Bug 137184 - [Maintainer] www/squid30: update to 3.0.STABLE17
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Xin LI
Reported: 2009-07-27 19:20 UTC by Thomas-Martin Seck
Modified: 2009-07-27 20:50 UTC

Attachments
file.diff (1.43 KB, patch)
2009-07-27 19:20 UTC, Thomas-Martin Seck

Description Thomas-Martin Seck 2009-07-27 19:20:01 UTC
Update to 3.0.STABLE17.

This update addresses several remote denial of service vulnerabilities.

Proposed VuXML entry:

  <vuln vid="e1156e90-7ad6-11de-b26a-0048543d60ce">
    <topic>squid -- several remote denial of service vulnerabilities</topic>
    <affects>
      <package>
        <name>squid</name>
	<range><ge>3.0.1</ge><lt>3.0.17</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Squid security advisory 2009:2 reports:</p>
	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2009_2.txt">
	  <p>Due to incorrect buffer limits and related bound checks Squid
	    is vulnerable to a denial of service attack when processing
	    specially crafted requests or responses.</p>
	  <p>Due to incorrect data validation Squid is vulnerable to a
	    denial of service attack when processing specially crafted
	    responses.</p>
	  <p>These problems allow any trusted client or external server to
	    perform a denial of service attack on the Squid service.</p>
	</blockquote> 
	<p>Squid-2.x releases are not affected.</p>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Advisories/SQUID-2009_2.txt</url>
    </references>
    <dates>
      <discovery>2009-07-27</discovery>
    </dates>
  </vuln>

Fix: Apply this patch:
Comment 1 Thomas-Martin Seck 2009-07-27 19:33:53 UTC
Sorry, I forgot to list Squid-3.1.0.8 as vulnerable:

<range><ge>3.1.0.8</ge></range>

I'll see whether I can update www/squid31 to 3.1.0.12, but all versions past
3.1.0.8 failed in 'make install' and it does not seem that 3.1.0.12
addresses this specific problem.
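
Added example, not part of the PR or of the FreeBSD tooling: a small Python check that evaluates the `<range>` bounds from the proposed entry, plus the extra range from Comment 1, against an installed version. The merged sample entry is constructed here, and the version comparison assumes purely numeric dotted versions, which is simpler than the real ports version rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <affects> part of the proposed entry, with the
# additional range from Comment 1 merged in. Other elements are omitted.
VULN_XML = """\
<vuln vid="e1156e90-7ad6-11de-b26a-0048543d60ce">
  <topic>squid -- several remote denial of service vulnerabilities</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><ge>3.0.1</ge><lt>3.0.17</lt></range>
      <range><ge>3.1.0.8</ge></range>
    </package>
  </affects>
</vuln>
"""

# VuXML bound elements, each mapped to a test on the comparison result.
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}


def cmp_versions(a, b):
    """Return -1, 0 or 1. Assumption: numeric dotted versions only
    (no PORTREVISION, PORTEPOCH or letter suffixes)."""
    ta = [int(p) for p in a.split(".")]
    tb = [int(p) for p in b.split(".")]
    width = max(len(ta), len(tb))
    ta += [0] * (width - len(ta))  # missing components compare as 0
    tb += [0] * (width - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(range_el, installed):
    # All bounds inside one <range> must hold at the same time.
    return all(OPS[b.tag](cmp_versions(installed, b.text.strip()))
               for b in range_el)


def is_affected(vuln_xml, name, installed):
    # The input here is an embedded constant; parse untrusted feeds
    # with a hardened XML parser instead.
    vuln = ET.fromstring(vuln_xml)
    for pkg in vuln.iterfind("./affects/package"):
        names = [n.text.strip() for n in pkg.findall("name")]
        # A package is affected if any one of its ranges matches.
        if name in names and any(in_range(r, installed)
                                 for r in pkg.findall("range")):
            return True
    return False
```

With these ranges, 3.0.16 and 3.1.0.12 are reported as affected, while 3.0.17 and any 2.x version are not.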
Comment 2 Xin LI freebsd_committer freebsd_triage 2009-07-27 20:16:24 UTC
Responsible Changed
From-To: freebsd-ports-bugs->delphij

Take.
Comment 3 dfilter service freebsd_committer freebsd_triage 2009-07-27 20:39:43 UTC
delphij     2009-07-27 19:39:34 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Document squid remote denial of service vulnerabilities.
  
  Submitted by:   Thomas-Martin Seck <tmseck@web.de>
  PR:             ports/137184
  
  Revision  Changes    Path
  1.1986    +35 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 dfilter service freebsd_committer freebsd_triage 2009-07-27 20:40:38 UTC
delphij     2009-07-27 19:40:29 UTC

  FreeBSD ports repository

  Modified files:
    www/squid30          Makefile distinfo 
  Log:
  Update to 3.0STABLE17.
  
  PR:             ports/137184
  Submitted by:   maintainer
  Security:       e1156e90-7ad6-11de-b26a-0048543d60ce
  
  Revision  Changes    Path
  1.228     +2 -2      ports/www/squid30/Makefile
  1.174     +3 -6      ports/www/squid30/distinfo
Comment 5 Xin LI freebsd_committer freebsd_triage 2009-07-27 20:40:41 UTC
State Changed
From-To: open->closed

Committed, thanks!