From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Sep 7 21:00:16 2010 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A35DF10656C6 for ; Tue, 7 Sep 2010 21:00:16 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 652AD8FC19 for ; Tue, 7 Sep 2010 21:00:16 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o87L0GuC046414 for ; Tue, 7 Sep 2010 21:00:16 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o87L0GxY046403; Tue, 7 Sep 2010 21:00:16 GMT (envelope-from gnats) Resent-Date: Tue, 7 Sep 2010 21:00:16 GMT Resent-Message-Id: <201009072100.o87L0GxY046403@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Thomas-Martin Seck Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8D0F710656CB for ; Tue, 7 Sep 2010 20:56:58 +0000 (UTC) (envelope-from tmseck@netcologne.de) Received: from smtp5.netcologne.de (smtp5.netcologne.de [194.8.194.25]) by mx1.freebsd.org (Postfix) with ESMTP id 3AD338FC0C for ; Tue, 7 Sep 2010 20:56:57 +0000 (UTC) Received: from wcfields.tmseck.homedns.org (xdsl-89-0-188-83.netcologne.de [89.0.188.83]) by smtp5.netcologne.de (Postfix) with SMTP id 5863040CBEC for ; Tue, 7 Sep 2010 22:56:56 +0200 (CEST) Received: (qmail 5217 invoked by uid 1001); 7 Sep 2010 20:56:56 -0000 Message-Id: <20100907205656.5216.qmail@wcfields.tmseck.homedns.org> Date: 7 Sep 2010 20:56:56 -0000 From: Thomas-Martin Seck To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: ports-security@FreeBSD.org Subject: ports/150364: [Maintainer] [security] www/squid31: update to 3.1.8, fix denial of service vulnerability X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Thomas-Martin Seck List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Sep 2010 21:00:16 -0000 >Number: 150364 >Category: ports >Synopsis: [Maintainer] [security] www/squid31: update to 3.1.8, fix denial of service vulnerability >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Tue Sep 07 21:00:15 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Thomas-Martin Seck >Release: FreeBSD 8.1-RELEASE amd64 >Organization: a private site in Germany >Environment: FreeBSD ports collection as of September 7, 2010. >Description: Update to 3.1.8. This update fixes a denial of service vulnerability that can be triggered by specially crafted client requests. See Squid Security Advisory 2010:3 for details. Proposed VuXML entry: squid -- Denial of Service vulnerability in request handling squid 3.0.13.0.25_3 3.1.0.13.1.8

Squid security advisory 2010:3 reports:

Due to an internal error in string handling Squid is vulnerable to a denial of service attack when processing specially crafted requests.

This problem allows any trusted client to perform a denial of service attack on the Squid service.

 http://www.squid-cache.org/Advisories/SQUID-2010_3.txt 2010-08-30 >How-To-Repeat: >Fix: Apply this patch: Index: Makefile =================================================================== --- Makefile (.../www/squid31) (Revision 1872) +++ Makefile (.../local/squid31) (Revision 1872) @@ -88,7 +88,7 @@ LATEST_LINK= squid31 -SQUID_STABLE_VER= 7 +SQUID_STABLE_VER= 8 CONFLICTS= squid-2.[0-9].* squid-3.[^1].* cacheboy-[0-9]* lusca-head-[0-9]* GNU_CONFIGURE= yes @@ -181,7 +181,7 @@ zh-cn zh-tw \ templates -# XXX: this is probably a bug in 3.1.6: sr-latn should probably a symlink but +# XXX: this is probably a bug in 3.1.6+: sr-latn should probably a symlink but # is installed as a directory; if this is intentional the directory is # currently empty which is not really useful either. error_dirs+= sr-latn @@ -375,9 +375,6 @@ .endif .if defined(WITH_SQUID_ECAP) CONFIGURE_ARGS+= --enable-ecap --enable-loadable-modules -# XXX: work around issues with the bundled libtool from 3.1.5 onwards; -# we need to tell c++ where to find them explicitly -CFLAGS+= -I${WRKSRC}/libltdl LIB_DEPENDS+= ecap:${PORTSDIR}/www/libecap CFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib Index: distinfo =================================================================== --- distinfo (.../www/squid31) (Revision 1872) +++ distinfo (.../local/squid31) (Revision 1872) @@ -1,3 +1,3 @@ -MD5 (squid3.1/squid-3.1.7.tar.bz2) = 83e7aabc1b5bb5b7c83f6dc2f32ca418 -SHA256 (squid3.1/squid-3.1.7.tar.bz2) = 5252180a262bdd2cc4ab8afe40c1989c21035bdfe4eaa0bcb19589e3d316d4ac -SIZE (squid3.1/squid-3.1.7.tar.bz2) = 2422189 +MD5 (squid3.1/squid-3.1.8.tar.bz2) = a8160dfba55ab7c400c622b72d39fc13 +SHA256 (squid3.1/squid-3.1.8.tar.bz2) = 088d4e798ca49e11713facccbd7ef3e7f9b16fc6eb86d59d0c43aa14d66501fe +SIZE (squid3.1/squid-3.1.8.tar.bz2) = 2423617 >Release-Note: >Audit-Trail: >Unformatted: