[pkg-squid-devel] squid3_3.4.8-6+deb8u1 - Fix for CVE-2015-5400

Luigi Gangitano luigi at debian.org
Mon Aug 10 09:44:24 UTC 2015


Hi Salvatore,

> On 02 Aug 2015, at 17:07, Salvatore Bonaccorso <carnil at debian.org> wrote:
> 
> Hi,
> 
> On Thu, Jul 30, 2015 at 10:50:59PM +0200, Salvatore Bonaccorso wrote:
>> Hi,
>> 
>> On Mon, Jul 27, 2015 at 10:30:13PM +0200, Moritz Mühlenhoff wrote:
>>> On Mon, Jul 27, 2015 at 10:04:15PM +0200, Salvatore Bonaccorso wrote:
>>>> It looks like Raphael (buxy) tried to work on the backport, see
>>>> https://lists.debian.org/debian-lts/2015/07/msg00082.html . How would
>>>> it be to slightly wait for an update/progress/confirmation from
>>>> upstream there and possibly as well do the backport for the
>>>> wheezy-version? And if nothing happens within 1-2 days, just mark it
>>>> as <no-dsa> (Too intrusive to backport) for wheezy and only release
>>>> the DSA for jessie-security?
>>> 
>>> Sure.
>> 
>> Luigi, I haven't looked closer but Raphael Hertzog prepared a backport
>> for squeeze-lts for an older version and Amos had reviewed it. Maybe it
>> would be based on that possible to backport as well for
>> wheezy-security the fix?
>> 
>> Although I'm not clear exactly about the impact of the issue itself,
>> so cannot comment if it is worth it.
> 
> I uploaded the attached debdiff (with patch now provided upstream in
> [1]) to security-master for the wheezy-security version, the patch
> needed only a refresh for offsets.  It would be great to have it
> additionally tested, but Amos did so for the version in squeeze-lts
> (3.1.6-1.2+squeeze5) without noticing a problem, so we should be fine.
> 
> [1] http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch

Thanks for taking care of this in my place.

Regards,

L

--
Luigi Gangitano -- <luigi at debian.org> -- <gangitano at lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED
