Re: IMPORTEND squid3 stable needs update

2016-01-26 Thread Chris Bannister
On Fri, Jan 22, 2016 at 09:37:52PM +0300, Michael Tokarev wrote:
> 15.01.2016 22:47, startrekfan wrote:
> 
> > *squid3 Version 3.4.8* is deployed in the Jessie stable
> > repository.*This version is outdated and has some security risks!!*.
> > Version 3.5 is more secure but unfortunately it's only marked as
> > unstable
> 
> I wonder how many times this question should be asked.

Hopefully only once.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X



Re: IMPORTEND squid3 stable needs update

2016-01-26 Thread Charlie Kravetz

On Tue, 26 Jan 2016 22:17:54 +1300
Chris Bannister wrote:

>On Fri, Jan 22, 2016 at 09:37:52PM +0300, Michael Tokarev wrote:
>> 15.01.2016 22:47, startrekfan wrote:
>>   
>> > *squid3 Version 3.4.8* is deployed in the Jessie stable
>> > repository.*This version is outdated and has some security risks!!*.
>> > Version 3.5 is more secure but unfortunately it's only marked as
>> > unstable  
>> 
>> I wonder how many times this question should be asked.  
>
>Hopefully only once.
>
It has been posted to several mailing lists. Developers answered on at
least one.


- -- 
Charlie Kravetz
Linux Registered User Number 425914
[http://linuxcounter.net/user/425914.html]
Never let anyone steal your DREAM.   [http://keepingdreams.com]


Re: IMPORTEND squid3 stable needs update

2016-01-22 Thread Michael Tokarev
15.01.2016 22:47, startrekfan wrote:

> *squid3 Version 3.4.8* is deployed in the Jessie stable repository.*This 
> version is outdated and has some security risks!!*. Version 3.5 is more 
> secure but unfortunately it's only marked as unstable

I wonder how many times this question should be asked.
It has been answered multiple times previously.

/mjt



Re: IMPORTEND squid3 stable needs update

2016-01-22 Thread Luigi Gangitano
Hi,

The link you provided refers to an issue with proxy certificates for SSL 
interception. This feature is disabled in Debian squid3 package due to 
licensing issues with OpenSSL, thus this is not a bug in Debian squid3 packages.

The only way this bug could affect a Debian user would be if the user had 
recompiled squid3 with OpenSSL support. I’m sure you understand that we cannot 
provide support for any custom built package.

Is there any other security issue in Debian squid3 package that you are aware 
of?

Squid3 in Debian is in very good shape because Amos Jeffrey, one of the 
upstream developers is directly involved in packaging squid3 for Debian and is 
doing an excellent job keeping up with upstream fixes.

Best regards,

L

--
Luigi Gangitano
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED

> On 22 Jan 2016, at 09:20, startrekfan wrote:
> 
> I didn't subscribe to the mailing list. So please put my mail address into 
> cc. thanks.
> 
> I think I found a security issue that is not fixed in debian squid 3.4.8. 
> Squid 3.4 seems to use the sha1 algorithm for dynamic certificate generation. 
> Sha1 is unsafe. This seems to be fixed only in squid 3.5
> 
> ref: https://forum.pfsense.org/index.php?topic=99141.0 
>  (I think it's the same 
> problem with debian jessie. The certificates are only generated with sha1)
> 
> 2016-01-18 12:53 GMT+01:00 Martin Wuertele:
> 
> * startrekfan [2016-01-15 23:39]:
> 
> > squid3 3.4.8 has some security issues(risks)/bugs so an upgrade to 3.5 is
> > actually only a fix of these bugs/security issues. There is no patch for
> > 3.4.8 because it's outdated. Debian Jessie is the current active release.
> > So why not fix squid3 in Debian Jessie with a stable 3.5 update?
> 
> Not the version in Debian. All bugfixes are backported. Check the
> changelog, security tracker,...
> 


Re: IMPORTEND squid3 stable needs update

2016-01-22 Thread startrekfan
I didn't subscribe to the mailing list. So* please put my mail address
into cc*. thanks.

I think I found a security issue that is not fixed in debian squid 3.4.8.
Squid 3.4 seems to use the sha1 algorithm for dynamic certificate
generation. Sha1 is unsafe. This seems to be fixed only in squid 3.5

ref: https://forum.pfsense.org/index.php?topic=99141.0 (I think it's the
same problem with debian jessie. The certificates are only generated with
sha1)

2016-01-18 12:53 GMT+01:00 Martin Wuertele:

>
> * startrekfan [2016-01-15 23:39]:
>
> > squid3 3.4.8 has some security issues(risks)/bugs so an upgrade to 3.5 is
> > actually only a fix of these bugs/security issues. There is no patch for
> > 3.4.8 because it's outdated. Debian Jessie is the current active release.
> > So why not fix squid3 in Debian Jessie with a stable 3.5 update?
>
> Not the version in Debian. All bugfixes are backported. Check the
> changelog, security tracker,...
>
>



Re: IMPORTEND squid3 stable needs update

2016-01-18 Thread Axel Beckert
Hi,

startrekfan wrote:
> *squid3 Version 3.4.8* is deployed in the Jessie stable repository.* This
> version is outdated and has some security risks!!*. Version 3.5 is more
> secure but unfortunately it's only marked as unstable

Have you checked
https://packages.qa.debian.org/s/squid3/news/20150804T214706Z.html?

> So I'd like to request to mark Version 3.5 as stable.(But Version 3.5 in
> stable state)

Please read
https://www.debian.org/doc/manuals/debian-faq/ch-getting.en.html#s-updatestable

Regards, Axel
-- 
 ,''`.  |  Axel Beckert, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-|  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Re: IMPORTEND squid3 stable needs update

2016-01-15 Thread Ben Hutchings
On Fri, 2016-01-15 at 19:47 +, startrekfan wrote:
> Hello,
> 
> I'm not sure which mailing list I should choose. So I'll try my luck here.
> 
> I didn't subscribe to the mailing list. So* please put my mail address
> into cc*. thanks.
> 
> *squid3 Version 3.4.8* is deployed in the Jessie stable repository.* This
> version is outdated and has some security risks!!*. Version 3.5 is more
> secure but unfortunately it's only marked as unstable

You seem a bit confused about how Debian releases work.  Within any
stable release, we apply bug fixes only - unless it's impossible for us
to provide security support for the old upstream version.

Our package of squid 3.4.8 does have a security fix on top of the
upstream version: https://tracker.debian.org/news/702659

So far as we know, there are no important security issues still
affecting the version in jessie:
https://security-tracker.debian.org/tracker/source-package/squid3

Do you know otherwise?

Ben.

> So I'd like to request to mark Version 3.5 as stable.(But Version 3.5 in
> stable state)
> 
> thank you
-- 
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.



Re: IMPORTEND squid3 stable needs update

2016-01-15 Thread startrekfan
squid3 3.4.8 has some security issues(risks)/bugs so an upgrade to 3.5 is
actually only a fix of these bugs/security issues. There is no patch for
3.4.8 because it's outdated. Debian Jessie is the current active release.
So why not fix squid3 in Debian Jessie with a stable 3.5 update?

Ben Hutchings wrote on Fri., 15 Jan. 2016 at 21:26:

> On Fri, 2016-01-15 at 19:47 +, startrekfan wrote:
> > Hello,
> >
> > I'm not sure which mailing list I should choose. So I'll try my luck here.
> >
> > I didn't subscribe to the mailing list. So* please put my mail address
> > into cc*. thanks.
> >
> > *squid3 Version 3.4.8* is deployed in the Jessie stable repository.* This
> > version is outdated and has some security risks!!*. Version 3.5 is more
> > secure but unfortunately it's only marked as unstable
>
> You seem a bit confused about how Debian releases work.  Within any
> stable release, we apply bug fixes only - unless it's impossible for us
> to provide security support for the old upstream version.
>
> Our package of squid 3.4.8 does have a security fix on top of the
> upstream version: https://tracker.debian.org/news/702659
>
> So far as we know, there are no important security issues still
> affecting the version in jessie:
> https://security-tracker.debian.org/tracker/source-package/squid3
>
> Do you know otherwise?
>
> Ben.
>
> > So I'd like to request to mark Version 3.5 as stable.(But Version 3.5 in
> > stable state)
> >
> > thank you
> --
> Ben Hutchings
> The program is absolutely right; therefore, the computer must be wrong.


Re: IMPORTEND squid3 stable needs update

2016-01-15 Thread Carsten Schoenert
Hello startrekfan,

please don't do top posting.

On 15.01.2016 at 23:19, startrekfan wrote:
> squid3 3.4.8 has some security issues(risks)/bugs so an upgrade to 3.5 is
> actually only a fix of this bugs/security issues.

Which issues do you refer to? What bugs, in detail? Have you looked into the
links Ben was providing? If you are talking about CVE-2015-5400, you will
see it is fixed and there are no other open issues, but Ben was already
talking about that.

> There is no patch for 3.4.8 because it's outdated.

But it's not impossible to do such a patch, is it? And that's what the
maintainers of Debian packages do on their own if upstream isn't very
helpful. This work ends in security updates. Do you use this feature in
your sources list to get them via apt?

> Debian Jessie is the current active release. So why not fix squid3
> in Debian Jessie with a stable 3.5 update?

Because this isn't needed if you can patch such issues, and it will probably
break other packages if you do such updates without further testing.
Please remember there are over 40,000 packages in the release which need
time to test all such side effects.
Of course not all other packages within Debian depend on squid, but
there are enough. Try it out yourself: 'apt-cache rdepends squid3'.

-- 
Regards
Carsten Schoenert
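As an added example (not code from this thread, from Debian or from the squid project), the following Python check follows Martin's and Carsten's advice to look at the package changelog rather than the upstream version number: it parses a changelog in Debian's format, collects the CVE ids each entry mentions, and applies dpkg's version-ordering rules to decide whether the installed version already contains a backported fix. The changelog text, maintainer, date and Debian revision below are constructed for illustration; only the CVE id comes from the thread.

```python
import re
# Constructed sample changelog in Debian format; the Debian revision, date and
# maintainer are made up for illustration (this is not the real squid3 changelog).
SAMPLE_CHANGELOG = """\
squid3 (3.4.8-6+deb8u1) jessie-security; urgency=high

  * Backport the upstream fix for CVE-2015-5400 (constructed entry).

 -- Example Maintainer <maint@example.org>  Tue, 04 Aug 2015 21:47:06 +0000
"""
ENTRY_RE = re.compile(r'^\S+ \(([^)]+)\) ', re.M)            # "package (version) dist; ..."
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')
VERSION_RE = re.compile(r'^(?:(\d+):)?(.*?)(?:-([^-]*))?$')  # [epoch:]upstream[-revision]

def _order(c):  # dpkg's weights: digits 0, letters by code, '~' before even the end (0), others high
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == '~' else ord(c) + 256

def _verrevcmp(a, b):  # compare alternating non-digit / digit runs the way dpkg does
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == '0': i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == '0': j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # the longer digit run wins
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(v1, v2):  # negative / zero / positive, like `dpkg --compare-versions`
    (e1, u1, r1), (e2, u2, r2) = (VERSION_RE.match(v).groups('') for v in (v1, v2))
    return (int(e1 or 0) - int(e2 or 0)) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def cves_by_version(changelog):  # version -> set of CVE ids mentioned in that entry
    heads = list(ENTRY_RE.finditer(changelog))
    ends = [m.start() for m in heads[1:]] + [len(changelog)]
    return {m.group(1): set(CVE_RE.findall(changelog[m.end():e])) for m, e in zip(heads, ends)}

def fixed_in_installed(changelog, installed, cve):  # is the fix in an entry at or below installed?
    return any(cve in cves and compare_versions(v, installed) <= 0
               for v, cves in cves_by_version(changelog).items())
```

On a real system, feed it the decompressed changelog.Debian.gz from the package's /usr/share/doc directory and the version reported by `dpkg-query -W -f='${Version}' squid3`.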