tags 701123 + patch
tags 701123 + pending
thanks

Hi Luigi,
I've prepared an NMU for squid3 (versioned as 3.1.20-2.2) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

The reason I uploaded it already is that, with the previous NMU, there was now a problem in cachemgr.cgi and upstream provided a patch to the BTS. In case you want to proceed yourself, please let me know; I can cancel the NMU.

Regards,
Salvatore
diff -Nru squid3-3.1.20/debian/changelog squid3-3.1.20/debian/changelog --- squid3-3.1.20/debian/changelog 2013-02-05 23:16:28.000000000 +0100 +++ squid3-3.1.20/debian/changelog 2013-02-23 15:07:26.000000000 +0100 @@ -1,3 +1,13 @@ +squid3 (3.1.20-2.2) unstable; urgency=low + + * Non-maintainer upload. + * Add fix-701123-regression-in-cachemgr.patch patch. + Fix missing bits in the fix for CVE-2012-5643 and CVE-2013-0189 causing + cachemgr.cgi crashing when authentication credentials are supplied. + Thanks to Amos Jeffries <a...@treenet.co.nz> (Closes: #701123) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Feb 2013 13:44:48 +0100 + squid3 (3.1.20-2.1) unstable; urgency=high * Non-maintainer upload diff -Nru squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch --- squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 2013-02-23 15:07:26.000000000 +0100 
@@ -0,0 +1,39 @@ +Description: Fix regression in cachemgr.cgi + Fix regression introduced by the patches for CVE-2012-5643 and + CVE-2013-0189. Apply further patch provided by upstream. +Origin: upstream, http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10486.patch +Bug: http://bugs.squid-cache.org/show_bug.cgi?id=3790 +Bug-Debian: http://bugs.debian.org/701123 +Forwarded: not-needed +Author: Reinhard Sojka <reinhard.so...@parlament.gv.at> +Last-Update: 2013-02-23 +Applied-Upstream: yes + +--- a/tools/cachemgr.cc ++++ b/tools/cachemgr.cc +@@ -1162,7 +1162,6 @@ + { + static char buf[1024]; + size_t stringLength = 0; +- const char *str64; + + if (!req->passwd) + return ""; +@@ -1171,15 +1170,12 @@ + req->user_name ? req->user_name : "", + req->passwd); + +- str64 = base64_encode(buf); +- +- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64); ++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf)); + + assert(stringLength < sizeof(buf)); + +- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64); ++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf)); + +- xxfree(str64); + return buf; + } + diff -Nru squid3-3.1.20/debian/patches/series squid3-3.1.20/debian/patches/series --- squid3-3.1.20/debian/patches/series 2013-02-05 22:53:05.000000000 +0100 +++ squid3-3.1.20/debian/patches/series 2013-02-23 15:07:26.000000000 +0100 @@ -3,3 +3,4 @@ 15-cachemgr-default-config.patch 20-ipv6-fix 30-CVE-2012-5643-CVE-2013-0189.patch +fix-701123-regression-in-cachemgr.patch
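Review bot: the debian/changelog entry credits Amos Jeffries for the fix, while the DEP-3 header of the new patch names Reinhard Sojka as Author with an upstream Origin; the two records should agree (credit the upstream changeset author, and separately whoever forwarded it to the BTS, if both apply). The entry also says only that cachemgr.cgi crashes when credentials are supplied; pointing at the removed `xxfree(str64);` call as the functional change would make the history self-explanatory for the next CVE backport.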
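Review bot: in the second hunk of the embedded tools/cachemgr.cc diff, the replacement passes `buf` to `base64_encode()` twice, and the second call runs after the first `snprintf` has already overwritten `buf` with the `Authorization: Basic ...\r\n` line, so the Proxy-Authorization value is an encoding of that header text rather than of the `user:passwd` string the removed `str64` variable carried to both headers. If the intent is only to stop freeing storage that `base64_encode()` owns, keeping `str64 = base64_encode(buf);` and dropping just `xxfree(str64);` preserves the original behaviour for both headers; if `base64_encode()` hands back the same static buffer on every call, copy its result before `buf` is reused. Either way, the patch Description should state why freeing the returned pointer is wrong, since that is what the CVE patch got wrong and what this one silently reverts.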
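Review bot: the existing entries in debian/patches/series carry numeric prefixes (15-, 20-, 30-) that make their application order explicit; the new fix-701123-regression-in-cachemgr.patch drops that convention. Since it amends code touched by 30-CVE-2012-5643-CVE-2013-0189.patch, a name such as 31-fix-701123-regression-in-cachemgr.patch would record that dependency while still applying last, which is the only order in which it applies cleanly.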