squid3: CVE-2016-10002: SQUID-2016:11: Information disclosure in HTTP Request processing

Related Vulnerabilities: CVE-2016-10002   CVE-2016-10003   CVE-2015-5400  

Debian Bug report logs - #848493


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Dec 2016 15:57:04 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions squid3/3.1.10-1, squid3/3.4.8-6

Fixed in versions squid3/3.5.23-1, squid3/3.4.8-6+deb8u4

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.
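The "Found in" and "Fixed in" fields above are only useful if the installed version of a host can be ordered against them correctly, and Debian versions do not sort lexically (3.4.8-6+deb8u4 fixes this bug while being older than 3.5.23-1; 1.0~rc1 sorts before 1.0). The following is an added example, not code from Debian or from the squid3 package: a Python implementation of the dpkg version-comparison algorithm applied to the versions listed in this report. The branch rule in is_fixed() is an assumption made here for illustration, not the logic of the Debian security tracker: a security-suite fix is taken to cover only packages built from the same upstream version, and anything at or above the newest fixed version is taken to be fixed.

```python
"""Debian version ordering (the dpkg algorithm) applied to the found/fixed
versions listed in this bug report."""
import string
from functools import cmp_to_key

FOUND = ["3.1.10-1", "3.4.8-6"]          # from the bug metadata
FIXED = ["3.5.23-1", "3.4.8-6+deb8u4"]   # unstable and jessie-security


def parse_version(v):
    """Split [epoch:]upstream[-debian_revision]."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def _order(c):
    """Weight of one character inside a non-digit run: '~' sorts before the
    end of the string, letters before every other character."""
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while (i < len(a) and j < len(b)
               and a[i] in string.digits and b[j] in string.digits):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed, fixed=FIXED):
    """Assumption for this example (not Debian tracker logic): a fix from a
    security suite covers only packages built from the same upstream version;
    anything at or above the newest fixed version is also fixed."""
    newest = max(fixed, key=cmp_to_key(compare_versions))
    if compare_versions(installed, newest) >= 0:
        return True
    upstream = parse_version(installed)[1]
    return any(parse_version(f)[1] == upstream and compare_versions(installed, f) >= 0
               for f in fixed)


if __name__ == "__main__":
    for v in FOUND + FIXED + ["3.4.8-6+deb8u3", "3.5.22-2"]:
        print(f"{v:20} fixed={is_fixed(v)}")
```

On a real host the installed version would come from `dpkg-query -W -f '${Version}' squid3 squid`; the comparison itself is the part worth getting right, which is why it is spelled out here rather than delegated to a string sort.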




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#848493; Package src:squid3. (Sat, 17 Dec 2016 15:57:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Sat, 17 Dec 2016 15:57:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squid3: SQUID-2016:11: Information disclosure in HTTP Request processing
Date: Sat, 17 Dec 2016 16:53:59 +0100
Source: squid3
Version: 3.4.8-6
Severity: important
Tags: security upstream patch fixed-upstream

Hi

From http://www.squid-cache.org/Advisories/SQUID-2016_11.txt

> Problem Description:
> 
>  Due to incorrect HTTP conditional request handling Squid can
>  deliver responses containing private data to clients it should
>  not have reached.

A CVE has been requested in http://www.openwall.com/lists/oss-security/2016/12/17/1

Regards,
Salvatore
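The advisory text quoted above describes the effect (a shared cache handing one client's private data to another after a conditional request) without showing the mechanism. The block below is an added example, not Squid's code and not a reproduction of the specific Squid defect: a small Python model of a shared cache that revalidates with If-None-Match, with the unsafe behaviour and the corrected behaviour side by side behind a `safe` flag. The origin, the URLs, the clients and the ETag are all constructed for the demo. With safe=False the cache stores responses marked Cache-Control: private and copies every header of a 304 into the shared entry, so the Set-Cookie issued to the revalidating client is later served to an unrelated client; with safe=True it refuses private/no-store responses and keeps per-client fields out of the shared entry (treating Set-Cookie as such a field is a design choice here, not a rule the advisory states).

```python
"""Model of a shared HTTP cache revalidating with If-None-Match.

safe=False reproduces two classic mistakes: storing responses marked
Cache-Control: private, and copying every header of a 304 (including the
Set-Cookie issued to the revalidating client) into the shared entry.
safe=True applies the checks a shared cache needs. Constructed example."""
import re
from dataclasses import dataclass

ETAG = '"v1"'                    # constructed: the body never changes here
PER_CLIENT_HEADERS = {"set-cookie"}   # fields bound to one requester


@dataclass
class Response:
    status: int
    headers: dict                # lower-cased field names -> values
    body: bytes = b""


@dataclass
class CacheEntry:
    headers: dict
    body: bytes
    stale: bool = False


def origin(url, req):
    """Constructed origin: /public is cacheable, /account is per-user."""
    client = req["x-client"]
    cookie = f"session={client}-secret; HttpOnly"
    if url == "/account":
        return Response(200, {"cache-control": "private, max-age=60",
                              "set-cookie": cookie},
                        f"account page for {client}".encode())
    common = {"etag": ETAG, "cache-control": "max-age=60", "set-cookie": cookie}
    if req.get("if-none-match") == ETAG:
        return Response(304, common)
    return Response(200, common, b"public page body")


class SharedCache:
    def __init__(self, safe):
        self.safe = safe
        self.store = {}          # url -> CacheEntry

    def _storable(self, resp):
        if resp.status != 200:
            return False
        if self.safe:
            cc = resp.headers.get("cache-control", "")
            if re.search(r"\b(private|no-store)\b", cc):
                return False     # never share a private response
        return True

    def _shared_headers(self, headers):
        # The safe cache keeps per-client fields out of the shared entry,
        # both when storing a 200 and when updating from a 304.
        if self.safe:
            return {k: v for k, v in headers.items() if k not in PER_CLIENT_HEADERS}
        return dict(headers)

    def mark_stale(self, url):
        self.store[url].stale = True

    def fetch(self, url, client):
        req = {"x-client": client}
        entry = self.store.get(url)
        if entry is not None and not entry.stale:
            return Response(200, dict(entry.headers), entry.body)   # HIT
        if entry is not None:
            req["if-none-match"] = entry.headers["etag"]            # revalidate
        resp = origin(url, req)
        if resp.status == 304 and entry is not None:
            entry.headers.update(self._shared_headers(resp.headers))  # RFC 7234 4.3.4
            entry.stale = False
            out = Response(200, dict(entry.headers), entry.body)
            # Per-client fields of the 304 go to this requester only.
            out.headers.update({k: v for k, v in resp.headers.items()
                                if k in PER_CLIENT_HEADERS})
            return out
        if self._storable(resp):
            self.store[url] = CacheEntry(self._shared_headers(resp.headers), resp.body)
        return resp


def run_demo(safe):
    cache = SharedCache(safe=safe)
    cache.fetch("/public", "alice")            # MISS: shared entry created
    cache.mark_stale("/public")                # pretend max-age elapsed
    bob = cache.fetch("/public", "bob")        # conditional request, origin says 304
    carol = cache.fetch("/public", "carol")    # plain HIT from the shared entry
    cache.fetch("/account", "alice")
    bob_account = cache.fetch("/account", "bob")
    return {"cookie_seen_by_carol": carol.headers.get("set-cookie"),
            "cookie_seen_by_bob": bob.headers.get("set-cookie"),
            "account_body_seen_by_bob": bob_account.body}


if __name__ == "__main__":
    print("unsafe:", run_demo(False))
    print("safe:  ", run_demo(True))
```

Run stand-alone, the unsafe configuration shows Carol receiving Bob's session cookie and Bob receiving Alice's account page; the safe configuration shows neither, while Bob still gets the cookie the origin issued to him during his own revalidation.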



Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#848493; Package src:squid3. (Sun, 18 Dec 2016 05:45:07 GMT)


Acknowledgement sent to Amos Jeffries <squid3@treenet.co.nz>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Sun, 18 Dec 2016 05:45:07 GMT)


Message #10 received at 848493@bugs.debian.org:

From: Amos Jeffries <squid3@treenet.co.nz>
To: 848493@bugs.debian.org
Subject: squid3: CVE-2016-10002 SQUID-2016:11: Information disclosure in HTTP Request processing
Date: Sun, 18 Dec 2016 18:34:01 +1300
CVE-2016-10002 has been assigned for this.



Severity set to 'grave' from 'important' Request was from Amos Jeffries <squid3@treenet.co.nz> to control@bugs.debian.org. (Sun, 18 Dec 2016 06:15:02 GMT)


Marked as found in versions squid3/3.1.10-1. Request was from Amos Jeffries <squid3@treenet.co.nz> to control@bugs.debian.org. (Sun, 18 Dec 2016 06:15:04 GMT)


Changed Bug title to 'squid3: CVE-2016-10002 SQUID-2016:11: Information disclosure in HTTP Request processing' from 'squid3: SQUID-2016:11: Information disclosure in HTTP Request processing'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Dec 2016 09:06:04 GMT)


Changed Bug title to 'squid3: CVE-2016-10002: SQUID-2016:11: Information disclosure in HTTP Request processing' from 'squid3: CVE-2016-10002 SQUID-2016:11: Information disclosure in HTTP Request processing'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Dec 2016 09:06:06 GMT)


Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Mon, 19 Dec 2016 00:09:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 19 Dec 2016 00:09:11 GMT)


Message #23 received at 848493-close@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: 848493-close@bugs.debian.org
Subject: Bug#848493: fixed in squid3 3.5.23-1
Date: Mon, 19 Dec 2016 00:07:24 +0000
Source: squid3
Source-Version: 3.5.23-1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Dec 2016 23:39:24 +0200
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source amd64 all
Version: 3.5.23-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
 squid      - Full featured Web Proxy cache (HTTP proxy)
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid-dbg  - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Transitional package
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 793473 822952 848491 848493
Changes:
 squid3 (3.5.23-1) unstable; urgency=high
 .
   [ Amos Jeffries <amosjeffries@squid-cache.org> ]
   * New Upstream Release (Closes: #793473, #822952)
     - Fixes security issue SQUID-2016:10 (CVE-2016-10003) (Closes: #848491)
     - Fixes security issue SQUID-2016:11 (CVE-2016-10002) (Closes: #848493)
 .
   * debian/patches/
     - Remove patch included upstream
 .
   * debian/tests/
     - Use package build-deps when testing so the make commands will work
Checksums-Sha1:
 197134d8ace06ae54284c6d4196019150be0082d 2397 squid3_3.5.23-1.dsc
 6b0b2091896e7874024e5f1e28eeccb0acd7e962 4730792 squid3_3.5.23.orig.tar.gz
 49f45d0160c7aa823fd23198cd5aaaee0db6ac78 25460 squid3_3.5.23-1.debian.tar.xz
 5f2e8ae27cbb4c93eebf781013389737906c8b6c 164508 squid-cgi_3.5.23-1_amd64.deb
 5acd567346d5f80b25011436debb99424be28807 284030 squid-common_3.5.23-1_all.deb
 68f59153994461f5fd833427a7b29526f3c1f3bf 21562690 squid-dbg_3.5.23-1_amd64.deb
 deebbb55e525a7efeebf47ec914453549d31e79d 157000 squid-purge_3.5.23-1_amd64.deb
 386b2bca052a123a27fa9738e886f74adcae3c50 138348 squid3_3.5.23-1_all.deb
 96125c04c3582c1e391f9023b6e1c536296c208a 8377 squid3_3.5.23-1_amd64.buildinfo
 2ce1eb847e2392ed82a6b72b7dfb1d4972404f24 2311344 squid_3.5.23-1_amd64.deb
 c8e0e90e1b9e862a37b89b93a43c0d4c4cb985e2 168126 squidclient_3.5.23-1_amd64.deb
Checksums-Sha256:
 38d1ffe9c150c24c98705a5cf15ffa2775319995a18b3d45034e7c052e2bb0ae 2397 squid3_3.5.23-1.dsc
 f81eeee0fb046ad636566b51fe4f72b8bc66d454d7082ef38e273c3f4b09f6db 4730792 squid3_3.5.23.orig.tar.gz
 a143ad91de14a1eb9f1d822a26f2b77a91015897f3e06bbed0bdfa50bdcbc7cd 25460 squid3_3.5.23-1.debian.tar.xz
 1038c7f95c6f764689781c150571f388194cca9a9b1687b7aa2d1cc8619c2940 164508 squid-cgi_3.5.23-1_amd64.deb
 d632cdb07913459be218fdf09c8b9b661b176881848a4be5c9a8531cf3f58bc0 284030 squid-common_3.5.23-1_all.deb
 ab6f1c4c846788d4a2329e81367c1e42ef5e4693b75e7a6ef5796a5fb4fcbd86 21562690 squid-dbg_3.5.23-1_amd64.deb
 82c9d6468126d1b146d9c1f259d4e3989fd6f58e96158c4edf5f576696dbb650 157000 squid-purge_3.5.23-1_amd64.deb
 9739ddddef3ba4780d577efd6cb09de81388c8ca1ce0037cff8cae83b9900b80 138348 squid3_3.5.23-1_all.deb
 ea5f09d8ffc02c82f6177d7997487596307d46cfaeb203ba0c303adcc86992b6 8377 squid3_3.5.23-1_amd64.buildinfo
 09f8a830164bc6f705dc786245222a00d8683fc1267899055c512ec02808aca3 2311344 squid_3.5.23-1_amd64.deb
 6e92d0bc65177acd410b80caf864bb34af0c727beddaed32319f5d24c767bf80 168126 squidclient_3.5.23-1_amd64.deb
Files:
 3da6149d1248ae7e24d7e95e27619ca8 2397 web optional squid3_3.5.23-1.dsc
 49d790ddee8c611ee2992e66eb8e9ae9 4730792 web optional squid3_3.5.23.orig.tar.gz
 afc0191c3af8ea1ef58254b1d832c9cd 25460 web optional squid3_3.5.23-1.debian.tar.xz
 d2842282a031b893cbdda3634cada080 164508 web optional squid-cgi_3.5.23-1_amd64.deb
 84be34482e662640e02cb0e6357d582e 284030 web optional squid-common_3.5.23-1_all.deb
 e1649262c944019fbee49dd7b02f399f 21562690 debug extra squid-dbg_3.5.23-1_amd64.deb
 e1a929456c79c177167c404e83059d28 157000 web optional squid-purge_3.5.23-1_amd64.deb
 969b49f6e0d5f0cb413aa1977c65ac6c 138348 oldlibs extra squid3_3.5.23-1_all.deb
 38ce40aa262827e466e12a42cb3819db 8377 web optional squid3_3.5.23-1_amd64.buildinfo
 acc42f6db2c2a2044496ddfb3954169b 2311344 web optional squid_3.5.23-1_amd64.deb
 0e13622997986323b0904b86d3859ecf 168126 web optional squidclient_3.5.23-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 24 Dec 2016 21:03:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Dec 2016 21:03:16 GMT)


Message #28 received at 848493-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 848493-close@bugs.debian.org
Subject: Bug#848493: fixed in squid3 3.4.8-6+deb8u4
Date: Sat, 24 Dec 2016 21:02:20 +0000
Source: squid3
Source-Version: 3.4.8-6+deb8u4

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Dec 2016 11:47:19 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: all source
Version: 3.4.8-6+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 819563 848493
Description: 
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.4.8-6+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cache_peer login=PASS(THRU) after CVE-2015-5400.
     Thanks to Amos Jeffries <squid3@treenet.co.nz> (Closes: #819563)
   * CVE-2016-10002: Information disclosure in HTTP Request processing
     (Closes: #848493)
Checksums-Sha1: 
 aea9d693617d9060f03d73e9ac97ce742459b4de 2501 squid3_3.4.8-6+deb8u4.dsc
 f69b769ed103871e6ab767328713e8cb2585405a 41124 squid3_3.4.8-6+deb8u4.debian.tar.xz
 fc9aa7470097df32de7aaf487ea9dc3b2179cb20 258548 squid3-common_3.4.8-6+deb8u4_all.deb
Checksums-Sha256: 
 3c19984d630de12dc191189c59255a15c70f86df5874fb56e812bb483d3648ae 2501 squid3_3.4.8-6+deb8u4.dsc
 cd12f31bfd2d4ef5519cafb683713f5c63f25331bd64be6ce930fdd64b5d7a46 41124 squid3_3.4.8-6+deb8u4.debian.tar.xz
 202e3452e24b057512b061001ba2970398540ce56fc56db978b5860343d00561 258548 squid3-common_3.4.8-6+deb8u4_all.deb
Files: 
 d8881b2709492ca294568e41a89dffab 2501 web optional squid3_3.4.8-6+deb8u4.dsc
 1e8f56bc5c08232a0ba63d69f8ff262e 41124 web optional squid3_3.4.8-6+deb8u4.debian.tar.xz
 f75d5c6ec82390569e0e98f7534971af 258548 web optional squid3-common_3.4.8-6+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 11:58:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:08 2019; Machine Name: beach
