Date: 15 Sep 2005 18:38:42 -0000 From: Thomas-Martin Seck <tmseck@netcologne.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: security-team@FreeBSD.org Subject: ports/86179: [Maintainer] [Security] www/squid: integrate vendor patches; fix a possible DOS condition Message-ID: <20050915183842.33944.qmail@laurel.tmseck.homedns.org> Resent-Message-ID: <200509151840.j8FIeGsg058089@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 86179 >Category: ports >Synopsis: [Maintainer] [Security] www/squid: integrate vendor patches; fix a possible DOS condition >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Sep 15 18:40:16 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Thomas-Martin Seck >Release: FreeBSD 4.11-STABLE i386 >Organization: a private site in Germany >Environment: FreeBSD ports collection as of Sept 15, 2005. >Description: Integrate the following vendor patches as published on <http://www.squid-cache.org/Versions/v2/2.5/bugs/>: (Note: the IPFilter related patches were omitted because they did not apply cleanly on my (the maintainer's) development system and I had not yet time to investigate. squid-2.5.STABLE11 will contain them and is scheduled to be released soon.) - LDAP helpers do not work with TLS (-Z option) (squid bug #1389) - Incorrect store dir selection debug message on objects >2G (squid bug #1343) - Enums cannot be assumed to be signed ints (squid bug #1343) - Allow leaving core dumps on Linux (squid bug #1335) - Do not let clients bypass delay pools by faking a cache hit (squid bug #500) - Fix problems regarding CONNECT requests when squid is configured with "pipeline_prefetch on" - Fix a possible DOS condition which may be triggered by certain NTLM authentication requests (squid bug #1391) Remove a patch that is obsolete with the removal of security/pf and the related pre-patch actions. Note to committer: please 'cvs rm' files/pf_from_ports.patch.in VuXML information for the possible DOS condition regarding NTLM: <vuln vid="44e7764c-2614-11da-9e1e-c296ac722cb3"> <topic>squid -- possible denial of service condition regarding NTLM authentication</topic> <affects> <package> <name>squid</name> <range><lt>2.5.10_6</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>The squid patches page notes:</p> <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-NTLM-scheme_assert">; <p>Squid may crash with the above error [FATAL: Incorrect scheme in auth header] when given certain request sentences.</p> <p>Workaround: disable NTLM authentication.</p> </blockquote> </body> </description> <references> <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1391</url>; <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-NTLM-scheme_assert</url>; </references> <dates> <discovery>2005-09-12</discovery> <entry>YYYY-MM-DD</entry> </dates> </vuln> >How-To-Repeat: >Fix: Apply this patch: Index: distinfo =================================================================== --- distinfo (.../www/squid) (revision 566) +++ distinfo (.../local/squid) (revision 566) @@ -50,3 +50,17 @@ SIZE (squid2.5/squid-2.5.STABLE10-cacheClientTable.patch) = 632 MD5 (squid2.5/squid-2.5.STABLE10-mail_from.patch) = 8a944c1d3f3bac0d1dadcb7aace0ad68 SIZE (squid2.5/squid-2.5.STABLE10-mail_from.patch) = 1863 +MD5 (squid2.5/squid-2.5.STABLE10-LDAP_TLS.patch) = be16c3bd42c1e72c84db9107d91fb1d7 +SIZE (squid2.5/squid-2.5.STABLE10-LDAP_TLS.patch) = 2466 +MD5 (squid2.5/squid-2.5.STABLE10-storedir_objsize_debug.patch) = 50c480674cc3cf8de7362e0a440c2753 +SIZE (squid2.5/squid-2.5.STABLE10-storedir_objsize_debug.patch) = 1289 +MD5 (squid2.5/squid-2.5.STABLE10-header_id_enum.patch) = df2c547c9390f060333683e7e60b6363 +SIZE (squid2.5/squid-2.5.STABLE10-header_id_enum.patch) = 628 +MD5 (squid2.5/squid-2.5.STABLE10-allow_coredump.patch) = 14184adb5452ddac77c8511ee1202689 +SIZE (squid2.5/squid-2.5.STABLE10-allow_coredump.patch) = 3496 +MD5 (squid2.5/squid-2.5.STABLE10-delay_pools.patch) = bd4e5d3d8fbea996d29cfe6d6132cb0a +SIZE (squid2.5/squid-2.5.STABLE10-delay_pools.patch) = 7782 +MD5 (squid2.5/squid-2.5.STABLE10-pipeline-CONNECT.patch) = 9e264ac64f93755ccfdce33f14a470c3 +SIZE (squid2.5/squid-2.5.STABLE10-pipeline-CONNECT.patch) = 6316 +MD5 (squid2.5/squid-2.5.STABLE10-NTLM-scheme_assert.patch) = e62ba264eaa7c248ef8d8cbb3777110c +SIZE (squid2.5/squid-2.5.STABLE10-NTLM-scheme_assert.patch) = 1203 Index: files/pf_from_ports.patch.in =================================================================== --- files/pf_from_ports.patch.in (.../www/squid) (revision 566) +++ files/pf_from_ports.patch.in (.../local/squid) (revision 566) @@ -1,20 +0,0 @@ ---- configure.orig Thu Jun 10 12:22:06 2004 -+++ configure Thu Jun 10 13:31:53 2004 -@@ -3781,7 +3781,7 @@ - memory.h \ - mount.h \ - net/if.h \ -- net/pfvar.h \ -+ %%PF_INCLUDEDIR%%/net/pfvar.h \ - netdb.h \ - netinet/if_ether.h \ - netinet/in.h \ -@@ -7604,7 +7604,7 @@ - echo $ac_n "checking if PF header file is installed""... $ac_c" 1>&6 - echo "configure:7606: checking if PF header file is installed" >&5 - # hold on to your hats... -- if test "$ac_cv_header_net_pfvar_h" = "yes"; then -+ if test "$ac_cv_header_%%PF_AC_INCLUDEPATH%%_net_pfvar_h" = "yes"; then - PF_TRANSPARENT="yes" - cat >> confdefs.h <<\EOF - #define PF_TRANSPARENT 1 Index: Makefile =================================================================== --- Makefile (.../www/squid) (revision 566) +++ Makefile (.../local/squid) (revision 566) @@ -66,7 +66,7 @@ PORTNAME= squid PORTVERSION= 2.5.10 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -103,7 +103,14 @@ squid-2.5.STABLE10-STORE_PENDING.patch \ squid-2.5.STABLE10-ldap_auth-U.patch \ squid-2.5.STABLE10-cacheClientTable.patch \ - squid-2.5.STABLE10-mail_from.patch + squid-2.5.STABLE10-mail_from.patch \ + squid-2.5.STABLE10-LDAP_TLS.patch \ + squid-2.5.STABLE10-storedir_objsize_debug.patch \ + squid-2.5.STABLE10-header_id_enum.patch \ + squid-2.5.STABLE10-allow_coredump.patch \ + squid-2.5.STABLE10-delay_pools.patch \ + squid-2.5.STABLE10-pipeline-CONNECT.patch \ + squid-2.5.STABLE10-NTLM-scheme_assert.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de @@ -364,15 +371,6 @@ .endfor PLIST_DIRS+= etc/squid/errors etc/squid squid/logs squid/cache squid -pre-patch: -# Check whether we need to create the extra patch that makes pf(4) -# visible to squid's configure script: -.if defined(pf_includedir) - @${SED} -e 's|%%PF_INCLUDEDIR%%|${pf_includedir}|g' \ - -e 's|%%PF_AC_INCLUDEPATH%%|${pf_includedir:S,/,_,g}|g' \ - ${PATCHDIR}/pf_from_ports.patch.in >${WRKDIR}/pf_from_ports.patch -.endif - post-patch: @${REINPLACE_CMD} -e 's|-lpthread|${PTHREAD_LIBS}|g' ${WRKSRC}/configure @${REINPLACE_CMD} -e 's|%%SQUID_UID%%|${SQUID_UID}|g' \ >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050915183842.33944.qmail>