Date: 22 Dec 2004 17:50:24 -0000 From: Thomas-Martin Seck <tmseck@netcologne.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: security-team@FreeBSD.org Subject: ports/75403: [Maintainer] www/squid: change handling of empty ACL declarations Message-ID: <20041222175024.1912.qmail@laurel.tmseck.homedns.org> Resent-Message-ID: <200412221750.iBMHoT4m000759@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 75403 >Category: ports >Synopsis: [Maintainer] www/squid: change handling of empty ACL declarations >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Wed Dec 22 17:50:29 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Thomas-Martin Seck >Release: FreeBSD 4.10-STABLE i386 >Organization: a private site in Germany >Environment: FreeBSD ports collection as of December 22, 2004. >Description: Integrate a vendor patch to change the way empty ACL definitions are handled to avoid accidental foot-shooting (squid bug #1166). Further details are available via the squid patch page <http://www.squid-cache.org/Versions/v2/2.5/bugs/>. security-team@ CC'ed since the vendor classified the problem as a minor(?) security issue, proposed VuXML information follows (real entry date needs to be filled in): <vuln vid="a30e5e44-5440-11d9-9e1e-c296ac722cb3"> <topic>squid -- confusing results results on empty acl declarations</topic> <affects> <package> <name>squid</name> <range><lt>2.5.7_5</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>The squid-2.5 patches pages notes:</p> <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls">; <p>The meaning of the access controls becomes somewhat confusing if any of the referenced acls is declared empty, without an members.</p> <p>[Administrators should] pay attention to warnings from "squid -k parse" and do not use configurations where there are warnings about access controls in production.</p> </blockquote> </body> </description> <references> <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url>; </references> <dates> <discovery>2004-12-21</discovery> <entry>YYYY-MM-DD</entry> </dates> </vuln> >How-To-Repeat: >Fix: Apply this patch: Index: distinfo =================================================================== --- distinfo (.../www/squid) (revision 310) +++ distinfo (.../local/squid) (revision 310) @@ -16,3 +16,5 @@ SIZE (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 843 MD5 (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = fdde57025dbfb8caf9154e24b4e1bf3e SIZE (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = 6238 +MD5 (squid2.5/squid-2.5.STABLE7-empty_acls.patch) = 28423e8ee2359ec2537581fe2a79ecd6 +SIZE (squid2.5/squid-2.5.STABLE7-empty_acls.patch) = 4015 Index: Makefile =================================================================== --- Makefile (.../www/squid) (revision 310) +++ Makefile (.../local/squid) (revision 310) @@ -74,7 +74,7 @@ PORTNAME= squid PORTVERSION= 2.5.7 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -94,7 +94,8 @@ squid-2.5.STABLE7-blank_response.patch \ squid-2.5.STABLE7-dothost.patch \ squid-2.5.STABLE7-httpd_accel_vport.patch \ - squid-2.5.STABLE7-cachemgr_vmobjects.patch + squid-2.5.STABLE7-cachemgr_vmobjects.patch \ + squid-2.5.STABLE7-empty_acls.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041222175024.1912.qmail>