Accepted squid3 3.5.23-5+deb9u5 (source) into oldstable
Format: 1.8
Date: Fri, 02 Oct 2020 16:01:53 +0200
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source
Version: 3.5.23-5+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
squid - Full featured Web Proxy cache (HTTP proxy)
squid-cgi - Full featured Web Proxy cache (HTTP proxy) - control CGI
squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
squid-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
squid3 - Transitional package
squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
squid3 (3.5.23-5+deb9u5) stretch-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2020-15049:
An issue was discovered in http/ContentLengthInterpreter.cc in Squid. A
Request Smuggling and Poisoning attack can succeed against the HTTP cache.
The client sends an HTTP request with a Content-Length header containing
"+\ "-" or an uncommon shell whitespace character prefix to the length
field-value.
This update also includes several other improvements to the HttpHeader
parsing code.
* Fix CVE-2020-15810 and CVE-2020-15811:
Due to incorrect data validation, HTTP Request Smuggling attacks may
succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This
allows any client, including browser scripts, to bypass local security and
poison the proxy cache and any downstream caches with content from an
arbitrary source. When configured for relaxed header parsing (the default),
Squid relays headers containing whitespace characters to upstream servers.
When this occurs as a prefix to a Content-Length header, the frame length
specified will be ignored by Squid (allowing for a conflicting length to be
used from another Content-Length header) but relayed upstream.
* Fix CVE-2020-24606:
Squid before allows a trusted peer to perform Denial of Service by
consuming all available CPU cycles during handling of a crafted Cache
Digest response message. This only occurs when cache_peer is used with the
cache digests feature. The problem exists because peerDigestHandleReply()
livelocking in peer_digest.cc mishandles EOF.
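The three smuggling entries above share one root cause: a Content-Length header that is malformed (sign or odd-whitespace prefix on the value, whitespace around the field name) gets ignored by the proxy yet still relayed, so proxy and origin disagree on the message frame. The following is an added illustration, not Squid's code, of the strict framing check a proxy should apply instead; it assumes raw header lines without their CRLF terminators and follows RFC 7230's grammar (Content-Length = 1*DIGIT, field names are tokens, only SP/HTAB is optional whitespace).

```python
import re
from typing import List, Optional, Tuple

# RFC 7230 Content-Length = 1*DIGIT: ASCII digits only, no sign, no whitespace.
_DIGITS = re.compile(rb"\A[0-9]+\Z")
# RFC 7230 field-name = token; whitespace anywhere in it (including before the
# colon, or a leading "obs-fold" blank) is a violation rather than a name.
_TOKEN = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
# Only SP and HTAB count as optional whitespace around a field-value; \v, \f and
# other "shell whitespace" characters must stay in the value and fail _DIGITS.
_OWS = b" \t"


def interpret_content_length(header_lines: List[bytes]) -> Tuple[str, Optional[int]]:
    """Classify the framing of one HTTP message from its raw header lines.

    Returns ("ok", n), ("absent", None) or ("reject", None).  Any defect rejects
    the whole message instead of being ignored-but-relayed: whitespace around
    the field name, a "+"/"-" or unusual-whitespace prefix on the value,
    non-digit characters, or several Content-Length headers that disagree.
    Identical duplicates are tolerated, as RFC 7230 section 3.3.2 permits.
    (Header lines are assumed to arrive without CRLF terminators.)
    """
    lengths = set()
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            # Missing colon or non-token field name (e.g. " Content-Length" or
            # "Content-Length "): cannot be relayed safely, reject the message.
            return "reject", None
        if name.lower() != b"content-length":
            continue
        value = value.strip(_OWS)
        if not _DIGITS.match(value):
            # Covers "+5", "-5", "\x0b5", empty values and embedded garbage.
            return "reject", None
        lengths.add(int(value))
    if not lengths:
        return "absent", None
    if len(lengths) > 1:
        # Conflicting frame lengths are the classic smuggling precondition.
        return "reject", None
    return "ok", lengths.pop()
```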
Checksums-Sha1:
7d6fdce48b61f9cd37e4d93cd294dc777adbad08 2733 squid3_3.5.23-5+deb9u5.dsc
3d4c67d92290f2350840cdeffbf59a5d84473e40 72068 squid3_3.5.23-5+deb9u5.debian.tar.xz
939e490449c5f46f603e0851adae86c9985d3eae 10117 squid3_3.5.23-5+deb9u5_amd64.buildinfo
Checksums-Sha256:
f623a88308fbd664dfb7b1414769287ca5b79e933b26e0a420a54d833e868485 2733 squid3_3.5.23-5+deb9u5.dsc
943159597dfca9d54493af667df1a63fbd04e90a297672fa6650f6b5e1e5a4ce 72068 squid3_3.5.23-5+deb9u5.debian.tar.xz
08935f1d7ad0d41a3a492b67a4949610603e2504ad1a1ad95e0e30113dd38d7e 10117 squid3_3.5.23-5+deb9u5_amd64.buildinfo
Files:
0b60c0bee808a05e59ed8196a0bcdb0f 2733 web optional squid3_3.5.23-5+deb9u5.dsc
409ce3a0182f833079885a61ff34be22 72068 web optional squid3_3.5.23-5+deb9u5.debian.tar.xz
ee779cc7deab18fd1fea2c9cc46c3b54 10117 web optional squid3_3.5.23-5+deb9u5_amd64.buildinfo