Created attachment 158410: patch

Hi! Here is the patch to update our www/squid to the latest version. I've been running it since release (~3 days) and got no problems.
Created attachment 158411: poudriere log
Thanks Tim, nice work.
Created attachment 158423: vuxml to document 2015 squid issues

So I saw this go by today on oss-security and it was good to see the PR already in for an update.

- http://openwall.com/lists/oss-security/2015/07/06/8

Amos Jeffries, the Squid-3 release manager, has requested CVEs for two security fixes in 3.5.6. There is no CVE yet and the referenced Squid security advisory has yet to be published. For now, this documents everything from the request and should be revised at a later date.

- http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

Second, the 2015:1 advisory from earlier this year wasn't documented. This only matters when the SSL option is on, so I've added the verbiage "The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration." to the second entry for this. This also documents all the versions out there in case someone is still using www/squid32 or www/squid33. This entry should not have to change after being added.

== Validation ==

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit squid-3.5.3
squid-3.5.3 is vulnerable:
squid -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/150d1538-23fa-11e5-a4a5-002590263bf5.html

squid-3.5.3 is vulnerable:
squid -- client-first SSL-bump does not correctly validate X509 server certificate
CVE: CVE-2015-3455
WWW: https://vuxml.FreeBSD.org/freebsd/b6da24da-23f7-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit squid-3.5.5
squid-3.5.5 is vulnerable:
squid -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/150d1538-23fa-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit squid-3.5.6
0 problem(s) in the installed packages found.
vuxml entries are in.
A commit references this bug:

Author: feld
Date: Mon Jul 6 17:31:22 UTC 2015
New revision: 391429
URL: https://svnweb.freebsd.org/changeset/ports/391429

Log:
  Document recent squid vulnerabilities

  PR:		201374

Changes:
  head/security/vuxml/vuln.xml
Commits are in; PR numbers were mistakenly left out.

head: https://svnweb.freebsd.org/changeset/ports/391431
2015Q3: https://svnweb.freebsd.org/changeset/ports/391432

Thanks all!
Pavel, Mark, Do either of you have any quips about re-opening this PR for the purpose of revisiting the VuXML when the official advisory mentioned by the Squid release manager gets posted to http://www.squid-cache.org/Advisories/SQUID-2015_2.txt? It feels like we are 90% of the way there until we cover the final advisory with the CVE info and full range of versions that are impacted.
Comment on attachment 158423: vuxml to document 2015 squid issues

Obsolete the initial VuXML based on the CVE request and set maintainer-feedback+ since it was committed.
(In reply to Jason Unovitch from comment #7) Sounds fair to me.
(In reply to Jason Unovitch from comment #7) Ok, no problem. Should I track SQUID-2015_2.txt? What should I do next time?
(In reply to timp87 from comment #10) I'm not too picky. If I see it pop up on oss-security I'll try to address it right away; otherwise I'll check back every now and then. If you happen to catch it before I do, feel free to generate a VuXML patch based on the entry for 2015:1 below it; otherwise just ask for help here and we'll work it out together.
(In reply to timp87 from comment #10) As far as the "for next time" goes, looking at http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.6.patch it isn't clear from the change log that they were considering any of the fixes to be security issues and planning on doing a CVE/security advisory for it. I think you did everything you could do.
Created attachment 158575: security/vuxml update with Squid 2015:2 advisory info

Short log for SVN:
- Revise Squid entry based off 2015:2 security advisory

Details:
- Neck the entry down to just the one security issue -- remove the following verbiage from the pre-release announcement: "apparently vulnerable to DoS .... This has not been verified as it also seems to require outdated (0.9.8l and older) OpenSSL libraries."
- Expand impacted version range to match up with the official advisory: "Affected versions: Squid 0.x -> 3.5.5"
- Update modified tag and references

Other:
- CVE request is still ongoing: http://www.openwall.com/lists/oss-security/2015/07/09/3
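The pkg audit results shown earlier in this PR (3.5.3 hit by both entries, 3.5.5 by one, 3.5.6 clean) fall out of the version ranges in the VuXML entries. The following is an added example, not part of this PR or of the ports tree, that reproduces that matching over a constructed VuXML fragment; the 2015:1 range bounds and the simplified dotted-numeric version comparison are assumptions, and the real pkg version rules and the committed entry text are richer than this.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML fragment for illustration only; not the committed entry.
# The 2015:1 range is an assumption: 3.5.3 was reported vulnerable, 3.5.5 not.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="150d1538-23fa-11e5-a4a5-002590263bf5">
 <topic>squid -- multiple vulnerabilities</topic>
 <affects>
  <package><name>squid</name><range><lt>3.5.6</lt></range></package>
  <package><name>squid32</name><range><lt>3.5.6</lt></range></package>
  <package><name>squid33</name><range><lt>3.5.6</lt></range></package>
 </affects>
</vuln>
<vuln vid="b6da24da-23f7-11e5-a4a5-002590263bf5">
 <topic>squid -- client-first SSL-bump does not correctly validate X509 server certificate</topic>
 <affects>
  <package><name>squid</name><range><ge>3.5.0</ge><lt>3.5.4</lt></range></package>
 </affects>
</vuln>
</vuxml>"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

def parse_version(text):
    """Simplified dotted-numeric version (assumption: real pkg rules are richer)."""
    return tuple(int(p) for p in text.strip().split("."))

def in_range(version, rng):
    """True when version satisfies every bound (lt/le/gt/ge/eq) in one <range>."""
    pv = parse_version(version)
    ops = {"lt": pv.__lt__, "le": pv.__le__, "gt": pv.__gt__,
           "ge": pv.__ge__, "eq": pv.__eq__}
    return all(ops[b.tag.split("}")[1]](parse_version(b.text)) for b in rng)

def audit(pkg_spec, vuxml_text=VUXML):
    """Return [(vid, topic), ...] for a 'name-version' string, like pkg audit."""
    name, _, version = pkg_spec.rpartition("-")
    hits = []
    for vuln in ET.fromstring(vuxml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.find("v:name", NS).text != name:
                continue
            # A package matches when any one of its <range> elements matches.
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append((vuln.get("vid"), vuln.find("v:topic", NS).text))
    return hits

if __name__ == "__main__":
    for spec in ("squid-3.5.3", "squid-3.5.5", "squid-3.5.6", "squid33-3.3.14"):
        print(spec, "->", len(audit(spec)), "problem(s)")
```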
A commit references this bug:

Author: feld
Date: Fri Jul 10 13:53:59 UTC 2015
New revision: 391703
URL: https://svnweb.freebsd.org/changeset/ports/391703

Log:
  Update squid entry to reflect new range of affected versions

  Still waiting on CVE assignment

  PR:		201374
  Security:	150d1538-23fa-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
I opened the patch from my email, read the advisory, and committed without realizing you had such a nice svn commit message waiting for me. :(
Close it?
(In reply to timp87 from comment #16) I'm using this PR as a reminder to keep checking for a CVE to attach to the vuxml entry. They haven't assigned one yet.
(In reply to Mark Felder from comment #17) I just noticed it got assigned CVE-2015-5400. I am only on a phone now but will do the patch later if you don't beat me to it.
Committed, closing. (Sorry, forgot to tag the PR.)

https://svnweb.freebsd.org/ports?view=revision&revision=392386