[Secure-testing-team] Bug#776464: squid3: Nonce replay vulnerability in Digest authentication

Luigi Gangitano luigi at debian.org
Wed Jan 28 10:11:18 UTC 2015


Package: squid3
Version: 3.4.8-5
Severity: grave
Tags: security patch upstream

Upstream fixed a security issue in digest_authentication that can allow a disabled user or users
with a changed password to access the squid service with old credentials.

See http://bugs.squid-cache.org/show_bug.cgi?id=4066 for upstream bug details.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages squid3 depends on:
ii  adduser                  3.113+nmu3
ii  libc6                    2.19-13
ii  libcap2                  1:2.24-6
ii  libcomerr2               1.42.12-1
ii  libdb5.3                 5.3.28-9
ii  libecap2                 0.2.0-3
ii  libexpat1                2.1.0-6+b3
ii  libgcc1                  1:4.9.2-10
ii  libgssapi-krb5-2         1.12.1+dfsg-16
ii  libk5crypto3             1.12.1+dfsg-16
ii  libkrb5-3                1.12.1+dfsg-16
ii  libldap-2.4-2            2.4.40-3
ii  libltdl7                 2.4.2-1.11
ii  libnetfilter-conntrack3  1.0.4-1
ii  libnettle4               2.7.1-5
ii  libpam0g                 1.1.8-3.1
ii  libsasl2-2               2.1.26.dfsg1-12
ii  libstdc++6               4.9.2-10
ii  libxml2                  2.9.2+dfsg1-1+b1
ii  logrotate                3.8.7-1+b1
ii  lsb-base                 4.1+Debian13+nmu1
ii  netbase                  5.3
ii  squid3-common            3.4.8-5

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   <none>
ii  smbclient    2:4.1.13+dfsg-4
pn  squid-cgi    <none>
pn  squid-purge  <none>
pn  squidclient  <none>
pn  ufw          <none>
pn  winbindd     <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-3.4-13211.patch
Type: text/x-diff
Size: 2681 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150128/8fa065f6/attachment-0001.patch>

