svn commit: r462952 - in branches/2018Q1/www/squid: . files
Danilo G. Baio
dbaio at FreeBSD.org
Sun Feb 25 13:18:32 UTC 2018
Author: dbaio
Date: Sun Feb 25 13:18:31 2018
New Revision: 462952
URL: https://svnweb.freebsd.org/changeset/ports/462952
Log:
MFH: r462146 r462744
Use BROKEN_SSL
Approved by: portmgr (blanket)
www/squid: Fixes security vulnerabilities
Add patches to fix CVE's:
CVE-2018-1000024
CVE-2018-1000027
PR: 226139
Submitted by: Yasuhiro KIMURA <yasu at utahime.org>
Approved by: timp87 at gmail.com (maintainer)
Security: d5b6d151-1887-11e8-94f7-9c5c8e75236a
Approved by: ports-secteam (riggs)
Added:
branches/2018Q1/www/squid/files/patch-src_client__side__request.cc
- copied unchanged from r462744, head/www/squid/files/patch-src_client__side__request.cc
branches/2018Q1/www/squid/files/patch-src_esi_CustomParser.cc
- copied unchanged from r462744, head/www/squid/files/patch-src_esi_CustomParser.cc
Modified:
branches/2018Q1/www/squid/Makefile
Directory Properties:
branches/2018Q1/ (props changed)
Modified: branches/2018Q1/www/squid/Makefile
==============================================================================
--- branches/2018Q1/www/squid/Makefile Sun Feb 25 12:14:34 2018 (r462951)
+++ branches/2018Q1/www/squid/Makefile Sun Feb 25 13:18:31 2018 (r462952)
@@ -2,7 +2,7 @@
PORTNAME= squid
PORTVERSION= 3.5.27
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= www ipv6
MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PORTVERSION:R}/ \
http://www2.us.squid-cache.org/Versions/v3/${PORTVERSION:R}/ \
@@ -113,6 +113,7 @@ SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE} \
LIBOPENSSL_CFLAGS=-I${OPENSSLINC} \
LIBOPENSSL_LIBS="-lcrypto -lssl"
SSL_USES= ssl
+SSL_VARS= BROKEN_SSL=openssl-devel
SSL_CRTD_CONFIGURE_ENABLE= ssl-crtd
SSL_CRTD_IMPLIES= SSL
STACKTRACES_CONFIGURE_ENABLE= stacktraces
@@ -303,10 +304,6 @@ post-install:
(cd ${WRKSRC} && ${INSTALL_DATA} ${MYDOCS} ${STAGEDIR}${DOCSDIR})
.include <bsd.port.pre.mk>
-
-.if ${PORT_OPTIONS:MSSL} && ${SSL_DEFAULT:Mopenssl-devel}
-BROKEN= Does not build with openssl-devel
-.endif
.if ${CHOSEN_COMPILER_TYPE} == clang
CXXFLAGS+= -Wno-unknown-warning-option
Copied: branches/2018Q1/www/squid/files/patch-src_client__side__request.cc (from r462744, head/www/squid/files/patch-src_client__side__request.cc)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2018Q1/www/squid/files/patch-src_client__side__request.cc Sun Feb 25 13:18:31 2018 (r462952, copy of r462744, head/www/squid/files/patch-src_client__side__request.cc)
@@ -0,0 +1,23 @@
+http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch
+
+commit 8232b83d3fa47a1399f155cb829db829369fbae9 (refs/remotes/origin/v3.5)
+Author: squidadm <squidadm at users.noreply.github.com>
+Date: 2018-01-21 08:07:08 +1300
+
+ Fix indirect IP logging for transactions without a client connection (#129) (#136)
+
+--- src/client_side_request.cc.orig 2018-02-23 13:39:32 UTC
++++ src/client_side_request.cc
+@@ -488,9 +488,9 @@ clientFollowXForwardedForCheck(allow_t answer, void *d
+ * Ensure that the access log shows the indirect client
+ * instead of the direct client.
+ */
+- ConnStateData *conn = http->getConn();
+- conn->log_addr = request->indirect_client_addr;
+- http->al->cache.caddr = conn->log_addr;
++ http->al->cache.caddr = request->indirect_client_addr;
++ if (ConnStateData *conn = http->getConn())
++ conn->log_addr = request->indirect_client_addr;
+ }
+ request->x_forwarded_for_iterator.clean();
+ request->flags.done_follow_x_forwarded_for = true;
Copied: branches/2018Q1/www/squid/files/patch-src_esi_CustomParser.cc (from r462744, head/www/squid/files/patch-src_esi_CustomParser.cc)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2018Q1/www/squid/files/patch-src_esi_CustomParser.cc Sun Feb 25 13:18:31 2018 (r462952, copy of r462744, head/www/squid/files/patch-src_esi_CustomParser.cc)
@@ -0,0 +1,28 @@
+http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_1.patch
+
+commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5)
+Author: Amos Jeffries <yadij at users.noreply.github.com>
+Date: 2018-01-19 13:54:14 +1300
+
+ ESI: make sure endofName never exceeds tagEnd (#130)
+
+--- src/esi/CustomParser.cc.orig 2018-02-23 13:37:52 UTC
++++ src/esi/CustomParser.cc
+@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t
+
+ char * endofName = strpbrk(const_cast<char *>(tag), w_space);
+
+- if (endofName > tagEnd)
++ if (!endofName || endofName > tagEnd)
+ endofName = const_cast<char *>(tagEnd);
+
+ *endofName = '\0';
+@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t
+
+ char * endofName = strpbrk(const_cast<char *>(tag), w_space);
+
+- if (endofName > tagEnd)
++ if (!endofName || endofName > tagEnd)
+ endofName = const_cast<char *>(tagEnd);
+
+ *endofName = '\0';
More information about the svn-ports-all
mailing list