Debian Bug report logs - #553319
CVE-2009-3826, CVE-2009-3700


Package: squidguard; Maintainer for squidguard is Joachim Wiedorn <ad_debian@joonet.de>; Source for squidguard is src:squidguard.

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Fri, 30 Oct 2009 11:03:02 UTC

Severity: serious

Tags: patch, security

Fixed in version squidguard/1.2.0-9

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Víctor Pérez Pereira <vperez@debianvenezuela.org>:
Bug#553319; Package squidguard. (Fri, 30 Oct 2009 11:03:05 GMT)

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Víctor Pérez Pereira <vperez@debianvenezuela.org>. (Fri, 30 Oct 2009 11:03:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3826, CVE-2009-3700
Date: Fri, 30 Oct 2009 09:08:32 +0100
Package: squidguard
Severity: serious
Tags: security



Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for squidguard.

CVE-2009-3826[0]:
| Multiple buffer overflows in squidGuard 1.4 allow remote attackers to
| bypass intended URL blocking via a long URL, related to (1) the
| relationship between a certain buffer size in squidGuard and a certain
| buffer size in Squid and (2) a redirect URL that contains information
| about the originally requested URL.

CVE-2009-3700[1]:
| Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote
| attackers to cause a denial of service (application hang or loss of
| blocking functionality) via a long URL with many / (slash) characters,
| related to "emergency mode."

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3826
    http://security-tracker.debian.org/tracker/CVE-2009-3826
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3700
    http://security-tracker.debian.org/tracker/CVE-2009-3700




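As an added example (not squidGuard's own code, and not taken from the upstream patches referenced in this report), the defensive pattern both CVEs above call for, written in C because squidGuard is: a Squid redirector helper that bounds the URL copy and the log line, and answers an over-long URL with a block rather than dropping into a pass-everything mode. The buffer size, the blocklist lookup and the sample request line are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, kept small so the over-long case is easy to exercise;
 * the point is that the redirector's buffer is smaller than what Squid may send. */
#define URL_BUF 64

enum verdict { ALLOW = 0, BLOCK = 1 };

/* Copy the first field (the URL) of a Squid redirector request line into a
 * fixed buffer. Returns -1 with an empty buffer when it would not fit. */
int extract_url(const char *line, char *out, size_t outsz)
{
    size_t n = strcspn(line, " \t\r\n");
    if (n == 0 || n >= outsz) { out[0] = '\0'; return -1; }
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

/* Bounded log line: snprintf cannot overrun dst, and truncation is reported
 * (-1) instead of silently written. Returns the length on success. */
int format_log(char *dst, size_t dstsz, const char *client, const char *url)
{
    int n = snprintf(dst, dstsz, "%s %s", client, url);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

/* Hypothetical blocklist lookup standing in for the real database query. */
static int on_blocklist(const char *url)
{
    static const char prefix[] = "http://blocked.example/";
    return strncmp(url, prefix, sizeof prefix - 1) == 0;
}

/* Answer for one request line. An over-long URL is BLOCKed (fail closed)
 * rather than dropping into a pass-everything emergency mode. */
enum verdict decide(const char *line)
{
    char url[URL_BUF];
    if (extract_url(line, url, sizeof url) != 0) return BLOCK;
    return on_blocklist(url) ? BLOCK : ALLOW;
}

/* Constructed over-long request line ("URL ip/fqdn ident method"), URL > 100 chars. */
static const char LONG_LINE[] = "http://www.example.net/"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    " 192.0.2.10/- - GET";
```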


Information forwarded to debian-bugs-dist@lists.debian.org, Víctor Pérez Pereira <vperez@debianvenezuela.org>:
Bug#553319; Package squidguard. (Tue, 30 Mar 2010 12:27:03 GMT)

Acknowledgement sent to "Adam Cécile (Le_Vert)" <gandalf@le-vert.net>:
Extra info received and forwarded to list. Copy sent to Víctor Pérez Pereira <vperez@debianvenezuela.org>. (Tue, 30 Mar 2010 12:27:03 GMT)

Message #10 received at 553319@bugs.debian.org:

From: "Adam Cécile (Le_Vert)" <gandalf@le-vert.net>
To: 553319@bugs.debian.org
Subject: #553319: squidguard: CVE-2009-3826, CVE-2009-3700
Date: Tue, 30 Mar 2010 14:16:58 +0200
Hello,

I made an updated package for my own use. It fixes a bunch of issues and 
should really be part of squeeze.
However, I don't have much time to care about squidguard and thus, won't 
maintain the package.

Hope this could help...
http://mentors.debian.net/debian/pool/main/s/squidguard/squidguard_1.4-0.1.dsc

Changelog:
* Non-maintainer upload.
* New upstream release (Closes: #535158).
* Add quilt patch system (and README.source).
* Drop all Debian's patches (no patch system, no real way to see what they
  do, probably obsolete).
* Include upstream's Patch-20091015 and Patch-20091019 to fix CVE-2009-3826
  and CVE-2009-3700 (Closes: #535158).
* Add 002-Makefile_DESTDIR_fix patch to use DESTDIR in Makefile.
* Improve debian/rules to avoid build running twice (+ minor improvements).
* Bump Standards-Version to 3.8.4.
* Bump DH COMPAT to 5.
* Fix debian/install (drop {}).
* Remove 'not cleaned' files to avoid having them in diff.gz.
* Add libdb4.4-dev alternative build dependency for Etch backporting.


Regards, Adam.




Added tag(s) patch. Request was from "Adam Cécile (Le_Vert)" <gandalf@le-vert.net> to control@bugs.debian.org. (Tue, 30 Mar 2010 12:33:10 GMT)

Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Fri, 30 Apr 2010 11:21:09 GMT)

Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 30 Apr 2010 11:21:09 GMT)

Message #17 received at 553319-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 553319-close@bugs.debian.org
Subject: Bug#553319: fixed in squidguard 1.2.0-9
Date: Fri, 30 Apr 2010 11:17:51 +0000
Source: squidguard
Source-Version: 1.2.0-9

We believe that the bug you reported is fixed in the latest version of
squidguard, which is due to be installed in the Debian FTP archive:

squidguard_1.2.0-9.diff.gz
  to main/s/squidguard/squidguard_1.2.0-9.diff.gz
squidguard_1.2.0-9.dsc
  to main/s/squidguard/squidguard_1.2.0-9.dsc
squidguard_1.2.0-9_i386.deb
  to main/s/squidguard/squidguard_1.2.0-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated squidguard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 30 Apr 2010 12:52:19 +0200
Source: squidguard
Binary: squidguard
Architecture: source i386
Version: 1.2.0-9
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 squidguard - filter, redirector and access controller plug for Squid
Closes: 553319
Changes: 
 squidguard (1.2.0-9) unstable; urgency=high
 .
   * Non-maintainer upload for security issues.
   * Security: fix buffer overflow in sgLog.c.
     Fixes: CVE-2009-3700.
   * Security: fix buffer overflow in sgDiv.c.
     Fixes: CVE-2009-3700.
   * Closes: #553319 (two security issues described above).
   * Setting maintainer to QA.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:33:44 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:27:42 2014; Machine Name: buxtehude.debian.org
