[Bug 1473691] Re: squid: Update to latest upstream release (3.5)
** Changed in: squid3 (Ubuntu)
       Status: Triaged => In Progress

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1473691

Title:
  squid: Update to latest upstream release (3.5)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1473691/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1473691] Re: squid: Update to latest upstream release (3.5)
I'm hoping to get squid updated in Xenial within the next two weeks.
[Bug 1473691] Re: squid: Update to latest upstream release (3.5)
I will only add that even in the best of circumstances with perfect firewalling, a low privilege sysadmin or helpdesk member/troubleshooter could easily use this overflow as a hop to privilege escalation and/or willful damage.
[Bug 1473691] Re: squid: Update to latest upstream release (3.5)
e-Vent, we rated this issue "low" because:

- snmp is not enabled by default
- squid's snmp listener can listen on specific interfaces
- local iptables / ufw rules probably already allow only specific services on the hosts that run squid
- network firewalls / routers probably already allow only specific services on the networks that run squid

In general allowing untrusted access to SNMP is not a good idea regardless if this is fixed.

We have limited resources and we have to prioritize the work we do accordingly. If you have the time and inclination to prepare and test a patch for this issue, we'd be happy to sponsor updates. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for more details.

Thanks
[Bug 1473691] Re: squid: Update to latest upstream release (3.5)
I would not consider a buffer overflow and code execution as low priority, especially when this program is likely to run on a firewall or network gateway. Is there a better timeline than when "we feel like there's a real issue" we'll update? We are now 2 generations depreciated...