---
- branch: MAIN
  date: Thu Oct  2 07:33:47 UTC 2014
  files:
  - new: '1.37'
    old: '1.36'
    path: pkgsrc/www/squid3/Makefile
    pathrev: pkgsrc/www/squid3/Makefile@1.37
    type: modified
  - new: '1.24'
    old: '1.23'
    path: pkgsrc/www/squid3/distinfo
    pathrev: pkgsrc/www/squid3/distinfo@1.24
    type: modified
  id: 20141002T073347Z.6bc0f9e234640b837a6488d1d2bbd4a0d8c11980
  log: |
    Update squid to 3.4.8, a security release resolving several vulnerability
    issues found in the prior Squid releases.

    The major changes to be aware of:

    * CVE-2014-6270 : SQUID-2014:3 Buffer overflow in SNMP processing

      http://www.squid-cache.org/Advisories/SQUID-2014_3.txt

    This vulnerability allows any client who is allowed to send SNMP
    packets to the proxy to perform a denial of service attack on Squid.

    The issue came to light as the result of active 0-day attacks. Since
    publication several other attack sightings have been reported.

    * CVE-2014-7141 and CVE-2014-7142 : SQUID-2014:4

      http://www.squid-cache.org/Advisories/SQUID-2014_4.txt

    These vulnerabilities allow a remote attack server to trigger DoS or
    information leakage by sending various malformed ICMP and ICMPv6
    packets to the Squid pinger helper.
    The worst-case DoS scenario is a rarity, a more common impact will be
    general service degradation for high-performance systems relying on
    the pinger for realtime network measurement.

     All users of Squid are urged to upgrade to this release as soon as
    possible.

     See the ChangeLog for the full list of changes in this and earlier
     releases.

    Please refer to the release notes at
    http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
    when you are ready to make the switch to Squid-3.4

    Upgrade tip:
      "squid -k parse" is starting to display even more
       useful hints about squid.conf changes.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/squid3'
  unixtime: '1412235227'
  user: taca