Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id 0150D7A468 for ; Sat, 2 Apr 2016 09:07:56 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 0294285F1E; Sat, 2 Apr 2016 09:07:42 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 814D885E5C for ; Sat, 2 Apr 2016 09:07:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id CJJ-kaB0uw79 for ; Sat, 2 Apr 2016 09:07:41 +0000 (UTC) Received: from cvs.NetBSD.org (unknown [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id DA49D84CEC for ; Sat, 2 Apr 2016 09:07:40 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id D549DFBBA; Sat, 2 Apr 2016 09:07:40 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" MIME-Version: 1.0 Date: Sat, 2 Apr 2016 09:07:40 +0000 From: "Takahiro Kambe" Subject: CVS commit: pkgsrc/www/squid3 To: pkgsrc-changes@NetBSD.org Reply-To: taca@netbsd.org X-Mailer: log_accum Message-Id: <20160402090740.D549DFBBA@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: taca Date: Sat Apr 2 09:07:40 UTC 2016 Modified Files: pkgsrc/www/squid3: Makefile distinfo Log Message: Update squid3 pacakge to 3.5.16, fixing several security problems. Please refer release note for other changes: http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html * SQUID-2016:4 - Denial of Service issue in HTTP Response processing http://www.squid-cache.org/Advisories/SQUID-2016_4.txt aka. CVE-2016-3948 This is another of the bugs left unfixed by the SQUID-2016:2 patches. The visible symptom is assertions about: "String.cc:*: 'len_ + len <65536'" There is an attack in the wild for this one, but not as widely as for the previous issues. * SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing. http://www.squid-cache.org/Advisories/SQUID-2016_3.txt aka. CVE-2016-3947 This bug shows up as pinger crashing with Icmp6::Recv errors. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures. All previous Squid-3 releases are affected by both these issues. See the advisory for further details. Upgrade or patching should be considered a high priority. * pinger: drop capabilities on Linux On Linux, it is now possible to install pinger helper with only CAP_NET_RAW permissions raised instead of full setuid-root: (setcap cap_net_raw+ep /path/to/pinger && chmod u-s /path/to/pinger) || : Other operating systems without libcap capabilities features are not affected by this change. * Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion This rather cripling bug appears after the CVE-2016-2569 patch. It turned out to be a race condition closing connections and has now been fully fixed. To generate a diff of this commit: cvs rdiff -u -r1.62 -r1.63 pkgsrc/www/squid3/Makefile cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/squid3/distinfo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.