ports/76550: [Maintainer/security] www/squid: protect against HTTP response split attack and other patches

Thomas-Martin Seck tmseck at netcologne.de
Fri Jan 21 18:40:32 UTC 2005


>Number:         76550
>Category:       ports
>Synopsis:       [Maintainer/security] www/squid: protect against HTTP response split attack and other patches
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 18:40:28 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Jan 21, 2005.

	
>Description:
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

- FTP data connection fails on some FTP servers when requesting a directory
  without a trailing slash (squid bug #1194)

- Icons fail to load on non-anonymous FTP when using the short_icons_url
  configuration directive (squid bug #1203)

- Strengthen squid against HTTP response splitting cache pollution attacks
  (squid bug #1200), classified as security issue by the vendor

Proposed VuXML information, entry date left to be filled in:

(Note: I added only a publicly accessible link to the Sanctum, Inc.
whitepaper, the squid bug tracker contains a deep link to the PDF
itself; if we are allowed to publish it, it could instead be used as
reference because Sanctum, Inc. wants you to register with them before
you get access to their whitepapers.)

<vuln vid="4e4bd2c2-6bd5-11d9-9e1e-c296ac722cb3">
  <topic>squid -- HTTP response splitting cache pollution attack</topic>
  <affects>
    <package>
	<name>squid</name>
	<range><lt>2.5.7_8</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
	<p>According to a whitepaper published by Sanctum, Inc., it
	  is possible to mount cache poisoning attacks against, among others,
	  squid proxies by inserting false replies into the HTTP stream.</p>
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting">
	  <p>This patch additionally strengthens Squid from the HTTP response
	    attack described by Sanctum.</p>
	</blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting</url>
    <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1200</url>
    <url>https://www.watchfire.com/securearea/whitepapers.aspx?id=8</url>
  </references>
  <dates>
    <discovery>2004-03-01</discovery>
    <entry></entry>
  </dates>
</vuln>
	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 340)
+++ distinfo	(.../local/squid)	(revision 340)
@@ -32,3 +32,9 @@
 SIZE (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 4484
 MD5 (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 8c2eb269b16d757b562ee32a2eb7ef99
 SIZE (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 1974
+MD5 (squid2.5/squid-2.5.STABLE7-ftp_datachannel.patch) = cc65c481c7ea1e2cb2bc1c0b61f09a69
+SIZE (squid2.5/squid-2.5.STABLE7-ftp_datachannel.patch) = 4825
+MD5 (squid2.5/squid-2.5.STABLE7-short_icons_urls.patch) = 3cbed4fe923641bff5f23e69c444d63e
+SIZE (squid2.5/squid-2.5.STABLE7-short_icons_urls.patch) = 704
+MD5 (squid2.5/squid-2.5.STABLE7-response_splitting.patch) = ff3d8ae3e933817c91e745beba76b5fc
+SIZE (squid2.5/squid-2.5.STABLE7-response_splitting.patch) = 9782
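
Review bot: the three new distfiles in this distinfo hunk are pinned by MD5 and SIZE only, and one of them, squid-2.5.STABLE7-response_splitting.patch, carries the security fix. MD5 is not collision resistant, so if the ports framework in this tree accepts a stronger digest line, record one next to each MD5 entry; either way, compare the recorded sums against the files on the vendor's patches page before commit.
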
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 340)
+++ Makefile	(.../local/squid)	(revision 340)
@@ -74,7 +74,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.7
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
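
Review bot: the PORTREVISION bump to 8 in this hunk is what the proposed VuXML range <lt>2.5.7_8</lt> keys on, so the two need to land in step; if the revision differs at commit time, the range in the vuln entry has to change with it. The unchanged MASTER_SITES context fetches over ftp://, which leaves the distinfo checksums as the only integrity check on the downloaded patches.
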
@@ -102,7 +102,10 @@
 		squid-2.5.STABLE7-wccp_denial_of_service.patch \
 		squid-2.5.STABLE7-dns_memleak.patch \
 		squid-2.5.STABLE7-fqdn_truncated.patch \
-		squid-2.5.STABLE7-ldap_spaces.patch
+		squid-2.5.STABLE7-ldap_spaces.patch \
+		squid-2.5.STABLE7-ftp_datachannel.patch \
+		squid-2.5.STABLE7-short_icons_urls.patch \
+		squid-2.5.STABLE7-response_splitting.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck at netcologne.de
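
Review bot: squid-2.5.STABLE7-response_splitting.patch is appended to PATCHFILES alongside two functional fixes, and nothing in the Makefile marks it as the security-relevant one. Since a comment cannot sit inside the backslash-continued list, name squid bug #1200 and the VuXML vid in the commit message so the revision bump can be traced to the advisory. Also confirm that all three new patches apply cleanly with -p1 after the existing entries in the list.
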
	


>Release-Note:
>Audit-Trail:
>Unformatted:


