Your message dated Mon, 01 Jul 2024 10:36:06 +0000
with message-id <e1soeoe-003g13...@fasolo.debian.org>
and subject line Bug#1074284: fixed in squid 6.10-1
has caused the Debian Bug report #1074284,
regarding squid: CVE-2024-37894
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: squid
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for squid.

CVE-2024-37894[0]:
| Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP,
| and more. Due to an Out-of-bounds Write error when assigning ESI
| variables, Squid is susceptible to a Memory Corruption error. This
| error can lead to a Denial of Service attack.

https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg

https://github.com/squid-cache/squid/commit/920563e7a080155fae3ced73d6198781e8b0ff04 (master)
https://github.com/squid-cache/squid/commit/67f5496f7b72e698ad0f5aa3512c83089424f27f (v6)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37894
    https://www.cve.org/CVERecord?id=CVE-2024-37894

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: squid
Source-Version: 6.10-1
Done: Luigi Gangitano <lu...@debian.org>

We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <lu...@debian.org> (supplier of updated squid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon,  1 Jul 2024 12:04:20 +0200
Source: squid
Architecture: source
Version: 6.10-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Luigi Gangitano <lu...@debian.org>
Closes: 1074284
Changes:
 squid (6.10-1) unstable; urgency=high
 .
   [ Amos Jeffries <amosjeffr...@squid-cache.org> ]
   * New Upstream Release 6.10
     Fixes: CVE-2024-37894. SQUID-2024:3 (Closes: #1074284)



--- End Message ---
