Bug#848493: marked as done (squid3: CVE-2016-10002: SQUID-2016:11: Information disclosure in HTTP Request processing)

2016-12-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Dec 2016 21:02:20 +
with message-id 
and subject line Bug#848493: fixed in squid3 3.4.8-6+deb8u4
has caused the Debian Bug report #848493,
regarding squid3: CVE-2016-10002: SQUID-2016:11: Information disclosure in HTTP 
Request processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
848493: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848493
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: squid3
Version: 3.4.8-6
Severity: important
Tags: security upstream patch fixed-upstream

Hi

From http://www.squid-cache.org/Advisories/SQUID-2016_11.txt

> Problem Description:
> 
>  Due to incorrect HTTP conditional request handling Squid can
>  deliver responses containing private data to clients it should
>  not have reached.

A CVE has been requested in 
http://www.openwall.com/lists/oss-security/2016/12/17/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: squid3
Source-Version: 3.4.8-6+deb8u4

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 18 Dec 2016 11:47:19 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: all source
Version: 3.4.8-6+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano 
Changed-By: Salvatore Bonaccorso 
Closes: 819563 848493
Description: 
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3 - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.4.8-6+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cache_peer login=PASS(THRU) after CVE-2015-5400.
     Thanks to Amos Jeffries (Closes: #819563)
   * CVE-2016-10002: Information disclosure in HTTP Request processing
     (Closes: #848493)

Bug#848493: marked as done (squid3: CVE-2016-10002: SQUID-2016:11: Information disclosure in HTTP Request processing)

2016-12-18 Thread Debian Bug Tracking System
Your message dated Mon, 19 Dec 2016 00:07:24 +
with message-id 
and subject line Bug#848493: fixed in squid3 3.5.23-1
has caused the Debian Bug report #848493,
regarding squid3: CVE-2016-10002: SQUID-2016:11: Information disclosure in HTTP 
Request processing
to be marked as done.

--- Begin Message ---
Source: squid3
Source-Version: 3.5.23-1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano  (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 18 Dec 2016 23:39:24 +0200
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source amd64 all
Version: 3.5.23-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano 
Changed-By: Luigi Gangitano 
Description:
 squid  - Full featured Web Proxy cache (HTTP proxy)
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid-dbg  - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3 - Transitional package
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 793473 822952 848491 848493
Changes:
 squid3 (3.5.23-1) unstable; urgency=high
 .
   [ Amos Jeffries ]
   * New Upstream Release (Closes: #793473, #822952)
     - Fixes security issue SQUID-2016:10 (CVE-2016-10003) (Closes: #848491)
     - Fixes security issue SQUID-2016:11 (CVE-2016-10002) (Closes: #848493)
 .
   * debian/patches/
     - Remove patch included upstream
 .
   * debian/tests/
     - Use package build-deps when testing so the make commands will work