Comment 6 for bug 24345

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 21 Oct 2005 01:08:55 +0200
From: Luigi Gangitano <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

notfound 334882 2.5.10-6
notfound 334882 2.5.9-10sarge2
thanks

Hi Martin,
thanks for reporting this. Actually this bug was introduced in a
patch to squid-2.5.STABLE10 that has never been applied to a Debian
package. So Debian is not affected. I did not upload any package
based on squid-2.5.STABLE11 since upstream stated that this release
is known to be badly broken.

I just fixed the missing patch for the previous bug and will upload
it shortly.

Regards,

L

On 20 Oct 2005, at 15:42, Martin Pitt wrote:

> Package: squid
> Version: 2.5.10-6
> Severity: critical
> Tags: security patch
>
> Hi Luigi!
>
> There is a new buffer overflow in Squid:
>
> | ======================================================
> | Candidate: CVE-2005-3258
> | URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3258
> | Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape
> |
> | The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and
> | earlier allows remote FTP servers to cause a denial of service
> | (segmentation fault) via certain crafted responses.
>
> (Please note the recent Mitre name change, vulnerabilities now have
> the CVE prefix, not CAN any more).
>
> In addition, I just noticed that in version 2.5.10-6 you added a
> security patch 46-ntlm-scheme-assert.dpatch which is not actually
> applied in 00list. Please add it. (One of the reasons why I hate
> dpatch :-/ ).

- --
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDWCOK8ZumGJJMDCYRAkl8AJ4+q4bO6tuqooGurq+jFS4atHHadwCdEj13
b1DFe5tCKz1i0OepEwxbuU8=
=VAxc
-----END PGP SIGNATURE-----
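The second point in Martin's report, a security patch shipped in debian/patches but never listed in 00list, is the kind of packaging slip that can be caught mechanically before upload. The script below is an added example for this thread, not code from Debian, Squid or dpatch; it assumes the dpatch convention that 00list names one patch per line, that an entry may appear with or without its .dpatch suffix, and that blank lines and lines beginning with '#' are ignored. The sample patches directory it builds is constructed to mirror the situation described above.

```python
"""Report *.dpatch files in a debian/patches directory that 00list never applies.

Added example, not dpatch's or Debian's own tooling. Assumptions about the
00list format (one patch name per line, optional .dpatch suffix, '#' comments
and blank lines ignored) are the author's, not taken from the thread.
"""
import os
import tempfile


def read_00list(path):
    """Return the set of patch stems named in a dpatch 00list file."""
    names = set()
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            # Assumed format: strip trailing '#' comments and surrounding whitespace.
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            # Entries may be written with or without the .dpatch extension.
            if line.endswith(".dpatch"):
                line = line[: -len(".dpatch")]
            names.add(line)
    return names


def unapplied_dpatches(patch_dir):
    """Return the sorted stems of *.dpatch files in patch_dir absent from 00list."""
    listed = read_00list(os.path.join(patch_dir, "00list"))
    on_disk = {
        name[: -len(".dpatch")]
        for name in os.listdir(patch_dir)
        if name.endswith(".dpatch")
    }
    return sorted(on_disk - listed)


def demo():
    """Build a constructed patches directory that reproduces the slip in the thread.

    Two patch files exist on disk, but 00list only names the first one, so the
    security patch 46-ntlm-scheme-assert.dpatch would never be applied at build.
    """
    tmp = tempfile.mkdtemp()
    for name in ("01-example.dpatch", "46-ntlm-scheme-assert.dpatch"):
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write("#! /bin/sh /usr/share/dpatch/dpatch-run\n")
    with open(os.path.join(tmp, "00list"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample list\n01-example\n")
    return unapplied_dpatches(tmp)


if __name__ == "__main__":
    # Prints the patch that is present on disk but missing from 00list.
    for stem in demo():
        print(f"not applied: {stem}.dpatch")
```

Run against a real source tree with `unapplied_dpatches("debian/patches")`; a non-empty result is the signal that a patch, possibly a security fix, will silently be left out of the build.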