1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4122-1] squid3 security update

    From Salvatore Bonaccorso@1:229/2 to All on Fri Feb 23 00:50:02 2018
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4122-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 23, 2018 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : squid3
    CVE ID : CVE-2018-1000024 CVE-2018-1000027
    Debian Bug : 888719 888720

    Several vulnerabilities have been discovered in Squid3, a fully featured
    web proxy cache. The Common Vulnerabilities and Exposures project
    identifies the following issues:

    CVE-2018-1000024

    Louis Dion-Marcil discovered that Squid does not properly handle
    processing of certain ESI responses. A remote server delivering
    certain ESI response syntax can take advantage of this flaw to cause
    a denial of service for all clients accessing the Squid service.
    This problem is limited to the Squid custom ESI parser.

    http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

    CVE-2018-1000027

    Louis Dion-Marcil discovered that Squid is prone to a denial of
    service vulnerability when processing ESI responses or downloading
    intermediate CA certificates. A remote attacker can take advantage
    of this flaw to cause a denial of service for all clients accessing
    the Squid service.

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

    For the oldstable distribution (jessie), these problems have been fixed
    in version 3.4.8-6+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in version 3.5.23-5+deb9u1.

    We recommend that you upgrade your squid3 packages.

    For the detailed security status of squid3 please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/squid3

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqPVb9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RGOw//Yr5/j5S5xNQEM7HI+6mBcPEczGMFgUxYas9lQpaNlcD8Rxx+5sozlya7 pCr+SB0IcPfKzdB+1DhpmHUBr+AsAA6OHyf7xtgG0dPAq5SX+sHz1CbO3110k8j+ rdUotCf+xhLQ+2q8Cbi9YfQd5EPpdtzx/8cXVQomTcXt2nmHIlk91rNOZs0/gg2D WAAaeV3SEcR8mzLfWRqUSqSutdCGboOSbhHl7zeTdm9cPAYXrbRBmjjAisxcMSdy 1PeHmaoqlp1/dwMWUWu4qXeT2yT92BFjhj1dHvUlpbdJtvvRohD3WjORBIBe9Gc+ eWxKrpVR4d9lyb8ipsf2nt+/b+v5jkvrg9W3yL0HEKjPa54wr92kGArb948A3vPJ YWbomuwhhKW0DIqI1nES9R2XzZZgFo1DZpXmchYqM+sC2e8+rUBmfn9MUVOWG/9U X5JMhKiNHpIYTf9bKSqc4OSbtL+nJ5uY2g6+HrElwI/319CPxxdfr9iplP10ITVX ofjZecqjT24Nfra5ZvN6Pscpg9E34xgpd9fzOPgB7bq3BemYDT2GDaB/o3TXsVTO 4j84gg+9b68PICJgqsRdFAuiseycRZbXnzdvbBWB0mcKileFUIyZn+o9v4TQzWt+ +6Ebi7CpnEAttJ2Cyhw32B3XUuLQoBy/CWdruaFrEJu/EMr/ZxU=
    =mMK9
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)