oss-sec mailing list archives

Re: CVE-2015-0881


From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 06 Mar 2015 23:26:53 +1300


On 2/03/2015 8:08 p.m., Kurt Seifried wrote:
> So for those of us vendors/etc that need to backport security
> fixes and/or confirm our software is fixed how are we supposed to
> do this?
>
> How long will the patch/attack information be embargoed for?
>
> Also why has this been covered up for over 5 years and is now still
> a secret? I'm very confused and I have some grave concerns about
> how JVN/upstream is handling this.


Until today it seems:
 https://jvn.jp/en/jp/JVN64455813/index.html

The patch is
<http://www.squid-cache.org/Versions/v3/3.1/changesets/b9619.patch> if
you want to try back-porting. Take care though if you do: all the
earlier versions have different logic surrounding how the connection
data gets accounted.

I hope this one is better for you. Still outstanding on Mitre's
verdict about the CVE number though. JPCERT tell me that should be
next week, but you probably know more than me how reliable an estimate
that is.

Amos
