Your message dated Thu, 28 Feb 2013 20:49:13 +0000
with message-id <1362084553.32751.14.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#701930: unblock: squid3/3.1.20-2.2
has caused the Debian Bug report #701930,
regarding unblock: squid3/3.1.20-2.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
701930: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701930
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release Team
Please unblock package squid3
The previous fix for CVE-2012-5643 and CVE-2013-0189, uploaded as
3.1.20-2.1, caused cachemgr.cgi to always crash when auth
credentials were supplied. Upstream provided a patch which was uploaded as
3.1.20-2.2.
See: #701123
The full debdiff against the current version in testing is attached.
Would it be possible to get an unblock for squid3?
unblock squid3/3.1.20-2.2
Regards,
Salvatore
Base version: squid3_3.1.20-2.1 from testing
Target version: squid3_3.1.20-2.2 from unstable
No hints in place.
Excuses:
changelog | 10 ++++++
patches/fix-701123-regression-in-cachemgr.patch | 39 ++++++++++++++++++++++++
patches/series | 1
3 files changed, 50 insertions(+)
gpgv: keyblock resource `/home/carnil/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Tue 05 Feb 2013 10:18:19 PM UTC using RSA key ID 4AC8EE1D
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on /tmp/tmpPcyNcv/squid3_3.1.20-2.1.dsc
gpgv: keyblock resource `/home/carnil/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Sat 23 Feb 2013 02:13:52 PM UTC using RSA key ID 7FD863FE
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on /tmp/tmpPcyNcv/squid3_3.1.20-2.2.dsc
diff -Nru squid3-3.1.20/debian/changelog squid3-3.1.20/debian/changelog
--- squid3-3.1.20/debian/changelog 2013-02-05 22:16:28.000000000 +0000
+++ squid3-3.1.20/debian/changelog 2013-02-23 14:07:26.000000000 +0000
@@ -1,3 +1,13 @@
+squid3 (3.1.20-2.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add fix-701123-regression-in-cachemgr.patch patch.
+ Fix missing bits in the fix for CVE-2012-5643 and CVE-2013-0189 causing
+ cachemgr.cgi crashing when authentication credentials are supplied.
+ Thanks to Amos Jeffries <a...@treenet.co.nz> (Closes: #701123)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Feb 2013 13:44:48 +0100
+
squid3 (3.1.20-2.1) unstable; urgency=high
* Non-maintainer upload
diff -Nru squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch
--- squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 2013-02-23 14:07:26.000000000 +0000
@@ -0,0 +1,39 @@
+Description: Fix regression in cachemgr.cgi
+ Fix regression introduced by the patches for CVE-2012-5643 and
+ CVE-2013-0189. Apply further patch provided by upstream.
+Origin: upstream, http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10486.patch
+Bug: http://bugs.squid-cache.org/show_bug.cgi?id=3790
+Bug-Debian: http://bugs.debian.org/701123
+Forwarded: not-needed
+Author: Reinhard Sojka <reinhard.so...@parlament.gv.at>
+Last-Update: 2013-02-23
+Applied-Upstream: yes
+
+--- a/tools/cachemgr.cc
++++ b/tools/cachemgr.cc
+@@ -1162,7 +1162,6 @@
+ {
+ static char buf[1024];
+ size_t stringLength = 0;
+- const char *str64;
+
+ if (!req->passwd)
+ return "";
+@@ -1171,15 +1170,12 @@
+ req->user_name ? req->user_name : "",
+ req->passwd);
+
+- str64 = base64_encode(buf);
+-
+- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
+
+ assert(stringLength < sizeof(buf));
+
+- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
+
+- xxfree(str64);
+ return buf;
+ }
+
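Review bot: in the second hunk the Proxy-Authorization line now calls base64_encode(buf) after the first snprintf() has already overwritten buf with "Authorization: Basic ...\r\n", so the second header carries the base64 of the Authorization header line rather than of the user:passwd string built just above it; the pre-patch code encoded once into str64 and reused that for both headers. Suggest keeping that shape and removing only the offending free, i.e. keep `str64 = base64_encode(buf);` and the two snprintf() calls that use str64, and drop just `xxfree(str64);`. Dropping xxfree() is the crash fix only if base64_encode() hands back storage the caller must not free (a static buffer); if it returned heap memory this change would turn the crash into a per-request leak, so confirm which it is in this tree before accepting.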
diff -Nru squid3-3.1.20/debian/patches/series squid3-3.1.20/debian/patches/series
--- squid3-3.1.20/debian/patches/series 2013-02-05 21:53:05.000000000 +0000
+++ squid3-3.1.20/debian/patches/series 2013-02-23 14:07:26.000000000 +0000
@@ -3,3 +3,4 @@
15-cachemgr-default-config.patch
20-ipv6-fix
30-CVE-2012-5643-CVE-2013-0189.patch
+fix-701123-regression-in-cachemgr.patch
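Review bot: the new series entry lacks the numeric prefix the other patches use (15-, 20-, 30-), so its place in the apply order is only implied by being last; naming it e.g. 40-fix-701123-regression-in-cachemgr.patch would make its dependency on 30-CVE-2012-5643-CVE-2013-0189.patch explicit.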
Hints needed:
unblock squid3/3.1.20-2.2
--- End Message ---
--- Begin Message ---
On Thu, 2013-02-28 at 21:40 +0100, Salvatore Bonaccorso wrote:
> Please unblock package squid3
>
> The previous fix for CVE-2012-5643 and CVE-2013-0189, uploaded as
> 3.1.20-2.1, caused cachemgr.cgi to always crash when auth
> credentials were supplied. Upstream provided a patch which was uploaded as
> 3.1.20-2.2.
Unblocked and aged; thanks.
Regards,
Adam
--- End Message ---