ports/150366: [Maintainer] [security] www/squid30: fix a denial of service vulnerability
Thomas-Martin Seck
tmseck at web.de
Tue Sep 7 21:20:02 UTC 2010
>Number: 150366
>Category: ports
>Synopsis: [Maintainer] [security] www/squid30: fix a denial of service vulnerability
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 07 21:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 8.1-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of September 7, 2010.
>Description:
Integrate vendor patches for various bugs. Fix a denial of service
vulnerability as reported in Squid Advisory 2010:3.
See ports/150364 (www/squid31 update request) for the proposed VuXML entry.
Removed files:
files/patch-lib-rfc1738.c
>How-To-Repeat:
>Fix:
Apply this patch:
Index: Makefile
===================================================================
--- Makefile (.../www/squid30) (Revision 1875)
+++ Makefile (.../local/squid30) (Revision 1875)
@@ -61,7 +61,7 @@
PORTNAME= squid
PORTVERSION= 3.0.${SQUID_STABLE_VER}
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= www
MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
http://mirrors.ccs.neu.edu/Squid/ \
@@ -92,7 +92,9 @@
http://www1.jp.squid-cache.org/%SUBDIR%/ \
http://www2.tw.squid-cache.org/%SUBDIR%/
PATCH_SITE_SUBDIR= Versions/v3/3.0/changesets
-PATCHFILES=
+PATCHFILES= squid-3.0-9183.patch squid-3.0-9184.patch squid-3.0-9185.patch \
+ squid-3.0-9186.patch squid-3.0-9187.patch squid-3.0-9188.patch \
+ squid-3.0-9189.patch
MAINTAINER= tmseck at web.de
COMMENT= HTTP Caching Proxy
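Review bot: the new PATCHFILES value lists seven changesets (squid-3.0-9183.patch through squid-3.0-9189.patch) with nothing to show which one carries the Squid Advisory 2010:3 fix and which are the "various bugs" fixes. A short Makefile comment above PATCHFILES, or a line in the PR description, naming the security changeset would let anyone auditing or backporting this update find the relevant fix without reading all seven. Note also that MASTER_SITES are plain ftp:// and http:// mirrors, so the integrity of these fetched patches depends entirely on the distinfo entries added in the same submission.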
Index: distinfo
===================================================================
--- distinfo (.../www/squid30) (Revision 1875)
+++ distinfo (.../local/squid30) (Revision 1875)
@@ -1,3 +1,24 @@
MD5 (squid3.0/squid-3.0.STABLE25.tar.bz2) = 6a29be1e4900470aebe93654f9be03e0
SHA256 (squid3.0/squid-3.0.STABLE25.tar.bz2) = d1040a17f3c904372c180e1e6a432be798a26c3689831a329bd2a5ab38bbc05e
SIZE (squid3.0/squid-3.0.STABLE25.tar.bz2) = 1758969
+MD5 (squid3.0/squid-3.0-9183.patch) = 118b37eb39487bc1bbf30b64998e07df
+SHA256 (squid3.0/squid-3.0-9183.patch) = 61b6b2d7619705db83b5f66a57b64f7c00b9e02c7707c473f3f1f4ad8abf9b9f
+SIZE (squid3.0/squid-3.0-9183.patch) = 1542
+MD5 (squid3.0/squid-3.0-9184.patch) = 0559191736bd31801bb22ad14bb60a2d
+SHA256 (squid3.0/squid-3.0-9184.patch) = a32f91fa85a401039e173458bbb137a7e2d61e4e1ca465fa4857071b906712ca
+SIZE (squid3.0/squid-3.0-9184.patch) = 2240
+MD5 (squid3.0/squid-3.0-9185.patch) = f707437a1c05f39effb29b6bf485e1b9
+SHA256 (squid3.0/squid-3.0-9185.patch) = f2fa4d2b0e1d7fbd3bdb85e980d83e0bf60a73c0b362dc148369843f6480ede7
+SIZE (squid3.0/squid-3.0-9185.patch) = 1680
+MD5 (squid3.0/squid-3.0-9186.patch) = 379333cc6542ab61a97015366253e4ad
+SHA256 (squid3.0/squid-3.0-9186.patch) = 0d9917539a3fe6075292b5927c61324222cb09a11eeeffc99af5c169f65b31a5
+SIZE (squid3.0/squid-3.0-9186.patch) = 1646
+MD5 (squid3.0/squid-3.0-9187.patch) = 1b4681b2b60a81327ee6b5667d60f597
+SHA256 (squid3.0/squid-3.0-9187.patch) = e7c0c1b365413c786ed78fcc6b4113e0783458b4137d3d47d4cb707730ee388b
+SIZE (squid3.0/squid-3.0-9187.patch) = 1338
+MD5 (squid3.0/squid-3.0-9188.patch) = 7897fef3efd6e646e288111d1fa52de3
+SHA256 (squid3.0/squid-3.0-9188.patch) = 4fc959e0bd570d4e8e19a0732181836b49086c98e78d1bc37f3fa739763ff753
+SIZE (squid3.0/squid-3.0-9188.patch) = 1455
+MD5 (squid3.0/squid-3.0-9189.patch) = de0e4236955b66aba92117130a175dc0
+SHA256 (squid3.0/squid-3.0-9189.patch) = a5abc0cda7016b00673e0f3bf91a5af2aeece09480bbaae90df34afb0e6fba04
+SIZE (squid3.0/squid-3.0-9189.patch) = 4192
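Review bot: the 21 added lines pair each patch's SHA256 with an MD5 and a SIZE, and only the SHA256 should be treated as the integrity check, since MD5 is not collision resistant. Because the patches come from unauthenticated ftp/http mirrors per the Makefile, the committer should regenerate these entries from a copy fetched from the primary squid-cache.org site and compare the SHA256 values before committing, rather than accepting the submitted hashes as they stand. The count is consistent with the Makefile hunk: seven patches, three lines each, matching the "+1,24" hunk header.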
Index: files/patch-lib-rfc1738.c
===================================================================
--- files/patch-lib-rfc1738.c (.../www/squid30) (Revision 1875)
+++ files/patch-lib-rfc1738.c (.../local/squid30) (Revision 1875)
@@ -1,12 +0,0 @@
---- lib/rfc1738.c.orig 2010-04-16 14:36:23.000000000 +0200
-+++ lib/rfc1738.c 2010-04-16 14:37:11.000000000 +0200
-@@ -203,8 +203,7 @@ rfc1738_unescape(char *s)
- j++; /* Skip % */
- } else {
- /* decode */
-- char v1, v2;
-- int x;
-+ int v1, v2, x;
- v1 = fromhex(s[j + 1]);
- if (v1 < 0)
- continue; /* non-hex or \0 */
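Review bot: deleting files/patch-lib-rfc1738.c is only safe if one of the newly added vendor changesets makes the same change to rfc1738_unescape(), and the PR does not say which one does. The local patch changed "char v1, v2;" to "int v1, v2, x;" so that the "if (v1 < 0)" test on the fromhex() result works; with plain char, that test can never be true on platforms where char is unsigned, and the "non-hex or \0" case would fall through to decoding. Please name the changeset that supersedes this patch in the description, and confirm that lib/rfc1738.c in the patched work tree declares v1 and v2 as int.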
>Release-Note:
>Audit-Trail:
>Unformatted: