From owner-freebsd-ports-bugs@FreeBSD.ORG  Tue Oct 18 19:20:16 2005
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DDDA816A420
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 18 Oct 2005 19:20:16 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D3F1D43D48
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 18 Oct 2005 19:20:15 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j9IJKFND023214
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Tue, 18 Oct 2005 19:20:15 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j9IJKFAA023213;
	Tue, 18 Oct 2005 19:20:15 GMT (envelope-from gnats)
Resent-Date: Tue, 18 Oct 2005 19:20:15 GMT
Resent-Message-Id: <200510181920.j9IJKFAA023213@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Thomas-Martin Seck <tmseck@netcologne.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 33BA716A41F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 18 Oct 2005 19:16:25 +0000 (GMT)
	(envelope-from tmseck@netcologne.de)
Received: from smtp1.netcologne.de (smtp1.netcologne.de [194.8.194.112])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7505C43D4C
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 18 Oct 2005 19:16:21 +0000 (GMT)
	(envelope-from tmseck@netcologne.de)
Received: from laurel.tmseck.homedns.org (xdsl-87-78-52-150.netcologne.de
	[87.78.52.150])
	by smtp1.netcologne.de (Postfix) with SMTP id 546BA39011
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 18 Oct 2005 21:16:17 +0200 (MEST)
Received: (qmail 4218 invoked by uid 1001); 18 Oct 2005 19:16:39 -0000
Message-Id: <20051018191639.4217.qmail@laurel.tmseck.homedns.org>
Date: 18 Oct 2005 19:16:39 -0000
From: Thomas-Martin Seck <tmseck@netcologne.de>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: secteam@FreeBSD.org
Subject: ports/87637: [Maintainer] [Security] www/squid: integrate vendor
	patches; fix an FTP parsing vulnerability
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Thomas-Martin Seck <tmseck@netcologne.de>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2005 19:20:17 -0000


>Number:         87637
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: integrate vendor patches; fix an FTP parsing vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 18 19:20:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Oct 18, 2005.

	
>Description:
Integrate the following vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

- document that tcp_outgoing_xxx works badly in combination with
  server_persistent_connections (squid bug #454)
- add more tracing in test mode of squid_ldap_auth (squid bug #1395)
- fix breakage of accel_single_host when combined with
  server_persistent_connection (squid bug #1402)
- correctly implement the CACHE_HTTP_PORT configuration directive
  (squid bug #1403)
- fix the problem that CNAME addresses were remembered with a wrong TTL
  (squid bug #1404)
- fix incorrect handling of squid-internal-dynamic/netdb in conjunction with
  httpd_accel/transparent proxies (squid bug #1410)
- properly revalidate the cache on HEAD requests (squid bug #1411)
- correct handling of Set-Cookie headers on cache refreshes (squid bug #1419)
- fix a vulnerability in the FTP parsing code (squid bug #1426)

VuXML data for squid bug #1426 (please fill in <entry> date):

  <vuln vid="cf5d84d0-4007-11da-9e1e-c296ac722cb3">
    <topic>squid -- vulnerability in FTP parsing code</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.11_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape">
	  <p>In certain odd FTP server responses Squid may crash with
	     a segmentation fault in rfc1738_do_escape.</p>
	  <p>Workaround: deny access to the ftp protocol via the proxy</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1426</url>
      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape</url>
    </references>
    <dates>
      <discovery>2005-10-12</discovery>
      <entry>YYYY-MM-DD</entry>
    </dates>
  </vuln>


	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 600)
+++ distinfo	(.../local/squid)	(revision 600)
@@ -2,3 +2,23 @@
 SIZE (squid2.5/squid-2.5.STABLE11.tar.bz2) = 1075431
 MD5 (squid2.5/squid-2.5.STABLE11-delaypools_truncated.patch) = 73bd15ae4853d9b0f45ac4277b35ed15
 SIZE (squid2.5/squid-2.5.STABLE11-delaypools_truncated.patch) = 588
+MD5 (squid2.5/squid-2.5.STABLE11-tcp_outgoing_xxx.patch) = 18846f871032c4d7c496373c24b9f4d9
+SIZE (squid2.5/squid-2.5.STABLE11-tcp_outgoing_xxx.patch) = 1140
+MD5 (squid2.5/squid-2.5.STABLE11-ldap_auth.patch) = a22867a5be67b3ff2dd35ab338b05d9e
+SIZE (squid2.5/squid-2.5.STABLE11-ldap_auth.patch) = 4857
+MD5 (squid2.5/squid-2.5.STABLE11.accel_single_host_pconn.patch) = f6ad18183bb3df2da1c5e6287b7162ea
+SIZE (squid2.5/squid-2.5.STABLE11.accel_single_host_pconn.patch) = 944
+MD5 (squid2.5/squid-2.5.STABLE11-CACHE_HTTP_PORT.patch) = a43d8d7bed00dc0caebec7b440625a11
+SIZE (squid2.5/squid-2.5.STABLE11-CACHE_HTTP_PORT.patch) = 4010
+MD5 (squid2.5/squid-2.5.STABLE11-CNAME.patch) = 263c1a76d470ad4553e05e686e422de2
+SIZE (squid2.5/squid-2.5.STABLE11-CNAME.patch) = 3825
+MD5 (squid2.5/squid-2.5.STABLE11-httpd_accel-internal.patch) = fe88ab718a58e484bbf8ce6ce6111dd3
+SIZE (squid2.5/squid-2.5.STABLE11-httpd_accel-internal.patch) = 1736
+MD5 (squid2.5/squid-2.5.STABLE11-IMS-HEAD.patch) = 1e8ddcd080f431c8f3c059366e159765
+SIZE (squid2.5/squid-2.5.STABLE11-IMS-HEAD.patch) = 834
+MD5 (squid2.5/squid-2.5.STABLE11-redirect-CONNECT.patch) = 16e8a386cae25b5b0493adb66d89416f
+SIZE (squid2.5/squid-2.5.STABLE11-redirect-CONNECT.patch) = 1282
+MD5 (squid2.5/squid-2.5.STABLE11-setcookie.patch) = 0d1acad61df0ffb5224cb3910f25fb29
+SIZE (squid2.5/squid-2.5.STABLE11-setcookie.patch) = 531
+MD5 (squid2.5/squid-2.5.STABLE11-rfc1738_do_escape.patch) = 43094437e3d66aa1cb141ea4c776df19
+SIZE (squid2.5/squid-2.5.STABLE11-rfc1738_do_escape.patch) = 3302
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 600)
+++ Makefile	(.../local/squid)	(revision 600)
@@ -70,7 +70,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.11
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -83,7 +83,17 @@
 DIST_SUBDIR=	squid2.5
 
 PATCH_SITES=	http://www.squid-cache.org/Versions/v2/2.5/bugs/
-PATCHFILES=	squid-2.5.STABLE11-delaypools_truncated.patch
+PATCHFILES=	squid-2.5.STABLE11-delaypools_truncated.patch \
+		squid-2.5.STABLE11-tcp_outgoing_xxx.patch \
+		squid-2.5.STABLE11-ldap_auth.patch \
+		squid-2.5.STABLE11.accel_single_host_pconn.patch \
+		squid-2.5.STABLE11-CACHE_HTTP_PORT.patch \
+		squid-2.5.STABLE11-CNAME.patch \
+		squid-2.5.STABLE11-httpd_accel-internal.patch \
+		squid-2.5.STABLE11-IMS-HEAD.patch \
+		squid-2.5.STABLE11-redirect-CONNECT.patch \
+		squid-2.5.STABLE11-setcookie.patch \
+		squid-2.5.STABLE11-rfc1738_do_escape.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
	


>Release-Note:
>Audit-Trail:
>Unformatted: