From tmseck@netcologne.de  Mon Jan  7 06:22:34 2013
Return-Path: <tmseck@netcologne.de>
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
	by hub.freebsd.org (Postfix) with ESMTP id EBA4868B;
	Mon,  7 Jan 2013 06:22:34 +0000 (UTC)
	(envelope-from tmseck@netcologne.de)
Received: from cc-smtpout3.netcologne.de (cc-smtpout3.netcologne.de [IPv6:2001:4dd0:100:1062:25:2:0:3])
	by mx1.freebsd.org (Postfix) with ESMTP id B4796B79;
	Mon,  7 Jan 2013 06:22:34 +0000 (UTC)
Received: from cc-smtpin2.netcologne.de (cc-smtpin2.netcologne.de [89.1.8.202])
	by cc-smtpout3.netcologne.de (Postfix) with ESMTP id F0F3111E9D;
	Mon,  7 Jan 2013 07:22:32 +0100 (CET)
Received: from wcfields.tmseck.homedns.org (xdsl-89-0-162-81.netcologne.de [89.0.162.81])
	by cc-smtpin2.netcologne.de (Postfix) with ESMTPSA id D07C011D89;
	Mon,  7 Jan 2013 07:22:31 +0100 (CET)
Received: by wcfields.tmseck.homedns.org (Postfix, from userid 1001)
	id A9B45130D04; Mon,  7 Jan 2013 07:22:31 +0100 (CET)
Message-Id: <20130107062231.A9B45130D04@wcfields.tmseck.homedns.org>
Date: Mon,  7 Jan 2013 07:22:31 +0100 (CET)
From: Thomas-Martin Seck <tmseck@web.de>
Reply-To: Thomas-Martin Seck <tmseck@web.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: rea@freebsd.org
Subject: [Maintainer] [Security] www/squid31: integrate vendor fix for CVE-2012-5643
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         175084
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid31: integrate vendor fix for CVE-2012-5643
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    rea
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 06:30:00 UTC 2013
>Closed-Date:    Tue Jan 15 08:41:14 UTC 2013
>Last-Modified:  Tue Jan 15 08:41:14 UTC 2013
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.3-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of January 07, 2013.

>Description:
Add an additional vendor patch to fix the DoS condition in cachemgr.cgi
(SQUID-2012:1, CVE-2012-5643).
>How-To-Repeat:
>Fix:
Apply this patch:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid31)	(Revision 2092)
+++ Makefile	(.../local/squid31)	(Revision 2092)
@@ -1,6 +1,9 @@
-# Created by: Adrian Chadd <adrian@FreeBSD.org>
-# $FreeBSD: ports/www/squid31/Makefile,v 1.268 2012/12/10 15:19:19 svnexp Exp $
+# New ports collection makefile for:	squid24
+# Date created:		Tue Mar 27 14:56:08 CEST 2001
+# Whom:			Adrian Chadd <adrian@FreeBSD.org>
 #
+# $FreeBSD: ports/www/squid31/Makefile,v 1.266 2012/11/18 16:55:52 svnexp Exp $
+#
 # Tunables not (yet) configurable via 'make config':
 # SQUID_{U,G}ID
 #   Which user/group Squid should run as (default: squid/squid).
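Review bot: The header replacement in this hunk is unrelated to the CVE-2012-5643 fix and moves the Makefile backwards: it reinstates the four-line "New ports collection makefile for:" header that the tree had already replaced with the two-line "Created by:" form, and it regresses the $FreeBSD$ tag from revision 1.268 (2012/12/10) to 1.266 (2012/11/18). That pattern suggests the diff was taken against a stale local copy rather than the current port; keep the security fix separate from header churn and leave the $FreeBSD$ line untouched so the keyword expands to the current revision.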
@@ -78,7 +81,7 @@
 		http://www1.jp.squid-cache.org/%SUBDIR%/ \
 		http://www2.tw.squid-cache.org/%SUBDIR%/
 PATCH_SITE_SUBDIR=	Versions/v3/3.1/changesets
-PATCHFILES=	# empty
+PATCHFILES=	squid-3.1-10483.patch
 
 MAINTAINER=	tmseck@web.de
 COMMENT=	HTTP Caching Proxy
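Review bot: Adding `squid-3.1-10483.patch` to PATCHFILES pulls the vendor changeset from PATCH_SITES, but no hunk in this patch bumps PORTREVISION, so an already-installed squid-3.1.22_1 would not be rebuilt on the next upgrade and a patched package would carry the same version as a vulnerable one. Increment PORTREVISION in the same submission, and since the patch is fetched from remote mirrors, make sure the matching distinfo entry is included so the download is checksummed before it is applied.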
@@ -254,7 +257,7 @@
 libexec+=	digest_ldap_auth squid_ldap_auth squid_ldap_group
 .endif
 .if defined(WITH_SQUID_SASL_AUTH)
-LIB_DEPENDS+=	sasl2:${PORTSDIR}/security/cyrus-sasl2
+LIB_DEPENDS+=	sasl2.2:${PORTSDIR}/security/cyrus-sasl2
 CFLAGS+=	-I${LOCALBASE}/include
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib
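Review bot: Changing `sasl2` to `sasl2.2` in LIB_DEPENDS pins a specific shared-library version and has nothing to do with the SQUID-2012:1 fix. A strict version breaks the dependency check on systems whose cyrus-sasl2 installs a different library version: the committer reports libsasl.2.so.3 from cyrus-sasl-2.1.26_1, for which the framework prints "depends on shared library: sasl2.2 - not found" and starts rebuilding cyrus-sasl2. Keep the unversioned `sasl2` unless a particular ABI is genuinely required, and if it is, state why in the submission.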
Index: distinfo
===================================================================
--- distinfo	(.../www/squid31)	(Revision 2092)
+++ distinfo	(.../local/squid31)	(Revision 2092)
@@ -1,2 +1,4 @@
 SHA256 (squid3.1/squid-3.1.22.tar.bz2) = 16fe2313f981ede1c945eebe3743d8f835e724c6dae296bfc1200af555549424
 SIZE (squid3.1/squid-3.1.22.tar.bz2) = 2560270
+SHA256 (squid3.1/squid-3.1-10483.patch) = ac871ad6e078ecc0f2ef0d32f7cbca26a1472d976e749177e60ee644878b0f42
+SIZE (squid3.1/squid-3.1-10483.patch) = 1746
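Review bot: The SHA256 and SIZE lines for `squid-3.1-10483.patch` are the necessary complement to the PATCHFILES entry: the patch is fetched from remote PATCH_SITES, and these distinfo values are what the checksum step compares the download against before it is applied, so a tampered or truncated file is rejected. Note in the submission where the hash was taken from (the vendor's published changeset) so a reviewer can cross-check it independently.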

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->rea 
Responsible-Changed-By: rea 
Responsible-Changed-When: Mon Jan 7 20:33:35 UTC 2013 
Responsible-Changed-Why:  
Will process it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175084 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/175084: commit references a PR
Date: Tue,  8 Jan 2013 05:21:18 +0000 (UTC)

 Author: rea
 Date: Tue Jan  8 05:21:05 2013
 New Revision: 310070
 URL: http://svnweb.freebsd.org/changeset/ports/310070
 
 Log:
   www/squid31: add new vendor patch for SQUID-2012:1
   
   PR:		ports/175084
   Submitted by:	Thomas-Martin Seck <tmseck@web.de> (maintainer)
   Security:	http://portaudit.freebsd.org/c37de843-488e-11e2-a5c9-0019996bc1f7.html
   QA page:	http://codelabs.ru/fbsd/ports/qa/www/squid31/3.1.22_2
 
 Modified:
   head/www/squid31/Makefile
   head/www/squid31/distinfo
 
 Modified: head/www/squid31/Makefile
 ==============================================================================
 --- head/www/squid31/Makefile	Tue Jan  8 05:18:55 2013	(r310069)
 +++ head/www/squid31/Makefile	Tue Jan  8 05:21:05 2013	(r310070)
 @@ -48,7 +48,7 @@
  
  PORTNAME=	squid
  PORTVERSION=	3.1.${SQUID_STABLE_VER}
 -PORTREVISION=	1
 +PORTREVISION=	2
  CATEGORIES=	www ipv6
  MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
  		http://mirrors.ccs.neu.edu/Squid/ \
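Review bot: Bumping PORTREVISION from 1 to 2 is the piece the submitted patch lacked: the package becomes squid-3.1.22_2 (as in the QA page link in the log), so installed 3.1.22_1 packages are upgraded and the portaudit entry referenced under Security can tell patched builds from vulnerable ones by version alone.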
 @@ -78,7 +78,7 @@ PATCH_SITES=	http://www.squid-cache.org/
  		http://www1.jp.squid-cache.org/%SUBDIR%/ \
  		http://www2.tw.squid-cache.org/%SUBDIR%/
  PATCH_SITE_SUBDIR=	Versions/v3/3.1/changesets
 -PATCHFILES=	# empty
 +PATCHFILES=	squid-3.1-10483.patch
  
  MAINTAINER=	tmseck@web.de
  COMMENT=	HTTP Caching Proxy
 
 Modified: head/www/squid31/distinfo
 ==============================================================================
 --- head/www/squid31/distinfo	Tue Jan  8 05:18:55 2013	(r310069)
 +++ head/www/squid31/distinfo	Tue Jan  8 05:21:05 2013	(r310070)
 @@ -1,2 +1,4 @@
  SHA256 (squid3.1/squid-3.1.22.tar.bz2) = 16fe2313f981ede1c945eebe3743d8f835e724c6dae296bfc1200af555549424
  SIZE (squid3.1/squid-3.1.22.tar.bz2) = 2560270
 +SHA256 (squid3.1/squid-3.1-10483.patch) = ac871ad6e078ecc0f2ef0d32f7cbca26a1472d976e749177e60ee644878b0f42
 +SIZE (squid3.1/squid-3.1-10483.patch) = 1746

From: Eygene Ryabinkin <rea@FreeBSD.org>
To: FreeBSD GNATS followup <bug-followup@freebsd.org>
Cc:  
Subject: Re: ports/175084: [Maintainer] [Security] www/squid31: integrate vendor fix for CVE-2012-5643
Date: Tue, 8 Jan 2013 09:51:53 +0400

 Committed the part that is related to SQUID-2012:1 (also bumped
 the port revision to make people pick up this change on the next
 upgrade of Squid and to allow differentiating vulnerable versions
 of Squid 3.1 from the patched ones).
 
 Thomas-Martin, two questions about the rest of the patch:
  - do you really want to specify the strict version dependency
    for SASL?  For example, on my machine I have libsasl.2.so.3,
    so version specification of sasl2.2 just won't go:
 {{{
 $ pkg query %n-%v | grep sasl
 cyrus-sasl-2.1.26_1
 $ make BATCH=yes WITH_SQUID_SASL_AUTH=yes
 ===>   squid-3.1.22_1 depends on file: /usr/local/bin/perl5.10.1 - found
 ===>   squid-3.1.22_1 depends on shared library: sasl2.2 - not found
 ===>    Verifying install for sasl2.2 in /usr/ports/security/cyrus-sasl2
 ===>  License BSD accepted by the user
 ===>   cyrus-sasl-2.1.26_1 depends on file: /usr/local/sbin/pkg - found
 ===>  Extracting for cyrus-sasl-2.1.26_1
 => SHA256 Checksum OK for cyrus-sasl-2.1.26.tar.gz.
 ^C
 $ svn diff .
 Index: Makefile
 ===================================================================
 --- Makefile	(revision 308964)
 +++ Makefile	(working copy)
 @@ -254,7 +254,7 @@
  libexec+=	digest_ldap_auth squid_ldap_auth squid_ldap_group
  .endif
  .if defined(WITH_SQUID_SASL_AUTH)
 -LIB_DEPENDS+=	sasl2:${PORTSDIR}/security/cyrus-sasl2
 +LIB_DEPENDS+=	sasl2.2:${PORTSDIR}/security/cyrus-sasl2
  CFLAGS+=	-I${LOCALBASE}/include
  CPPFLAGS+=	-I${LOCALBASE}/include
  LDFLAGS+=	-L${LOCALBASE}/lib
 }}}
 
  - you're for the old Makefile header with all 4 lines, aren't you?
    There was a decision that it should be slowly phased out,
      http://blogs.freebsdish.org/portmgr/2012/09/01/change-to-the-header-in-ports-makefiles/
    though I vaguely recall that the old form (perhaps without the
    "New ports collection ..." line) is still allowed.
 
 Thanks!
 -- 
 Eygene Ryabinkin                                        ,,,^..^,,,
 [ Life's unfair - but root password helps!           | codelabs.ru ]
 [ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
 
State-Changed-From-To: open->closed 
State-Changed-By: rea 
State-Changed-When: Tue Jan 15 08:40:00 UTC 2013 
State-Changed-Why:  
Closing the PR: the upgrade that closes the security vulnerability was committed
and there has been no response about the additional parts of the patch.  If it is
really needed, please drop me a mail at rea@FreeBSD.org.

http://www.freebsd.org/cgi/query-pr.cgi?pr=175084 
>Unformatted:
