Bug 75403

Summary: [Maintainer] www/squid: change handling of empty ACL declarations
Product: Ports & Packages
Reporter: Thomas-Martin Seck <tmseck>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: security-team
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description Thomas-Martin Seck 2004-12-22 17:50:29 UTC
Integrate a vendor patch to change the way empty ACL definitions
are handled to avoid accidental foot-shooting (squid bug #1166).
Further details are available via the squid patch page
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>.

security-team@ CC'ed since the vendor classified the problem as a minor(?)
security issue, proposed VuXML information follows (real entry date needs
to be filled in):

<vuln vid="a30e5e44-5440-11d9-9e1e-c296ac722cb3">
  <topic>squid -- confusing results on empty acl declarations</topic>
    <affects>
	<package>
	  <name>squid</name>
	  <range><lt>2.5.7_5</lt></range>
	</package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	  <p>The squid-2.5 patches page notes:</p>
	  <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls">
	  <p>The meaning of the access controls becomes somewhat
	     confusing if any of the referenced acls is declared empty,
	     without any members.</p>
	  <p>[Administrators should] pay attention to warnings from "squid -k
	     parse" and do not use configurations where there are warnings about
	     access controls in production.</p>
	  </blockquote>
	</body>
    </description>
    <references>
	<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url>
    </references>
    <dates>
	<discovery>2004-12-21</discovery>
	<entry>YYYY-MM-DD</entry>
    </dates>
</vuln>

Fix: Apply this patch:

Comment 1 Simon L. B. Nielsen freebsd_committer freebsd_triage 2004-12-23 01:02:41 UTC
On 2004.12.22 17:50:24 -0000, Thomas-Martin Seck wrote:
> 
> >Number:         75403
> >Category:       ports
> >Synopsis:       [Maintainer] www/squid: change handling of empty ACL declarations

[...]
> security-team@ CC'ed since the vendor classified the problem as a minor(?)
> security issue, proposed VuXML information follows (real entry date needs
> to be filled in):


Thanks!  I committed the VuXML entry now, and I will try to get the
port update committed tomorrow (unless a ports committer beats me to
it).

-- 
Simon L. Nielsen
FreeBSD Security Team

Comment 2 Kirill Ponomarev freebsd_committer freebsd_triage 2004-12-23 12:15:34 UTC
State Changed
From-To: open->closed

Committed, thanks!
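
Added example, not part of this bug report, the port, or the Squid patch: a small Python check that finds ACLs declared without any members in a squid.conf and lists the access rules that reference them, which is the situation the vendor note quoted in the VuXML entry warns about. The function names, the directive list and the sample configuration are constructed for illustration; ACLs whose members are loaded from an external file are not resolved, and the check does not replace the warnings from "squid -k parse".

```python
# Added example: flag squid.conf ACLs declared with no members and the
# access rules that reference them. Names and sample data are constructed.

# Assumed set of directives of the form "<directive> allow|deny [!]aclname ..."
ACCESS_DIRECTIVES = {
    "http_access", "http_reply_access", "icp_access", "miss_access",
    "no_cache", "always_direct", "never_direct",
}

def parse_conf(text):
    """Return ({acl name: [members]}, [(line_no, directive, action, [acls])])."""
    acls, rules = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment.
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "acl":
            # "acl name type [member ...]"; repeated declarations accumulate.
            acls.setdefault(tokens[1], []).extend(tokens[3:])
        elif len(tokens) >= 2 and tokens[0] in ACCESS_DIRECTIVES:
            names = [t.lstrip("!") for t in tokens[2:]]
            rules.append((line_no, tokens[0], tokens[1], names))
    return acls, rules

def find_empty_acl_rules(text):
    """Return (sorted empty ACL names, rules that reference any of them)."""
    acls, rules = parse_conf(text)
    empty = {name for name, members in acls.items() if not members}
    findings = []
    for line_no, directive, action, names in rules:
        hit = [n for n in names if n in empty]
        if hit:
            findings.append((line_no, directive, action, hit))
    return sorted(empty), findings

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/16
acl blocked_sites dstdomain
acl admins src
acl admins src 10.0.0.5
http_access deny blocked_sites
http_access allow localnet !blocked_sites
http_access allow admins
http_access deny all
"""

if __name__ == "__main__":
    empty, findings = find_empty_acl_rules(SAMPLE_CONF)
    print("empty ACLs:", ", ".join(empty) or "none")
    for line_no, directive, action, hit in findings:
        print(f"line {line_no}: {directive} {action} uses empty ACL(s): {', '.join(hit)}")
```

In the sample, `admins` is not reported because a later declaration gives it a member, while `blocked_sites` is reported together with both rules that reference it, including the negated `!blocked_sites` reference.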