Just for the sake of completeness: we have this problem as well
and still have many systems with Debian Stretch that need Squid Icap
to communicate with Avira Savapi antivirus. Because this bugs hits
us as well, we are now holding on to version 3.5.23-5+deb9u1.
On Mon, 27 Jul 2020 00:15:18 +0200 Markus Koschany <a...@debian.org> wrote:
Hello Andreas,
On Tue, 14 Jul 2020 13:57:48 +0200 Andreas Schulz
<andreas.sch...@tds.fujitsu.com> wrote:
> Package: squid
> Version: 3.5.23-5+deb9u2.1
> Severity: important
> File: /usr/sbin/squid
>
> Dear Maintainer,
>
> We installed the security update deb9u2 and learned that no more
> http-access (with icap) was possible.
I am not the maintainer but I have prepared the security update for
squid3 in Stretch. So far you are the only one who reported this
problem. I had sent a request for testing but never received any
feedback. [1] Please note that Stretch is now supported by the LTS team.
We have a dedicated mailing list where you can report problems dedicated
to packages in Stretch called debian-...@lists.debian.org.
Could you set debug_options to ALL,9 (which should enable full debugging
according to the squid wiki) and reproduce the issue again? Please
attach the complete log either to this bug report or send it to me via
private email directly.
The patch for CVE-2019-12523 contains only one line that appears to
touch icap related code in src/adaptation/icap/ModXact.cc. I have
reverted this change and attached a new CVE-2019-12523.patch. Could you
apply it and report back if it makes any difference? Otherwise only the
debug log could help to narrow down the problem.
Regards,
Markus
[1] https://lists.debian.org/debian-lts/2020/07/msg00018.html
Best regards
Kevin Ivory (SerNet Support)
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kont...@sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
