Date:      Tue, 4 Dec 2007 18:09:32 +0100 (CET)
From:      Thomas-Martin Seck <tmseck@netcologne.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        secteam@FreeBSD.org
Subject:   ports/118430: [Maintainer] [Security] www/squid: update to 2.6.STABLE17
Message-ID:  <200712041709.lB4H9W3w011468@bledge.tmseck.homedns.org>
Resent-Message-ID: <200712041740.lB4He3lB023523@freefall.freebsd.org>


>Number:         118430
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: update to 2.6.STABLE17
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 04 17:40:02 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 7.0-BETA3
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of December 4, 2007.

	
>Description:

- Update to 2.6.STABLE17 and fix a remote denial of service condition.
- Remove a no longer needed patch.

removed files:

files/patch-src_cf_gen.c

Please see the proposed VuXML entry below. Please check whether the
range specification is correct (I mean to express that 2.* up to 2.6.16
is affected as well as 3.*. I am currently working on the update for
www/squid30, so it should be marked as vulnerable in the meantime).

Note: I left the <entry> date to be filled.

<vuln vid="65378ea7-a288-11dc-8856-0048543d60ce">
  <topic>"Squid -- Denial of service in cache updates"</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.6.17</lt><ge>3.0.*</ge></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Squid advisory 2007:2 notes:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2007_2.txt">
	<p>Due to incorrect bounds checking Squid is vulnerable to
	  a denial of service check[sic] during some cache update reply
	  processing.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Advisories/SQUID-2007_2.txt</url>
  </references>
  <dates>
    <discovery>2007-11-27</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
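VuXML ANDs the bounds written inside one `<range>` and ORs separate `<range>` elements, so a single `<range><lt>2.6.17</lt><ge>3.0.*</ge></range>` asks for versions that are at once below 2.6.17 and at or above 3.0, i.e. none, and `3.0.*` is not a package version string at all. The evaluator below is an added example, not part of this PR and not FreeBSD's VuXML or portaudit tooling; it uses a simplified dotted-integer version comparison instead of pkg_version(1)'s rules, the `<package>` fragments and sample versions are constructed, and the `3.0` lower bound for the 3.x branch is a placeholder (the right value depends on the www/squid30 package version, which the PR does not state).

```python
"""Added example: evaluate VuXML-style <range> bounds against package versions.

Not part of this PR or of FreeBSD's VuXML/portaudit tooling.  Assumptions:
versions are plain dotted integers (2.6.17, 3.0.1); real package versions
(PORTREVISION "_n", PORTEPOCH ",n", letters) need pkg_version(1)'s rules.
"""
import re
import xml.etree.ElementTree as ET

# VuXML bound elements and the comparison each one expresses.
BOUNDS = {
    "lt": lambda v, b: v < b,
    "le": lambda v, b: v <= b,
    "gt": lambda v, b: v > b,
    "ge": lambda v, b: v >= b,
    "eq": lambda v, b: v == b,
}


def parse_version(s):
    """Simplified parser: dotted integers only, compared as tuples.
    Anything else (including a glob like 3.0.*) is rejected rather than
    silently compared as a string."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"not a dotted-integer version: {s!r}")
    return tuple(int(part) for part in s.split("."))


def is_valid_version(s):
    """True when parse_version accepts s."""
    try:
        parse_version(s)
        return True
    except ValueError:
        return False


def range_matches(rng, version):
    """All bounds inside one <range> must hold: they are ANDed."""
    v = parse_version(version)
    return all(BOUNDS[bound.tag](v, parse_version(bound.text)) for bound in rng)


def package_affected(package_xml, version):
    """A package is affected if ANY of its <range> elements matches: ORed."""
    pkg = ET.fromstring(package_xml)
    return any(range_matches(r, version) for r in pkg.findall("range"))


def audit(package_xml, versions):
    """Map each candidate version to whether the entry flags it."""
    return {v: package_affected(package_xml, v) for v in versions}


# Constructed entries.  The first has the shape of the proposed entry (both
# bounds in one <range>); the second expresses the stated intent ("2.* before
# 2.6.17, or the 3.x branch") as two ORed ranges.  The 3.0 lower bound is a
# placeholder, not the www/squid30 package version.
SINGLE_RANGE = """<package>
  <name>squid</name>
  <range><lt>2.6.17</lt><ge>3.0</ge></range>
</package>"""

SPLIT_RANGES = """<package>
  <name>squid</name>
  <range><lt>2.6.17</lt></range>
  <range><ge>3.0</ge></range>
</package>"""

# Constructed sample versions: an old 2.5, the last vulnerable 2.6, the fixed
# 2.6, and a 3.x release.
VERSIONS = ["2.5.10", "2.6.16", "2.6.17", "3.0.1"]

if __name__ == "__main__":
    for label, xml in (("single range", SINGLE_RANGE), ("split ranges", SPLIT_RANGES)):
        print(label, audit(xml, VERSIONS))
    print("3.0.* accepted as a version:", is_valid_version("3.0.*"))
```

Run stand-alone, the single-range form flags none of the four sample versions, while the two-range form flags 2.5.10, 2.6.16 and 3.0.1 and clears 2.6.17; that difference is what a wrong range costs, since portaudit users on 2.6.16 would be told they are not affected.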


	
>How-To-Repeat:
	
>Fix:

Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 1275)
+++ distinfo	(.../local/squid)	(revision 1275)
@@ -1,3 +1,3 @@
-MD5 (squid2.6/squid-2.6.STABLE16.tar.bz2) = 849bee6f269e6c773f215fd4b41de0e3
-SHA256 (squid2.6/squid-2.6.STABLE16.tar.bz2) = 9e306c885c4a37b1a57e2e8c0cdac5c90e4cffa2801e30f3c78b1cca880a62c7
-SIZE (squid2.6/squid-2.6.STABLE16.tar.bz2) = 1293078
+MD5 (squid2.6/squid-2.6.STABLE17.tar.bz2) = e6face0dff4ea054d3ba94236eb56ea1
+SHA256 (squid2.6/squid-2.6.STABLE17.tar.bz2) = e6aaa26b40c5310b4047460c7dec81d73ccb5b18d19be3d088d3de4334748bfd
+SIZE (squid2.6/squid-2.6.STABLE17.tar.bz2) = 1303134
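Review bot: the SHA256 line is the one that carries the integrity check here (MD5 is no longer a meaningful one and is kept only because the existing distinfo format lists it), so before commit confirm that e6aaa26b...748bfd was compared against the checksum or signature squid-cache.org publishes for 2.6.STABLE17 and not only produced by `make makesum` from whichever MASTER_SITES mirror answered first; a tampered mirror tarball would otherwise be recorded as the trusted value. Mentioning where the checksum was cross-checked in the commit log would help the next reviewer.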
Index: files/patch-src_cf_gen.c
===================================================================
--- files/patch-src_cf_gen.c	(.../www/squid)	(revision 1275)
+++ files/patch-src_cf_gen.c	(.../local/squid)	(revision 1275)
@@ -1,16 +0,0 @@
-Index: src/cf_gen.c
-===================================================================
-RCS file: /cvsroot/squid/squid/src/cf_gen.c,v
-retrieving revision 1.52
-diff -u -p -r1.52 cf_gen.c
---- src/cf_gen.c	6 Sep 2007 09:33:36 -0000	1.52
-+++ src/cf_gen.c	16 Sep 2007 17:57:24 -0000
-@@ -183,7 +183,7 @@ main(int argc, char *argv[])
- 	t = (Type *) xcalloc(1, sizeof(*t));
- 	t->name = xstrdup(type);
- 	while ((dep = strtok(NULL, WS)) != NULL) {
--	    TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*dep));
-+	    TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*d));
- 	    d->name = xstrdup(dep);
- 	    d->next = t->depend;
- 	    t->depend = d;
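Review bot: dropping this patch is only safe if the `sizeof(*dep)` -> `sizeof(*d)` correction is already in 2.6.STABLE17 (`dep` is a `char *`, so the old line allocates one byte for a `TypeDep` and `d->name`/`d->next` are then written past the allocation); the diff itself does not show that, so please cite the upstream ChangeLog or changeset in the commit log, since a wrong "no longer needed" silently reintroduces the undersized `xcalloc` in cf_gen.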
Index: files/icap-2.6-bootstrap.patch
===================================================================
--- files/icap-2.6-bootstrap.patch	(.../www/squid)	(revision 1275)
+++ files/icap-2.6-bootstrap.patch	(.../local/squid)	(revision 1275)
@@ -7,10 +7,10 @@
 
 Please see icap-2.6-core.patch for further information.
 
-Patch last updated: 2007-09-06
+Patch last updated: 2007-11-26
 
---- configure.orig	Thu Sep  6 00:25:42 2007
-+++ configure	Thu Sep  6 21:22:04 2007
+--- configure.orig	Mon Nov 26 14:39:31 2007
++++ configure	Mon Nov 26 19:46:14 2007
 @@ -728,6 +728,8 @@
  ENABLE_PINGER_FALSE
  USE_DELAY_POOLS_TRUE
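Review bot: only the `Patch last updated` date and the `---`/`+++` timestamps move in this hunk while the `@@ -728,6 +728,8 @@` header stays as unchanged context; that is plausible if the regenerated ICAP patch happened to land at the same offsets in STABLE17's configure, but please confirm `make patch` on a clean STABLE17 extract applies it without fuzz or offset warnings, because a timestamp-only refresh of a stale patch would look identical to this.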
@@ -43,8 +43,8 @@
  
  # Define the identity of the package.
   PACKAGE='squid'
-- VERSION='2.6.STABLE16'
-+ VERSION='2.6.STABLE16+ICAP'
+- VERSION='2.6.STABLE17'
++ VERSION='2.6.STABLE17+ICAP'
  
  
  cat >>confdefs.h <<_ACEOF
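Review bot: `VERSION='2.6.STABLE17+ICAP'` is a second, hand-maintained copy of the version inside the vendored ICAP patch, and forgetting it on a future bump would not fail the build, it would only make Squid misreport its version (`squid -v` and the version Squid puts in its headers). Consider adding a comment next to PORTVERSION in the Makefile noting that `files/icap-2.6-bootstrap.patch` must be bumped in step, or rewriting the string in a post-patch target so there is one source of truth.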

Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 1275)
+++ Makefile	(.../local/squid)	(revision 1275)
@@ -75,7 +75,7 @@
 #     Enable experimental multicast notification of cachemisses.
 
 PORTNAME=	squid
-PORTVERSION=	2.6.16
+PORTVERSION=	2.6.17
 CATEGORIES=	www
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
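Review bot: a PORTVERSION bump has to drop any existing PORTREVISION at the same time; none is visible in this seven-line context, so either the port has none or it sits outside the hunk. Please confirm there is no stale PORTREVISION elsewhere in the Makefile, otherwise the package version would not be plain 2.6.17 and the `<lt>2.6.17</lt>` comparison in the VuXML entry would be evaluated against the wrong string.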
@@ -94,7 +94,7 @@
 		http://www1.jp.squid-cache.org/Versions/v2/2.6/ \
 		http://www2.tw.squid-cache.org/Versions/v2/2.6/
 MASTER_SITE_SUBDIR=	squid-2/STABLE
-DISTNAME=	squid-2.6.STABLE16
+DISTNAME=	squid-2.6.STABLE17
 DIST_SUBDIR=	squid2.6
 
 PATCH_SITES=	http://www.squid-cache.org/%SUBDIR%/ \
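Review bot: DISTNAME spells out the same version as PORTVERSION a second time, so the two can drift on a future update; deriving it instead, e.g. `DISTNAME= squid-${PORTVERSION:R}.STABLE${PORTVERSION:E}`, yields `squid-2.6.STABLE17` from `2.6.17` using BSD make's `:R`/`:E` modifiers and leaves PORTVERSION as the single line to edit (the ICAP patch's VERSION string would still need its own bump).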
	


>Release-Note:
>Audit-Trail:
>Unformatted:


