full text, mbox, link).
Notification sent
to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer.
(Tue, 23 Feb 2010 20:18:06 GMT) (full text, mbox, link).
Message #81 received at 534982-close@bugs.debian.org (full text, mbox, reply):
Source: squid
Source-Version: 2.6.5-6etch5
We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive:
squid-cgi_2.6.5-6etch5_i386.deb
to main/s/squid/squid-cgi_2.6.5-6etch5_i386.deb
squid-common_2.6.5-6etch5_all.deb
to main/s/squid/squid-common_2.6.5-6etch5_all.deb
squid_2.6.5-6etch5.diff.gz
to main/s/squid/squid_2.6.5-6etch5.diff.gz
squid_2.6.5-6etch5.dsc
to main/s/squid/squid_2.6.5-6etch5.dsc
squid_2.6.5-6etch5_i386.deb
to main/s/squid/squid_2.6.5-6etch5_i386.deb
squidclient_2.6.5-6etch5_i386.deb
to main/s/squid/squidclient_2.6.5-6etch5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 534982@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated squid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 3 Feb 2010 13:07:51 +0000
Source: squid
Binary: squid squid-cgi squidclient squid-common
Architecture: source i386 all
Version: 2.6.5-6etch5
Distribution: oldstable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
squid - Internet Object Cache (WWW proxy cache)
squid-cgi - Squid cache manager CGI program
squid-common - Internet Object Cache (WWW proxy cache) - common file
squidclient - Command line URL extractor that talks to (a) squid
Closes: 534982
Changes:
squid (2.6.5-6etch5) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix denial of service via invalid DNS header-only packets
Fixes: CVE-2010-0308
* Fix denial of service via a crafted auth header with certain comma
delimiters (Closes: #534982)
Fixes: CVE-2009-2855
Files:
2e53013dd1d22bc98d694c4b0775a715 678 web optional squid_2.6.5-6etch5.dsc
f35fba0ebbd63b22786d04c8775aacf6 274283 web optional squid_2.6.5-6etch5.diff.gz
69401a11436668a2e47c1886ed671d97 439698 web optional squid-common_2.6.5-6etch5_all.deb
d63eacb8a0dec6db6f789e40bbcbc404 654880 web optional squid_2.6.5-6etch5_i386.deb
6688fcc15664c2eb7c8326bac53188bb 86030 web optional squidclient_2.6.5-6etch5_i386.deb
1a907bd4666d4de8298b99a6b97d8b9c 117372 web optional squid-cgi_2.6.5-6etch5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktpd1kACgkQ62zWxYk/rQfpwACfezXjR/f51W3MEwaNO3Sao7r3
Q9IAoJsdaxSIH3+yPtTJdCsXSOQn41OH
=AYM8
-----END PGP SIGNATURE-----
Reply sent
to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility.
(Thu, 30 Sep 2010 02:00:03 GMT) (full text, mbox, link).
Notification sent
to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer.
(Thu, 30 Sep 2010 02:00:03 GMT) (full text, mbox, link).
Message #86 received at 534982-close@bugs.debian.org (full text, mbox, reply):
Source: squid
Source-Version: 2.7.STABLE3-4.1lenny1
We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive:
squid-cgi_2.7.STABLE3-4.1lenny1_i386.deb
to main/s/squid/squid-cgi_2.7.STABLE3-4.1lenny1_i386.deb
squid-common_2.7.STABLE3-4.1lenny1_all.deb
to main/s/squid/squid-common_2.7.STABLE3-4.1lenny1_all.deb
squid_2.7.STABLE3-4.1lenny1.diff.gz
to main/s/squid/squid_2.7.STABLE3-4.1lenny1.diff.gz
squid_2.7.STABLE3-4.1lenny1.dsc
to main/s/squid/squid_2.7.STABLE3-4.1lenny1.dsc
squid_2.7.STABLE3-4.1lenny1_i386.deb
to main/s/squid/squid_2.7.STABLE3-4.1lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 534982@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 14 Jan 2010 23:10:06 +0100
Source: squid
Binary: squid squid-common squid-cgi
Architecture: source all i386
Version: 2.7.STABLE3-4.1lenny1
Distribution: stable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
squid - Internet object cache (WWW proxy cache)
squid-cgi - Squid cache manager CGI program
squid-common - Internet object cache (WWW proxy cache) - common files
Closes: 534982
Changes:
squid (2.7.STABLE3-4.1lenny1) stable-security; urgency=high
.
* Urgency high due to security fixes
.
* debian/patches/71-CVE-2009-2855
- Fix DoS vuln (Ref: CVE-2009-2855)(Closes: #534982)
.
[Steffen Joeris]
* Fix denial of service via invalid DNS header-only packets
Fixes: CVE-2010-0308
Checksums-Sha1:
ab93a45f872d6a2e35331c587d0b10b83e617227 1165 squid_2.7.STABLE3-4.1lenny1.dsc
0c99054d5fd6537da467acbf299ffe5f1a542ae3 1782040 squid_2.7.STABLE3.orig.tar.gz
18646954a58b9429955a7debe953af8294580e74 304919 squid_2.7.STABLE3-4.1lenny1.diff.gz
d3695cc6bb47f272b182e6e7a457aca8e4766e07 493526 squid-common_2.7.STABLE3-4.1lenny1_all.deb
f489a0cfe3b1850928bded323a5561bb2b0a970a 688540 squid_2.7.STABLE3-4.1lenny1_i386.deb
948c43ac408a887055da4925ac5baa83d7f10b77 117732 squid-cgi_2.7.STABLE3-4.1lenny1_i386.deb
Checksums-Sha256:
c3fc3dbe7375a94e6cf26c06c6558333318ba0f438eab0b61780a3d4daa353fe 1165 squid_2.7.STABLE3-4.1lenny1.dsc
d987578c6ca26ca8c8d6fad920580cc39b6ebe95c8ff727b1b6d3c5625fe428d 1782040 squid_2.7.STABLE3.orig.tar.gz
733555967e6cbd9c1b1cc6f6653a4b84b53a819676c7236badbfa58dc328ef47 304919 squid_2.7.STABLE3-4.1lenny1.diff.gz
43069bf07797f0a95e674a1f96deaf5bc22aed687111537e110f8791d7caa9af 493526 squid-common_2.7.STABLE3-4.1lenny1_all.deb
ea094591664aa9b1e2af44e554928ca12333080f302d5b34140849cdcfcd313c 688540 squid_2.7.STABLE3-4.1lenny1_i386.deb
71e23af41990dd19c43c39ff8bdf52b86d906f1409041b942f8ce2cfb95fc6ba 117732 squid-cgi_2.7.STABLE3-4.1lenny1_i386.deb
Files:
3d00959e8a0e1b88d81a1c3bdaef1676 1165 web optional squid_2.7.STABLE3-4.1lenny1.dsc
a4d7608696e2b617aa5853c7d23e25b0 1782040 web optional squid_2.7.STABLE3.orig.tar.gz
c9b0294c475b0d3118d25a60e8bb17d1 304919 web optional squid_2.7.STABLE3-4.1lenny1.diff.gz
812524fc4efa57618ed4d1def3dcc720 493526 web optional squid-common_2.7.STABLE3-4.1lenny1_all.deb
30387d06ef752feb274c3e3171028296 688540 web optional squid_2.7.STABLE3-4.1lenny1_i386.deb
ae221ec979f6984ca5ed89b76239df13 117732 web optional squid-cgi_2.7.STABLE3-4.1lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktpcPUACgkQ62zWxYk/rQeR2QCdGpM/AVZGiWPOEzDzNoN8PdJZ
dnEAnj53gWrrg7c+OjHLk2Qts8nmjtUu
=aRrj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 28 Nov 2010 07:33:48 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:16:55 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon