Date: Mon, 06 Jul 2015 16:36:49 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 201374] [MAINTAINER] www/squid: Update to 3.5.6
Message-ID: <bug-201374-13-kaOzYmOnFR@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201374-13@https.bugs.freebsd.org/bugzilla/>
References: <bug-201374-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201374

Jason Unovitch <jason.unovitch@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason.unovitch@gmail.com

--- Comment #3 from Jason Unovitch <jason.unovitch@gmail.com> ---
Created attachment 158423
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=158423&action=edit
vuxml to document 2015 squid issues

So I saw this go by today on oss-security and it was good to see the PR
already in for an update.

- http://openwall.com/lists/oss-security/2015/07/06/8
Amos Jeffries, the Squid-3 release manager, has requested CVEs for two
security fixes in 3.5.6. There is no CVE yet and the referenced Squid
security advisory has yet to be published. For now, this documents
everything from the request and should be revised at a later date.

- http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
Second, the 2015:1 advisory from earlier this year wasn't documented. This
only matters when the SSL option is on, so I've added the verbiage "The
FreeBSD port does not use SSL by default and is not vulnerable in the
default configuration." to the second entry for this. This also documents
all the versions out there in case someone is still using www/squid32 or
www/squid33. This entry should not have to change after being added.

== Validation ==

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit squid-3.5.3
squid-3.5.3 is vulnerable:
squid -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/150d1538-23fa-11e5-a4a5-002590263bf5.html

squid-3.5.3 is vulnerable:
squid -- client-first SSL-bump does not correctly validate X509 server certificate
CVE: CVE-2015-3455
WWW: https://vuxml.FreeBSD.org/freebsd/b6da24da-23f7-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit squid-3.5.5
squid-3.5.5 is vulnerable:
squid -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/150d1538-23fa-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit squid-3.5.6
0 problem(s) in the installed packages found.

--
You are receiving this mail because:
You are the assignee for the bug.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-201374-13-kaOzYmOnFR>