78446 – [Maintainer] www/squid: integrate partly security relevant vendor patches

Bug 78446 - [Maintainer] www/squid: integrate partly security relevant vendor patches

Summary: [Maintainer] www/squid: integrate partly security relevant vendor patches

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-ports-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-03-05 14:10 UTC by Thomas-Martin Seck
Modified:	2005-03-08 23:28 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
file.diff (1.27 KB, patch) 2005-03-05 14:10 UTC, Thomas-Martin Seck	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas-Martin Seck 2005-03-05 14:10:17 UTC

Integrate the following vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

(security-team CC'ed)

- correct a race condition related to the Set-Cookie header
- correct the FTP parser with regards to the EPLF format
  (squid bug #1252)
- correct FTP listing output when the URL was requested without a trailing
  slash (squid bug #1253)
- make ACL configuration errors fatal (squid bug #1255)

Proposed VuXML data (I split this into two entries to avoid something
along the lines of "squid -- multiple issues"), entry date left to be filled
in:

  <vuln vid="bdb546ec-8d7d-11d9-9e1e-c296ac722cb3">
    <topic>squid -- configuration errors can lead to unexpected ACL results</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.9_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error">
	  <p>On configuration errors involving wrongly defined or missing acls
	    the http_access results may be different than expected, possibly
	    allowing more access than intended. This patch makes such
	    configuration errors a fatal error, preventing the service from
	    starting until the access control configuration errors have been
	    corrected.</p>
	</blockquote>
        <p>Workaround: Verify your configuration with "squid -k parse" and
	 correct any errors reported before starting squid.</p>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error</url>
      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1255</url>
    </references>
    <dates>
      <discovery>2005-03-04</discovery>
      <entry></entry>
    </dates>
  </vuln>

  <vuln vid="990f0b9e-8d7c-11d9-9e1e-c296ac722cb3">
    <topic>squid -- possible information leakage</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.9_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie">
	  <p>A race window has been discovered where Set-Cookie headers may
	    leak to another users if the requested server relies on the old
	    obsolete (since 1997) Netscape Set-Cookie specifications in how
	    caches should handle the Set-Cookie header on otherwise cacheable
	    content.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie</url>
    </references>
    <dates>
      <discovery>2005-03-03</discovery>
      <entry></entry>
    </dates>
  </vuln>

Fix: Apply this patch:

Comment 1 Thomas-Martin Seck 2005-03-05 14:21:51 UTC

Ack, I attached the wrong patch. Here is the correct one:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 428)
+++ distinfo	(.../local/squid)	(revision 428)
@@ -1,2 +1,10 @@
 MD5 (squid2.5/squid-2.5.STABLE9.tar.bz2) = 5a34a303dcab8851c7ab20e24af69b61
 SIZE (squid2.5/squid-2.5.STABLE9.tar.bz2) = 1057776
+MD5 (squid2.5/squid-2.5.STABLE9-setcookie.patch) = f4abbc43af5251380b3caaa9b08d0572
+SIZE (squid2.5/squid-2.5.STABLE9-setcookie.patch) = 5328
+MD5 (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = c4ae820794f301b909415e0f4728f1c9
+SIZE (squid2.5/squid-2.5.STABLE9-ftp_EPLF.patch) = 4108
+MD5 (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = ddc034a2c2a002bfcf6bf97eb21e8b57
+SIZE (squid2.5/squid-2.5.STABLE9-ftp_base_href.patch) = 709
+MD5 (squid2.5/squid-2.5.STABLE9-acl_error.patch) = f70922d873ce73c7fdad8bf7156afeb4
+SIZE (squid2.5/squid-2.5.STABLE9-acl_error.patch) = 8499
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 428)
+++ Makefile	(.../local/squid)	(revision 428)
@@ -74,6 +74,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.9
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -86,7 +87,10 @@
 DIST_SUBDIR=	squid2.5
 
 PATCH_SITES=	http://www.squid-cache.org/Versions/v2/2.5/bugs/
-PATCHFILES=
+PATCHFILES=	squid-2.5.STABLE9-setcookie.patch \
+		squid-2.5.STABLE9-ftp_EPLF.patch \
+		squid-2.5.STABLE9-ftp_base_href.patch \
+		squid-2.5.STABLE9-acl_error.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de

Comment 2 Pav Lucistnik freebsd_committer

2005-03-08 23:28:23 UTC

State Changed
From-To: open->closed

Committed, thanks!