Re: Squid-3.0.PRE4 release plan from Henrik Nordstrom on 2006-05-08 (squid-dev)

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 08 May 2006 22:43:55 +0200

mån 2006-05-08 klockan 10:32 +1200 skrev Doug Dixon:

> 1200 (HTTP Response Splitting attack) - patched in 2.5 - is this an
> easy port?

It's a bit of work, and not very important for the PRE4 release. It's
sufficient to have it documented as a known weakness, and thereby
discouraging people from running PRE4 in production as a Internet proxy
on "innocent" users who likes to visit "bad" sites..

> 1265 (httpReadReply: Excess data from ... can be silenced in many
> cases) - patched in 2.5 - is this an easy port?

Yes, but definitely not a blocker. It's about making Squid shut up about
non-compliant HTTP servers. A PRE release should be noisy about things
it doesn't like as these cases triggers code paths seldom exercised on
the normal traffic which means there is a high risk of bugs in related
areas..

If worried you can always chain with a 2.5.STABLE14 parent to fix this
class of HTTP pollution malware (both 1200 and 1265).

> First, I think we should probably push the ESI bugs forward to PRE5.

Sounds reasonable. Well, if 1088 (segfault in string handling) is easily
diagnosed it's probably beneficial to fix this, but 975 (long documents)
defenitely can be kicked forward if you ask me.

> * 1125 (although, is this really 1028 which is already in there?)

Looks the same to me to me.

> Bugs to potentially remove from the list:
> * 942 (squid-3.0-PRE3-20040309 uncached 304's broken)

defenitely. Should perhaps be kicked forward to 3.1 even.. unless I have
completely misunderstood the bug report.

> * 897 (Extra CRLF Added After Headers)

no problem to kick this forward to next PRE release for me, but it might
be a bit annoying to the users who get bitten by it (random images
broken etc.. usually but not always fixed by a forced reload)

> * 951 (Assert failure in ESIInclude.cc:563: "parent.getRaw()")

Natural per the above decision..

> Are we happy to defer ESI stuff (951, 975, 1088) to PRE5?

I am.

> Are we happy to defer 801

Yes.

> and 1494 to PRE5?

Not sufficient info in this report. Missing stack trace. So yes.

> Are we happy to remove 942 and 897 from PRE4?

What you mean by remove?

See above for my comments on these bugs.

Regards
Henrik

application/pgp-signature attachment: Detta �r en digitalt signerad meddelandedel

Received on Mon May 08 2006 - 14:44:18 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jun 01 2006 - 12:00:04 MDT