Update squid3 package to 3.5.16, fixing several security problems.
Please refer to the release notes for other changes:
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html

* SQUID-2016:4 - Denial of Service issue in HTTP Response processing
  http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
  aka. CVE-2016-3948

  This is another of the bugs left unfixed by the SQUID-2016:2 patches.
  The visible symptom is assertions about:
  "String.cc:*: 'len_ + len <65536'"

  There is an attack in the wild for this one, but not as widely as for
  the previous issues.

* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.
  http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
  aka. CVE-2016-3947

  This bug shows up as pinger crashing with Icmp6::Recv errors.

  This may affect Squid HTTP routing decisions. In some configurations,
  sub-optimal routing decisions may result in serious service degradation
  or even transaction failures.

All previous Squid-3 releases are affected by both these issues.

See the advisory for further details. Upgrade or patching should be
considered a high priority.

* pinger: drop capabilities on Linux

  On Linux, it is now possible to install pinger helper with only
  CAP_NET_RAW permissions raised instead of full setuid-root:

  (setcap cap_net_raw+ep /path/to/pinger && chmod u-s /path/to/pinger) || :

  Other operating systems without libcap capabilities features are not
  affected by this change.

* Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion

  This rather crippling bug appears after the CVE-2016-2569 patch. It turned
  out to be a race condition closing connections and has now been fully
  fixed.

(taca)

diff -r1.62 -r1.63 pkgsrc/www/squid3/Makefile
@@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
1 | # $NetBSD: Makefile,v 1.62 2016/03/05 11:29:40 jperkin Exp $ | 1 | # $NetBSD: Makefile,v 1.63 2016/04/02 09:07:40 taca Exp $ | |
2 | 2 | |||
3 | DISTNAME= squid-3.5.15 | 3 | DISTNAME= squid-3.5.16 | |
4 | PKGREVISION= 1 | |||
5 | CATEGORIES= www | 4 | CATEGORIES= www | |
6 | MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PKGVERSION_NOREV:R}/ \ | 5 | MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PKGVERSION_NOREV:R}/ \ | |
7 | ftp://ftp.squid-cache.org/pub/squid/ \ | 6 | ftp://ftp.squid-cache.org/pub/squid/ \ | |
8 | http://ftp.nluug.nl/internet/squid/ | 7 | http://ftp.nluug.nl/internet/squid/ | |
9 | EXTRACT_SUFX= .tar.xz | 8 | EXTRACT_SUFX= .tar.xz | |
10 | 9 | |||
11 | MAINTAINER= pkgsrc-users@NetBSD.org | 10 | MAINTAINER= pkgsrc-users@NetBSD.org | |
12 | HOMEPAGE= http://www.squid-cache.org/ | 11 | HOMEPAGE= http://www.squid-cache.org/ | |
13 | COMMENT= Post-Harvest_cached WWW proxy cache and accelerator | 12 | COMMENT= Post-Harvest_cached WWW proxy cache and accelerator | |
14 | LICENSE= gnu-gpl-v2 | 13 | LICENSE= gnu-gpl-v2 | |
15 | 14 | |||
16 | USE_LANGUAGES= c c++ | 15 | USE_LANGUAGES= c c++ | |
17 | USE_TOOLS+= perl:run gmake | 16 | USE_TOOLS+= perl:run gmake |
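Review bot: MASTER_SITES (new-side lines 5-7) still lists only plain http:// and ftp:// mirrors, so for this security update the distinfo checksums are the sole protection against a tampered squid-3.5.16.tar.xz; if upstream serves the tarball over HTTPS, list that URL first. Dropping PKGREVISION together with the DISTNAME bump to squid-3.5.16 is correct for a version update.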
@@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
1 | $NetBSD: distinfo,v 1.47 2016/02/24 06:38:57 taca Exp $ | 1 | $NetBSD: distinfo,v 1.48 2016/04/02 09:07:40 taca Exp $ | |
2 | 2 | |||
3 | SHA1 (squid-3.5.15.tar.xz) = 054fb18a3b0b8228be28e61bf58cfb621c266155 | 3 | SHA1 (squid-3.5.16.tar.xz) = 8268ace3de2971222e4e5b05b0d3caa6475280d4 | |
4 | RMD160 (squid-3.5.15.tar.xz) = 27730de4768f33cb288d4f34456fe1b3264475c7 | 4 | RMD160 (squid-3.5.16.tar.xz) = 0ad226fd739b5cf13eef0cec6f9b988a68f92aad | |
5 | SHA512 (squid-3.5.15.tar.xz) = b5a6b4bc94d007f475419123b7ff4cdf7d47a024b859d2f7de0952115285114f06fd389fc6f463c21a1ce7d41e06227972bd802bafd2704cf0814afdee893dde | 5 | SHA512 (squid-3.5.16.tar.xz) = 117cf70dd87aff0c0db209648c43a8c2f056c87331133948a799715748a28133df32cf6982251a8c1366c960bbda2bd2d33287df0df7c642632723c6dbedc8cf | |
6 | Size (squid-3.5.15.tar.xz) = 2315628 bytes | 6 | Size (squid-3.5.16.tar.xz) = 2317320 bytes | |
7 | SHA1 (patch-compat_compat.h) = d6cd93fa7a6d0faad3bf1aca8ae4fa5c984fe288 | 7 | SHA1 (patch-compat_compat.h) = d6cd93fa7a6d0faad3bf1aca8ae4fa5c984fe288 | |
8 | SHA1 (patch-compat_debug.cc) = 95fc0aa6901834175b9bbf1ddb51eeb7d9ddc8c7 | 8 | SHA1 (patch-compat_debug.cc) = 95fc0aa6901834175b9bbf1ddb51eeb7d9ddc8c7 | |
9 | SHA1 (patch-compat_debug.h) = a828871704b1578b520d412393c3d398099a5fdc | 9 | SHA1 (patch-compat_debug.h) = a828871704b1578b520d412393c3d398099a5fdc | |
10 | SHA1 (patch-errors_Makefile.in) = afbac822ac84d5e1734d55fc625e949ae0b85289 | 10 | SHA1 (patch-errors_Makefile.in) = afbac822ac84d5e1734d55fc625e949ae0b85289 | |
11 | SHA1 (patch-src_Makefile.in) = 7233a92a4f6ecc06d88e125f08f7413e0741f3b6 | 11 | SHA1 (patch-src_Makefile.in) = 7233a92a4f6ecc06d88e125f08f7413e0741f3b6 | |
12 | SHA1 (patch-src_SquidNew.cc) = eef6e72e168cf7f40518fab13dc2f55ed0268db9 | 12 | SHA1 (patch-src_SquidNew.cc) = eef6e72e168cf7f40518fab13dc2f55ed0268db9 | |
13 | SHA1 (patch-src_base_TidyPointer.h) = d05017d7db904286afb02600ed3cc2f0f253b939 | 13 | SHA1 (patch-src_base_TidyPointer.h) = d05017d7db904286afb02600ed3cc2f0f253b939 | |
14 | SHA1 (patch-src_store.cc) = 055d98a59103b02a51876a5c8ffed9514954beb4 | 14 | SHA1 (patch-src_store.cc) = 055d98a59103b02a51876a5c8ffed9514954beb4 | |
15 | SHA1 (patch-tools_Makefile.in) = 3a7678c63a11a35fabef091a3b18e63859f0796f | 15 | SHA1 (patch-tools_Makefile.in) = 3a7678c63a11a35fabef091a3b18e63859f0796f |
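Review bot: every SHA1 (patch-*) entry on lines 7-15 is identical on both sides, so all nine local patches are carried forward to 3.5.16 unchanged; please confirm each still applies cleanly and that none (for example patch-src_store.cc) overlaps code touched by the upstream fixes in this release. For the distfile on lines 3-6, SHA512 is the digest to rely on when verifying the download, since the SHA1 and RMD160 entries add little on their own.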