svn commit: r462744 - in head/www/squid: . files
Cy Schubert
Cy.Schubert at cschubert.com
Fri Feb 23 21:20:51 UTC 2018
In message <201802232035.w1NKZDdd053962 at repo.freebsd.org>, "Danilo G. Baio" writes:
> Author: dbaio
> Date: Fri Feb 23 20:35:13 2018
> New Revision: 462744
> URL: https://svnweb.freebsd.org/changeset/ports/462744
>
> Log:
> www/squid: Fixes security vulnerabilities
>
> Add patches to fix CVEs:
> CVE-2018-1000024
> CVE-2018-1000027
>
> PR: 226139
> Submitted by: Yasuhiro KIMURA <yasu at utahime.org>
> Approved by: timp87 at gmail.com (maintainer)
> MFH: 2018Q1
> Security: d5b6d151-1887-11e8-94f7-9c5c8e75236a
>
> Added:
> head/www/squid/files/patch-src_client__side__request.cc (contents, props changed)
> head/www/squid/files/patch-src_esi_CustomParser.cc (contents, props changed)
> Modified:
> head/www/squid/Makefile
>
> Modified: head/www/squid/Makefile
> =============================================================================
> =
> --- head/www/squid/Makefile Fri Feb 23 20:23:26 2018 (r462743)
> +++ head/www/squid/Makefile Fri Feb 23 20:35:13 2018 (r462744)
> @@ -2,7 +2,7 @@
>
> PORTNAME= squid
> PORTVERSION= 3.5.27
> -PORTREVISION= 2
> +PORTREVISION= 3
> CATEGORIES= www ipv6
> MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PORTVERSION:R}
> / \
> http://www2.us.squid-cache.org/Versions/v3/${PORTVERSION:R}/ \
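Review bot: the PORTREVISION bump from 2 to 3 is the only change needed here and is correct, since the two new files/patch-* alter the built binary and users must be offered the rebuilt package; no Makefile reference to the patch files is required because the ports framework applies everything under files/patch-* automatically.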
>
> Added: head/www/squid/files/patch-src_client__side__request.cc
> =============================================================================
> =
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/www/squid/files/patch-src_client__side__request.cc Fri Feb 23 20:3
> 5:13 2018 (r462744)
> @@ -0,0 +1,23 @@
> +http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch
> +
> +commit 8232b83d3fa47a1399f155cb829db829369fbae9 (refs/remotes/origin/v3.5)
> +Author: squidadm <squidadm at users.noreply.github.com>
> +Date: 2018-01-21 08:07:08 +1300
> +
> + Fix indirect IP logging for transactions without a client connection (#1
> 29) (#136)
> +
> +--- src/client_side_request.cc.orig 2018-02-23 13:39:32 UTC
> ++++ src/client_side_request.cc
> +@@ -488,9 +488,9 @@ clientFollowXForwardedForCheck(allow_t answer, void *d
> + * Ensure that the access log shows the indirect client
> + * instead of the direct client.
> + */
> +- ConnStateData *conn = http->getConn();
> +- conn->log_addr = request->indirect_client_addr;
> +- http->al->cache.caddr = conn->log_addr;
> ++ http->al->cache.caddr = request->indirect_client_addr;
> ++ if (ConnStateData *conn = http->getConn())
> ++ conn->log_addr = request->indirect_client_addr;
> + }
> + request->x_forwarded_for_iterator.clean();
> + request->flags.done_follow_x_forwarded_for = true;
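Review bot: the patch header records the upstream URL and commit hash but not which of the two CVEs named in the log this file addresses; add the CVE id as a line in the header so the security mapping can be audited from the file alone. Logic-wise the reordering is right: `http->al->cache.caddr` is now assigned directly from `request->indirect_client_addr`, and `conn->log_addr` is written only inside `if (ConnStateData *conn = http->getConn())`, so a transaction with no client connection no longer dereferences a null `conn` as the old `conn->log_addr = ...` line did.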
>
> Added: head/www/squid/files/patch-src_esi_CustomParser.cc
> =============================================================================
> =
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/www/squid/files/patch-src_esi_CustomParser.cc Fri Feb 23 20:3
> 5:13 2018 (r462744)
> @@ -0,0 +1,28 @@
> +http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_1.patch
> +
> +commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5)
> +Author: Amos Jeffries <yadij at users.noreply.github.com>
> +Date: 2018-01-19 13:54:14 +1300
> +
> + ESI: make sure endofName never exceeds tagEnd (#130)
> +
> +--- src/esi/CustomParser.cc.orig 2018-02-23 13:37:52 UTC
> ++++ src/esi/CustomParser.cc
> +@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t
> +
> + char * endofName = strpbrk(const_cast<char *>(tag), w_space);
> +
> +- if (endofName > tagEnd)
> ++ if (!endofName || endofName > tagEnd)
> + endofName = const_cast<char *>(tagEnd);
> +
> + *endofName = '\0';
> +@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t
> +
> + char * endofName = strpbrk(const_cast<char *>(tag), w_space);
> +
> +- if (endofName > tagEnd)
> ++ if (!endofName || endofName > tagEnd)
> + endofName = const_cast<char *>(tagEnd);
> +
> + *endofName = '\0';
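Review bot: the added null check is the correct fix: strpbrk() returns NULL when no w_space character follows `tag`, the old `endofName > tagEnd` comparison is false for NULL, and the following `*endofName = '\0'` then wrote through a null pointer; with `!endofName ||` the NUL is instead placed at `tagEnd`, the same location the existing overrun fallback already used, so no new write target is introduced. Minor documentation point: the identical block is patched at both `@@ -121` and `@@ -214`; since this mirrors the upstream commit verbatim the duplication should stay, but a one-line note in the header that both parse() call sites are covered would help the next person bumping the port.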
>
Can you apply this to squid-devel too, please?
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.
More information about the svn-ports-head mailing list