ports/87637: [Maintainer] [Security] www/squid: integrate vendor patches; fix an FTP parsing vulnerability

Thomas-Martin Seck tmseck at netcologne.de
Tue Oct 18 19:20:17 UTC 2005 

>Number:         87637
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: integrate vendor patches; fix an FTP parsing vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 18 19:20:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Oct 18, 2005.

	
>Description:
Integrate the following vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

- document that tcp_outgoing_xxx works badly in combination with
  server_persistent_connections (squid bug #454)
- add more tracing in test mode of squid_ldap_auth (squid bug #1395)
- fix breakage of accel_single_host when combined with
  server_persistent_connection (squid bug #1402)
- correctly implement the CACHE_HTTP_PORT configuration directive
  (squid bug #1403)
- fix the problem that CNAME addresses were remembered with a wrong TTL
  (squid bug #1404)
- fix incorrect handling of squid-internal-dynamic/netdb in conjunction with
  httpd_accel/transparent proxies (squid bug #1410)
- properly revalidate the cache on HEAD requests (squid bug #1411)
- correct handling of Set-Cookie headers on cache refreshes (squid bug #1419)
- fix a vulnerability in the FTP parsing code (squid bug #1426)

VuXML data for squid bug #1426 (please fill in <entry> date):

  <vuln vid="cf5d84d0-4007-11da-9e1e-c296ac722cb3">
    <topic>squid -- vulnerability in FTP parsing code</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.11_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape">
	  <p>In certain odd FTP server responses Squid may crash with
	     a segmentation fault in rfc1738_do_escape.</p>
	  <p>Workaround: deny access to the ftp protocol via the proxy</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1426</url>
      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape</url>
    </references>
    <dates>
      <discovery>2005-10-12</discovery>
      <entry>YYYY-MM-DD</entry>
    </dates>
  </vuln>


	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 600)
+++ distinfo	(.../local/squid)	(revision 600)
@@ -2,3 +2,23 @@
 SIZE (squid2.5/squid-2.5.STABLE11.tar.bz2) = 1075431
 MD5 (squid2.5/squid-2.5.STABLE11-delaypools_truncated.patch) = 73bd15ae4853d9b0f45ac4277b35ed15
 SIZE (squid2.5/squid-2.5.STABLE11-delaypools_truncated.patch) = 588
+MD5 (squid2.5/squid-2.5.STABLE11-tcp_outgoing_xxx.patch) = 18846f871032c4d7c496373c24b9f4d9
+SIZE (squid2.5/squid-2.5.STABLE11-tcp_outgoing_xxx.patch) = 1140
+MD5 (squid2.5/squid-2.5.STABLE11-ldap_auth.patch) = a22867a5be67b3ff2dd35ab338b05d9e
+SIZE (squid2.5/squid-2.5.STABLE11-ldap_auth.patch) = 4857
+MD5 (squid2.5/squid-2.5.STABLE11.accel_single_host_pconn.patch) = f6ad18183bb3df2da1c5e6287b7162ea
+SIZE (squid2.5/squid-2.5.STABLE11.accel_single_host_pconn.patch) = 944
+MD5 (squid2.5/squid-2.5.STABLE11-CACHE_HTTP_PORT.patch) = a43d8d7bed00dc0caebec7b440625a11
+SIZE (squid2.5/squid-2.5.STABLE11-CACHE_HTTP_PORT.patch) = 4010
+MD5 (squid2.5/squid-2.5.STABLE11-CNAME.patch) = 263c1a76d470ad4553e05e686e422de2
+SIZE (squid2.5/squid-2.5.STABLE11-CNAME.patch) = 3825
+MD5 (squid2.5/squid-2.5.STABLE11-httpd_accel-internal.patch) = fe88ab718a58e484bbf8ce6ce6111dd3
+SIZE (squid2.5/squid-2.5.STABLE11-httpd_accel-internal.patch) = 1736
+MD5 (squid2.5/squid-2.5.STABLE11-IMS-HEAD.patch) = 1e8ddcd080f431c8f3c059366e159765
+SIZE (squid2.5/squid-2.5.STABLE11-IMS-HEAD.patch) = 834
+MD5 (squid2.5/squid-2.5.STABLE11-redirect-CONNECT.patch) = 16e8a386cae25b5b0493adb66d89416f
+SIZE (squid2.5/squid-2.5.STABLE11-redirect-CONNECT.patch) = 1282
+MD5 (squid2.5/squid-2.5.STABLE11-setcookie.patch) = 0d1acad61df0ffb5224cb3910f25fb29
+SIZE (squid2.5/squid-2.5.STABLE11-setcookie.patch) = 531
+MD5 (squid2.5/squid-2.5.STABLE11-rfc1738_do_escape.patch) = 43094437e3d66aa1cb141ea4c776df19
+SIZE (squid2.5/squid-2.5.STABLE11-rfc1738_do_escape.patch) = 3302
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 600)
+++ Makefile	(.../local/squid)	(revision 600)
@@ -70,7 +70,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.11
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -83,7 +83,17 @@
 DIST_SUBDIR=	squid2.5
 
 PATCH_SITES=	http://www.squid-cache.org/Versions/v2/2.5/bugs/
-PATCHFILES=	squid-2.5.STABLE11-delaypools_truncated.patch
+PATCHFILES=	squid-2.5.STABLE11-delaypools_truncated.patch \
+		squid-2.5.STABLE11-tcp_outgoing_xxx.patch \
+		squid-2.5.STABLE11-ldap_auth.patch \
+		squid-2.5.STABLE11.accel_single_host_pconn.patch \
+		squid-2.5.STABLE11-CACHE_HTTP_PORT.patch \
+		squid-2.5.STABLE11-CNAME.patch \
+		squid-2.5.STABLE11-httpd_accel-internal.patch \
+		squid-2.5.STABLE11-IMS-HEAD.patch \
+		squid-2.5.STABLE11-redirect-CONNECT.patch \
+		squid-2.5.STABLE11-setcookie.patch \
+		squid-2.5.STABLE11-rfc1738_do_escape.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck at netcologne.de
	


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list