From tmseck@netcologne.de  Tue Sep  7 21:14:52 2010
Return-Path: <tmseck@netcologne.de>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BEDEC10656BD
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  7 Sep 2010 21:14:52 +0000 (UTC)
	(envelope-from tmseck@netcologne.de)
Received: from smtp5.netcologne.de (smtp5.netcologne.de [194.8.194.25])
	by mx1.freebsd.org (Postfix) with ESMTP id 522258FC1E
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  7 Sep 2010 21:14:52 +0000 (UTC)
Received: from wcfields.tmseck.homedns.org (xdsl-89-0-142-241.netcologne.de [89.0.142.241])
	by smtp5.netcologne.de (Postfix) with SMTP id 7E26940C754
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  7 Sep 2010 23:14:51 +0200 (CEST)
Received: (qmail 5629 invoked by uid 1001); 7 Sep 2010 21:14:52 -0000
Message-Id: <20100907211452.5628.qmail@wcfields.tmseck.homedns.org>
Date: 7 Sep 2010 21:14:52 -0000
From: Thomas-Martin Seck <tmseck@web.de>
Reply-To: Thomas-Martin Seck <tmseck@web.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ports-security@freebsd.org
Subject: [Maintainer] [security] www/squid30: fix a denial of service vulnerability
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         150366
>Category:       ports
>Synopsis:       [Maintainer] [security] www/squid30: fix a denial of service vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    niels
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 07 21:20:01 UTC 2010
>Closed-Date:    Sat Sep 11 19:14:51 UTC 2010
>Last-Modified:  Sat Sep 11 19:14:51 UTC 2010
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.1-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of September 7, 2010.
	
>Description:
Integrate vendor patches for various bugs. Fix a denial of service
vulnerability as reported in Squid Advisory 2010:3.

See ports/150364 (www/squid31 update request) for the proposed VuXML entry.

Removed files:

files/patch-lib-rfc1738.c
	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid30)	(Revision 1875)
+++ Makefile	(.../local/squid30)	(Revision 1875)
@@ -61,7 +61,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	3.0.${SQUID_STABLE_VER}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		http://mirrors.ccs.neu.edu/Squid/ \
@@ -92,7 +92,9 @@
 		http://www1.jp.squid-cache.org/%SUBDIR%/ \
 		http://www2.tw.squid-cache.org/%SUBDIR%/
 PATCH_SITE_SUBDIR=	Versions/v3/3.0/changesets
-PATCHFILES=
+PATCHFILES=	squid-3.0-9183.patch squid-3.0-9184.patch squid-3.0-9185.patch \
+		squid-3.0-9186.patch squid-3.0-9187.patch squid-3.0-9188.patch \
+		squid-3.0-9189.patch
 
 MAINTAINER=	tmseck@web.de
 COMMENT=	HTTP Caching Proxy
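Review bot: nothing in this hunk records which of the seven changesets (9183 through 9189) carries the SQUID-2010:3 denial-of-service fix, so a later maintainer resyncing PATCHFILES with upstream has no way to tell which one must not be dropped. Add a comment above PATCHFILES naming the advisory and the changeset that fixes it. Also note that these patches are fetched over the plain ftp/http mirrors listed just above, so the SHA256 entries in distinfo are the only integrity check; make sure the sums were taken from files fetched from ftp.squid-cache.org itself rather than from one of the secondary mirrors.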
Index: distinfo
===================================================================
--- distinfo	(.../www/squid30)	(Revision 1875)
+++ distinfo	(.../local/squid30)	(Revision 1875)
@@ -1,3 +1,24 @@
 MD5 (squid3.0/squid-3.0.STABLE25.tar.bz2) = 6a29be1e4900470aebe93654f9be03e0
 SHA256 (squid3.0/squid-3.0.STABLE25.tar.bz2) = d1040a17f3c904372c180e1e6a432be798a26c3689831a329bd2a5ab38bbc05e
 SIZE (squid3.0/squid-3.0.STABLE25.tar.bz2) = 1758969
+MD5 (squid3.0/squid-3.0-9183.patch) = 118b37eb39487bc1bbf30b64998e07df
+SHA256 (squid3.0/squid-3.0-9183.patch) = 61b6b2d7619705db83b5f66a57b64f7c00b9e02c7707c473f3f1f4ad8abf9b9f
+SIZE (squid3.0/squid-3.0-9183.patch) = 1542
+MD5 (squid3.0/squid-3.0-9184.patch) = 0559191736bd31801bb22ad14bb60a2d
+SHA256 (squid3.0/squid-3.0-9184.patch) = a32f91fa85a401039e173458bbb137a7e2d61e4e1ca465fa4857071b906712ca
+SIZE (squid3.0/squid-3.0-9184.patch) = 2240
+MD5 (squid3.0/squid-3.0-9185.patch) = f707437a1c05f39effb29b6bf485e1b9
+SHA256 (squid3.0/squid-3.0-9185.patch) = f2fa4d2b0e1d7fbd3bdb85e980d83e0bf60a73c0b362dc148369843f6480ede7
+SIZE (squid3.0/squid-3.0-9185.patch) = 1680
+MD5 (squid3.0/squid-3.0-9186.patch) = 379333cc6542ab61a97015366253e4ad
+SHA256 (squid3.0/squid-3.0-9186.patch) = 0d9917539a3fe6075292b5927c61324222cb09a11eeeffc99af5c169f65b31a5
+SIZE (squid3.0/squid-3.0-9186.patch) = 1646
+MD5 (squid3.0/squid-3.0-9187.patch) = 1b4681b2b60a81327ee6b5667d60f597
+SHA256 (squid3.0/squid-3.0-9187.patch) = e7c0c1b365413c786ed78fcc6b4113e0783458b4137d3d47d4cb707730ee388b
+SIZE (squid3.0/squid-3.0-9187.patch) = 1338
+MD5 (squid3.0/squid-3.0-9188.patch) = 7897fef3efd6e646e288111d1fa52de3
+SHA256 (squid3.0/squid-3.0-9188.patch) = 4fc959e0bd570d4e8e19a0732181836b49086c98e78d1bc37f3fa739763ff753
+SIZE (squid3.0/squid-3.0-9188.patch) = 1455
+MD5 (squid3.0/squid-3.0-9189.patch) = de0e4236955b66aba92117130a175dc0
+SHA256 (squid3.0/squid-3.0-9189.patch) = a5abc0cda7016b00673e0f3bf91a5af2aeece09480bbaae90df34afb0e6fba04
+SIZE (squid3.0/squid-3.0-9189.patch) = 4192
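Review bot: the SHA256 and SIZE entries cover every file named in PATCHFILES, so `make checksum` will reject a truncated or tampered download; the MD5 lines add no protection beyond SHA256 but can stay for consistency with the existing tarball entry. Before commit, regenerate with `make makesum` against copies fetched from the primary site and diff the result against this hunk, so the recorded sums pin the upstream changesets and not whatever a mirror happened to serve. Pinning by size and hash alone does not tie a file to its changeset number, so also confirm that the header of each patch matches the revision in its filename.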
Index: files/patch-lib-rfc1738.c
===================================================================
--- files/patch-lib-rfc1738.c	(.../www/squid30)	(Revision 1875)
+++ files/patch-lib-rfc1738.c	(.../local/squid30)	(Revision 1875)
@@ -1,12 +0,0 @@
---- lib/rfc1738.c.orig	2010-04-16 14:36:23.000000000 +0200
-+++ lib/rfc1738.c	2010-04-16 14:37:11.000000000 +0200
-@@ -203,8 +203,7 @@ rfc1738_unescape(char *s)
-             j++;		/* Skip % */
-         } else {
-             /* decode */
--            char v1, v2;
--            int x;
-+            int v1, v2, x;
-             v1 = fromhex(s[j + 1]);
-             if (v1 < 0)
-                 continue;  /* non-hex or \0 */
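Review bot: the local patch being deleted here changed `char v1, v2` to `int v1, v2` so that the negative value `fromhex()` returns for non-hex input survives the assignment; on FreeBSD targets where plain `char` is unsigned (arm, powerpc) the original `if (v1 < 0)` check is dead code and a malformed `%xx` sequence is decoded from garbage instead of being skipped. Removing files/patch-lib-rfc1738.c is therefore only safe if one of the seven vendor changesets added in the Makefile contains the same fix, and the PR does not say which one does. Name that changeset in the commit message, or keep the local patch until this is confirmed: if upstream already applies the identical change, the local patch will fail to apply at patch time and expose the overlap rather than silently regress.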
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->niels 
Responsible-Changed-By: niels 
Responsible-Changed-When: Sat Sep 11 14:55:43 UTC 2010 
Responsible-Changed-Why:  
Thanks, working on it now 

http://www.freebsd.org/cgi/query-pr.cgi?pr=150366 
State-Changed-From-To: open->closed 
State-Changed-By: niels 
State-Changed-When: Sat Sep 11 19:14:17 UTC 2010 
State-Changed-Why:  
Committed.  Forgot to reference the PR so the commit log is not attached (sorry) 
Thanks! 
Niels 


http://www.freebsd.org/cgi/query-pr.cgi?pr=150366 
>Unformatted:
