ports/118430: [Maintainer] [Security] www/squid: update to 2.6.STABLE17
Thomas-Martin Seck
tmseck at netcologne.de
Tue Dec 4 17:40:03 UTC 2007
>Number: 118430
>Category: ports
>Synopsis: [Maintainer] [Security] www/squid: update to 2.6.STABLE17
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 04 17:40:02 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 7.0-BETA3
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of December 4, 2007.
>Description:
- Update to 2.6.STABLE17 and fix a remote denial of service condition.
- Remove a no longer needed patch.
removed files:
files/patch-src_cf_gen.c
Please see the proposed VuXML entry below. Please check whether the
range specificator is correct (I mean to express that 2.* up to 2.6.16
is affected as well as 3.*. I am currently working on the update for
www/squid30, so it should be marked to be vulnerable in the meantime).
Note: I left the <entry> date to be filled.
<vuln vid="65378ea7-a288-11dc-8856-0048543d60ce">
  <topic>"Squid -- Denial of service in cache updates"</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.6.17</lt><ge>3.0.*</ge></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Squid advisory 2007:2 notes:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2007_2.txt">
        <p>Due to incorrect bounds checking Squid is vulnerable to
        a denial of service check[sic] during some cache update reply
        processing.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Advisories/SQUID-2007_2.txt</url>
  </references>
  <dates>
    <discovery>2007-11-27</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
>How-To-Repeat:
>Fix:
Apply this patch:
Index: distinfo
===================================================================
--- distinfo (.../www/squid) (revision 1275)
+++ distinfo (.../local/squid) (revision 1275)
@@ -1,3 +1,3 @@
-MD5 (squid2.6/squid-2.6.STABLE16.tar.bz2) = 849bee6f269e6c773f215fd4b41de0e3
-SHA256 (squid2.6/squid-2.6.STABLE16.tar.bz2) = 9e306c885c4a37b1a57e2e8c0cdac5c90e4cffa2801e30f3c78b1cca880a62c7
-SIZE (squid2.6/squid-2.6.STABLE16.tar.bz2) = 1293078
+MD5 (squid2.6/squid-2.6.STABLE17.tar.bz2) = e6face0dff4ea054d3ba94236eb56ea1
+SHA256 (squid2.6/squid-2.6.STABLE17.tar.bz2) = e6aaa26b40c5310b4047460c7dec81d73ccb5b18d19be3d088d3de4334748bfd
+SIZE (squid2.6/squid-2.6.STABLE17.tar.bz2) = 1303134
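Review bot: nothing in this PR lets a committer confirm the new MD5, SHA256 and SIZE lines for squid-2.6.STABLE17.tar.bz2 independently of the submitter's own download. Because this is a security update, fetch the tarball separately from squid-cache.org and compare all three values before committing, treating the SHA256 line as the authoritative check.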
Index: files/patch-src_cf_gen.c
===================================================================
--- files/patch-src_cf_gen.c (.../www/squid) (revision 1275)
+++ files/patch-src_cf_gen.c (.../local/squid) (revision 1275)
@@ -1,16 +0,0 @@
-Index: src/cf_gen.c
-===================================================================
-RCS file: /cvsroot/squid/squid/src/cf_gen.c,v
-retrieving revision 1.52
-diff -u -p -r1.52 cf_gen.c
---- src/cf_gen.c 6 Sep 2007 09:33:36 -0000 1.52
-+++ src/cf_gen.c 16 Sep 2007 17:57:24 -0000
-@@ -183,7 +183,7 @@ main(int argc, char *argv[])
- t = (Type *) xcalloc(1, sizeof(*t));
- t->name = xstrdup(type);
- while ((dep = strtok(NULL, WS)) != NULL) {
-- TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*dep));
-+ TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*d));
- d->name = xstrdup(dep);
- d->next = t->depend;
- t->depend = d;
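Review bot: the description calls this patch "no longer needed" without giving the reason. The deleted file changed sizeof(*dep) to sizeof(*d) in the xcalloc call, and dep is the strtok result, so the unpatched line sizes the TypeDep allocation from the wrong object. Confirm that src/cf_gen.c in 2.6.STABLE17 already uses sizeof(*d) and say so in the commit message.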
Index: files/icap-2.6-bootstrap.patch
===================================================================
--- files/icap-2.6-bootstrap.patch (.../www/squid) (revision 1275)
+++ files/icap-2.6-bootstrap.patch (.../local/squid) (revision 1275)
@@ -7,10 +7,10 @@
Please see icap-2.6-core.patch for further information.
-Patch last updated: 2007-09-06
+Patch last updated: 2007-11-26
---- configure.orig Thu Sep 6 00:25:42 2007
-+++ configure Thu Sep 6 21:22:04 2007
+--- configure.orig Mon Nov 26 14:39:31 2007
++++ configure Mon Nov 26 19:46:14 2007
@@ -728,6 +728,8 @@
ENABLE_PINGER_FALSE
USE_DELAY_POOLS_TRUE
@@ -43,8 +43,8 @@
# Define the identity of the package.
PACKAGE='squid'
-- VERSION='2.6.STABLE16'
-+ VERSION='2.6.STABLE16+ICAP'
+- VERSION='2.6.STABLE17'
++ VERSION='2.6.STABLE17+ICAP'
cat >>confdefs.h <<_ACEOF
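Review bot: the embedded configure hunk now expects VERSION='2.6.STABLE17' as its removed line, so this patch applies only to the STABLE17 configure script, yet apart from this line and the header dates no other embedded hunk changes in this diff. A test build with the ICAP patch applied should confirm that the remaining embedded hunks, such as the one at line 728, still apply cleanly to the new configure rather than with offsets or fuzz.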
Index: Makefile
===================================================================
--- Makefile (.../www/squid) (revision 1275)
+++ Makefile (.../local/squid) (revision 1275)
@@ -75,7 +75,7 @@
# Enable experimental multicast notification of cachemisses.
PORTNAME= squid
-PORTVERSION= 2.6.16
+PORTVERSION= 2.6.17
CATEGORIES= www
MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
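Review bot: PORTVERSION= 2.6.17 is the value the proposed VuXML bound <lt>2.6.17</lt> is compared against, and the entry's <entry> date is still YYYY-MM-DD. Commit the vuln.xml entry together with this version bump, with the date filled in, so that installed 2.6.16 packages are flagged and the updated port is not.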
@@ -94,7 +94,7 @@
http://www1.jp.squid-cache.org/Versions/v2/2.6/ \
http://www2.tw.squid-cache.org/Versions/v2/2.6/
MASTER_SITE_SUBDIR= squid-2/STABLE
-DISTNAME= squid-2.6.STABLE16
+DISTNAME= squid-2.6.STABLE17
DIST_SUBDIR= squid2.6
PATCH_SITES= http://www.squid-cache.org/%SUBDIR%/ \
>Release-Note:
>Audit-Trail:
>Unformatted:
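
An added example (not part of the PR or of any FreeBSD tool) for the range question raised in the description. It assumes VuXML's documented semantics: all bounds inside one <range> must hold, separate <range> elements are alternatives, and "*" sorts below every version component. The function names, the simplified numeric-only comparison and the sample versions are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Simplified comparison: dotted numeric components, missing components count
# as 0, and '*' sorts below every number. Real pkg version comparison also
# handles letters, PORTREVISION and PORTEPOCH; those are out of scope here.
def _cmp(a, b):
    def comp(s):
        return -1 if s == "*" else int(s)
    for x, y in zip_longest(a.split("."), b.split("."), fillvalue="0"):
        if comp(x) != comp(y):
            return -1 if comp(x) < comp(y) else 1
    return 0

OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}

def affected(package_xml, version):
    """True if version falls in any <range>; bounds inside one range are ANDed."""
    pkg = ET.fromstring(package_xml)
    return any(
        all(OPS[b.tag](_cmp(version, b.text)) for b in rng)
        for rng in pkg.iter("range")
    )

# The <package> element as proposed in the PR.
AS_SUBMITTED = """<package><name>squid</name>
<range><lt>2.6.17</lt><ge>3.0.*</ge></range></package>"""

# Constructed alternative using the same two bounds, one <range> per branch.
SPLIT_RANGES = """<package><name>squid</name>
<range><lt>2.6.17</lt></range>
<range><ge>3.0.*</ge></range></package>"""

def report(versions=("2.6.16", "2.6.17", "3.0.1")):  # constructed sample versions
    """Map version -> (affected as submitted, affected with split ranges)."""
    return {v: (affected(AS_SUBMITTED, v), affected(SPLIT_RANGES, v))
            for v in versions}

if __name__ == "__main__":
    for v, (single, split) in report().items():
        print(f"{v}: single range={single}  split ranges={split}")
```

Under these assumptions the single combined range matches no version at all, while the split form flags 2.6.16 and 3.0.1 and leaves 2.6.17 unflagged.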