---
- branch: MAIN
  date: Tue Sep 22 13:39:31 UTC 2015
  files:
  - new: '1.53'
    old: '1.52'
    path: pkgsrc/www/squid3/Makefile
    pathrev: pkgsrc/www/squid3/Makefile@1.53
    type: modified
  - new: '1.39'
    old: '1.38'
    path: pkgsrc/www/squid3/distinfo
    pathrev: pkgsrc/www/squid3/distinfo@1.39
    type: modified
  id: 20150922T133931Z.10f111254c69989b219270768e8ac07cac4caf6f
  log: |
    Update squid3 to 3.5.9, it is a security fix release.

    * SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS processing

      These problems allow any trusted client or external server to
      perform a denial of service attack on the Squid service and all
      other services on the same machine.

      However, the bugs are exploitable only if you have configured a
      Squid-3.5 listening port with ssl-bump.

      The visible signs of these bugs are a Squid crash or high CPU usage.
      Skype is known to trigger the crash and/or a small amount of extra
      CPU use unintentionally. Malicious traffic is possible which could
      have severe effects.

    * Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords

      The SMB LanMan authentication helper in Squid-3.2 and later has been
      rejecting valid user credentials.

      Reminder: Use of this helper is deprecated. We strongly recommend
      against using it. LanMan authentication gives the illusion of
      transmitting NTLM protocol while actually transmitting username and
      password with crypto algorithms that can be decoded in real-time
      (this helper relies on that ability). The combination makes it
      overall less secure than even HTTP Basic authentication.

    * TLS: Support SNI on generated CONNECT after peek

      When Squid generates CONNECT requests it will now attempt to use the
      client SNI value if any is known.

      Note that SNI is found during an ssl_bump peek action, so will only
      be available on some generated CONNECT. Intercepted traffic will
      always begin with a raw-IP CONNECT message which must pass access
      controls and adaptations before ssl_bump peek is even considered.

    * Quieten UFS cache maintenance skipped warnings

      This resolves the log noise encountered since the 3.5.8 release when
      large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/squid3'
  unixtime: '1442929171'
  user: taca