From nobody@FreeBSD.org  Wed Apr 15 06:55:59 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3604110656CE
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 15 Apr 2009 06:55:59 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 23E848FC13
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 15 Apr 2009 06:55:59 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n3F6twWG044892
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 15 Apr 2009 06:55:58 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n3F6twfM044891;
	Wed, 15 Apr 2009 06:55:58 GMT
	(envelope-from nobody)
Message-Id: <200904150655.n3F6twfM044891@www.freebsd.org>
Date: Wed, 15 Apr 2009 06:55:58 GMT
From: Pavel Pankov <pankov_p@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [maintainer update][patch]Update port: www/ziproxy to 2.7.0
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         133741
>Category:       ports
>Synopsis:       [maintainer update][patch]Update port: www/ziproxy to 2.7.0
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 15 07:00:08 UTC 2009
>Closed-Date:    Wed Apr 15 14:46:47 UTC 2009
>Last-Modified:  Wed Apr 15 15:20:04 UTC 2009
>Originator:     Pavel Pankov
>Release:        6.3-STABLE
>Organization:
PKD
>Environment:
FreeBSD vds.pankov.pp.ru 6.3-STABLE FreeBSD 6.3-STABLE #3: Sun Oct 26 05:11:53 CET 2008     root@dione.ispsystem.net:/root/src/sys/i386/compile/ISPSYSTEM_PAED  i386
>Description:
- Update to 2.7.0
>How-To-Repeat:

>Fix:
Apply the patch.

Patch attached with submission follows:

Index: ports/www/ziproxy/Makefile
===================================================================
RCS file: /home/ncvs/ports/www/ziproxy/Makefile,v
retrieving revision 1.13
diff -u -r1.13 Makefile
--- ports/www/ziproxy/Makefile	29 Nov 2008 20:58:44 -0000	1.13
+++ ports/www/ziproxy/Makefile	15 Apr 2009 06:50:51 -0000
@@ -5,7 +5,7 @@
 # $FreeBSD: ports/www/ziproxy/Makefile,v 1.13 2008/11/29 20:58:44 miwi Exp $
 
 PORTNAME=		ziproxy
-PORTVERSION=		2.6.0
+PORTVERSION=		2.7.0
 CATEGORIES=		www
 MASTER_SITES=		SF
 
@@ -20,7 +20,7 @@
 
 CFLAGS+=		-I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
-ERRORFILES=		400.html 404.html 407.html 408.html 409.html 500.html 503.html
+ERRORFILES=		400.html 403.html 404.html 407.html 408.html 409.html 500.html 503.html
 
 CONFIGURE_ENV+=		CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}"
 
@@ -47,9 +47,11 @@
 post-install:
 	@${MKDIR} ${PREFIX}/etc/ziproxy
 	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/bo_exception.list ${PREFIX}/etc/ziproxy/bo_exception.list
+	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/deny.list ${PREFIX}/etc/ziproxy/deny.list
 	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/http.passwd ${PREFIX}/etc/ziproxy/http.passwd
 	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/noprocess.list ${PREFIX}/etc/ziproxy/noprocess.list
 	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/replace.list ${PREFIX}/etc/ziproxy/replace.list
+	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/replace_ct.list ${PREFIX}/etc/ziproxy/replace_ct.list
 	@${INSTALL_DATA} ${WRKSRC}/etc/ziproxy/ziproxy.conf ${PREFIX}/etc/ziproxy/ziproxy.conf.sample
 	@if [ ! -f ${PREFIX}/etc/ziproxy/ziproxy.conf ]; then \
 		${CP} -p ${WRKSRC}/etc/ziproxy/ziproxy.conf ${PREFIX}/etc/ziproxy/ziproxy.conf ; \
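Review bot: the two new `@${INSTALL_DATA}` lines for `deny.list` and `replace_ct.list` install straight into `${PREFIX}/etc/ziproxy/`, without the `.sample` plus copy-only-if-absent treatment that `ziproxy.conf` gets three lines further down, so an administrator's edited deny list is silently overwritten on every reinstall or upgrade. This matches how the existing `*.list` files are handled, so it is consistent, but `deny.list` is the one file here that is pure site policy (which URLs get a 403) and is the most likely to be locally edited; consider installing it as `deny.list.sample` with the same `@if [ ! -f ... ]` guard, or at least call the behaviour out in pkg-message.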
Index: ports/www/ziproxy/distinfo
===================================================================
RCS file: /home/ncvs/ports/www/ziproxy/distinfo,v
retrieving revision 1.11
diff -u -r1.11 distinfo
--- ports/www/ziproxy/distinfo	29 Nov 2008 20:58:44 -0000	1.11
+++ ports/www/ziproxy/distinfo	15 Apr 2009 06:50:51 -0000
@@ -1,3 +1,3 @@
-MD5 (ziproxy-2.6.0.tar.bz2) = b7d57ace56a3be34446ef1b68ac85205
-SHA256 (ziproxy-2.6.0.tar.bz2) = 9f0c1f0cd5f424631c55e1e51a49562c50ca8d79ae108e337cd3ef5d32260289
-SIZE (ziproxy-2.6.0.tar.bz2) = 262943
+MD5 (ziproxy-2.7.0.tar.bz2) = cfc7d59d31bb889121dd9f1e77bc0124
+SHA256 (ziproxy-2.7.0.tar.bz2) = cd3e7cf6d4ca1faaf82867024486c72091968b9b9bd9ca41dac76fd76ad00d7a
+SIZE (ziproxy-2.7.0.tar.bz2) = 239929
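Review bot: SIZE goes down from 262943 to 239929 bytes while the version goes up, which is unusual enough for a release tarball that the committer should regenerate distinfo locally with `make makesum` against a fresh fetch from the `SF` master site rather than paste the values from the PR; these checksums are the only thing standing between the build and a substituted distfile, so they should be produced on the committing side, not copied.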
Index: ports/www/ziproxy/pkg-plist
===================================================================
RCS file: /home/ncvs/ports/www/ziproxy/pkg-plist,v
retrieving revision 1.4
diff -u -r1.4 pkg-plist
--- ports/www/ziproxy/pkg-plist	29 Nov 2008 20:58:44 -0000	1.4
+++ ports/www/ziproxy/pkg-plist	15 Apr 2009 06:50:51 -0000
@@ -3,14 +3,17 @@
 bin/ziproxy_genhtml_stats.sh
 @exec mkdir -p %D/etc/ziproxy
 etc/ziproxy/bo_exception.list
+etc/ziproxy/deny.list
 etc/ziproxy/http.passwd
 etc/ziproxy/noprocess.list
 etc/ziproxy/replace.list
+etc/ziproxy/replace_ct.list
 @unexec if cmp -s %D/etc/ziproxy/ziproxy.conf.sample %D/etc/ziproxy/ziproxy.conf; then rm -f %D/etc/ziproxy/ziproxy.conf; fi
 @exec if [ ! -f %D/etc/ziproxy/ziproxy.conf ] ; then cp -p %D/%F %B/ziproxy.conf; fi
 etc/ziproxy/ziproxy.conf.sample
 @dirrmtry etc/ziproxy
 %%DATADIR%%/error/400.html
+%%DATADIR%%/error/403.html
 %%DATADIR%%/error/404.html
 %%DATADIR%%/error/407.html
 %%DATADIR%%/error/408.html
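Review bot: the `@unexec if cmp -s ...` guard two lines below the additions protects only `ziproxy.conf`; `etc/ziproxy/deny.list` and `etc/ziproxy/replace_ct.list` are plain plist entries, so `pkg_delete` removes them outright, local edits included. If the Makefile moves these to `.sample` files with a copy-if-absent install, the plist must follow with matching `@unexec`/`@exec` lines; either way the three additions here do line up with the Makefile's new `INSTALL_DATA` lines and the `403.html` added to `ERRORFILES`.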
Index: ports/www/ziproxy/files/patch-ziproxy.conf
===================================================================
RCS file: /home/ncvs/ports/www/ziproxy/files/patch-ziproxy.conf,v
retrieving revision 1.5
diff -u -r1.5 patch-ziproxy.conf
--- ports/www/ziproxy/files/patch-ziproxy.conf	29 Nov 2008 20:58:44 -0000	1.5
+++ ports/www/ziproxy/files/patch-ziproxy.conf	15 Apr 2009 06:50:51 -0000
@@ -1,5 +1,5 @@
---- etc/ziproxy/ziproxy.conf.orig	2008-11-18 00:28:03.000000000 +0300
-+++ etc/ziproxy/ziproxy.conf	2008-11-18 00:29:22.000000000 +0300
+--- etc/ziproxy/ziproxy.conf.orig	2009-03-13 17:41:27.000000000 +0300
++++ etc/ziproxy/ziproxy.conf	2009-04-15 10:41:25.000000000 +0400
 @@ -12,12 +12,12 @@
  ## If you have more than one network interface,
  ## it's useful for restricting to which interface you want to bind to.
@@ -15,7 +15,7 @@
  
  ## Inactivity timeout before closing the daemon (0 = no timeout)
  ## default: 0 (no timeout)
-@@ -67,7 +67,7 @@
+@@ -82,7 +82,7 @@
  ## HTTP auth file
  ## Should contain user:pass pairs, lines no longer than 128 chars
  ## Password is unencrypted
@@ -24,7 +24,7 @@
  
  ## Forward everything to another proxy server.
  ## Modifications/compression is still applied.
-@@ -105,7 +105,7 @@
+@@ -120,7 +120,7 @@
  ## This option has no effect if BindOutgoing is not used.
  ## Default: empty, no hosts are exempted.
  ## See also: BindOutgoingExAddr
@@ -33,7 +33,7 @@
  
  ## Defines a specific IP to be bound to for hosts specified in BindOutgoingExList.
  ## As with BindOutgoing, this IP must be a local IP from the server running Ziproxy.
-@@ -391,7 +391,7 @@
+@@ -429,7 +429,7 @@
  ## *** THIS IS NOT SUPPOSED TO BE A DEFINITIVE SOLUTION TO INCOMPATIBILITIES ***
  ##
  ## Default: empty (no file specified, inactive)
@@ -42,21 +42,42 @@
  
  ## This option specifies a file containing a list of URLs which its
  ## data should be intercepted and replaced by another.
-@@ -409,7 +409,7 @@
- ## and cookies are transported) -- a stealthy ad-blocker, if you like.
+@@ -448,7 +448,7 @@
  ##
  ## Default: empty (no file specified, inactive)
+ ## See also: URLReplaceDataCT
 -# URLReplaceData = "/etc/ziproxy/replace.list"
 +# URLReplaceData = "%%PREFIX%%/etc/ziproxy/replace.list"
  
+ ## Same as URLReplaceData, except it will only replace the data
+ ## from matching URLs if the content-type matches
+@@ -462,7 +462,7 @@
+ ##
+ ## Default: empty (no file specified, inactive)
+ ## See also: URLReplaceDataCTList, URLReplaceData
+-# URLReplaceDataCT = "/etc/ziproxy/replace_ct.list"
++# URLReplaceDataCT = "%%PREFIX%%/etc/ziproxy/replace_ct.list"
+ 
+ ## List of content-types to use with the URLReplaceDataCT option.
+ ## Default: empty (no content-type specified, inactive)
+@@ -474,7 +474,7 @@
+ ## A "access denied" 403 error will be returned when trying to access
+ ## one of those URLs.
+ ## Default: empty (no file specified, inactive)
+-# URLDeny = "/etc/ziproxy/deny.list"
++# URLDeny = "%%PREFIX%%/etc/ziproxy/deny.list"
+ 
  ## Custom HTTP Error Messages
  ## Define here the full path to the HTML file which should be
-@@ -417,19 +417,19 @@
+@@ -482,21 +482,21 @@
  ## Note: The internal defaults give more precise error messages.
  ##
  ## 400 - Bad request (malformed URL, or unknown URL type)
 -# CustomError400="/var/ziproxy/error/400.html"
 +# CustomError400="%%DATADIR%%/error/400.html"
+ ## 403 - Forbidden
+-# CustomError403="/var/ziproxy/error/403.html"
++# CustomError403="%%DATADIR%%/error/403.html"
  ## 404 - Unknown host (Ziproxy will not issue 'page not found' errors itself)
 -# CustomError404="/var/ziproxy/error/404.html"
 +# CustomError404="%%DATADIR%%/error/404.html"
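Review bot: the inner hunk headers in this file (`@@ -448,7 +448,7 @@`, `@@ -462,7 +462,7 @@`, `@@ -474,7 +474,7 @@`, `@@ -482,21 +482,21 @@`) look hand-renumbered from the 2.6.0 version rather than regenerated, and a line count that is off by one makes patch(1) fall back to fuzz or reject the hunk at build time; regenerate `files/patch-ziproxy.conf` with `diff -u` against the unpacked 2.7.0 tree (or `make makepatch`) and confirm `make patch` applies with no fuzz messages before committing. The new `URLReplaceDataCT`, `URLDeny` and `CustomError403` entries only rewrite `/etc/ziproxy` and `/var/ziproxy` to `%%PREFIX%%` and `%%DATADIR%%` and stay commented out, consistent with the existing entries, so the freshly installed `deny.list` is inactive until the administrator enables `URLDeny`.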


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->miwi 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Wed Apr 15 07:35:00 UTC 2009 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133741 

From: "Pavel Pankov" <pankov_p@mail.ru>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/133741: [maintainer update][patch]Update port: www/ziproxy
 to 2.7.0
Date: Wed, 15 Apr 2009 12:22:26 +0400

 Not sure if it belongs here or should be sent to Security Officer, but here
 is the proposed change for the vuln.xml about the transparent mode
 advisory ( http://www.kb.cert.org/vuls/id/435052 ):
    <vuln vid="3c3a4d44-28ec-11de-9a9c-0030485c0ea4">
      <topic>ziproxy -- HTTP Host header incorrect relay behavior in  
 transparent mode</topic>
      <affects>
        <package>
 	<name>ziproxy</name>
 	<range><lt>2.7.0</lt></range>
        </package>
      </affects>
      <description>
        <body xmlns="http://www.w3.org/1999/xhtml">
 	<p>Ziproxy developers report:</p>
 	<blockquote cite="http://www.kb.cert.org/vuls/id/MAPG-7N9GN8">
 	  <p>In transparent mode, ziproxy trusts the host and port provided in
 	    the HTTP headers. This may be exploited using a hand-crafted HTTP
 	    request so to access arbitrary websites.
 	  </p>
 	</blockquote>
        </body>
      </description>
      <references>
 	<mlist  
 msgid="200902231322.55722.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=200902231322.55722.dancab%40gmx.net</mlist>
 	<bid>33858</bid>
 	<cvename>CVE-2009-0804</cvename>
 	<certvu>435052</certvu>
      </references>
      <dates>
        <discovery>2009-02-23</discovery>
        <entry>2009-04-15</entry>
      </dates>
    </vuln>
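The advisory quoted in the vuln.xml entry above describes transparent-mode ziproxy connecting to whatever host and port the client's Host header names. The Python below is an added illustration of the defensive check a transparent proxy needs; it is not ziproxy's code and not part of this PR. It assumes the proxy knows the destination the client actually tried to reach (the address the firewall redirect intercepted), treats that as authoritative, and refuses any request whose Host header does not resolve to it. The resolver table, the `RESOLVER` name and the sample requests are constructed so the example runs offline; a real implementation would use `socket.getaddrinfo()` and take the intercepted address from the redirect rule or socket.

```python
"""Transparent-proxy Host header verification (added illustration, not ziproxy code).

Assumption: the proxy knows the destination the client actually tried to reach
(the address the firewall redirect intercepted). In transparent mode that
address, not the client-supplied Host header, must decide where we connect.
"""
import ipaddress
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

Target = Tuple[str, int]  # (host name or IP address as text, TCP port)

# Constructed stand-in for DNS so the example runs offline; a real proxy
# would call socket.getaddrinfo() here. Addresses are documentation ranges.
RESOLVER: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "intranet.example.test": {"203.0.113.7"},
}


def host_header(request: bytes) -> Optional[Target]:
    """Extract (host, port) from the request's Host header.

    Returns None when the header is missing, repeated (HTTP/1.1 requires a
    400 for that) or unparseable, so the caller never "guesses" a destination.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            values.append(value.strip())
    if len(values) != 1:
        return None
    try:
        # urlsplit handles "host:port" and bracketed IPv6 literals for us
        # and lower-cases the host name.
        parts = urlsplit("//" + values[0].decode("ascii"))
        if not parts.hostname:
            return None
        return parts.hostname, parts.port or 80
    except (UnicodeDecodeError, ValueError):
        return None


def upstream_trusting_host(intercepted: Target, request: bytes) -> Optional[Target]:
    """The behaviour the advisory describes: the Host header alone picks the
    upstream, so the intercepted destination is ignored entirely."""
    return host_header(request)


def upstream_verified(intercepted: Target, request: bytes,
                      resolver: Dict[str, Set[str]] = RESOLVER) -> Optional[Target]:
    """Hardened variant: only ever connect to the intercepted destination, and
    only when the Host header actually names it (same port, and the host is
    that IP or resolves to it). None means "refuse" (403 or 400 to the client)."""
    hdr = host_header(request)
    if hdr is None:
        return None
    host, port = hdr
    dst_ip, dst_port = intercepted
    if port != dst_port:
        return None
    try:
        addresses = {str(ipaddress.ip_address(host))}  # Host is an IP literal
    except ValueError:
        addresses = resolver.get(host.lower(), set())  # Host is a name
    if dst_ip not in addresses:
        return None
    return intercepted  # connect here; the Host header still goes upstream for virtual hosting


if __name__ == "__main__":
    # Constructed sample requests against a constructed intercepted destination.
    legit = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    mismatch = b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
    dst = ("192.0.2.10", 80)
    print("trusting:", upstream_trusting_host(dst, mismatch))  # follows the header
    print("verified:", upstream_verified(dst, mismatch))       # None -> refuse
    print("verified:", upstream_verified(dst, legit))          # connects to dst
```

The point of `upstream_verified` is that the return value is always the intercepted address or a refusal; the Host header is only ever used to decide whether to refuse, never to choose a destination. Rejecting a duplicated Host header and an unparseable port closes the ambiguity cases rather than letting the proxy pick one interpretation.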
State-Changed-From-To: open->closed 
State-Changed-By: miwi 
State-Changed-When: Wed Apr 15 14:46:46 UTC 2009 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133741 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/133741: commit references a PR
Date: Wed, 15 Apr 2009 15:12:47 +0000 (UTC)

 miwi        2009-04-15 14:46:35 UTC
 
   FreeBSD ports repository
 
   Modified files:
     www/ziproxy          Makefile distinfo pkg-plist 
     www/ziproxy/files    patch-ziproxy.conf 
   Log:
   - Update to 2.7.0
   
   PR:             133741
   Submitted by:   Pavel Pankov <pankov_p@mail.ru> (maintainer)
   Approved by:    portmgr (flz)
   Security:       http://www.vuxml.org/freebsd/872ae5be-29c0-11de-bdeb-0030843d3802.html
   
   Revision  Changes    Path
   1.14      +4 -2      ports/www/ziproxy/Makefile
   1.12      +3 -3      ports/www/ziproxy/distinfo
   1.6       +29 -8     ports/www/ziproxy/files/patch-ziproxy.conf
   1.5       +3 -0      ports/www/ziproxy/pkg-plist
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
