Public bug reported:

Binary package hint: dansguardian

The current version (2.9.9.7) is "near" stable. The dansguardian team
has released several stable releases, including a security workaround
for the squid vulnerability in version DansGuardian 2.10.1.1 (US-CERT
VU#435052).

Excerpt from the dansguardian changelog:

Thu 11th September 2008 - DansGuardian 2.9.9.8
Assume that content with no Content-Type header is HTML, so that it doesn't
bypass the phrase filter. Fix some incorrect usage of integer types in
ListManager and ListContainer which can lead to crashes in some rare cases.
Escape certain characters in URLs when displaying the HTML template to prevent
XSS. Don't add responses other than "200 OK" to the clean URL cache.

Wed 8th October 2008 - DansGuardian 2.10 - STABLE!
Fixed handling of content with no MIME type: it will be phrase filtered, but no
Content-Type header will be inserted into the response, so a browser's own
automatic type detection doesn't get interfered with. Fixed a performance issue
with CONNECT requests being incorrectly marked as persistent, identified by
Jason Deasi. Updated the man page (Jens Wilke) and French messages file
(Jeanuel). Clarifications to some of the included documents (INSTALL,
UPGRADING). Considered stable (future planned changes are fairly wide reaching,
so work will continue in a new series of beta releases).

Tue 21st October 2008 - DansGuardian 2.10.0.1 - stable
Improve malformed URL detection (dc2008.de no longer incorrectly classed as
malformed). Improve persistent connection detection, correcting some situations
in which DG would return a blank page to browsers. Updated "proxies" weighted
phrase list. Updated Chinese Big-5 messages file from Vicente Chua.

Wed 26th November 2008 - DansGuardian 2.10.0.2 - stable
Fix persistent connection detection to resolve issues with HTTP 1.1 browsers
(Firefox), NTLM authentication and HTTPS websites. Change supported syntax for
blocking HTTPS site access by IP to match that documented in the default
bannedsitelist (use "*ips", as documented, NOT "**ips").

Wed 21st January 2009 - DansGuardian 2.10.0.3 - stable
uClibc++ compilation patch from Natanael Copa. Fix crash on exit when running
out of memory during phrase tree preparation, from Victor Stinner. Clean up
destructors for various objects, removing code duplication with reset()
methods. Compilation fixes from Jeffrey A. Young. Better handling of whitespace
(tab characters) in configuration files. Fix HTTPS access for unauthenticated
users when using basic or NTLM authentication plugins. Reload list files on
soft restart if cached (".processed") files have been updated directly, from
Harry Mason. Chop carriage return off useragent strings when "loguseragent" is
enabled. Don't force contents of dansguardianf*.conf files to lower-case on
loading, so as not to destroy the case of group names. Make temporary bypass
cookies valid for subdomains of the original bypassed domain, including
stripping "www.".

Fri 5th June 2009 - DansGuardian 2.10.1.1 - stable
Add "originalip" option to dansguardian.conf, for determining the original
destination IP in transparent proxy set-ups, and ensuring that the destination
domain of the request resolves to that IP. This can help to address a
particular transparent proxy security vulnerability (US-CERT VU#435052), but
because of certain limitations - only implemented on Linux/Netfilter; potential
breakage of websites using round-robin DNS - the code is not enabled by
default. Enable by passing "--enable-orig-ip" to the configure script. Fix a
crash which could occur when dealing with simultaneous incoming connections in
configurations using more than one listening socket. Fix a crash when checking
time limits on item lists. Fix potential usage of uninitialised memory during
phrase filtering.

** Affects: dansguardian (Ubuntu)
Importance: Undecided
Status: New
** Tags: wishlist
--
Wishlist - Please update dansguardian to stable release DansGuardian 2.10.1.1
or newer
https://bugs.launchpad.net/bugs/391090
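
The "originalip" check described in the 2.10.1.1 changelog entry, as an added example (not DansGuardian's own code and not part of the original report): on Linux/Netfilter the proxy reads the pre-REDIRECT destination of the client socket and accepts the request only if the Host name resolves to that address. The function names are hypothetical and the sketch handles IPv4 only.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* value from <linux/netfilter_ipv4.h> */
#endif

/* Ask Netfilter where a REDIRECTed client connection was really going.
 * Returns 0 on success, -1 if fd is not a NAT-redirected IPv4 socket. */
int original_dst(int fd, struct sockaddr_in *out)
{
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, out, &len);
}

/* Return 1 only if one of the IPv4 addresses in `res` equals the original
 * destination; an empty or non-matching list fails closed. Round-robin DNS
 * can produce false mismatches here, the limitation the changelog mentions. */
int host_matches_dst(const struct addrinfo *res, const struct sockaddr_in *dst)
{
    for (; res != NULL; res = res->ai_next) {
        if (res->ai_family != AF_INET || res->ai_addr == NULL)
            continue;
        const struct sockaddr_in *a = (const struct sockaddr_in *)res->ai_addr;
        if (a->sin_addr.s_addr == dst->sin_addr.s_addr)
            return 1;
    }
    return 0;
}

/* Resolve the Host header value and compare it with the original
 * destination. Returns 1 = consistent, 0 = mismatch or lookup failure. */
int check_request(const char *host, const struct sockaddr_in *dst)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;
    int ok = host_matches_dst(res, dst);
    freeaddrinfo(res);
    return ok;
}
```

A proxy would call original_dst() on each accepted client socket and refuse to forward when check_request() returns 0 for the request's Host value.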