Your message dated Wed, 2 Nov 2005 16:07:10 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Fwd: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Thu, 20 Oct 2005 15:42:00 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian BTS Submit <[EMAIL PROTECTED]>
Subject: squid: [CVE-2005-3258] remote FTP buffer overflow


Package: squid
Version: 2.5.10-6
Severity: critial
Tags: security patch

Hi Luigi!

There is a new buffer overflow in Squid:

| ======================================================
| Candidate: CVE-2005-3258
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3258
| Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape
|
| The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and
| earlier allows remote FTP servers to cause a denial of service
| (segmentation fault) via certain crafted responses.

(Please note the recent Mitre name change, vulnerabilities now have
the CVE prefix, not CAN any more).

In addition, I just noticed that in version 2.5.10-6 you added a
security patch 46-ntlm-scheme-assert.dpatch which is not actually
applied in 00list. Please add it. (One of the reasons why I hate
dpatch :-/ ).

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
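
A check for the situation described in the report above, where a .dpatch file ships in the package but is not named in 00list and so is never applied. This is an added example, not part of the original message or of the squid packaging; the one-name-per-line list format with `#` comments, the function names `unlisted_dpatches` and `demo`, and the demo directory contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print every *.dpatch file in a patches directory that 00list does not name.
# Assumption: 00list holds one patch name per line, with or without the
# ".dpatch" suffix; blank lines and "#" comments are ignored.
# Returns 0 if all patches are listed, 1 if any are unlisted, 2 if no 00list.
unlisted_dpatches() {
    dir=$1
    [ -f "$dir/00list" ] || { echo "no 00list in $dir" >&2; return 2; }
    # Normalise the list: drop comments, whitespace and the optional suffix.
    listed=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.dpatch$//' \
                 -e '/^$/d' "$dir/00list")
    missing=0
    for f in "$dir"/*.dpatch; do
        [ -e "$f" ] || continue            # directory has no patches at all
        name=$(basename "$f" .dpatch)
        # Exact, whole-line match so "46-foo" does not match "146-foo".
        if ! printf '%s\n' "$listed" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name.dpatch"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed demo: three patches on disk, one of them absent from 00list.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# constructed list' '01-example' '02-example.dpatch' \
        > "$d/00list"
    : > "$d/01-example.dpatch"
    : > "$d/02-example.dpatch"
    : > "$d/46-ntlm-scheme-assert.dpatch"
    unlisted_dpatches "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "patches present on disk but not applied" >&2
```

Run against a real source tree as `unlisted_dpatches debian/patches`; a non-zero exit makes it usable as a pre-upload gate.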


---------------------------------------
From: Luigi Gangitano <[EMAIL PROTECTED]>
Subject: Fwd: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow
Date: Wed, 2 Nov 2005 16:07:10 +0100
To: [EMAIL PROTECTED]

This bug does not apply to any version of squid in debian.

Begin forwarded message:

> Resent-From: Luigi Gangitano <[EMAIL PROTECTED]>
> From: Luigi Gangitano <[EMAIL PROTECTED]>
> Date: 21 October 2005 1:08:55 GMT+02:00
> Resent-To: debian-bugs-dist@lists.debian.org
> To: Martin Pitt <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Resent-Cc: Luigi Gangitano <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow
> Reply-To: Luigi Gangitano <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>
> notfound 334882 2.5.10-6
> notfound 334882 2.5.9-10sarge2
> thanks
>
> Hi Martin,
> thanks for reporting this. Actually this bug was introduced in a  
> patch to squid-2.5.STABLE10 that has never been applied to a debian  
> package. So Debian is not affected. I did not upload any package  
> based on squid-2.5.STABLE11 since upstream stated that this release  
> is known to be badly broken.
>
> I just fixed the missing patch for the previous bug and will upload  
> it shortly.
>
> Regards,
>
> L
>
> On 20 Oct 2005, at 15:42, Martin Pitt wrote:
>
>> Package: squid
>> Version: 2.5.10-6
>> Severity: critial
>> Tags: security patch
>>
>> Hi Luigi!
>>
>> There is a new buffer overflow in Squid:
>>
>> | ======================================================
>> | Candidate: CVE-2005-3258
>> | URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3258
>> | Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape
>> |
>> | The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and
>> | earlier allows remote FTP servers to cause a denial of service
>> | (segmentation fault) via certain crafted responses.
>>
>> (Please note the recent Mitre name change, vulnerabilities now have
>> the CVE prefix, not CAN any more).
>>
>> In addition, I just noticed that in version 2.5.10-6 you added a
>> security patch 46-ntlm-scheme-assert.dpatch which is not actually
>> applied in 00list. Please add it. (One of the reasons why I hate
>> dpatch :-/ ).

-- 
Luigi Gangitano -- <[EMAIL PROTECTED]> -- <[EMAIL PROTECTED]>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26



