ports/76364: [Maintainer/Security] www/squid: integrate vendor patches
Thomas-Martin Seck
tmseck at netcologne.de
Mon Jan 17 18:50:10 UTC 2005
>Number: 76364
>Category: ports
>Synopsis: [Maintainer/Security] www/squid: integrate vendor patches
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 17 18:50:08 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Jan 17, 2004.
>Description:
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Sanity check usernames in squid_ldap_auth (squid bug #1187),
classified as minor security issue by the vendor, see below for VuXML
information
- FQDN names truncated on compressed DNS responses (squid bug #1136)
- Internal DNS memory leak on malformed responses (squid bug #1197)
Proposed VuXML information, entry date left to be filled in:
<vuln vid="7a921e9e-68b1-11d9-9e1e-c296ac722cb3">
<topic>squid -- no sanity check of usernames in squid_ldap_auth</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.7_7</lt>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The LDAP authentication helper did not strip
leading or trailing spaces from the login name.
According to the squid patches page:</p>
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces">
<p>LDAP is very forgiving about spaces in search
filters and this could be abused to log in
using several variants of the login name,
possibly bypassing explicit access controls
or confusing accounting.</p>
<p>Workaround: Block logins with spaces</p>
<pre>
acl login_with_spaces proxy_auth_regex [:space:]
http_access deny login_with_spaces
</pre>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces</url>
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1187</url>
</references>
<dates>
<discovery>2005-01-10</discovery>
<entry>YYYY-MM-DD</entry>
</dates>
</vuln>
>How-To-Repeat:
>Fix:
Apply this patch:
Index: distinfo
===================================================================
--- distinfo (.../www/squid) (revision 335)
+++ distinfo (.../local/squid) (revision 335)
@@ -26,3 +26,9 @@
SIZE (squid2.5/squid-2.5.STABLE7-gopher_html_parsing.patch) = 714
MD5 (squid2.5/squid-2.5.STABLE7-wccp_denial_of_service.patch) = 0c77d92efda39797eb7d59c8d2e942d0
SIZE (squid2.5/squid-2.5.STABLE7-wccp_denial_of_service.patch) = 1928
+MD5 (squid2.5/squid-2.5.STABLE7-dns_memleak.patch) = ee9c4b2a54fc721f67640e76d7e8b12f
+SIZE (squid2.5/squid-2.5.STABLE7-dns_memleak.patch) = 779
+MD5 (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 1c38e69132cfc469f0aa6db47315d968
+SIZE (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 4484
+MD5 (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 8c2eb269b16d757b562ee32a2eb7ef99
+SIZE (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 1974
Index: Makefile
===================================================================
--- Makefile (.../www/squid) (revision 335)
+++ Makefile (.../local/squid) (revision 335)
@@ -74,7 +74,7 @@
PORTNAME= squid
PORTVERSION= 2.5.7
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= www
MASTER_SITES= \
ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -99,7 +99,10 @@
squid-2.5.STABLE7-close_other.patch \
squid-2.5.STABLE7-fakeauth_auth.patch \
squid-2.5.STABLE7-gopher_html_parsing.patch \
- squid-2.5.STABLE7-wccp_denial_of_service.patch
+ squid-2.5.STABLE7-wccp_denial_of_service.patch \
+ squid-2.5.STABLE7-dns_memleak.patch \
+ squid-2.5.STABLE7-fqdn_truncated.patch \
+ squid-2.5.STABLE7-ldap_spaces.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck at netcologne.de
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list