Package: squid-cgi Version: 2.6.5-6etch4 Debian GNU/Linux 4.0 \n \l Linux xxxx-web01 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008 x86_64 GNU/Linux
There's a cross site scripting (XSS) bug in cachemgr.cgi. I raised this with the squid maintainers. The issue was known already, but they hadn't previously issued a patch for Squid 2.6 which is old and not officially supported by them. Now they have. Could this patch please be incorporated into the Debian distribution. Andrew -------------------------------- Andrew McNaughton | System Administration Support Officer Squiz Support | http://www.squiz.net.au/ ---------------------- snip -------------------------- Subject: Re: Heads Up: XSS security issue in cachemgr.cgi From: Henrik Nordstrom <[email protected]> Date: Wed, 28 Oct 2009 01:15:06 +0100 Thanks for your heads up. Fortunately for us it's just old news with a new heading. http://bugs.squid-cache.org/show_bug.cgi?id=2365 Fixed in 2.7.STABLE3 3.0.STABLE8 3.1.0.1 all released about a year ago. I have now back ported this change to 2.6 as well and the patch will shortly be available at http://www.squid-cache.org/Versions/v2/2.6/changesets/ will be exactly the same patch as what was published for 2.7 at http://www.squid-cache.org/Versions/v2/2.7/changesets/12244.patch Please note that 2.6 is no longer officially supported by squid-cache.org since last summer when 2.7 was released, but we still collect relevant bug fixes and release new 2.6 releases as we know many distributions for stupid policy reasons can not upgrade. Regards Henrik ---------------------- snip -------------------------- -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

