From: Thomas-Martin Seck
To: FreeBSD-gnats-submit@FreeBSD.org
Date: 18 May 2005 18:39:47 -0000
Message-Id: <20050518183947.1541.qmail@laurel.tmseck.homedns.org>
Subject: ports/81213: [Maintainer] www/squid: update to 2.5.STABLE10

>Number: 81213
>Category: ports
>Synopsis: [Maintainer] www/squid: update to 2.5.STABLE10
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed May 18 18:40:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 4.11-STABLE i386
>Organization: a private site in Germany
>Environment: FreeBSD ports collection as of May 18, 2005.
>Description:
- Update to 2.5.STABLE10. See , section 12, for details.
- Replace a dead mirror site
- Cosmetic changes

Note to committer:
- Please 'cvs add' files/patch-src-Makefile.in
- Please add the following entry to /usr/ports/UPDATING:

20050518:
  AFFECTS: users of www/squid
  AUTHOR: tmseck@netcologne.de

  Starting with 2.5.10, the cachemgr.cgi program uses a configuration file
  cachemgr.conf to control which hosts this program is allowed to manage.
  To prevent abuse, the configuration defaults to "localhost" only. Please
  see cachemgr.cgi(8) for further details.

- Please add the following entries to security/vuxml/vuln.xml:

squid -- possible abuse of cachemgr.cgi
squid 2.5.10

The squid patches page notes:

This patch adds access controls to the cachemgr.cgi script, preventing it from being abused to reach other servers than allowed in a local configuration file.

CVE-1999-0710
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-cachemgr_conf
http://www.squid-cache.org/bugs/show_bug.cgi?id=1094
19990729
TO BE FILLED IN

squid -- DNS lookup spoofing vulnerability
squid 2.5.10

The squid patches page notes:

Malicious users may spoof DNS lookups if the DNS client UDP port (random, assigned by OS as startup) is unfiltered and your network is not protected from IP spoofing.

CAN-2005-1519
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_reply
http://secunia.com/advisories/15294
20050511
TO BE FILLED IN
>How-To-Repeat: >Fix: Apply this patch: Index: distinfo =================================================================== --- distinfo (.../www/squid) (revision 481) +++ distinfo (.../local/squid) (revision 481) 
@@ -1,48 +1,2 @@ -MD5 (squid2.5/squid-2.5.STABLE9.tar.bz2) = 5a34a303dcab8851c7ab20e24af69b61 -SIZE (squid2.5/squid-2.5.STABLE9.tar.bz2) = 1057776 -MD5 (squid2.5/squid-2.5.STABLE9-setcookie.patch) = f4abbc43af5251380b3caaa9b08d0572 -SIZE (squid2.5/squid-2.5.STABLE9-setcookie.patch) = 5328 -MD5 (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = c4ae820794f301b909415e0f4728f1c9 -SIZE (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = 4108 -MD5 (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = ddc034a2c2a002bfcf6bf97eb21e8b57 -SIZE (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = 709 -MD5 (squid2.5/squid-2.5.STABLE9-acl_error.patch) = f70922d873ce73c7fdad8bf7156afeb4 -SIZE (squid2.5/squid-2.5.STABLE9-acl_error.patch) = 8499 -MD5 (squid2.5/squid-2.5.STABLE9-date.patch) = 7ce5a1f82bf646f5c6fdd60be658ea3f -SIZE (squid2.5/squid-2.5.STABLE9-date.patch) = 5647 -MD5 (squid2.5/squid-2.5.STABLE9-reload_into_ims.patch) = 433dde5bbbd67eee5ca60cd2e0827263 -SIZE (squid2.5/squid-2.5.STABLE9-reload_into_ims.patch) = 852 -MD5 (squid2.5/squid-2.5.STABLE9-delay_access_doc.patch) = 6550fb36d16ea17067dbab43964a224a -SIZE (squid2.5/squid-2.5.STABLE9-delay_access_doc.patch) = 1258 -MD5 (squid2.5/squid-2.5.STABLE9-config_overflow.patch) = 8770c7900b1135a3ded7560ed4491887 -SIZE (squid2.5/squid-2.5.STABLE9-config_overflow.patch) = 591 -MD5 (squid2.5/squid-2.5.STABLE9-bzero.patch) = 90c46b9ba7ff62034c0ca63a70eb2c09 -SIZE (squid2.5/squid-2.5.STABLE9-bzero.patch) = 11326 -MD5 (squid2.5/squid-2.5.STABLE9-pid_t.patch) = 58e869d6d34fe4bff497271003da0916 -SIZE (squid2.5/squid-2.5.STABLE9-pid_t.patch) = 5576 -MD5 (squid2.5/squid-2.5.STABLE9-ctype.patch) = 039b4cf0e8c5b910be54da68952400e1 -SIZE (squid2.5/squid-2.5.STABLE9-ctype.patch) = 4698 -MD5 (squid2.5/squid-2.5.STABLE9-defer_digest_fetch.patch) = 437d440cc4cfeb37b636c998e124a5fe -SIZE (squid2.5/squid-2.5.STABLE9-defer_digest_fetch.patch) = 1026 -MD5 (squid2.5/squid-2.5.STABLE9-dup_content_length.patch) = 50da2e64f2b3a80b1a8ffdd94e2b4ef4 -SIZE 
(squid2.5/squid-2.5.STABLE9-dup_content_length.patch) = 1685 -MD5 (squid2.5/squid-2.5.STABLE9-excess_data.patch) = c9ab2d162574e44da51f4e14c653652e -SIZE (squid2.5/squid-2.5.STABLE9-excess_data.patch) = 1553 -MD5 (squid2.5/squid-2.5.STABLE9-aufs.patch) = db9e5a04e525da825e8d16764a996618 -SIZE (squid2.5/squid-2.5.STABLE9-aufs.patch) = 9317 -MD5 (squid2.5/squid-2.5.STABLE9-long_basic_auth.patch) = 38ba50f5fd44ba860cff7a4ddc67dac0 -SIZE (squid2.5/squid-2.5.STABLE9-long_basic_auth.patch) = 1328 -MD5 (squid2.5/squid-2.5.STABLE9-CONNECT_truncated.patch) = 76292a83e6f4c4d0b368522deac045ee -SIZE (squid2.5/squid-2.5.STABLE9-CONNECT_truncated.patch) = 4885 -MD5 (squid2.5/squid-2.5.STABLE9-disable_hostname_checks.patch) = dc3eb6e50a1c5e59beddad2e78d0743e -SIZE (squid2.5/squid-2.5.STABLE9-disable_hostname_checks.patch) = 2964 -MD5 (squid2.5/squid-2.5.STABLE9-aufs_shutdown.patch) = 2ab5c4eaa70d5236c867a68834e1ff4d -SIZE (squid2.5/squid-2.5.STABLE9-aufs_shutdown.patch) = 10649 -MD5 (squid2.5/squid-2.5.STABLE9-2GB.patch) = bd40083101352328694d2cd7f296b536 -SIZE (squid2.5/squid-2.5.STABLE9-2GB.patch) = 248552 -MD5 (squid2.5/squid-2.5.STABLE9-cachemgr_objects.patch) = cc3c6c61b46f50ea93271997e3002349 -SIZE (squid2.5/squid-2.5.STABLE9-cachemgr_objects.patch) = 2625 -MD5 (squid2.5/squid-2.5.STABLE9-extaclauth.patch) = b3c3282e6f1550e698e7a3f3ad87a7bc -SIZE (squid2.5/squid-2.5.STABLE9-extaclauth.patch) = 1799 -MD5 (squid2.5/squid-2.5.STABLE9-syslog.patch) = 80998c4bea14b0eacabc10065acb672e -SIZE (squid2.5/squid-2.5.STABLE9-syslog.patch) = 7439 +MD5 (squid2.5/squid-2.5.STABLE10.tar.bz2) = e6db8bdfc783b3baed7de803c9a39e55 +SIZE (squid2.5/squid-2.5.STABLE10.tar.bz2) = 1069922 Index: files/patch-src-Makefile.in =================================================================== --- files/patch-src-Makefile.in (.../www/squid) (revision 0) +++ files/patch-src-Makefile.in (.../local/squid) (revision 481) 
@@ -0,0 +1,11 @@ +--- src/Makefile.in.orig Tue May 17 22:06:43 2005 ++++ src/Makefile.in Tue May 17 22:05:39 2005 +@@ -377,7 +377,7 @@ + + DEFAULT_PREFIX = $(prefix) + DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf +-DEFAULT_CACHEMGR_CONFIG = $(sysconfdir)/cachemgr.conf ++DEFAULT_CACHEMGR_CONFIG = $(sysconfdir)/cachemgr.conf.default + DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf + DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed '$(transform);s/$$/$(EXEEXT)/'` + DEFAULT_LOG_PREFIX = $(localstatedir)/logs Index: pkg-install =================================================================== --- pkg-install (.../www/squid) (revision 481) +++ pkg-install (.../local/squid) (revision 481) @@ -121,13 +121,14 @@ fi ;; POST-INSTALL) - for file in mime.conf squid.conf; do + for file in cachemgr.conf mime.conf squid.conf; do if [ ! -f ${squid_confdir}/${file} \ -a -f ${squid_confdir}/${file}.default ]; then - echo "Creating ${file} from default..." - install -c -o root -g ${squid_group} -m 0640 \ - ${squid_confdir}/${file}.default ${squid_confdir}/${file} - fi + echo "Creating ${file} from default..." + install -c -o root -g ${squid_group} -m 0640 \ + ${squid_confdir}/${file}.default \ + ${squid_confdir}/${file} + fi done echo "===> Post-installation informations for ${pkgname}" Index: Makefile =================================================================== --- Makefile (.../www/squid) (revision 481) +++ Makefile (.../local/squid) (revision 481) 
@@ -65,43 +65,20 @@ # PORTNAME= squid -PORTVERSION= 2.5.9 -PORTREVISION= 5 +PORTVERSION= 2.5.10 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ ftp://ftp.unimelb.edu.au/pub/cwis/servers/unix/squid/%SUBDIR%/ \ ftp://sunsite.auc.dk/pub/infosystems/squid/%SUBDIR%/ \ - ftp://ftp.leo.org/pub/comp/general/infosys/www/servers/squid/%SUBDIR%/ \ + ftp://ftp.mirrorservice.org/sites/ftp.squid-cache.org/pub/ \ ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/www/squid/&,} MASTER_SITE_SUBDIR= squid-2/STABLE -DISTNAME= squid-2.5.STABLE9 +DISTNAME= squid-2.5.STABLE10 DIST_SUBDIR= squid2.5 PATCH_SITES= http://www.squid-cache.org/Versions/v2/2.5/bugs/ -PATCHFILES= squid-2.5.STABLE9-setcookie.patch \ - squid-2.5.STABLE9-ftp_EPLF.patch \ - squid-2.5.STABLE9-ftp_base_href.patch \ - squid-2.5.STABLE9-acl_error.patch \ - squid-2.5.STABLE9-date.patch \ - squid-2.5.STABLE9-reload_into_ims.patch \ - squid-2.5.STABLE9-delay_access_doc.patch \ - squid-2.5.STABLE9-config_overflow.patch \ - squid-2.5.STABLE9-bzero.patch \ - squid-2.5.STABLE9-pid_t.patch \ - squid-2.5.STABLE9-ctype.patch \ - squid-2.5.STABLE9-defer_digest_fetch.patch \ - squid-2.5.STABLE9-dup_content_length.patch \ - squid-2.5.STABLE9-excess_data.patch \ - squid-2.5.STABLE9-aufs.patch \ - squid-2.5.STABLE9-long_basic_auth.patch \ - squid-2.5.STABLE9-CONNECT_truncated.patch \ - squid-2.5.STABLE9-disable_hostname_checks.patch \ - squid-2.5.STABLE9-aufs_shutdown.patch \ - squid-2.5.STABLE9-2GB.patch \ - squid-2.5.STABLE9-cachemgr_objects.patch \ - squid-2.5.STABLE9-extaclauth.patch \ - squid-2.5.STABLE9-syslog.patch +PATCHFILES= PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de @@ -116,7 +93,7 @@ SQUID_UID?= squid SQUID_GID?= squid -MAN8= squid.8 +MAN8= cachemgr.cgi.8 squid.8 docs= QUICKSTART README RELEASENOTES.html doc/debug-sections.txt .if !defined(NOPORTDOCS) PORTDOCS= ${docs:T} 
@@ -148,7 +125,8 @@ SQUID_STACKTRACES "Create backtraces on fatal errors" off \ SQUID_RCNG "Install an rcNG startup script" on -etc_files= rc.d/squid.sh squid/mib.txt squid/mime.conf.default \ +etc_files= rc.d/squid.sh squid/cachemgr.conf.default \ + squid/mib.txt squid/mime.conf.default \ squid/msntauth.conf.default squid/squid.conf.default icon_files= anthony-binhex.gif anthony-bomb.gif anthony-box.gif \ @@ -307,7 +285,7 @@ # information. .if defined(WITH_SQUID_IPFILTER) .if (${OSVERSION} >= 470000 && ${OSVERSION} < 500000) || (${OSVERSION} > 500032 && ${OSVERSION} < 501101) -IGNORE= "IPFilter headers are not part of the base system" +IGNORE= IPFilter headers are not part of the base system .else CONFIGURE_ARGS+= --enable-ipf-transparent .endif @@ -375,7 +353,6 @@ post-patch: @${REINPLACE_CMD} -e 's|-lpthread|${PTHREAD_LIBS}|g' ${WRKSRC}/configure - @${REINPLACE_CMD} -e 's|/etc|${PREFIX}/etc|g' ${WRKSRC}/doc/squid.8 @${REINPLACE_CMD} -e 's|%%SQUID_UID%%|${SQUID_UID}|g' \ -e 's|%%SQUID_GID%%|${SQUID_GID}|g' ${WRKSRC}/src/cf.data.pre Index: pkg-deinstall =================================================================== --- pkg-deinstall (.../www/squid) (revision 481) +++ pkg-deinstall (.../local/squid) (revision 481) @@ -8,7 +8,7 @@ case $2 in DEINSTALL) cd ${PKG_PREFIX}/etc/squid || exit 1 - for f in squid.conf mime.conf msntauth.conf; do + for f in cachemgr.conf mime.conf msntauth.conf squid.conf; do cmp -s -z ${f} ${f}.default && rm ${f} done ;; >Release-Note: >Audit-Trail: >Unformatted:
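
Review bot: In the distinfo hunk, the new squid-2.5.STABLE10.tar.bz2 entry is pinned only by an MD5 line and a SIZE line, and that one tarball now replaces the base distfile plus all 23 separately checksummed STABLE9 patch files. If the ports infrastructure at this revision accepts a stronger digest line next to MD5, please add one. In either case the committer should confirm the checksum and size against what squid-cache.org publishes, and confirm that each of the removed patches is actually contained in STABLE10 before PATCHFILES is emptied.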
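
Review bot: In files/patch-src-Makefile.in, the change rewrites the value of DEFAULT_CACHEMGR_CONFIG itself to $(sysconfdir)/cachemgr.conf.default, so every use of that variable in src/Makefile.in changes, not only the install destination. Please confirm the variable is not also the path compiled into cachemgr.cgi. If it is, the CGI would read cachemgr.conf.default and ignore the cachemgr.conf that pkg-install creates and the administrator edits, which defeats the host restriction this update is meant to introduce. Patching only the install rule would avoid that ambiguity.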
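
Review bot: In the pkg-install POST-INSTALL hunk, cachemgr.conf is added to the same loop that installs files with "-o root -g ${squid_group} -m 0640", but unlike squid.conf and mime.conf this file is read by cachemgr.cgi, which normally runs as the web server's user rather than as a member of the squid group. Unless that user is in ${squid_group}, the CGI cannot read its access list. Please either install cachemgr.conf with permissions the CGI user can read (the file holds a host list, so world-readable may be acceptable) or state the required group membership in the post-install message, and say what cachemgr.cgi does when the file is unreadable.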
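
Review bot: In the first Makefile hunk (@@ -65,43 +65,20 @@), the replacement mirror "ftp://ftp.mirrorservice.org/sites/ftp.squid-cache.org/pub/" ends at pub/ and carries no %SUBDIR%, while every other MASTER_SITES entry ends in %SUBDIR%/ so that MASTER_SITE_SUBDIR= squid-2/STABLE is appended. As written, the fetch from this mirror would look for the distfile directly under pub/. If the mirror follows the upstream layout, append %SUBDIR%/ to the entry.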
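
Review bot: In the Makefile post-patch hunk (@@ -375,7 +353,6 @@), the line rewriting /etc to ${PREFIX}/etc in doc/squid.8 is removed and nothing equivalent is added for cachemgr.cgi.8, which this patch newly lists in MAN8 and which the proposed UPDATING entry tells users to read. Please confirm that both installed man pages now name the configuration files under ${PREFIX}/etc without the substitution; otherwise administrators following cachemgr.cgi(8) may edit a cachemgr.conf in a location the program does not use.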