From tmseck@netcologne.de  Wed Dec  8 18:07:47 2004
Return-Path: <tmseck@netcologne.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 49D5716A4CF
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Dec 2004 18:07:47 +0000 (GMT)
Received: from smtp2.netcologne.de (smtp2.netcologne.de [194.8.194.218])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8C2E743D1F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Dec 2004 18:07:46 +0000 (GMT)
	(envelope-from tmseck@netcologne.de)
Received: from laurel.tmseck.homedns.org (xdsl-81-173-179-186.netcologne.de [81.173.179.186])
	by smtp2.netcologne.de (Postfix) with SMTP id 1DC2C4453
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Dec 2004 19:07:44 +0100 (MET)
Received: (qmail 16236 invoked by uid 1001); 8 Dec 2004 18:08:05 -0000
Message-Id: <20041208180805.16235.qmail@laurel.tmseck.homedns.org>
Date: 8 Dec 2004 18:08:05 -0000
From: Thomas-Martin Seck <tmseck@netcologne.de>
Reply-To: Thomas-Martin Seck <tmseck@netcologne.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: security-team@freebsd.org
Subject: [Maintainer] www/squid: integrate vendor patches
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         74859
>Category:       ports
>Synopsis:       [Maintainer] www/squid: integrate vendor patches
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 08 18:10:30 GMT 2004
>Closed-Date:    Wed Dec 08 23:19:35 GMT 2004
>Last-Modified:  Wed Dec 08 23:19:35 GMT 2004
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of December 8, 2004.

	
>Description:
Integrate the following vendor patches as published on
http://www.squid-cache.org/Versions/v2/2.5/bugs/:

- a malformed hostname can cause squid to return random data as error messages,
  possibly leaking internal information from former requests (squid bug #1143).
  (This is classified as a minor security issue by the squid developers, so
  I cc'ed security-team@. See below for a proposed VuXML entry.)
- the "httpd_accel_port 0" directive does not work on its own (squid bug #1121)
- fix crashes occuring when using cachemgr's "vm_objects" operation (squid
  bug #1149)

VuXML information:

<topic>squid -- possible information disclosure</topic>
<affects>
	<package>
		<name>squid</name>
		<range><lt>2.5.7_4</lt></range>
	</package>
</affects>
<description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	  <p>The squid-2.5 patches pages notes:</p>
	  <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost">
	    <p>In certain conditions Squid returns random data as error messages
	       in response to malformed host name, possibly leaking random
	       internal information which may come from other requests.</p>
	  </blockquote>
	</body>
</description>
<references>
	<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost</url>
</references>
<dates>
	<discovery>2004-11-23</discovery>
</dates>

	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 306)
+++ distinfo	(.../local/squid)	(revision 306)
@@ -10,3 +10,9 @@
 SIZE (squid2.5/squid-2.5.STABLE7-helper_shutdown.patch) = 11579
 MD5 (squid2.5/squid-2.5.STABLE7-blank_response.patch) = b4d3265c55888f9b9ba3c5bc7d073822
 SIZE (squid2.5/squid-2.5.STABLE7-blank_response.patch) = 723
+MD5 (squid2.5/squid-2.5.STABLE7-dothost.patch) = 81034e9092a06d9aa1e9ede26632ae03
+SIZE (squid2.5/squid-2.5.STABLE7-dothost.patch) = 2155
+MD5 (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 2366a84e29fad439c2a488b03f112779
+SIZE (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 843
+MD5 (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = fdde57025dbfb8caf9154e24b4e1bf3e
+SIZE (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = 6238
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 306)
+++ Makefile	(.../local/squid)	(revision 306)
@@ -74,7 +74,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.7
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -91,7 +91,10 @@
 		squid-2.5.STABLE7-LDAP_version_documentation.patch \
 		squid-2.5.STABLE7_req_resp_header.patch \
 		squid-2.5.STABLE7-helper_shutdown.patch \
-		squid-2.5.STABLE7-blank_response.patch
+		squid-2.5.STABLE7-blank_response.patch \
+		squid-2.5.STABLE7-dothost.patch \
+		squid-2.5.STABLE7-httpd_accel_vport.patch \
+		squid-2.5.STABLE7-cachemgr_vmobjects.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de

	


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: sem 
State-Changed-When: Wed Dec 8 23:18:55 GMT 2004 
State-Changed-Why:  
Committed, thanks! 
VuXML entry added. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=74859 
>Unformatted:
