Date: 7 Sep 2010 20:56:56 -0000
From: Thomas-Martin Seck <tmseck@web.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ports-security@FreeBSD.org
Subject: ports/150364: [Maintainer] [security] www/squid31: update to 3.1.8, fix denial of service vulnerability
Message-ID: <20100907205656.5216.qmail@wcfields.tmseck.homedns.org>
Resent-Message-ID: <201009072100.o87L0GxY046403@freefall.freebsd.org>
>Number:         150364
>Category:       ports
>Synopsis:       [Maintainer] [security] www/squid31: update to 3.1.8, fix denial of service vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 07 21:00:15 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.1-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of September 7, 2010.
>Description:
Update to 3.1.8.

This update fixes a denial of service vulnerability that can be triggered by specially crafted client requests. See Squid Security Advisory 2010:3 for details.

Proposed VuXML entry:

<vuln vid="7d7d3bc4-babb-11df-8d12-0019996bc1f7">
  <topic>squid -- Denial of Service vulnerability in request handling</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
      <range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Squid security advisory 2010:3 reports:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_3.txt">
        <p>Due to an internal error in string handling Squid is vulnerable to a denial of service attack when processing specially crafted requests.</p>
        <p>This problem allows any trusted client to perform a denial of service attack on the Squid service.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Advisories/SQUID-2010_3.txt</url>
  </references>
  <dates>
    <discovery>2010-08-30</discovery>
  </dates>
</vuln>

>How-To-Repeat:
>Fix:
Apply this patch:

Index: Makefile =================================================================== --- Makefile (.../www/squid31) (Revision 1872) +++ Makefile (.../local/squid31) (Revision 1872) 
@@ -88,7 +88,7 @@ LATEST_LINK= squid31 -SQUID_STABLE_VER= 7 +SQUID_STABLE_VER= 8 CONFLICTS= squid-2.[0-9].* squid-3.[^1].* cacheboy-[0-9]* lusca-head-[0-9]* GNU_CONFIGURE= yes @@ -181,7 +181,7 @@ zh-cn zh-tw \ templates -# XXX: this is probably a bug in 3.1.6: sr-latn should probably a symlink but +# XXX: this is probably a bug in 3.1.6+: sr-latn should probably a symlink but # is installed as a directory; if this is intentional the directory is # currently empty which is not really useful either. error_dirs+= sr-latn @@ -375,9 +375,6 @@ .endif .if defined(WITH_SQUID_ECAP) CONFIGURE_ARGS+= --enable-ecap --enable-loadable-modules -# XXX: work around issues with the bundled libtool from 3.1.5 onwards; -# we need to tell c++ where to find them explicitly -CFLAGS+= -I${WRKSRC}/libltdl LIB_DEPENDS+= ecap:${PORTSDIR}/www/libecap CFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib Index: distinfo =================================================================== --- distinfo (.../www/squid31) (Revision 1872) +++ distinfo (.../local/squid31) (Revision 1872) @@ -1,3 +1,3 @@ -MD5 (squid3.1/squid-3.1.7.tar.bz2) = 83e7aabc1b5bb5b7c83f6dc2f32ca418 -SHA256 (squid3.1/squid-3.1.7.tar.bz2) = 5252180a262bdd2cc4ab8afe40c1989c21035bdfe4eaa0bcb19589e3d316d4ac -SIZE (squid3.1/squid-3.1.7.tar.bz2) = 2422189 +MD5 (squid3.1/squid-3.1.8.tar.bz2) = a8160dfba55ab7c400c622b72d39fc13 +SHA256 (squid3.1/squid-3.1.8.tar.bz2) = 088d4e798ca49e11713facccbd7ef3e7f9b16fc6eb86d59d0c43aa14d66501fe +SIZE (squid3.1/squid-3.1.8.tar.bz2) = 2423617 >Release-Note: >Audit-Trail: >Unformatted:
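Review bot: the comment rewritten in the second Makefile hunk (@@ -181,7) still reads "sr-latn should probably a symlink", which is missing the verb; since that line is already being changed for the "3.1.6+" wording, correct it to "sr-latn should probably be a symlink" in the same edit instead of carrying the typo forward.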
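Review bot: the third Makefile hunk (@@ -375,9) drops the `CFLAGS+= -I${WRKSRC}/libltdl` workaround under WITH_SQUID_ECAP without either the hunk or the PR description saying why it is no longer required; the removed comment tied it to the bundled libtool "from 3.1.5 onwards", and 3.1.8 is still in that range. Please state in the description that 3.1.8 builds with ecap enabled without the extra include path (or keep the line until that is confirmed), because a breakage confined to WITH_SQUID_ECAP users will not show up in a default-options test build.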
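Review bot: the distinfo hunk replaces MD5, SHA256 and SIZE for squid-3.1.8.tar.bz2, which is the port's only integrity anchor for the upstream tarball, yet the PR does not say what the new SHA256 was compared against. Confirm it was checked against a checksum or signature published by upstream for the 3.1.8 release, if one is available, and not only against the locally fetched file, so that a tampered mirror copy cannot be enshrined in distinfo.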
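To make the affected-version ranges in the proposed VuXML entry checkable against an installed package, here is an added Python example; it is not part of this PR or of the FreeBSD ports tree. It parses the entry's `<ge>`/`<lt>` ranges and compares a version string using a simplified port-version comparison; the comparison rules and the embedded copy of the entry are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# VuXML entry from this PR, embedded here (constructed from the text above; the
# <description>/<references> parts are omitted since only the ranges matter).
VUXML = """<vuln vid="7d7d3bc4-babb-11df-8d12-0019996bc1f7">
  <affects>
    <package>
      <name>squid</name>
      <range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
      <range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
    </package>
  </affects>
</vuln>"""

def parse_version(v):
    """Simplified FreeBSD port version: dotted integers plus optional _PORTREVISION.
    Assumption: no epoch (',N') or letter/pre-release suffixes, which real
    package versions may carry; those would need pkg(8)'s full comparison rules."""
    base, _, rev = v.partition("_")
    return tuple(int(x) for x in base.split(".")), int(rev) if rev else 0

def vercmp(a, b):
    """Return -1, 0 or 1. Missing dotted components count as 0, so 3.1 == 3.1.0,
    and PORTREVISION only breaks ties (3.0.25 < 3.0.25_3)."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return ((na > nb) - (na < nb)) or ((ra > rb) - (ra < rb))

def affected_ranges(vuxml, pkgname):
    """Yield (ge, lt) pairs for pkgname. Only the <ge>/<lt> bounds used in this
    entry are handled; VuXML also allows <gt>/<le>/<eq>."""
    root = ET.fromstring(vuxml)
    for pkg in root.iter("package"):
        if pkg.findtext("name") == pkgname:
            for rng in pkg.findall("range"):
                yield rng.findtext("ge"), rng.findtext("lt")

def is_affected(vuxml, pkgname, version):
    """True if version falls inside any half-open [ge, lt) range of the entry."""
    return any(vercmp(version, lo) >= 0 and vercmp(version, hi) < 0
               for lo, hi in affected_ranges(vuxml, pkgname))

if __name__ == "__main__":
    for v in ("3.0.25_2", "3.0.25_3", "3.1.7", "3.1.8"):
        print(v, "affected" if is_affected(VUXML, "squid", v) else "not affected")
```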