[pkg-squid-devel] squid3_3.4.8-6+deb8u1 - Fix for CVE-2015-5400
Luigi Gangitano
luigi at debian.org
Mon Aug 10 09:44:24 UTC 2015
Hi Salvatore,
> On 02 Aug 2015, at 17:07, Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> Hi,
>
> On Thu, Jul 30, 2015 at 10:50:59PM +0200, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> On Mon, Jul 27, 2015 at 10:30:13PM +0200, Moritz Mühlenhoff wrote:
>>> On Mon, Jul 27, 2015 at 10:04:15PM +0200, Salvatore Bonaccorso wrote:
>>>> It looks like Raphael (buxy) tried to work on the backport, see
>>>> https://lists.debian.org/debian-lts/2015/07/msg00082.html . How would
>>>> it be to slightly wait for an update/progress/confirmation from
>>>> upstream there and possibly as well do the backport for the
>>>> wheezy-version? And if nothing happens within 1-2 days, just mark it
>>>> as <no-dsa> (Too intrusive to backport) for wheezy and only release
>>>> the DSA for jessie-security?
>>>
>>> Sure.
>>
>> Luigi, I haven't looked closer but Raphael Hertzog prepared a backport
>> for squeeze-lts for an older version and Amos had reviewed it. Maybe it
>> would be based on that possible to backport as well for
>> wheezy-security the fix?
>>
>> Although I'm not clear exactly about the impact of the issue itself,
>> so cannot comment if it is worth of.
>
> I uploaded the attached debdiff (with patch now provided upstream in
> [1]) to security-master for the wheezy-security version, the patch
> needed only a refresh for offsets. It would be great to have it
> additionally tested, but Amos did so for the version in squeeze-lts
> (3.1.6-1.2+squeeze5) without noticing a problem, so we should be fine.
>
> [1] http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch
Thanks for taking care of this in my place.
Regards,
L
--
Luigi Gangitano -- <luigi at debian.org> -- <gangitano at lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED