Package: squid-cgi
Version: 2.6.5-6etch4

Debian GNU/Linux 4.0 \n \l
Linux xxxx-web01 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008
x86_64 GNU/Linux


There's a cross site scripting (XSS) bug in cachemgr.cgi.  I raised this
with the squid maintainers.  The issue was known already, but they
hadn't previously issued a patch for Squid 2.6 which is old and not
officially supported by them.  Now they have.

Could this patch please be incorporated into the Debian distribution.


Andrew

--------------------------------
Andrew McNaughton | System Administration Support Officer
Squiz Support | http://www.squiz.net.au/



---------------------- snip --------------------------
Subject: Re: Heads Up: XSS security issue in cachemgr.cgi
From: Henrik Nordstrom <[email protected]>
Date: Wed, 28 Oct 2009 01:15:06 +0100

Thanks for your heads up. Fortunately for us it's just old news with a
new heading.

  http://bugs.squid-cache.org/show_bug.cgi?id=2365

Fixed in

   2.7.STABLE3
   3.0.STABLE8
   3.1.0.1

all released about a year ago.

I have now back ported this change to 2.6 as well and the patch will
shortly be available at

  http://www.squid-cache.org/Versions/v2/2.6/changesets/

will be exactly the same patch as what was published for 2.7 at

  http://www.squid-cache.org/Versions/v2/2.7/changesets/12244.patch


Please note that 2.6 is no longer officially supported by
squid-cache.org since last summer when 2.7 was released, but we still
collect relevant bug fixes and release new 2.6 releases as we know many
distributions for stupid policy reasons can not upgrade.

Regards
Henrik
---------------------- snip --------------------------







-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to