Date:      7 Sep 2010 20:56:56 -0000
From:      Thomas-Martin Seck <tmseck@web.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        ports-security@FreeBSD.org
Subject:   ports/150364: [Maintainer] [security] www/squid31: update to 3.1.8, fix denial of service vulnerability
Message-ID:  <20100907205656.5216.qmail@wcfields.tmseck.homedns.org>
Resent-Message-ID: <201009072100.o87L0GxY046403@freefall.freebsd.org>


>Number:         150364
>Category:       ports
>Synopsis:       [Maintainer] [security] www/squid31: update to 3.1.8, fix denial of service vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 07 21:00:15 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.1-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of September 7, 2010.

	
>Description:
Update to 3.1.8.

This update fixes a denial of service vulnerability that can be triggered
by specially crafted client requests. See Squid Security Advisory 2010:3
for details.

Proposed VuXML entry:

  <vuln vid="7d7d3bc4-babb-11df-8d12-0019996bc1f7">
    <topic>squid -- Denial of Service vulnerability in request handling</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
	<range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Squid security advisory 2010:3 reports:</p>
	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_3.txt">
	  <p>Due to an internal error in string handling Squid is vulnerable
	    to a denial of service attack when processing specially crafted
	    requests.</p>
	  <p>This problem allows any trusted client to perform a denial
	    of service attack on the Squid service.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Advisories/SQUID-2010_3.txt</url>
    </references>
    <dates>
      <discovery>2010-08-30</discovery>
    </dates>
  </vuln>
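As an added example (not part of this PR or of the ports tree), the following Python checker reads the affected-version part of the proposed VuXML entry above and decides whether a given installed squid version falls inside one of its ranges. The version comparison is a deliberately simplified reimplementation of FreeBSD port version rules (numeric dotted components, `_revision`, `,epoch`, missing trailing components treated as 0); that simplification is an assumption, not the behaviour of pkg_version itself.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the affected-version part of the VuXML entry proposed in this PR.
VUXML = """<vuln vid="7d7d3bc4-babb-11df-8d12-0019996bc1f7">
  <topic>squid -- Denial of Service vulnerability in request handling</topic>
  <affects><package><name>squid</name>
    <range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
    <range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
  </package></affects>
</vuln>"""

# Simplified FreeBSD port version syntax (assumption): version[_revision][,epoch]
_VER_RE = re.compile(r"^(?P<ver>\d+(?:\.\d+)*)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$")

def parse_version(s):
    """'3.0.25_3' -> (epoch=0, parts=(3, 0, 25), revision=3)."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError(f"unsupported version syntax: {s!r}")
    parts = tuple(int(p) for p in m["ver"].split("."))
    return int(m["epoch"] or 0), parts, int(m["rev"] or 0)

def vcmp(a, b):
    """-1/0/1: epoch first, then dotted parts, then _revision; missing parts are 0 (3.1 == 3.1.0)."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)

# VuXML range operators, applied to the result of vcmp(installed, bound).
_OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
        "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def affected_ranges(vuxml, pkgname):
    """Collect the <range> bounds for one package, e.g. [{'ge': '3.0.1', 'lt': '3.0.25_3'}, ...]."""
    root = ET.fromstring(vuxml)
    return [{c.tag: (c.text or "").strip() for c in rng}
            for pkg in root.iter("package") if pkg.findtext("name") == pkgname
            for rng in pkg.findall("range")]

def is_affected(vuxml, pkgname, installed):
    """True if the installed version satisfies every bound of at least one range."""
    return any(all(_OPS[op](vcmp(installed, bound)) for op, bound in rng.items())
               for rng in affected_ranges(vuxml, pkgname))

if __name__ == "__main__":
    for v in ("3.0.25_2", "3.0.25_3", "3.1.7", "3.1.8"):
        print(f"squid-{v}: {'AFFECTED' if is_affected(VUXML, 'squid', v) else 'ok'}")
```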

	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid31)	(Revision 1872)
+++ Makefile	(.../local/squid31)	(Revision 1872)
@@ -88,7 +88,7 @@
 
 LATEST_LINK=	squid31
 
-SQUID_STABLE_VER=	7
+SQUID_STABLE_VER=	8
 
 CONFLICTS=	squid-2.[0-9].* squid-3.[^1].* cacheboy-[0-9]* lusca-head-[0-9]*
 GNU_CONFIGURE=	yes
@@ -181,7 +181,7 @@
 		zh-cn zh-tw \
 		templates
 
-# XXX:	this is probably a bug in 3.1.6: sr-latn should probably a symlink but
+# XXX:	this is probably a bug in 3.1.6+: sr-latn should probably a symlink but
 # 	is installed as a directory; if this is intentional the directory is
 # 	currently empty which is not really useful either.
 error_dirs+=	sr-latn
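Review bot: the touched comment line still reads "sr-latn should probably a symlink"; since it is being edited anyway to say "3.1.6+", make it "should probably be a symlink". It would also help to record in the XXX note whether the sr-latn directory issue has been reported upstream, because the note is now carried forward across releases instead of being tied to one.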
@@ -375,9 +375,6 @@
 .endif
 .if defined(WITH_SQUID_ECAP)
 CONFIGURE_ARGS+=	--enable-ecap --enable-loadable-modules
-# XXX:	work around issues with the bundled libtool from 3.1.5 onwards;
-# 	we need to tell c++ where to find them explicitly
-CFLAGS+=	-I${WRKSRC}/libltdl
 LIB_DEPENDS+=	ecap:${PORTSDIR}/www/libecap
 CFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib
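Review bot: removing `CFLAGS+=	-I${WRKSRC}/libltdl` changes the WITH_SQUID_ECAP build, and neither the PR description (update to 3.1.8, DoS fix) nor the diff says why it is no longer needed. The deleted comment tied the workaround to "the bundled libtool from 3.1.5 onwards", so the implication is that 3.1.8 no longer needs it; please confirm that an ECAP-enabled build of 3.1.8 succeeds without the include path and state that in the commit log so the removal is not mistaken for an accidental deletion.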
Index: distinfo
===================================================================
--- distinfo	(.../www/squid31)	(Revision 1872)
+++ distinfo	(.../local/squid31)	(Revision 1872)
@@ -1,3 +1,3 @@
-MD5 (squid3.1/squid-3.1.7.tar.bz2) = 83e7aabc1b5bb5b7c83f6dc2f32ca418
-SHA256 (squid3.1/squid-3.1.7.tar.bz2) = 5252180a262bdd2cc4ab8afe40c1989c21035bdfe4eaa0bcb19589e3d316d4ac
-SIZE (squid3.1/squid-3.1.7.tar.bz2) = 2422189
+MD5 (squid3.1/squid-3.1.8.tar.bz2) = a8160dfba55ab7c400c622b72d39fc13
+SHA256 (squid3.1/squid-3.1.8.tar.bz2) = 088d4e798ca49e11713facccbd7ef3e7f9b16fc6eb86d59d0c43aa14d66501fe
+SIZE (squid3.1/squid-3.1.8.tar.bz2) = 2423617
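Review bot: the new MD5, SHA256 and SIZE values for squid-3.1.8.tar.bz2 should be compared against the checksums or signature that upstream publishes for the release rather than only regenerated from a fetched tarball, since this hunk is what every later fetch of the port will be verified against; the SIZE line must match the same file the two hashes were taken from.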
	


>Release-Note:
>Audit-Trail:
>Unformatted:


