Bug 207294 - www/squid: update to 3.5.14 (CVE-2016-2390/SQUID-2016:1)
Summary: www/squid: update to 3.5.14 (CVE-2016-2390/SQUID-2016:1)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jason Unovitch
URL: http://www.squid-cache.org/Advisories...
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-02-18 02:03 UTC by Jason Unovitch
Modified: 2016-02-25 03:08 UTC (History)
2 users (show)

See Also:
junovitch: maintainer-feedback+
junovitch: merge-quarterly-

Attachments
port patch (1016 bytes, patch)
2016-02-18 08:42 UTC, Pavel Timofeev 		timp87: maintainer-approval+
Details | Diff
poudriere log (858.34 KB, text/x-log)
2016-02-18 08:49 UTC, Pavel Timofeev 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer freebsd_triage 2016-02-18 02:03:35 UTC 
Maintainer of www/squid,
A security advisory has been posted that will need an update to the latest squid version.

http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-02-18 02:16:33 UTC 
A commit references this bug:

Author: junovitch
Date: Thu Feb 18 02:16:15 UTC 2016
New revision: 409082
URL: https://svnweb.freebsd.org/changeset/ports/409082

Log:
  Document Squid SSL/TLS processing remote DoS

  PR:		207294
  Security:	CVE-2016-2390
  Security:	https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-02-18 02:23:17 UTC 
Set merge-quarterly-

Per the advisory "All Squid-3.5.12 and older 3.5 versions are not vulnerable.".  We have 3.5.12 in quarterly so it's just head that needs the fix.

Also take PR.
Comment 3 Pavel Timofeev 2016-02-18 08:42:45 UTC 
Created attachment 167139 [details]
port patch
Comment 4 Pavel Timofeev 2016-02-18 08:49:27 UTC 
Created attachment 167140 [details]
poudriere log
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-02-19 03:40:28 UTC 
A commit references this bug:

Author: junovitch
Date: Fri Feb 19 03:40:24 UTC 2016
New revision: 409148
URL: https://svnweb.freebsd.org/changeset/ports/409148

Log:
  www/squid: update 3.5.13 -> 3.5.14

  PR:		207294
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Security:	CVE-2016-2390
  Security:	https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html
  X-MFH-Note:	MFH not required, only 3.5.13 in ports/head is vulnerable

Changes:
  head/www/squid/Makefile
  head/www/squid/distinfo
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2016-02-19 03:41:44 UTC 
Pavel,
Thank you for the quick fix!
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-02-25 03:08:56 UTC 
A commit references this bug:

Author: junovitch
Date: Thu Feb 25 03:08:09 UTC 2016
New revision: 409491
URL: https://svnweb.freebsd.org/changeset/ports/409491

Log:
  MFH: r406625, r409148, r409487

  www/squid: update 3.5.12 -> 3.5.15

  PR:             206127
  PR:             207294
  PR:             207454
  Submitted by:   Pavel Timofeev <timp87@gmail.com> (maintainer)
  Approved by:	ports-secteam (miwi)
  Security:       CVE-2016-2390
  Security:       https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html
  Security:       https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/www/squid/Makefile
  branches/2016Q1/www/squid/distinfo