Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release Team,

Please unblock package squid3.

The previous fix for CVE-2012-5643 and CVE-2013-0189, uploaded as 3.1.20-2.1, caused cachemgr.cgi to always crash when supplying auth credentials. Upstream provided a patch, which was uploaded as 3.1.20-2.2. See: #701123

The full debdiff against the current version in testing is attached.

Would it be possible to get an unblock for squid3?

unblock squid3/3.1.20-2.2

Regards,
Salvatore
Base version: squid3_3.1.20-2.1 from testing Target version: squid3_3.1.20-2.2 from unstable No hints in place. Excuses: changelog | 10 ++++++ patches/fix-701123-regression-in-cachemgr.patch | 39 ++++++++++++++++++++++++ patches/series | 1 3 files changed, 50 insertions(+) gpgv: keyblock resource `/home/carnil/.gnupg/trustedkeys.gpg': file open error gpgv: Signature made Tue 05 Feb 2013 10:18:19 PM UTC using RSA key ID 4AC8EE1D gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on /tmp/tmpPcyNcv/squid3_3.1.20-2.1.dsc gpgv: keyblock resource `/home/carnil/.gnupg/trustedkeys.gpg': file open error gpgv: Signature made Sat 23 Feb 2013 02:13:52 PM UTC using RSA key ID 7FD863FE gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on /tmp/tmpPcyNcv/squid3_3.1.20-2.2.dsc diff -Nru squid3-3.1.20/debian/changelog squid3-3.1.20/debian/changelog --- squid3-3.1.20/debian/changelog 2013-02-05 22:16:28.000000000 +0000 +++ squid3-3.1.20/debian/changelog 2013-02-23 14:07:26.000000000 +0000 @@ -1,3 +1,13 @@ +squid3 (3.1.20-2.2) unstable; urgency=low + + * Non-maintainer upload. + * Add fix-701123-regression-in-cachemgr.patch patch. + Fix missing bits in the fix for CVE-2012-5643 and CVE-2013-0189 causing + cachemgr.cgi crashing when authentication credentials are supplied. + Thanks to Amos Jeffries <a...@treenet.co.nz> (Closes: #701123) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Feb 2013 13:44:48 +0100 + squid3 (3.1.20-2.1) unstable; urgency=high * Non-maintainer upload diff -Nru squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch --- squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 2013-02-23 14:07:26.000000000 +0000 
@@ -0,0 +1,39 @@ +Description: Fix regression in cachemgr.cgi + Fix regression introduced by the patches for CVE-2012-5643 and + CVE-2013-0189. Apply further patch provided by upstream. +Origin: upstream, http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10486.patch +Bug: http://bugs.squid-cache.org/show_bug.cgi?id=3790 +Bug-Debian: http://bugs.debian.org/701123 +Forwarded: not-needed +Author: Reinhard Sojka <reinhard.so...@parlament.gv.at> +Last-Update: 2013-02-23 +Applied-Upstream: yes + +--- a/tools/cachemgr.cc ++++ b/tools/cachemgr.cc +@@ -1162,7 +1162,6 @@ + { + static char buf[1024]; + size_t stringLength = 0; +- const char *str64; + + if (!req->passwd) + return ""; +@@ -1171,15 +1170,12 @@ + req->user_name ? req->user_name : "", + req->passwd); + +- str64 = base64_encode(buf); +- +- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64); ++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf)); + + assert(stringLength < sizeof(buf)); + +- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64); ++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf)); + +- xxfree(str64); + return buf; + } + diff -Nru squid3-3.1.20/debian/patches/series squid3-3.1.20/debian/patches/series --- squid3-3.1.20/debian/patches/series 2013-02-05 21:53:05.000000000 +0000 +++ squid3-3.1.20/debian/patches/series 2013-02-23 14:07:26.000000000 +0000 @@ -3,3 +3,4 @@ 15-cachemgr-default-config.patch 20-ipv6-fix 30-CVE-2012-5643-CVE-2013-0189.patch +fix-701123-regression-in-cachemgr.patch Hints needed: unblock squid3/3.1.20-2.2
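Review bot: in the second `tools/cachemgr.cc` hunk of fix-701123-regression-in-cachemgr.patch, the replacement Proxy-Authorization line calls `base64_encode(buf)` a second time after the preceding `snprintf(buf, ...)` has already overwritten `buf` with the `Authorization: Basic ...` header, so the second header encodes that header text rather than the user:password string that the removed `str64` carried; the first call only works because the argument is evaluated before `snprintf` writes into `buf`. The crash this patch addresses is tied to the removed `xxfree(str64)`, not to reusing the encoded value, so the smaller change is to keep `const char *str64 = base64_encode(buf);` and use `str64` in both `snprintf` calls while dropping only the `xxfree(str64)` line, provided the 3.1 `base64_encode` returns storage the caller must not free (the ownership contract is not visible in this hunk and should be confirmed against the 3.1 implementation before upload).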