From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Mar 5 14:10:18 2005 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2001816A4CE for ; Sat, 5 Mar 2005 14:10:18 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7B1E343D4C for ; Sat, 5 Mar 2005 14:10:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j25EAH1K039599 for ; Sat, 5 Mar 2005 14:10:17 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j25EAHfn039598; Sat, 5 Mar 2005 14:10:17 GMT (envelope-from gnats) Resent-Date: Sat, 5 Mar 2005 14:10:17 GMT Resent-Message-Id: <200503051410.j25EAHfn039598@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Thomas-Martin Seck Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EFCC716A4CE for ; Sat, 5 Mar 2005 14:03:59 +0000 (GMT) Received: from smtp2.netcologne.de (smtp2.netcologne.de [194.8.194.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0467043D41 for ; Sat, 5 Mar 2005 14:03:59 +0000 (GMT) (envelope-from tmseck@netcologne.de) Received: from laurel.tmseck.homedns.org (xdsl-213-196-254-174.netcologne.de [213.196.254.174]) by smtp2.netcologne.de (Postfix) with SMTP id 73A6645E9 for ; Sat, 5 Mar 2005 15:03:56 +0100 (MET) Received: (qmail 13195 invoked by uid 1001); 5 Mar 2005 14:04:17 -0000 Message-Id: <20050305140417.13194.qmail@laurel.tmseck.homedns.org> Date: 5 Mar 2005 14:04:17 -0000 From: Thomas-Martin Seck To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 cc: security-team@FreeBSD.org Subject: ports/78446: [Maintainer] www/squid: integrate partly security relevant vendor patches X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Thomas-Martin Seck List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Mar 2005 14:10:18 -0000 >Number: 78446 >Category: ports >Synopsis: [Maintainer] www/squid: integrate partly security relevant vendor patches >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Sat Mar 05 14:10:17 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Thomas-Martin Seck >Release: FreeBSD 4.11-STABLE i386 >Organization: a private site in Germany >Environment: FreeBSD ports collection as of Mar 5, 2005. >Description: Integrate the following vendor patches as published on : (security-team CC'ed) - correct a race condition related to the Set-Cookie header - correct the FTP parser with regards to the EPLF format (squid bug #1252) - correct FTP listing output when the URL was requested without a trailing slash (squid bug #1253) - make ACL configuration errors fatal (squid bug #1255) Proposed VuXML data (I split this into two entries to avoid something along the lines of "squid -- multiple issues"), entry date left to be filled in: squid -- configuration errors can lead to unexpected ACL results squid 2.5.9_1

The squid patches page notes:

On configuration errors involving wrongly defined or missing acls the http_access results may be different than expected, possibly allowing more access than intended. This patch makes such configuration errors a fatal error, preventing the service from starting until the access control configuration errors have been corrected.

Workaround: Verify your configuration with "squid -k parse" and correct any errors reported before starting squid.

 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error http://www.squid-cache.org/bugs/show_bug.cgi?id=1255 2005-03-04 squid -- possible information leakage squid 2.5.9_1

The squid patches page notes:

A race window has been discovered where Set-Cookie headers may leak to another users if the requested server relies on the old obsolete (since 1997) Netscape Set-Cookie specifications in how caches should handle the Set-Cookie header on otherwise cacheable content.

 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie 2005-03-03 >How-To-Repeat: >Fix: Apply this patch: Index: distinfo =================================================================== --- distinfo (revision 427) +++ distinfo (working copy) @@ -2,3 +2,9 @@ SIZE (squid2.5/squid-2.5.STABLE9.tar.bz2) = 1057776 MD5 (squid2.5/squid-2.5.STABLE9-setcookie.patch) = f4abbc43af5251380b3caaa9b08d0572 SIZE (squid2.5/squid-2.5.STABLE9-setcookie.patch) = 5328 +MD5 (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = c4ae820794f301b909415e0f4728f1c9 +SIZE (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = 4108 +MD5 (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = ddc034a2c2a002bfcf6bf97eb21e8b57 +SIZE (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = 709 +MD5 (squid2.5/squid-2.5.STABLE9-acl_error.patch) = f70922d873ce73c7fdad8bf7156afeb4 +SIZE (squid2.5/squid-2.5.STABLE9-acl_error.patch) = 8499 Index: Makefile =================================================================== --- Makefile (revision 427) +++ Makefile (working copy) @@ -87,7 +87,10 @@ DIST_SUBDIR= squid2.5 PATCH_SITES= http://www.squid-cache.org/Versions/v2/2.5/bugs/ -PATCHFILES= squid-2.5.STABLE9-setcookie.patch +PATCHFILES= squid-2.5.STABLE9-setcookie.patch \ + squid-2.5.STABLE9-ftp_EPLF.patch \ + squid-2.5.STABLE9-ftp_base_href.patch \ + squid-2.5.STABLE9-acl_error.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de >Release-Note: >Audit-Trail: >Unformatted: