Integrate a vendor patch to change the way empty ACL definitions are handled to avoid accidental foot-shooting (squid bug #1166). Further details are available via the squid patch page <http://www.squid-cache.org/Versions/v2/2.5/bugs/>.

security-team@ CC'ed since the vendor classified the problem as a minor(?) security issue, proposed VuXML information follows (real entry date needs to be filled in):

<vuln vid="a30e5e44-5440-11d9-9e1e-c296ac722cb3">
  <topic>squid -- confusing results on empty acl declarations</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.5.7_5</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The squid-2.5 patches page notes:</p>
      <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls">
        <p>The meaning of the access controls becomes somewhat
          confusing if any of the referenced acls is declared empty,
          without any members.</p>
        <p>[Administrators should] pay attention to warnings from
          "squid -k parse" and do not use configurations where there
          are warnings about access controls in production.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url>
  </references>
  <dates>
    <discovery>2004-12-21</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>

Fix: Apply this patch:

On 2004.12.22 17:50:24 -0000, Thomas-Martin Seck wrote:
>
> >Number: 75403
> >Category: ports
> >Synopsis: [Maintainer] www/squid: change handling of empty ACL declarations
[...]
> security-team@ CC'ed since the vendor classified the problem as a minor(?)
> security issue, proposed VuXML information follows (real entry date needs
> to be filled in):

Thanks! I committed the VuXML entry now, and I will try to get the port update committed tomorrow (unless a ports committer beats me to it).

--
Simon L. Nielsen
FreeBSD Security Team

State Changed
From-To: open->closed

Committed, thanks!
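
The advisory quoted in the PR above concerns access rules that reference an acl declared without members. The following is an added example, not part of the PR or of the squid patch: a small pre-deployment check that complements "squid -k parse" by listing such acls and the *_access rules that use them. The function name and the sample configuration are constructed for illustration; quoted file arguments are counted as members without being read, and "#" is always treated as a comment start.

```python
# Constructed sample squid.conf fragment (not taken from the PR).
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/16
acl blocked_sites dstdomain
acl admins src
acl admins src 10.0.0.5
http_access deny blocked_sites
http_access allow localnet !blocked_sites
http_access allow admins
http_access deny all
"""


def find_empty_acl_use(conf_text):
    """Return (empty_acl_names, [(line_no, rule_text, empty_acls_used)])."""
    members = {}  # acl name -> number of member arguments seen so far
    rules = []    # (line_no, rule text, referenced acl names)
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        directive = tokens[0]
        if directive == "acl" and len(tokens) >= 3:
            # acl <name> <type> [member ...]; repeated lines add members.
            # Option flags such as -i are not members.
            args = [t for t in tokens[3:] if not t.startswith("-")]
            members[tokens[1]] = members.get(tokens[1], 0) + len(args)
        elif directive.endswith("_access") and len(tokens) >= 3:
            # <x>_access allow|deny [!]aclname ...
            refs = [t.lstrip("!") for t in tokens[2:]]
            rules.append((line_no, " ".join(tokens), refs))
    empty = sorted(name for name, count in members.items() if count == 0)
    hits = []
    for line_no, text, refs in rules:
        used = [r for r in refs if r in empty]
        if used:
            hits.append((line_no, text, used))
    return empty, hits


if __name__ == "__main__":
    empty_acls, affected = find_empty_acl_use(SAMPLE_CONF)
    for name in empty_acls:
        print("acl declared without members:", name)
    for line_no, text, used in affected:
        print("line %d references empty acl(s) %s: %s"
              % (line_no, ", ".join(used), text))
```
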