CVE-2010-2951 and CVE-2010-3072 still exists in Lucid and CVE-2010-2951 still exists in maverick

squid3 (3.1.6-1.2ubuntu1) natty; urgency=low

  * Merge from debian unstable. (LP: #717654) Remaining changes:
    - debian/squid3.ufw.profile: Provide ufw profile
  * debian/patches/18-fix-ftbfs-binutils-gold.dpatch: Add sasl2 and kerberos
    library in LDADD to fix FTBFS binutils-gold with --as-needed. (LP: #717653)

squid3 (3.1.6-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Fix DoS while processing large DNS replies with no IPv6 resolver present
    (CVE-2010-2951) (Closes: #599709)
 -- Mahyuddin Susanto <email address hidden> Sun, 13 Feb 2011 00:43:10 +0700

Subscribed ubuntu-security-sponsors since this is a security fix for a stable release at this point.

Mahyuddin, thanks for the debdiffs! The lucid debdiff should use a version of 3.0.STABLE19-1ubuntu0.1 as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging. More importantly, the lucid package FTBFS (fails to build from source). It looks like you just copied over the natty patches for these issues and created a source package for lucid. The 3.0 and 3.1 code bases are different and the 3.1 patch for CVE-2010-3072 needs to be adjusted. Please adjust and resubmit, detailing the testing performed.

NAK

ACK maverick patch.

Uploaded maverick package to security PPA. Will publish when it is done building.

Unsubscribing ubuntu-security-sponsors. Please resubscribe after updating the lucid patch.

This bug was fixed in the package squid3 - 3.1.6-1.1ubuntu1.1

---------------
squid3 (3.1.6-1.1ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: Fix DoS while processing large DNS replies with no
    IPv6 resolver present. (LP: #718127)
    - debian/patches/17-CVE-2010-2951.dpatch
    - CVE-2010-2951
    - http://bugs.squid-cache.org/show_bug.cgi?id=3009
 -- Mahyuddin Susanto <email address hidden> Sun, 13 Feb 2011 19:41:58 +0700

2010-2951 is not relevant to the Lucid package (3.0 series) which does not attempt DNS over IPv6.

2010-3072 correct patch for Lucid package version as referenced by the upstream advisory can be found at http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch

Also,
  Please consider 3.1.10 package (now in Natty) for back-porting as a whole to Maverick. There are a great deal of related stability fixes over 3.1.6 which the user base require to prevent indirect problems even if the direct attack vulnerability is fixed.

Amos, squid3 is a community supported package. If you would like to see an update to 3.1.10 in maverick, please file a new bug and follow https://wiki.ubuntu.com/StableReleaseUpdates to prepare an update. Thanks!

applying patch 01-cf.data.debian to ./ ... ok.
applying patch 02-makefile-defaults to ./ ... ok.
applying patch CVE-2010-3072 to ./ ... ok.

Ready to upload

Mahyuddin, thank you for the updated patch. It should use 'lucid-security' for the distribution name and had whitespace changes when compared to the upstream patch. It is important to not introduce whitespace changes as future updates may not apply cleanly.

I have adjusted both of these and am uploading now.

This bug was fixed in the package squid3 - 3.0.STABLE19-1ubuntu0.1

---------------
squid3 (3.0.STABLE19-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix DoS due to wrong string handling. (LP: #718127)
    - debian/patches/CVE-2010-3072.dpatch
    - CVE-2010-3072
    - http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
 -- Mahyuddin Susanto <email address hidden> Thu, 17 Feb 2011 00:06:24 +0700