ports/143937: [Maintainer] [Security] www/squid, www/squid30: address Squid Advisory 2010:2
Thomas-Martin Seck
tmseck at web.de
Sun Feb 14 17:00:16 UTC 2010
>Number: 143937
>Category: ports
>Synopsis: [Maintainer] [Security] www/squid, www/squid30: address Squid Advisory 2010:2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 14 17:00:15 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 8.0-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of February 14, 2010.
>Description:
Integrate a vendor patch for www/squid and update www/squid30 to
3.0.STABLE24 to fix a DoS vulnerability in HTCP. HTCP support is not
enabled by default in the Squid ports but can be activated by setting
WITH_SQUID_HTCP.
www/squid31 is said to be not affected.
Proposed VuXML entry:
<vuln vid="81d9dc0c-1988-11df-8e66-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in HTCP</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_4</lt></range>
<range><ge>3.0.1</ge><lt>3.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_2.txt">
<p>Due to incorrect processing Squid is vulnerable to a denial of service attack when receiving specially crafted HTCP packets.</p>
<p>This problem allows any machine to perform a denial of service attack on the Squid service when its HTCP port is open.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_2.txt</url>
</references>
<dates>
<discovery>2010-02-12</discovery>
</dates>
</vuln>
>How-To-Repeat:
>Fix:
Patch for www/squid:
Index: Makefile
===================================================================
--- Makefile (.../www/squid) (Revision 1769)
+++ Makefile (.../local/squid) (Revision 1769)
@@ -76,7 +76,7 @@
PORTNAME= squid
PORTVERSION= 2.7.${SQUID_STABLE_VER}
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= www
MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
@@ -107,7 +107,7 @@
http://www1.jp.squid-cache.org/%SUBDIR%/ \
http://www2.tw.squid-cache.org/%SUBDIR%/
PATCH_SITE_SUBDIR= Versions/v2/2.7/changesets
-PATCHFILES=
+PATCHFILES= 12600.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck at web.de
Index: distinfo
===================================================================
--- distinfo (.../www/squid) (Revision 1769)
+++ distinfo (.../local/squid) (Revision 1769)
@@ -1,3 +1,6 @@
MD5 (squid2.7/squid-2.7.STABLE7.tar.bz2) = c18b0371fca813d5e7c7e0baf87baa22
SHA256 (squid2.7/squid-2.7.STABLE7.tar.bz2) = 6c4e50708ff9ed2d2f43acf3300cbc826749d7fdc722465654415b285d6f7015
SIZE (squid2.7/squid-2.7.STABLE7.tar.bz2) = 1341869
+MD5 (squid2.7/12600.patch) = 4bf7fb22ef3715b50650c89f679bc47d
+SHA256 (squid2.7/12600.patch) = 828f386ba6468e3b810ec22691f9f920f57cf91548d2edb266c726b1e6b1b829
+SIZE (squid2.7/12600.patch) = 1194
Patch for www/squid30:
Index: Makefile
===================================================================
--- Makefile (.../www/squid30) (Revision 1769)
+++ Makefile (.../local/squid30) (Revision 1769)
@@ -99,7 +99,7 @@
LATEST_LINK= squid30
-SQUID_STABLE_VER= 23
+SQUID_STABLE_VER= 24
CONFLICTS= squid-2.[0-9].* squid-3.[^0].* cacheboy-[0-9]* lusca-head-[0-9]*
GNU_CONFIGURE= yes
Index: distinfo
===================================================================
--- distinfo (.../www/squid30) (Revision 1769)
+++ distinfo (.../local/squid30) (Revision 1769)
@@ -1,3 +1,3 @@
-MD5 (squid3.0/squid-3.0.STABLE23.tar.bz2) = ec9b6abf18128147e8559967aed62e37
-SHA256 (squid3.0/squid-3.0.STABLE23.tar.bz2) = 3a2a2195fa66d31df412f8befa49a921f34e619332557281ce69e12ed9b01a59
-SIZE (squid3.0/squid-3.0.STABLE23.tar.bz2) = 1757984
+MD5 (squid3.0/squid-3.0.STABLE24.tar.bz2) = 325c8977b64397666bf538d54bb6f128
+SHA256 (squid3.0/squid-3.0.STABLE24.tar.bz2) = 0f5cc68a861152a1ddbe53d0b704746f18f9563eb40a623877d7ba55dc6ce8f5
+SIZE (squid3.0/squid-3.0.STABLE24.tar.bz2) = 1758060
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list