[squid-users] cachemgr CGI version compatibility

Matus UHLAR - fantomas uhlar at fantomas.sk
Sun Mar 12 15:33:27 UTC 2017


On 11.03.17 22:54, Eliezer  Croitoru wrote:
>The title of the email was:
>"squid-4.0.18 error when running"

no, it was not, you mistook my email for someone else's

>On 10/03/2017 3:32 a.m., Matus UHLAR - fantomas wrote:
>> will older cachemgr.cgi work well with newer squid?

>Yes they should. Likewise the newer cachemgr.cgi should work as well with
> older Squid.  The tool and Squid are explicitly being kept both forward
> and backward compatible.

I'm happy to know that.

>But be aware that cachemgr.cgi older than 3.5.17 may be vulnerable to
><http://www.squid-cache.org/Advisories/SQUID-2016_5.txt>- which means they
>cannot safely handle some reports (as listed in the advisory).

luckily debian people take care of that:

squid3 (3.1.20-2.2+deb7u6) wheezy-security; urgency=medium

   * squid31-CVE-2016-4051-cachemgr-MemBuf.patch: make cachemgr use MemBuf.

>And if you are talking *very* old CGI version maybe
> <http://www.squid-cache.org/Advisories/SQUID-2012_1.txt> as well, which is
> somewhat worse.

squid3 (3.1.20-2.2) unstable; urgency=low

   * Non-maintainer upload.
   * Add fix-701123-regression-in-cachemgr.patch patch.
     Fix missing bits in the fix for CVE-2012-5643 and CVE-2013-0189 causing


...those are good reasons to use distribution with security updates
thanks for warnings anyway

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


More information about the squid-users mailing list