Bug 209334 - www/squid(-devel)?: update to latest version (multiple vulnerabilities)
Summary: www/squid(-devel)?: update to latest version (multiple vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Matthew Seaman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-06 16:18 UTC by Pavel Timofeev
Modified: 2016-05-11 15:13 UTC (History)
1 user (show)

See Also:

Attachments
www/squid patch (1017 bytes, patch)
2016-05-11 09:43 UTC, Pavel Timofeev 		timp87: maintainer-approval+
Details | Diff
www/squid-devel patch (1017 bytes, patch)
2016-05-11 09:59 UTC, Pavel Timofeev 		timp87: maintainer-approval+
Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Pavel Timofeev 2016-05-06 16:18:20 UTC 
Here is a list obtained here http://www.squid-cache.org/Advisories/:
  SQUID-2016:9, May 06, 2016
    Fixed from 4.0.10, 3.5.18 
    Multiple Denial of Service issues in ESI Response processing.
  SQUID-2016:8, May 06, 2016
    Fixed from 4.0.10, 3.5.18 
    Header smuggling issue in HTTP Request processing.
  SQUID-2016:7, May 06, 2016
    Fixed from 4.0.10, 3.5.18 
    Cache poisoning issue in HTTP Request handling.


I'll provide patches a bit later.
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-05-07 11:56:56 UTC 
A commit references this bug:

Author: matthew
Date: Sat May  7 11:56:27 UTC 2016
New revision: 414774
URL: https://svnweb.freebsd.org/changeset/ports/414774

Log:
  Document three security advisories for the squid and squid-devel
  ports.  CVE numbers are not yet available.

  PR:		209334
  Submitted by:	timp87@gmail.com (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Pavel Timofeev 2016-05-11 09:43:15 UTC 
Created attachment 170203 [details]
www/squid patch
Comment 3 Pavel Timofeev 2016-05-11 09:59:30 UTC 
Created attachment 170207 [details]
www/squid-devel patch
Comment 4 Pavel Timofeev 2016-05-11 10:06:14 UTC 
Please, note CVE numbers are available now
Comment 5 Matthew Seaman freebsd_committer freebsd_triage 2016-05-11 10:54:07 UTC 
CVE Numbers have already been added to vuln.xml
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-05-11 12:57:01 UTC 
A commit references this bug:

Author: matthew
Date: Wed May 11 12:56:26 UTC 2016
New revision: 414987
URL: https://svnweb.freebsd.org/changeset/ports/414987

Log:
  Security update to 3.5.19

  PR:		209334
  Submitted by:	timp87@gmail.com (maintainer)
  Security:	25e5205b-1447-11e6-9ead-6805ca0b3d42

Changes:
  head/www/squid/Makefile
  head/www/squid/distinfo
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-05-11 13:44:08 UTC 
A commit references this bug:

Author: matthew
Date: Wed May 11 13:43:44 UTC 2016
New revision: 414993
URL: https://svnweb.freebsd.org/changeset/ports/414993

Log:
  Security update to 4.0.10

  PR:		209334
  Submitted by:	timp87@gmail.com (maintainer)
  MFH:		2016Q2
  Security:	25e5205b-1447-11e6-9ead-6805ca0b3d42

Changes:
  head/www/squid-devel/Makefile
  head/www/squid-devel/distinfo
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-05-11 15:08:29 UTC 
A commit references this bug:

Author: matthew
Date: Wed May 11 15:07:26 UTC 2016
New revision: 415007
URL: https://svnweb.freebsd.org/changeset/ports/415007

Log:
  MFH: r414987

  Security update to 3.5.19

  PR:		209334
  Submitted by:	timp87@gmail.com (maintainer)
  Security:	25e5205b-1447-11e6-9ead-6805ca0b3d42

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/www/squid/Makefile
  branches/2016Q2/www/squid/distinfo
Comment 9 Matthew Seaman freebsd_committer freebsd_triage 2016-05-11 15:13:42 UTC 
Can't do a MFH for www/squid-devel sine that port is newer than the 2016Q2 branch.

Other than that: all committed, thanks!