ports/78446: [Maintainer] www/squid: integrate partly security relevant vendor patches
Thomas-Martin Seck
tmseck at netcologne.de
Sat Mar 5 14:10:18 UTC 2005
>Number: 78446
>Category: ports
>Synopsis: [Maintainer] www/squid: integrate partly security relevant vendor patches
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 05 14:10:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 4.11-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Mar 5, 2005.
>Description:
Integrate the following vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
(security-team CC'ed)
- correct a race condition related to the Set-Cookie header
- correct the FTP parser with regards to the EPLF format
(squid bug #1252)
- correct FTP listing output when the URL was requested without a trailing
slash (squid bug #1253)
- make ACL configuration errors fatal (squid bug #1255)
Proposed VuXML data (I split this into two entries to avoid something
along the lines of "squid -- multiple issues"), entry date left to be filled
in:
<vuln vid="bdb546ec-8d7d-11d9-9e1e-c296ac722cb3">
<topic>squid -- configuration errors can lead to unexpected ACL results</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The squid patches page notes:</p>
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error">
<p>On configuration errors involving wrongly defined or missing acls
the http_access results may be different than expected, possibly
allowing more access than intended. This patch makes such
configuration errors a fatal error, preventing the service from
starting until the access control configuration errors have been
corrected.</p>
</blockquote>
<p>Workaround: Verify your configuration with "squid -k parse" and
correct any errors reported before starting squid.</p>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error</url>
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1255</url>
</references>
<dates>
<discovery>2005-03-04</discovery>
<entry></entry>
</dates>
</vuln>
<vuln vid="990f0b9e-8d7c-11d9-9e1e-c296ac722cb3">
<topic>squid -- possible information leakage</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The squid patches page notes:</p>
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie">
<p>A race window has been discovered where Set-Cookie headers may
leak to another users if the requested server relies on the old
obsolete (since 1997) Netscape Set-Cookie specifications in how
caches should handle the Set-Cookie header on otherwise cacheable
content.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie</url>
</references>
<dates>
<discovery>2005-03-03</discovery>
<entry></entry>
</dates>
</vuln>
>How-To-Repeat:
>Fix:
Apply this patch:
Index: distinfo
===================================================================
--- distinfo (revision 427)
+++ distinfo (working copy)
@@ -2,3 +2,9 @@
SIZE (squid2.5/squid-2.5.STABLE9.tar.bz2) = 1057776
MD5 (squid2.5/squid-2.5.STABLE9-setcookie.patch) = f4abbc43af5251380b3caaa9b08d0572
SIZE (squid2.5/squid-2.5.STABLE9-setcookie.patch) = 5328
+MD5 (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = c4ae820794f301b909415e0f4728f1c9
+SIZE (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = 4108
+MD5 (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = ddc034a2c2a002bfcf6bf97eb21e8b57
+SIZE (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = 709
+MD5 (squid2.5/squid-2.5.STABLE9-acl_error.patch) = f70922d873ce73c7fdad8bf7156afeb4
+SIZE (squid2.5/squid-2.5.STABLE9-acl_error.patch) = 8499
Index: Makefile
===================================================================
--- Makefile (revision 427)
+++ Makefile (working copy)
@@ -87,7 +87,10 @@
DIST_SUBDIR= squid2.5
PATCH_SITES= http://www.squid-cache.org/Versions/v2/2.5/bugs/
-PATCHFILES= squid-2.5.STABLE9-setcookie.patch
+PATCHFILES= squid-2.5.STABLE9-setcookie.patch \
+ squid-2.5.STABLE9-ftp_EPLF.patch \
+ squid-2.5.STABLE9-ftp_base_href.patch \
+ squid-2.5.STABLE9-acl_error.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck at netcologne.de
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list