[pkg-squid-devel] IMPORTANT squid3 stable needs update

Luigi Gangitano luigi at debian.org
Fri Jan 22 09:05:40 UTC 2016


Hi,

The link you provided refers to an issue with proxy certificates for SSL interception. This feature is disabled in the Debian squid3 package due to licensing issues with OpenSSL; thus this is not a bug in Debian squid3 packages.

The only way this bug could affect a Debian user would be if the user had recompiled squid3 with OpenSSL support. I’m sure you understand that we cannot provide support for any custom-built package.

Is there any other security issue in the Debian squid3 package that you are aware of?

Squid3 in Debian is in very good shape because Amos Jeffrey, one of the upstream developers, is directly involved in packaging squid3 for Debian and is doing an excellent job keeping up with upstream fixes.

Best regards,

L

--
Luigi Gangitano -- <luigi at debian.org> -- <gangitano at lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED

> On 22 Jan 2016, at 09:20, startrekfan <startrekfan75 at freenet.de> wrote:
> 
> I didn't subscribe to the mailing list. So please put my mail address into cc. Thanks.
> 
> I think I found a security issue that is not fixed in Debian squid 3.4.8. Squid 3.4 seems to use the SHA-1 algorithm for dynamic certificate generation. SHA-1 is unsafe. This seems to be fixed only in squid 3.5.
> 
> ref: https://forum.pfsense.org/index.php?topic=99141.0 (I think it's the same problem with Debian Jessie. The certificates are only generated with SHA-1.)
> 
> 2016-01-18 12:53 GMT+01:00 Martin Wuertele <martin at wuertele.net>:
> 
> * startrekfan <startrekfan75 at freenet.de> [2016-01-15 23:39]:
> 
> > squid3 3.4.8 has some security issues (risks)/bugs, so an upgrade to 3.5 is
> > actually only a fix of these bugs/security issues. There is no patch for
> > 3.4.8 because it's outdated. Debian Jessie is the current active release.
> > So why not fix squid3 in Debian Jessie with a stable 3.5 update?
> 
> Not the version in Debian. All bugfixes are backported. Check the
> changelog, security tracker,...