On 23/07/2015 11:37 a.m., Ben Hutchings wrote:
> On Thu, 2015-07-23 at 01:09 +0200, Luigi Gangitano wrote:
>>>
>>> On 23/Jul/2015, at 00:07, Ben Hutchings wrote:
>>>
>>> On Wed, 2015-07-22 at 23:02 +0200, Luigi Gangitano wrote:
>>>> Hi Ben,
>>>>
>>>> Thanks for the heads up on LTS security issues in squid3.
>>>>
>>>> We’ve already prepared an update for CVE-2015-5400 for jessie and are
>>>> willing to contribute an update for squeeze too. The link you sent me
>>>> is not working so I’m unable to check if other security issues are
>>>> open and co-ordinate a single package update.
>>>
>>> Sorry, I think this was the issue covered by
>>> .
>>> That was removed from the tracker by
>>>
>>> as it doesn't actually affect the Debian package.
>>
>> Ok, so no need for an updated squid3 in LTS?
>
> The squeeze-lts version does seem to be affected by CVE-2015-5400.
>
> Ben.
>

Yes it is. All squid and squid3 packages older than 3.5.6 are affected. Just varies between packages about which part of the code is actively broken (src/tunnel.cc in Squid3, src/ssl.c in squid).

FYI, the available fix patch depends on other bug fixes and a feature only added to Squid in 3.4. The older Squid versions need almost complete redesign of the patch during backport. That redesign has proven non-trivial and halted the (brief) two attempts I've made at it so far.

Anyone wanting to dig in and assist is welcome. I can offer naming credits in the official Advisory document, and gratitude from all distros for a working Squid 3.3 or earlier patch.

Amos Jeffries
Squid Project (upstream)