squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556


Debian Bug report logs - #823968


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 10 May 2016 20:12:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version squid3/3.5.17-1

Done: Amos Jeffries <squid3@treenet.co.nz>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#823968; Package src:squid3. (Tue, 10 May 2016 20:12:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Tue, 10 May 2016 20:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Date: Tue, 10 May 2016 22:10:35 +0200
Source: squid3
Version: 3.5.17-1
Severity: important
Tags: security upstream fixed-upstream

Hi

There is a new upstream version of squid3 to address CVE-2016-4553
CVE-2016-4554 CVE-2016-4555 CVE-2016-4556. But more information is
provided via the security-tracker:

 [1] https://security-tracker.debian.org/CVE-2016-4553
 [2] https://security-tracker.debian.org/CVE-2016-4554
 [3] https://security-tracker.debian.org/CVE-2016-4555
 [4] https://security-tracker.debian.org/CVE-2016-4556
 [5] http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
 [6] http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
 [7] http://www.squid-cache.org/Advisories/SQUID-2016_9.txt

Please include CVE identifiers when fixing the issue, and could you
check the older versions and update the affected versions? Santiago Ruano
Rincón has also already done some research.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#823968; Package src:squid3. (Wed, 11 May 2016 03:15:03 GMT)


Acknowledgement sent to Amos Jeffries <squid3@treenet.co.nz>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Wed, 11 May 2016 03:15:03 GMT)


Message #10 received at 823968@bugs.debian.org:

From: Amos Jeffries <squid3@treenet.co.nz>
To: 823968@bugs.debian.org, debian-security-tracker@lists.debian.org, pkg-squid-devel@lists.alioth.debian.org
Subject: Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Date: Wed, 11 May 2016 15:12:14 +1200

CVE-2016-4553:
 Patch for 3.4 and older is now available at
<http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13240.patch>.

CVE-2016-4554:
 Additional changes are needed than those initially linked to. See the
advisory URL for updated patch links.

CVE-2016-4555:
 Squid-3.1 in wheezy is not affected.

CVE-2016-4556:
 Patch for 3.4 should also apply fairly easily to 3.1, but has not been
tested.
 Also, the severity of this issue is much reduced for Debian since SSL
is not enabled.
 Though it still remains an issue for CDN and reverse-proxy installations.


HTH
Amos




Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#823968; Package src:squid3. (Wed, 11 May 2016 05:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Wed, 11 May 2016 05:15:03 GMT)


Message #15 received at 823968@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: 823968@bugs.debian.org, debian-security-tracker@lists.debian.org, pkg-squid-devel@lists.alioth.debian.org
Subject: Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Date: Wed, 11 May 2016 07:12:24 +0200

Hi Amos,

On Wed, May 11, 2016 at 03:12:14PM +1200, Amos Jeffries wrote:
> 
> CVE-2016-4553:
>  Patch for 3.4 and older is now available at
> <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13240.patch>.
> 
> CVE-2016-4554:
>  Additional changes are needed than those initially linked to. see the
> advisory URL for updated patch links.
> 
> CVE-2016-4555:
>  Squid-3.1 in wheezy is not affected.
> 
> CVE-2016-4556:
>  Patch for 3.4 should also apply fairly easily to 3.1, but has not been
> tested.
>  Also, the severity of this issue is much reduced for Debian since SSL
> is not enabled.
>  Though it still remains an issue for CDN and reverse-proxy installations.
> 
> 
> HTH

Yes, thanks for your feedback.

Regards,
Salvatore



Reply sent to Amos Jeffries <squid3@treenet.co.nz>:
You have taken responsibility. (Tue, 09 Aug 2016 14:39:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 09 Aug 2016 14:39:19 GMT)


Message #20 received at 823968-done@bugs.debian.org:

From: Amos Jeffries <squid3@treenet.co.nz>
To: 823968-done@bugs.debian.org
Subject: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Date: Wed, 10 Aug 2016 02:36:27 +1200

Control: fixed 823968 3.4.8-6+deb8u3
Control: fixed 823968 3.1.20-2.2+deb7u5
Control: fixed 823968 3.5.19-1
thanks

The fixes are now available in all repositories, but the uploads did not
mention this bug number so it has not been auto-updated.

Amos



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Sep 2016 07:38:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:26:11 2019; Machine Name: beach
