Accepted squid3 3.4.8-6+deb8u9 (source all amd64) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Dec 2019 13:03:24 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: source all amd64
Version: 3.4.8-6+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.4.8-6+deb8u9) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-12526:
     URN response handling in Squid suffers from a heap-based buffer overflow.
     When receiving data from a remote server in response to an URN request,
     Squid fails to ensure that the response can fit within the buffer. This
     leads to attacker controlled data overflowing in the heap.
   * Fix CVE-2019-18677:
     When the append_domain setting is used (because the appended characters do
     not properly interact with hostname length restrictions), it can
     inappropriately redirect traffic to origins it should not be delivered to.
     This happens because of incorrect message processing.
   * Fix CVE-2019-18678:
     A programming error allows attackers to smuggle HTTP requests through
     frontend software to a Squid instance that splits the HTTP Request pipeline
     differently. The resulting Response messages corrupt caches (between a
     client and Squid) with attacker-controlled content at arbitrary URLs.
     Effects are isolated to software between the attacker client and Squid.
     There are no effects on Squid itself, nor on any upstream servers. The
     issue is related to a request header containing whitespace between a header
     name and a colon.
   * Fix CVE-2019-18679:
     Due to incorrect data management, Squid is vulnerable to information
     disclosure when processing HTTP Digest Authentication. Nonce tokens contain
     the raw byte value of a pointer that sits within heap memory allocation.
     This information reduces ASLR protections and may aid attackers isolating
     memory areas to target for remote code execution attacks.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----