[pkg-squid-devel] Squid 3.5.15

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 1 06:18:07 UTC 2016


Hi guys,

 I have just now git push'ed the upstream patch for Bug 4447 which was
making me put the brakes on rollout of fixes to CVE-2016-2569, 2570,
2571, 2572.

As far as I know the code in the Debian repo is ready for upload and use.

Upstream we still have a small list of side effects to resolve. But that
is kind of normal for such a risky CVE fix and none of them seem major
in their impact.


As for backporting:
 the CVE-2016-2570 patch was trivial, final for that issue and should
work well in any Squid providing class SBuf.

 the other CVE fixes to 3.4 and older may be possible, but will require
someone to well test the result. The older Squid versions have
incrementally less and less of the required exception catch and handling
the further back they go.

Upstream we are intending to focus resources on a better long-term fix
rather than backporting a fairly risky workaround.

Cheers,
Amos
