Your message dated Tue, 8 Mar 2011 23:46:53 +0100
with message-id <[email protected]>
and subject line Closing old bug
has caused the Debian Bug report #553084,
regarding Cross Site Scripting bug in squid-cgi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
553084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: squid-cgi
Version: 2.6.5-6etch4

Debian GNU/Linux 4.0 \n \l
Linux xxxx-web01 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008
x86_64 GNU/Linux


There's a cross site scripting (XSS) bug in cachemgr.cgi.  I raised this
with the squid maintainers.  The issue was known already, but they
hadn't previously issued a patch for Squid 2.6 which is old and not
officially supported by them.  Now they have.

Could this patch please be incorporated into the Debian distribution?


Andrew

--------------------------------
Andrew McNaughton | System Administration Support Officer
Squiz Support | http://www.squiz.net.au/



---------------------- snip --------------------------
Subject: Re: Heads Up: XSS security issue in cachemgr.cgi
From: Henrik Nordstrom <[email protected]>
Date: Wed, 28 Oct 2009 01:15:06 +0100

Thanks for your heads up. Fortunately for us it's just old news with a
new heading.

  http://bugs.squid-cache.org/show_bug.cgi?id=2365

Fixed in

   2.7.STABLE3
   3.0.STABLE8
   3.1.0.1

all released about a year ago.

I have now back ported this change to 2.6 as well and the patch will
shortly be available at

  http://www.squid-cache.org/Versions/v2/2.6/changesets/

will be exactly the same patch as what was published for 2.7 at

  http://www.squid-cache.org/Versions/v2/2.7/changesets/12244.patch


Please note that 2.6 is no longer officially supported by
squid-cache.org since last summer when 2.7 was released, but we still
collect relevant bug fixes and release new 2.6 releases as we know many
distributions for stupid policy reasons can not upgrade.

Regards
Henrik
---------------------- snip --------------------------







--- End Message ---
--- Begin Message ---
This issue is fixed in every supported release, from oldstable until sid.

--
Luigi Gangitano -- <[email protected]> -- <[email protected]>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26



--- End Message ---
