Date: Tue, 4 Dec 2007 18:09:32 +0100 (CET)
From: Thomas-Martin Seck <tmseck@netcologne.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: secteam@FreeBSD.org
Subject: ports/118430: [Maintainer] [Security] www/squid: update to 2.6.STABLE17
Message-ID: <200712041709.lB4H9W3w011468@bledge.tmseck.homedns.org>
Resent-Message-ID: <200712041740.lB4He3lB023523@freefall.freebsd.org>
>Number: 118430
>Category: ports
>Synopsis: [Maintainer] [Security] www/squid: update to 2.6.STABLE17
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 04 17:40:02 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 7.0-BETA3
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of December 4, 2007.
>Description:
- Update to 2.6.STABLE17 and fix a remote denial of service condition.
- Remove a no longer needed patch.

removed files:
files/patch-src_cf_gen.c

Please see the proposed VuXML entry below. Please check whether the range specifier is correct (I mean to express that 2.* up to 2.6.16 is affected as well as 3.*. I am currently working on the update for www/squid30, so it should be marked as vulnerable in the meantime). Note: I left the <entry> date to be filled.

<vuln vid="65378ea7-a288-11dc-8856-0048543d60ce">
  <topic>"Squid -- Denial of service in cache updates"</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.6.17</lt><ge>3.0.*</ge></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Squid advisory 2007:2 notes:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2007_2.txt">
        <p>Due to incorrect bounds checking Squid is vulnerable to a denial of service check[sic] during some cache update reply processing.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Advisories/SQUID-2007_2.txt</url>
  </references>
  <dates>
    <discovery>2007-11-27</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
>How-To-Repeat:
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo (.../www/squid) (revision 1275)
+++ distinfo (.../local/squid) (revision 1275)
@@ -1,3 +1,3 @@ -MD5 (squid2.6/squid-2.6.STABLE16.tar.bz2) = 849bee6f269e6c773f215fd4b41de0e3 -SHA256 (squid2.6/squid-2.6.STABLE16.tar.bz2) = 9e306c885c4a37b1a57e2e8c0cdac5c90e4cffa2801e30f3c78b1cca880a62c7 -SIZE (squid2.6/squid-2.6.STABLE16.tar.bz2) = 1293078 +MD5 (squid2.6/squid-2.6.STABLE17.tar.bz2) = e6face0dff4ea054d3ba94236eb56ea1 +SHA256 (squid2.6/squid-2.6.STABLE17.tar.bz2) = e6aaa26b40c5310b4047460c7dec81d73ccb5b18d19be3d088d3de4334748bfd +SIZE (squid2.6/squid-2.6.STABLE17.tar.bz2) = 1303134 Index: files/patch-src_cf_gen.c =================================================================== --- files/patch-src_cf_gen.c (.../www/squid) (revision 1275) +++ files/patch-src_cf_gen.c (.../local/squid) (revision 1275) @@ -1,16 +0,0 @@ -Index: src/cf_gen.c -=================================================================== -RCS file: /cvsroot/squid/squid/src/cf_gen.c,v -retrieving revision 1.52 -diff -u -p -r1.52 cf_gen.c ---- src/cf_gen.c 6 Sep 2007 09:33:36 -0000 1.52 -+++ src/cf_gen.c 16 Sep 2007 17:57:24 -0000 -@@ -183,7 +183,7 @@ main(int argc, char *argv[]) - t = (Type *) xcalloc(1, sizeof(*t)); - t->name = xstrdup(type); - while ((dep = strtok(NULL, WS)) != NULL) { -- TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*dep)); -+ TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*d)); - d->name = xstrdup(dep); - d->next = t->depend; - t->depend = d; Index: files/icap-2.6-bootstrap.patch =================================================================== --- files/icap-2.6-bootstrap.patch (.../www/squid) (revision 1275) +++ files/icap-2.6-bootstrap.patch (.../local/squid) (revision 1275) @@ -7,10 +7,10 @@ Please see icap-2.6-core.patch for further information. -Patch last updated: 2007-09-06 +Patch last updated: 2007-11-26 ---- configure.orig Thu Sep 6 00:25:42 2007 -+++ configure Thu Sep 6 21:22:04 2007 +--- configure.orig Mon Nov 26 14:39:31 2007 ++++ configure Mon Nov 26 19:46:14 2007 @@ -728,6 +728,8 @@ ENABLE_PINGER_FALSE USE_DELAY_POOLS_TRUE 
@@ -43,8 +43,8 @@ # Define the identity of the package. PACKAGE='squid' -- VERSION='2.6.STABLE16' -+ VERSION='2.6.STABLE16+ICAP' +- VERSION='2.6.STABLE17' ++ VERSION='2.6.STABLE17+ICAP' cat >>confdefs.h <<_ACEOF Index: Makefile =================================================================== --- Makefile (.../www/squid) (revision 1275) +++ Makefile (.../local/squid) (revision 1275) @@ -75,7 +75,7 @@ # Enable experimental multicast notification of cachemisses. PORTNAME= squid -PORTVERSION= 2.6.16 +PORTVERSION= 2.6.17 CATEGORIES= www MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \ @@ -94,7 +94,7 @@ http://www1.jp.squid-cache.org/Versions/v2/2.6/ \ http://www2.tw.squid-cache.org/Versions/v2/2.6/ MASTER_SITE_SUBDIR= squid-2/STABLE -DISTNAME= squid-2.6.STABLE16 +DISTNAME= squid-2.6.STABLE17 DIST_SUBDIR= squid2.6 PATCH_SITES= http://www.squid-cache.org/%SUBDIR%/ \ >Release-Note: >Audit-Trail: >Unformatted:
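Review bot: for the distinfo hunk, the three checksum lines are replaced wholesale; since this is a security update, the new SHA256 `e6aaa26b40c5310b4047460c7dec81d73ccb5b18d19be3d088d3de4334748bfd` should be cross-checked against the checksum published with the 2.6.STABLE17 release rather than taken only from whatever tarball was fetched, and the commit log should say that this was done.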
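Review bot: on the deletion of files/patch-src_cf_gen.c, confirm that 2.6.STABLE17 itself carries the `xcalloc(1, sizeof(*d))` fix before dropping the local patch. In the removed hunk `dep` is the `char *` returned by `strtok(NULL, WS)`, so the original `sizeof(*dep)` is 1 and a single byte is allocated for a `TypeDep` that is then written through `d->name`, `d->next`; if upstream has not merged the fix, removing the patch reintroduces that under-allocation in the build-time generator. The description only says the patch is "no longer needed"; naming the upstream revision that merged it would make the removal verifiable from the commit log.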
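The PR asks whether the proposed `<range>` expresses "2.* below 2.6.17 or 3.*". As an added illustration (not part of the PR or of FreeBSD's pkg/vuxml tooling), the following evaluates a VuXML `<affects>` block the way VuXML reads it: the bounds inside one `<range>` are ANDed, separate `<range>` elements are ORed, so a single range carrying both `lt 2.6.17` and `ge 3.0.*` matches no version at all, while a split form with one range per branch does. It assumes a simplified dotted-integer version compare (not the full pkg_version(1) ordering), treats a trailing `.*` bound as the prefix it qualifies, and keeps the package name `squid` for both branches for the sake of the example.

```python
"""Which versions does a FreeBSD VuXML <affects> block match?  Added example,
not part of the PR or of FreeBSD's pkg/vuxml tooling.  Bounds inside one
<range> are ANDed; separate <range> elements are ORed.  Assumptions: a simplified
dotted-integer version compare (not full pkg_version(1) ordering) and a
trailing ".*" treated as the prefix it qualifies."""
import xml.etree.ElementTree as ET

# Constructed copy of the PR's proposed entry: ONE range carrying both bounds.
PROPOSED = """<vuln vid="65378ea7-a288-11dc-8856-0048543d60ce">
  <affects><package><name>squid</name>
    <range><lt>2.6.17</lt><ge>3.0.*</ge></range>
  </package></affects></vuln>"""

# Constructed alternative: one <range> per branch, so the two branches are ORed.
SPLIT = """<vuln vid="65378ea7-a288-11dc-8856-0048543d60ce">
  <affects><package><name>squid</name>
    <range><lt>2.6.17</lt></range>
    <range><ge>3.0.*</ge></range>
  </package></affects></vuln>"""

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def parse_version(v: str) -> tuple:
    """'2.6.17' -> (2, 6, 17); '3.0.*' -> (3, 0) (wildcard assumption)."""
    return tuple(int(p) for p in v.strip().split(".") if p != "*")

def range_matches(rng: ET.Element, version: str) -> bool:
    """Every bound element inside one <range> must hold (AND)."""
    v = parse_version(version)
    return all(OPS[b.tag](v, parse_version(b.text)) for b in rng)

def affected(vuln_xml: str, name: str, version: str) -> bool:
    """Affected if any <range> of the named <package> matches (OR)."""
    root = ET.fromstring(vuln_xml)
    return any(range_matches(r, version)
               for pkg in root.iter("package") if pkg.findtext("name") == name
               for r in pkg.findall("range"))

if __name__ == "__main__":
    for ver in ("2.6.16", "2.6.17", "3.0"):
        print(ver, "proposed:", affected(PROPOSED, "squid", ver),
              "split:", affected(SPLIT, "squid", ver))
```

Run as-is, the proposed single-range form reports every version as unaffected, which is the kind of silent miss a VuXML reviewer is checking for.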