Bug 81213 - [Maintainer] www/squid: update to 2.5.STABLE10
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2005-05-18 19:40 UTC by Thomas-Martin Seck
Modified: 2005-05-19 15:17 UTC
Attachments
file.diff (8.84 KB, patch)
2005-05-18 19:40 UTC, Thomas-Martin Seck
Description Thomas-Martin Seck 2005-05-18 19:40:01 UTC
- Update to 2.5.STABLE10.
  See
  <http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE10-RELEASENOTES.html>,
  section 12, for details.

- Replace a dead mirror site
- Cosmetic changes

Note to committer:
- Please 'cvs add' files/patch-src-Makefile.in
- Please add the following entry to /usr/ports/UPDATING:

20050518:
  AFFECTS: users of www/squid
  AUTHOR: tmseck@netcologne.de

  Starting with 2.5.10, the cachemgr.cgi program uses a configuration file
  cachemgr.conf to control which hosts this program is allowed to manage.
  To prevent abuse, the configuration defaults to "localhost" only.
  Please see cachemgr.cgi(8) for further details.
  
- Please add the following entries to security/vuxml/vuln.xml:

  <vuln vid="a395397c-c7c8-11d9-9e1e-c296ac722cb3">
    <topic>squid -- possible abuse of cachemgr.cgi</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-cachemgr_conf">
	  <p>This patch adds access controls to the cachemgr.cgi script,
	    preventing it from being abused to reach other servers than
	    allowed in a local configuration file.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-1999-0710</cvename>
      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-cachemgr_conf</url>
      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1094</url>
    </references>
    <dates>
      <discovery>19990729</discovery>
      <entry>TO BE FILLED IN</entry>
    </dates>
  </vuln>

  <vuln vid="7e97b288-c7ca-11d9-9e1e-c296ac722cb3">
    <topic>squid -- DNS lookup spoofing vulnerability</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query">
	  <p>Malicious users may spoof DNS lookups if the DNS client UDP port
	    (random, assigned by OS as startup) is unfiltered and your network
	    is not protected from IP spoofing.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2005-1519</cvename>
      <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_reply</url>
      <url>http://secunia.com/advisories/15294</url>
    </references>
    <dates>
      <discovery>20050511</discovery>
      <entry>TO BE FILLED IN</entry>
    </dates>
  </vuln>

Fix: Apply this patch:
Comment 1 Pav Lucistnik freebsd_committer freebsd_triage 2005-05-19 15:17:10 UTC
State Changed
From-To: open->closed

Committed, thanks!