lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1ZMMQ0-00033g-N6@master.debian.org>
Date: Mon, 03 Aug 2015 20:33:08 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 3327-1] squid3 security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3327-1                   security@...ian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 03, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid3
CVE ID         : CVE-2015-5400
Debian Bug     : 793128

Alex Rousskov of The Measurement Factory discovered that Squid3, a fully
featured web proxy cache, does not correctly handle CONNECT method peer
responses when configured with cache_peer and operating on explicit
proxy traffic. This could allow remote clients to gain unrestricted
access through a gateway proxy to its backend proxy.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.1.20-2.2+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 3.4.8-6+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.5.6-1.

We recommend that you upgrade your squid3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVv86kAAoJEAVMuPMTQ89EKdMP/3uVJrVDZAMdx7BNfQn9G+Pr
JkbXtWxwatbzvzErfWWEBBcom8muODusQ8z6qhjdArLwJ3UILdHpw1gYK7wn8HDR
F+/5VsvgclleVBfYPjvG24Uw7imWiD0Squfl2NVQDATdBv85gmQiiF8O0akSa0vc
VD30k/HbB4zc/OvmXiPV+vLNGbbpfWDbcLUuEjEHcEtK/VavVySvwfaDGAclwcJT
1L0Yy/c1grYcrdj5P/JmkSItB9x0+RLTwMfU4Q+dj7DAOKDSEgD/3umogb22S8rj
rn+JcIC7fxWZhQIZb/Q4+ZiePE27nk2hFICE1szkUtd55xSWt6rDtESuhWOkXBPG
NGL65xuQ35rai46X3jJ6XOLt22DORj4o/PpHrDk7ftInHfhPRxzL8rlV6xgfK+7M
Kxj1XOcUE+PyXe7vpzUb4XioO5e6EiJVpIUDLErMeccUFB3Dy6tHBiwkn7iXPu/b
jKt+gH8qVQgQKTgs2qI/ygnAYhU06ifnDRMfP06YaVHVjFE6h0zxYtvoMOjqFo5K
7jS95J+nQD5T6URFvFdeeFmetfNnUkb704e4pI0KXOypwq5MQUZJr56+DToDYDXj
760+sAsNZmB2jGZuzJEHdQRAB0wJxtLC7RiR84ZiYvmFhE2w1sSj3TnIhNPZI8t2
c1jHRhiJZT4Y8WfUl5l3
=ma/b
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ