ports/143937: [Maintainer] [Security] www/squid, www/squid30: address Squid Advisory 2010:2

Thomas-Martin Seck tmseck at web.de
Sun Feb 14 17:00:16 UTC 2010


>Number:         143937
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid, www/squid30: address Squid Advisory 2010:2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 14 17:00:15 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of February 14, 2010.

	
>Description:
Integrate a vendor patch for www/squid and update www/squid30 to
3.0.STABLE24 to fix a DoS vulnerability in HTCP. HTCP support is not
enabled by default in the Squid ports but can be activated by setting
WITH_SQUID_HTCP.

www/squid31 is said to be not affected.

Proposed VuXML entry:
  
  <vuln vid="81d9dc0c-1988-11df-8e66-0019996bc1f7">
    <topic>squid -- Denial of Service vulnerability in HTCP</topic>
    <affects>
      <package>
        <name>squid</name>
        <range><ge>2.7.1</ge><lt>2.7.7_4</lt></range>
        <range><ge>3.0.1</ge><lt>3.0.24</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Squid security advisory 2010:2 reports:</p>
        <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_2.txt">
          <p>Due to incorrect processing Squid is vulnerable to a denial of service attack when receiving specially crafted HTCP packets.</p>
          <p>This problem allows any machine to perform a denial of service attack on the Squid service when its HTCP port is open.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Advisories/SQUID-2010_2.txt</url>
    </references>
    <dates>
      <discovery>2010-02-12</discovery>
    </dates>
  </vuln>
  
	
>How-To-Repeat:
	
>Fix:
Patch for www/squid:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(Revision 1769)
+++ Makefile	(.../local/squid)	(Revision 1769)
@@ -76,7 +76,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.7.${SQUID_STABLE_VER}
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
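Review bot: PORTREVISION=4 in this hunk and the `<lt>2.7.7_4</lt>` bound in the proposed VuXML entry depend on each other, so both should land in the same commit. With PORTVERSION=2.7.${SQUID_STABLE_VER} and the STABLE7 distfile listed in distinfo, the patched package becomes 2.7.7_4, which matches the entry.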
@@ -107,7 +107,7 @@
 		http://www1.jp.squid-cache.org/%SUBDIR%/ \
 		http://www2.tw.squid-cache.org/%SUBDIR%/
 PATCH_SITE_SUBDIR=	Versions/v2/2.7/changesets
-PATCHFILES=
+PATCHFILES=	12600.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck at web.de
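Review bot: The new PATCHFILES= 12600.patch line gives no hint of what the changeset fixes. A one-line Makefile comment above it naming Squid Advisory 2010:2 (HTCP DoS) would tell whoever does the next 2.7 STABLE update that the entry can be emptied again once the fix ships in a release tarball.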
Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(Revision 1769)
+++ distinfo	(.../local/squid)	(Revision 1769)
@@ -1,3 +1,6 @@
 MD5 (squid2.7/squid-2.7.STABLE7.tar.bz2) = c18b0371fca813d5e7c7e0baf87baa22
 SHA256 (squid2.7/squid-2.7.STABLE7.tar.bz2) = 6c4e50708ff9ed2d2f43acf3300cbc826749d7fdc722465654415b285d6f7015
 SIZE (squid2.7/squid-2.7.STABLE7.tar.bz2) = 1341869
+MD5 (squid2.7/12600.patch) = 4bf7fb22ef3715b50650c89f679bc47d
+SHA256 (squid2.7/12600.patch) = 828f386ba6468e3b810ec22691f9f920f57cf91548d2edb266c726b1e6b1b829
+SIZE (squid2.7/12600.patch) = 1194
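Review bot: The three added 12600.patch lines are the only integrity check on the security fix, since the master sites visible in the Makefile hunk are plain ftp:// and http:// URLs. Before commit, fetch the file independently from the upstream Versions/v2/2.7/changesets directory and confirm the SHA256 and the 1194-byte SIZE recorded here, treating the MD5 line as informational only.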

Patch for www/squid30:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid30)	(Revision 1769)
+++ Makefile	(.../local/squid30)	(Revision 1769)
@@ -99,7 +99,7 @@
 
 LATEST_LINK=	squid30
 
-SQUID_STABLE_VER=	23
+SQUID_STABLE_VER=	24
 
 CONFLICTS=	squid-2.[0-9].* squid-3.[^0].* cacheboy-[0-9]* lusca-head-[0-9]*
 GNU_CONFIGURE=	yes
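Review bot: The SQUID_STABLE_VER bump from 23 to 24 changes the port version, and this hunk does not show whether the squid30 Makefile still carries a PORTREVISION line. If it does, that line should be dropped in the same change so the package comes out as plain 3.0.24, the version the VuXML bound `<lt>3.0.24</lt>` is written against.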
Index: distinfo
===================================================================
--- distinfo	(.../www/squid30)	(Revision 1769)
+++ distinfo	(.../local/squid30)	(Revision 1769)
@@ -1,3 +1,3 @@
-MD5 (squid3.0/squid-3.0.STABLE23.tar.bz2) = ec9b6abf18128147e8559967aed62e37
-SHA256 (squid3.0/squid-3.0.STABLE23.tar.bz2) = 3a2a2195fa66d31df412f8befa49a921f34e619332557281ce69e12ed9b01a59
-SIZE (squid3.0/squid-3.0.STABLE23.tar.bz2) = 1757984
+MD5 (squid3.0/squid-3.0.STABLE24.tar.bz2) = 325c8977b64397666bf538d54bb6f128
+SHA256 (squid3.0/squid-3.0.STABLE24.tar.bz2) = 0f5cc68a861152a1ddbe53d0b704746f18f9563eb40a623877d7ba55dc6ce8f5
+SIZE (squid3.0/squid-3.0.STABLE24.tar.bz2) = 1758060

	


>Release-Note:
>Audit-Trail:
>Unformatted:


