Bug 207294 - www/squid: update to 3.5.14 (CVE-2016-2390/SQUID-2016:1)
Summary: www/squid: update to 3.5.14 (CVE-2016-2390/SQUID-2016:1)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jason Unovitch
URL: http://www.squid-cache.org/Advisories...
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-02-18 02:03 UTC by Jason Unovitch
Modified: 2016-02-25 03:08 UTC (History)
2 users (show)

See Also:
junovitch: maintainer-feedback+
junovitch: merge-quarterly-


Attachments
port patch (1016 bytes, patch)
2016-02-18 08:42 UTC, timp87
timp87: maintainer-approval+
Details | Diff
poudriere log (858.34 KB, text/x-log)
2016-02-18 08:49 UTC, timp87
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2016-02-18 02:03:35 UTC
Maintainer of www/squid,
A security advisory has been posted that will need an update to the latest squid version.

http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
Comment 1 commit-hook freebsd_committer 2016-02-18 02:16:33 UTC
A commit references this bug:

Author: junovitch
Date: Thu Feb 18 02:16:15 UTC 2016
New revision: 409082
URL: https://svnweb.freebsd.org/changeset/ports/409082

Log:
  Document Squid SSL/TLS processing remote DoS

  PR:		207294
  Security:	CVE-2016-2390
  Security:	https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer 2016-02-18 02:23:17 UTC
Set merge-quarterly-

Per the advisory "All Squid-3.5.12 and older 3.5 versions are not vulnerable.".  We have 3.5.12 in quarterly so it's just head that needs the fix.

Also take PR.
Comment 3 timp87 2016-02-18 08:42:45 UTC
Created attachment 167139 [details]
port patch
Comment 4 timp87 2016-02-18 08:49:27 UTC
Created attachment 167140 [details]
poudriere log
Comment 5 commit-hook freebsd_committer 2016-02-19 03:40:28 UTC
A commit references this bug:

Author: junovitch
Date: Fri Feb 19 03:40:24 UTC 2016
New revision: 409148
URL: https://svnweb.freebsd.org/changeset/ports/409148

Log:
  www/squid: update 3.5.13 -> 3.5.14

  PR:		207294
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Security:	CVE-2016-2390
  Security:	https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html
  X-MFH-Note:	MFH not required, only 3.5.13 in ports/head is vulnerable

Changes:
  head/www/squid/Makefile
  head/www/squid/distinfo
Comment 6 Jason Unovitch freebsd_committer 2016-02-19 03:41:44 UTC
Pavel,
Thank you for the quick fix!
Comment 7 commit-hook freebsd_committer 2016-02-25 03:08:56 UTC
A commit references this bug:

Author: junovitch
Date: Thu Feb 25 03:08:09 UTC 2016
New revision: 409491
URL: https://svnweb.freebsd.org/changeset/ports/409491

Log:
  MFH: r406625, r409148, r409487

  www/squid: update 3.5.12 -> 3.5.15

  PR:             206127
  PR:             207294
  PR:             207454
  Submitted by:   Pavel Timofeev <timp87@gmail.com> (maintainer)
  Approved by:	ports-secteam (miwi)
  Security:       CVE-2016-2390
  Security:       https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html
  Security:       https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/www/squid/Makefile
  branches/2016Q1/www/squid/distinfo