Date: Mon, 27 Jul 2009 20:12:49 +0200 (CEST)
From: Thomas-Martin Seck <tmseck@web.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ports-security@FreeBSD.org
Subject: ports/137184: [Maintainer] www/squid30: update to 3.0.STABLE17
Message-ID: <200907271812.n6RICn5d066307@hardy.tmseck.homedns.org>
Resent-Message-ID: <200907271820.n6RIK144052619@freefall.freebsd.org>
>Number: 137184
>Category: ports
>Synopsis: [Maintainer] www/squid30: update to 3.0.STABLE17
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 27 18:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 7.2-RELEASE i386
>Organization: a private site in Germany
>Environment: FreeBSD ports collection as of July 27, 2009.
>Description:
Update to 3.0.STABLE17.

This update addresses several remote denial of service vulnerabilities.

Proposed VuXML entry:

<vuln vid="e1156e90-7ad6-11de-b26a-0048543d60ce">
  <topic>squid -- several remote denial of service vulnerabilities</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><ge>3.0.1</ge><lt>3.0.17</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Squid security advisory 2009:2 reports:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2009_2.txt">
        <p>Due to incorrect buffer limits and related bound checks
          Squid is vulnerable to a denial of service attack when
          processing specially crafted requests or responses.</p>
        <p>Due to incorrect data validation Squid is vulnerable to
          a denial of service attack when processing specially crafted
          responses.</p>
        <p>These problems allow any trusted client or external server
          to perform a denial of service attack on the Squid
          service.</p>
      </blockquote>
      <p>Squid-2.x releases are not affected.</p>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Advisories/SQUID-2009_2.txt</url>
  </references>
  <dates>
    <discovery>2009-07-27</discovery>
  </dates>
</vuln>

>How-To-Repeat:
>Fix:
Apply this patch:

Index: Makefile =================================================================== --- Makefile (.../www/squid30) (revision 1649) +++ Makefile (.../local/squid30) (revision 1649) 
@@ -92,14 +92,14 @@ http://www1.jp.squid-cache.org/%SUBDIR%/ \ http://www1.tw.squid-cache.org/%SUBDIR%/ PATCH_SITE_SUBDIR= Versions/v3/3.0/changesets -PATCHFILES= b9052.patch +PATCHFILES= MAINTAINER= tmseck@web.de COMMENT= HTTP Caching Proxy LATEST_LINK= squid30 -SQUID_STABLE_VER= 16 +SQUID_STABLE_VER= 17 CONFLICTS= squid-2.[0-9].* squid-3.[^0].* cacheboy-[0-9]* GNU_CONFIGURE= yes Index: distinfo =================================================================== --- distinfo (.../www/squid30) (revision 1649) +++ distinfo (.../local/squid30) (revision 1649) @@ -1,6 +1,3 @@ -MD5 (squid3.0/squid-3.0.STABLE16.tar.bz2) = aa039a2c75404a496f0e99a278599e00 -SHA256 (squid3.0/squid-3.0.STABLE16.tar.bz2) = a1da48a7b9824f05b67b900ff1317e755e7749a545db0c62db45219bf0f6ae3e -SIZE (squid3.0/squid-3.0.STABLE16.tar.bz2) = 1796458 -MD5 (squid3.0/b9052.patch) = 8039be92fb6ca5a71dd11b7d99c841fa -SHA256 (squid3.0/b9052.patch) = dc78622e992816f8808d83c79045eec6f64fc7c7fe5cd2bb593613af655d56be -SIZE (squid3.0/b9052.patch) = 1488 +MD5 (squid3.0/squid-3.0.STABLE17.tar.bz2) = 68b4cdb2590f36e9475e7a8c1c4a4046 +SHA256 (squid3.0/squid-3.0.STABLE17.tar.bz2) = 78d31501933b8a9e63d143838703c1eabb03e933665c723f59c8909115b96c5e +SIZE (squid3.0/squid-3.0.STABLE17.tar.bz2) = 1798957 >Release-Note: >Audit-Trail: >Unformatted:
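Review bot: in the Makefile hunk, `PATCHFILES=` is left as an empty assignment while `PATCH_SITE_SUBDIR= Versions/v3/3.0/changesets` stays, and nothing in the PR says why b9052.patch can go. Please state in the commit message that the changeset is already contained in the STABLE17 tarball, after checking it against the upstream changeset list, so that the bump to `SQUID_STABLE_VER= 17` cannot silently drop that fix.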
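Review bot: the three `+` lines in the distinfo hunk are the only integrity check the port will have for squid-3.0.STABLE17.tar.bz2, and here they arrive as text in a PR e-mail. For a security update the committer should fetch the tarball independently, regenerate the entries with `make makesum`, and confirm that the resulting SHA256 and SIZE match both this hunk and what upstream publishes, rather than applying the values as typed. The removal of the three b9052.patch entries is consistent with the Makefile hunk emptying PATCHFILES.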