Univention Bugzilla – Bug 46392
squid3: Multiple issues (4.2)
Last modified: 2018-05-08 14:57:05 CEST
New Debian squid3 3.4.8-6+deb8u5A~4.2.3.201802251109 fixes: This update addresses the following issues: * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024) * Fix indirect IP logging for transactions without a client connection (CVE-2018-1000027) CVE-2018-1000024 squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service CVE-2018-1000027 squid: Incorrect pointer handling in HTTP processing and certificate download can lead to denial of service
r18027 | Bug #46392: squid3_3.4.8-6+deb8u5 Drop patch as it only was a work-around for the old tool chain - the patch no longer applies as debian/patches/series no longer matches. Package: squid3 Version: 3.4.8-6+deb8u5A~4.2.3.201802251653 Branch: ucs_4.2-0 Scope: errata4.2-3 ec32abc5cb Bug #46392: squid3_3.4.8-6+deb8u5 YAML
--- mirror/ftp/4.2/unmaintained/4.2-0/source/squid3_3.4.8-6+deb8u4A~4.2.0.201704011633.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/squid3_3.4.8-6+deb8u5A~4.2.3.201802251653.dsc @@ -1,10 +1,17 @@ -3.4.8-6+deb8u4A~4.2.0.201704011633 [Sat, 01 Apr 2017 16:33:23 +0200] Univention builddaemon <buildd@univention.de>: +3.4.8-6+deb8u5A~4.2.3.201802251653 [Sun, 25 Feb 2018 17:07:39 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package - 000-fails-to-build-on-dimma 001-enable-ssl 003-posinst-config-change 005-squid-4-14311 + +3.4.8-6+deb8u5 [Sun, 18 Feb 2018 17:20:03 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024) + (Closes: #888719) + * Fix indirect IP logging for transactions without a client connection + (CVE-2018-1000027) (Closes: #888720) 3.4.8-6+deb8u4 [Sun, 18 Dec 2016 11:47:19 +0100] Salvatore Bonaccorso <carnil@debian.org>:
* Obsolete UCS patch dropped: squid3/4.2-0-0-ucs/3.4.8-6+deb8u4/000-fails-to-build-on-dimma.patch * All other UCS specific patches applied during rebuilt * Comparison to previously shipped version ok * Binary package installation Ok * Advisory Ok
<http://errata.software-univention.de/ucs/4.2/401.html>