Sat Apr 2 09:07:40 2016 UTC ()
Update squid3 package to 3.5.16, fixing several security problems.
Please refer to the release notes for other changes:
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html

* SQUID-2016:4 - Denial of Service issue in HTTP Response processing

    http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
    aka. CVE-2016-3948

This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
 "String.cc:*: 'len_ + len <65536'"

There is an attack in the wild for this one, but not as widely as for
the previous issues.

* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.

    http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
    aka. CVE-2016-3947

This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.

All previous Squid-3 releases are affected by both these issues. See the
advisory for further details. Upgrade or patching should be considered a
high priority.

* pinger: drop capabilities on Linux

On Linux, it is now possible to install the pinger helper with only
CAP_NET_RAW permissions raised instead of full setuid-root:

  (setcap cap_net_raw+ep /path/to/pinger &&
   chmod u-s /path/to/pinger) || :

Other operating systems without libcap capabilities features are not
affected by this change.

* Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion

This rather crippling bug appears after the CVE-2016-2569 patch. It
turned out to be a race condition closing connections and has now been
fully fixed.


(taca)
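The capability-based pinger installation described in the commit message, as an added audit check (not pkgsrc's or Squid's own code): it reports whether a given pinger binary still carries the setuid bit, carries only cap_net_raw, or neither. The function names and the path argument are assumptions; `/path/to/pinger` above is a placeholder.

```shell
#!/bin/sh
# Added example, not part of pkgsrc or Squid: audit how a pinger binary
# is privileged after the "drop capabilities on Linux" change.
# pinger_privs prints one word and returns 0 only for the least-privilege
# state the commit message describes:
#   capability   : not setuid, file capability cap_net_raw present
#   setuid       : setuid bit still set (the pre-3.5.16 installation style)
#   unprivileged : neither, so pinger cannot open raw ICMP sockets
#   missing      : no such file

has_setuid() {
    # [ -u ] tests the setuid bit and is POSIX, so this works on any OS.
    [ -u "$1" ]
}

has_net_raw() {
    # Only Linux with libcap has getcap; on other systems this check fails
    # closed. Older libcap prints "= cap_net_raw+ep", libcap 2.41+ prints
    # "cap_net_raw=ep"; the pattern matches either spelling.
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_net_raw[+=]'
}

pinger_privs() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }
    if has_setuid "$f"; then
        echo "setuid"; return 1
    elif has_net_raw "$f"; then
        echo "capability"; return 0
    else
        echo "unprivileged"; return 1
    fi
}
```

Run as `pinger_privs /path/to/pinger` after installing the package; a result of `setuid` on Linux means the setcap/chmod step above did not take effect.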
diff -r1.62 -r1.63 pkgsrc/www/squid3/Makefile
diff -r1.47 -r1.48 pkgsrc/www/squid3/distinfo

cvs diff -r1.62 -r1.63 pkgsrc/www/squid3/Attic/Makefile

--- pkgsrc/www/squid3/Attic/Makefile 2016/03/05 11:29:40 1.62
+++ pkgsrc/www/squid3/Attic/Makefile 2016/04/02 09:07:40 1.63
@@ -1,17 +1,16 @@ @@ -1,17 +1,16 @@
1# $NetBSD: Makefile,v 1.62 2016/03/05 11:29:40 jperkin Exp $ 1# $NetBSD: Makefile,v 1.63 2016/04/02 09:07:40 taca Exp $
2 2
3DISTNAME= squid-3.5.15 3DISTNAME= squid-3.5.16
4PKGREVISION= 1 
5CATEGORIES= www 4CATEGORIES= www
6MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PKGVERSION_NOREV:R}/ \ 5MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PKGVERSION_NOREV:R}/ \
7 ftp://ftp.squid-cache.org/pub/squid/ \ 6 ftp://ftp.squid-cache.org/pub/squid/ \
8 http://ftp.nluug.nl/internet/squid/ 7 http://ftp.nluug.nl/internet/squid/
9EXTRACT_SUFX= .tar.xz 8EXTRACT_SUFX= .tar.xz
10 9
11MAINTAINER= pkgsrc-users@NetBSD.org 10MAINTAINER= pkgsrc-users@NetBSD.org
12HOMEPAGE= http://www.squid-cache.org/ 11HOMEPAGE= http://www.squid-cache.org/
13COMMENT= Post-Harvest_cached WWW proxy cache and accelerator 12COMMENT= Post-Harvest_cached WWW proxy cache and accelerator
14LICENSE= gnu-gpl-v2 13LICENSE= gnu-gpl-v2
15 14
16USE_LANGUAGES= c c++ 15USE_LANGUAGES= c c++
17USE_TOOLS+= perl:run gmake 16USE_TOOLS+= perl:run gmake
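Review bot: dropping PKGREVISION together with the DISTNAME bump to squid-3.5.16 is the right pkgsrc convention, but note that every MASTER_SITES entry in this hunk is plain http:// or ftp://, so for a security update the distinfo checksums are the only integrity control on the fetched tarball; the new SHA512 should be checked against the upstream announcement rather than taken from a mirror.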

cvs diff -r1.47 -r1.48 pkgsrc/www/squid3/Attic/distinfo

--- pkgsrc/www/squid3/Attic/distinfo 2016/02/24 06:38:57 1.47
+++ pkgsrc/www/squid3/Attic/distinfo 2016/04/02 09:07:40 1.48
@@ -1,15 +1,15 @@ @@ -1,15 +1,15 @@
1$NetBSD: distinfo,v 1.47 2016/02/24 06:38:57 taca Exp $ 1$NetBSD: distinfo,v 1.48 2016/04/02 09:07:40 taca Exp $
2 2
3SHA1 (squid-3.5.15.tar.xz) = 054fb18a3b0b8228be28e61bf58cfb621c266155 3SHA1 (squid-3.5.16.tar.xz) = 8268ace3de2971222e4e5b05b0d3caa6475280d4
4RMD160 (squid-3.5.15.tar.xz) = 27730de4768f33cb288d4f34456fe1b3264475c7 4RMD160 (squid-3.5.16.tar.xz) = 0ad226fd739b5cf13eef0cec6f9b988a68f92aad
5SHA512 (squid-3.5.15.tar.xz) = b5a6b4bc94d007f475419123b7ff4cdf7d47a024b859d2f7de0952115285114f06fd389fc6f463c21a1ce7d41e06227972bd802bafd2704cf0814afdee893dde 5SHA512 (squid-3.5.16.tar.xz) = 117cf70dd87aff0c0db209648c43a8c2f056c87331133948a799715748a28133df32cf6982251a8c1366c960bbda2bd2d33287df0df7c642632723c6dbedc8cf
6Size (squid-3.5.15.tar.xz) = 2315628 bytes 6Size (squid-3.5.16.tar.xz) = 2317320 bytes
7SHA1 (patch-compat_compat.h) = d6cd93fa7a6d0faad3bf1aca8ae4fa5c984fe288 7SHA1 (patch-compat_compat.h) = d6cd93fa7a6d0faad3bf1aca8ae4fa5c984fe288
8SHA1 (patch-compat_debug.cc) = 95fc0aa6901834175b9bbf1ddb51eeb7d9ddc8c7 8SHA1 (patch-compat_debug.cc) = 95fc0aa6901834175b9bbf1ddb51eeb7d9ddc8c7
9SHA1 (patch-compat_debug.h) = a828871704b1578b520d412393c3d398099a5fdc 9SHA1 (patch-compat_debug.h) = a828871704b1578b520d412393c3d398099a5fdc
10SHA1 (patch-errors_Makefile.in) = afbac822ac84d5e1734d55fc625e949ae0b85289 10SHA1 (patch-errors_Makefile.in) = afbac822ac84d5e1734d55fc625e949ae0b85289
11SHA1 (patch-src_Makefile.in) = 7233a92a4f6ecc06d88e125f08f7413e0741f3b6 11SHA1 (patch-src_Makefile.in) = 7233a92a4f6ecc06d88e125f08f7413e0741f3b6
12SHA1 (patch-src_SquidNew.cc) = eef6e72e168cf7f40518fab13dc2f55ed0268db9 12SHA1 (patch-src_SquidNew.cc) = eef6e72e168cf7f40518fab13dc2f55ed0268db9
13SHA1 (patch-src_base_TidyPointer.h) = d05017d7db904286afb02600ed3cc2f0f253b939 13SHA1 (patch-src_base_TidyPointer.h) = d05017d7db904286afb02600ed3cc2f0f253b939
14SHA1 (patch-src_store.cc) = 055d98a59103b02a51876a5c8ffed9514954beb4 14SHA1 (patch-src_store.cc) = 055d98a59103b02a51876a5c8ffed9514954beb4
15SHA1 (patch-tools_Makefile.in) = 3a7678c63a11a35fabef091a3b18e63859f0796f 15SHA1 (patch-tools_Makefile.in) = 3a7678c63a11a35fabef091a3b18e63859f0796f
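Review bot: only the four squid-3.5.16.tar.xz entries change here (size 2315628 to 2317320 bytes) while all nine patch-* SHA1 lines are untouched; an unchanged patch checksum only says the patch file itself did not change, not that its hunks still land on the new sources, so a build with the patches applied should be confirmed before relying on this update. Of the three tarball digests, SHA512 is the one worth verifying against upstream; SHA1 and RMD160 are kept for format compatibility only.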