ports/86179: [Maintainer] [Security] www/squid: integrate vendor patches; fix a possible DOS condition

Thomas-Martin Seck tmseck at netcologne.de
Thu Sep 15 18:40:17 UTC 2005 

>Number:         86179
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: integrate vendor patches; fix a possible DOS condition
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 15 18:40:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Sept 15, 2005.

	
>Description:
Integrate the following vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

(Note: the IPFilter related patches were omitted because they did not
apply cleanly on my (the maintainer's) development system and I had not yet
time to investigate.  squid-2.5.STABLE11 will contain them and is scheduled to
be released soon.)

- LDAP helpers do not work with TLS (-Z option)
  (squid bug #1389)
- Incorrect store dir selection debug message on objects >2G
  (squid bug #1343)
- Enums cannot be assumed to be signed ints
  (squid bug #1343)
- Allow leaving core dumps on Linux
  (squid bug #1335)
- Do not let clients bypass delay pools by faking a cache hit
  (squid bug #500)
- Fix problems regarding CONNECT requests when squid is configured with
  "pipeline_prefetch on"
- Fix a possible DOS condition which may be triggered by certain NTLM
  authentication requests
  (squid bug #1391)

Remove a patch that is obsolete with the removal of security/pf and
the related pre-patch actions.

Note to committer:
please 'cvs rm' files/pf_from_ports.patch.in

VuXML information for the possible DOS condition regarding NTLM:

  <vuln vid="44e7764c-2614-11da-9e1e-c296ac722cb3">
    <topic>squid -- possible denial of service condition regarding NTLM authentication</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.10_6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-NTLM-scheme_assert">
	  <p>Squid may crash with the above error [FATAL: Incorrect scheme in auth header] when given certain request sentences.</p>
	  <p>Workaround: disable NTLM authentication.</p>
	</blockquote>
      </body>
    </description>
    <references>
    	<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1391</url>
	<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-NTLM-scheme_assert</url>
    </references>
    <dates>
      <discovery>2005-09-12</discovery>
      <entry>YYYY-MM-DD</entry>
    </dates>
  </vuln>

	
>How-To-Repeat:
	
>Fix:
Apply this patch:


Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 566)
+++ distinfo	(.../local/squid)	(revision 566)
@@ -50,3 +50,17 @@
 SIZE (squid2.5/squid-2.5.STABLE10-cacheClientTable.patch) = 632
 MD5 (squid2.5/squid-2.5.STABLE10-mail_from.patch) = 8a944c1d3f3bac0d1dadcb7aace0ad68
 SIZE (squid2.5/squid-2.5.STABLE10-mail_from.patch) = 1863
+MD5 (squid2.5/squid-2.5.STABLE10-LDAP_TLS.patch) = be16c3bd42c1e72c84db9107d91fb1d7
+SIZE (squid2.5/squid-2.5.STABLE10-LDAP_TLS.patch) = 2466
+MD5 (squid2.5/squid-2.5.STABLE10-storedir_objsize_debug.patch) = 50c480674cc3cf8de7362e0a440c2753
+SIZE (squid2.5/squid-2.5.STABLE10-storedir_objsize_debug.patch) = 1289
+MD5 (squid2.5/squid-2.5.STABLE10-header_id_enum.patch) = df2c547c9390f060333683e7e60b6363
+SIZE (squid2.5/squid-2.5.STABLE10-header_id_enum.patch) = 628
+MD5 (squid2.5/squid-2.5.STABLE10-allow_coredump.patch) = 14184adb5452ddac77c8511ee1202689
+SIZE (squid2.5/squid-2.5.STABLE10-allow_coredump.patch) = 3496
+MD5 (squid2.5/squid-2.5.STABLE10-delay_pools.patch) = bd4e5d3d8fbea996d29cfe6d6132cb0a
+SIZE (squid2.5/squid-2.5.STABLE10-delay_pools.patch) = 7782
+MD5 (squid2.5/squid-2.5.STABLE10-pipeline-CONNECT.patch) = 9e264ac64f93755ccfdce33f14a470c3
+SIZE (squid2.5/squid-2.5.STABLE10-pipeline-CONNECT.patch) = 6316
+MD5 (squid2.5/squid-2.5.STABLE10-NTLM-scheme_assert.patch) = e62ba264eaa7c248ef8d8cbb3777110c
+SIZE (squid2.5/squid-2.5.STABLE10-NTLM-scheme_assert.patch) = 1203
Index: files/pf_from_ports.patch.in
===================================================================
--- files/pf_from_ports.patch.in	(.../www/squid)	(revision 566)
+++ files/pf_from_ports.patch.in	(.../local/squid)	(revision 566)
@@ -1,20 +0,0 @@
---- configure.orig	Thu Jun 10 12:22:06 2004
-+++ configure	Thu Jun 10 13:31:53 2004
-@@ -3781,7 +3781,7 @@
- 	memory.h \
- 	mount.h \
- 	net/if.h \
--	net/pfvar.h \
-+	%%PF_INCLUDEDIR%%/net/pfvar.h \
- 	netdb.h \
- 	netinet/if_ether.h \
- 	netinet/in.h \
-@@ -7604,7 +7604,7 @@
-     echo $ac_n "checking if PF header file is installed""... $ac_c" 1>&6
- echo "configure:7606: checking if PF header file is installed" >&5
-     # hold on to your hats...
--    if test "$ac_cv_header_net_pfvar_h" = "yes"; then
-+    if test "$ac_cv_header_%%PF_AC_INCLUDEPATH%%_net_pfvar_h" = "yes"; then
-         PF_TRANSPARENT="yes"
-         cat >> confdefs.h <<\EOF
- #define PF_TRANSPARENT 1
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 566)
+++ Makefile	(.../local/squid)	(revision 566)
@@ -66,7 +66,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.10
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -103,7 +103,14 @@
 		squid-2.5.STABLE10-STORE_PENDING.patch \
 		squid-2.5.STABLE10-ldap_auth-U.patch \
 		squid-2.5.STABLE10-cacheClientTable.patch \
-		squid-2.5.STABLE10-mail_from.patch
+		squid-2.5.STABLE10-mail_from.patch \
+		squid-2.5.STABLE10-LDAP_TLS.patch \
+		squid-2.5.STABLE10-storedir_objsize_debug.patch \
+		squid-2.5.STABLE10-header_id_enum.patch \
+		squid-2.5.STABLE10-allow_coredump.patch \
+		squid-2.5.STABLE10-delay_pools.patch \
+		squid-2.5.STABLE10-pipeline-CONNECT.patch \
+		squid-2.5.STABLE10-NTLM-scheme_assert.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck at netcologne.de
@@ -364,15 +371,6 @@
 .endfor
 PLIST_DIRS+=	etc/squid/errors etc/squid squid/logs squid/cache squid
 
-pre-patch:
-# Check whether we need to create the extra patch that makes pf(4)
-# visible to squid's configure script:
-.if defined(pf_includedir)
-	@${SED} -e 's|%%PF_INCLUDEDIR%%|${pf_includedir}|g' \
-	    -e 's|%%PF_AC_INCLUDEPATH%%|${pf_includedir:S,/,_,g}|g' \
-	    ${PATCHDIR}/pf_from_ports.patch.in >${WRKDIR}/pf_from_ports.patch
-.endif
-
 post-patch:
 	@${REINPLACE_CMD} -e 's|-lpthread|${PTHREAD_LIBS}|g' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e 's|%%SQUID_UID%%|${SQUID_UID}|g' \
	


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list