Date: 17 Jan 2005 18:43:04 -0000 From: Thomas-Martin Seck <tmseck@netcologne.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: security-team@FreeBSD.org Subject: ports/76364: [Maintainer/Security] www/squid: integrate vendor patches Message-ID: <20050117184304.15971.qmail@laurel.tmseck.homedns.org> Resent-Message-ID: <200501171850.j0HIo9q5034411@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 76364 >Category: ports >Synopsis: [Maintainer/Security] www/squid: integrate vendor patches >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Mon Jan 17 18:50:08 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Thomas-Martin Seck >Release: FreeBSD 4.10-STABLE i386 >Organization: a private site in Germany >Environment: FreeBSD ports collection as of Jan 17, 2004. >Description: Integrate vendor patches as published on <http://www.squid-cache.org/Versions/v2/2.5/bugs/>: - Sanity check usernames in squid_ldap_auth (squid bug #1187), classified as minor security issue by the vendor, see below for VuXML information - FQDN names truncated on compressed DNS responses (squid bug #1136) - Internal DNS memory leak on malformed responses (squid bug #1197) Proposed VuXML information, entry date left to be filled in: <vuln vid="7a921e9e-68b1-11d9-9e1e-c296ac722cb3"> <topic>squid -- no sanity check of usernames in squid_ldap_auth</topic> <affects> <package> <name>squid</name> <range><lt>2.5.7_7</lt> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>The LDAP authentication helper did not strip leading or trailing spaces from the login name. According to the squid patches page:</p> <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces">; <p>LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.</p> <p>Workaround: Block logins with spaces</p> <pre> acl login_with_spaces proxy_auth_regex [:space:] http_access deny login_with_spaces </pre> </blockquote> </body> </description> <references> <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces</url>; <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1187</url>; </references> <dates> <discovery>2005-01-10</discovery> <entry>YYYY-MM-DD</entry> </dates> </vuln> >How-To-Repeat: >Fix: Apply this patch: Index: distinfo =================================================================== --- distinfo (.../www/squid) (revision 335) +++ distinfo (.../local/squid) (revision 335) @@ -26,3 +26,9 @@ SIZE (squid2.5/squid-2.5.STABLE7-gopher_html_parsing.patch) = 714 MD5 (squid2.5/squid-2.5.STABLE7-wccp_denial_of_service.patch) = 0c77d92efda39797eb7d59c8d2e942d0 SIZE (squid2.5/squid-2.5.STABLE7-wccp_denial_of_service.patch) = 1928 +MD5 (squid2.5/squid-2.5.STABLE7-dns_memleak.patch) = ee9c4b2a54fc721f67640e76d7e8b12f +SIZE (squid2.5/squid-2.5.STABLE7-dns_memleak.patch) = 779 +MD5 (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 1c38e69132cfc469f0aa6db47315d968 +SIZE (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 4484 +MD5 (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 8c2eb269b16d757b562ee32a2eb7ef99 +SIZE (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 1974 Index: Makefile =================================================================== --- Makefile (.../www/squid) (revision 335) +++ Makefile (.../local/squid) (revision 335) @@ -74,7 +74,7 @@ PORTNAME= squid PORTVERSION= 2.5.7 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -99,7 +99,10 @@ squid-2.5.STABLE7-close_other.patch \ squid-2.5.STABLE7-fakeauth_auth.patch \ squid-2.5.STABLE7-gopher_html_parsing.patch \ - squid-2.5.STABLE7-wccp_denial_of_service.patch + squid-2.5.STABLE7-wccp_denial_of_service.patch \ + squid-2.5.STABLE7-dns_memleak.patch \ + squid-2.5.STABLE7-fqdn_truncated.patch \ + squid-2.5.STABLE7-ldap_spaces.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050117184304.15971.qmail>