[squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Amos Jeffries squid3 at treenet.co.nz
Sun Apr 19 08:31:53 UTC 2020

On 19/04/20 8:18 pm, TarotApprentice wrote:
> I am not sure if you have any contact with the Debian maintainers. I
> raised a bug with Debian in March asking for 4.10 to get promoted to
> buster-backports on the grounds of security fixes. If we’re on the
> stable release (buster) we are stuck with 4.6 until the next stable
> release (up to 2 years), use the testing release which has other changes
> or we have to compile our own.

I am part of the Debian packaging team assisting Luigi. AFAIK this is in
the hands of the security team since it would be those grounds for backport.

Security have just been in contact after a review and update of the open
issues they are tracking against Debian Squid packages. Though I have
not heard if any decision has been made about this request.

What I do know is that many of the CVE with 4.x patches have had those
applied to the Debian package available in Buster. There are some which
do not backport easily, so not 100%, but the old package is not as
vulnerable as it may appear from just the number.


More information about the squid-users mailing list