Sun Aug 23 09:51:35 2020 UTC
www/squid4: update to 4.13

Update squid4 to 4.13 (Squid 4.13).

Here is the release announcement:

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.13 release!

This release is a security release resolving several issues found in
the prior Squid releases.

The major changes to be aware of:

 * SQUID-2020:8 HTTP(S) Request Splitting
   (CVE-2020-15811)

This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.

See the advisory for patches:
 <https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv>

 * SQUID-2020:9 Denial of Service processing Cache Digest Response
   (CVE pending allocation)

This problem allows a trusted peer to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.

This attack is limited to Squid using cache_peer with the cache
digests feature.

See the advisory for patches:
 <https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg>

 * SQUID-2020:10 HTTP(S) Request Smuggling
   (CVE-2020-15810)

This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.

See the advisory for patches:
 <https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m>

 * Bug 5051: Some collapsed revalidation responses never expire

This bug appears as a 4xx or 5xx status response becoming the only
response delivered by Squid to a URL when the Collapsed Forwarding
feature is used.

It primarily affects Squid instances which are caching the 4xx/5xx
status object since the Bug 5030 fix in Squid-4.11, but may have been
occurring for short times on any proxy with Collapsed Forwarding.

 * SSL-Bump: Support parsing GREASEd (and future) TLS handshakes

Chrome Browser intentionally sends random garbage values in the
TLS handshake to force TLS implementations to cope with future TLS
extensions cleanly. The changes in Squid-4.12 to disable TLS/1.3
caused our parser to be extra strict and reject this TLS garbage.

This release adds explicit support for Chrome, or any other TLS
agent performing these "GREASE" behaviours.

 * Honor on_unsupported_protocol for intercepted https_port

This behaviour was one of the intended use-cases for unsupported
protocol handling, but somehow was not enabled earlier.

Squid should now be able to perform the on_unsupported_protocol
selected action for any traffic handled by SSL-Bump.

  All users of Squid are urged to upgrade as soon as possible.

See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.


(taca)
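
Added example, not part of the commit message or of Squid's source: the GREASE item in the announcement, shown as a strict parser that fails on a reserved GREASE value next to a tolerant one that ignores it. The function names, the choice of the supported_versions extension and the sample bytes are assumptions constructed for illustration.

```python
import struct

KNOWN_VERSIONS = {0x0301: "TLS/1.0", 0x0302: "TLS/1.1",
                  0x0303: "TLS/1.2", 0x0304: "TLS/1.3"}
SUPPORTED_VERSIONS = 0x002B  # extension type from RFC 8446

def is_grease(value):
    """RFC 8701 reserves 0x0A0A, 0x1A1A, ... 0xFAFA: two equal bytes, low nibble 0xA."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A

def parse_extensions(block):
    """Split a ClientHello extensions block into (type, data) pairs, bounds-checked."""
    if len(block) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, []
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("extension overruns block")
        out.append((ext_type, block[pos:pos + ext_len]))
        pos += ext_len
    return out

def offered_versions(block, strict):
    """Return (known versions, ignored values); strict mode rejects any unknown value."""
    versions, ignored = [], []
    for ext_type, data in parse_extensions(block):
        if ext_type != SUPPORTED_VERSIONS:
            continue  # unknown and GREASE extension types are skipped, never fatal
        if not data or data[0] != len(data) - 1 or data[0] % 2:
            raise ValueError("malformed supported_versions")
        for (v,) in struct.iter_unpack("!H", data[1:]):
            if v in KNOWN_VERSIONS:
                versions.append(KNOWN_VERSIONS[v])
            elif strict:
                raise ValueError(f"unknown version 0x{v:04x}")
            else:
                ignored.append((v, is_grease(v)))
    return versions, ignored

def ext(ext_type, data=b""):
    """Encode one extension: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data

# Constructed sample: GREASE extension, supported_versions with a GREASE entry, GREASE extension.
body = ext(0x0A0A) + ext(SUPPORTED_VERSIONS, b"\x06\x1a\x1a\x03\x04\x03\x03") + ext(0x3A3A, b"\x00")
SAMPLE = struct.pack("!H", len(body)) + body
```

Length and bounds errors stay fatal in both modes; only the handling of well-formed but unrecognised values differs.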
diff -r1.11 -r1.12 pkgsrc/www/squid4/Makefile
diff -r1.8 -r1.9 pkgsrc/www/squid4/distinfo
diff -r1.1 -r0 pkgsrc/www/squid4/patches/patch-src_security_Handshake.cc

cvs diff -r1.11 -r1.12 pkgsrc/www/squid4/Makefile

--- pkgsrc/www/squid4/Makefile 2020/07/09 20:57:11 1.11
+++ pkgsrc/www/squid4/Makefile 2020/08/23 09:51:35 1.12
@@ -1,17 +1,16 @@ @@ -1,17 +1,16 @@
1# $NetBSD: Makefile,v 1.11 2020/07/09 20:57:11 otis Exp $ 1# $NetBSD: Makefile,v 1.12 2020/08/23 09:51:35 taca Exp $
2 2
3DISTNAME= squid-4.12 3DISTNAME= squid-4.13
4PKGREVISION= 1 
5CATEGORIES= www 4CATEGORIES= www
6MASTER_SITES= http://www.squid-cache.org/Versions/v4/ 5MASTER_SITES= http://www.squid-cache.org/Versions/v4/
7MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/ 6MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
8MASTER_SITES+= ftp://ftp.squid-cache.org/pub/archive/4/ 7MASTER_SITES+= ftp://ftp.squid-cache.org/pub/archive/4/
9EXTRACT_SUFX= .tar.xz 8EXTRACT_SUFX= .tar.xz
10 9
11MAINTAINER= pkgsrc-users@NetBSD.org 10MAINTAINER= pkgsrc-users@NetBSD.org
12HOMEPAGE= http://www.squid-cache.org/ 11HOMEPAGE= http://www.squid-cache.org/
13COMMENT= Post-Harvest_cached WWW proxy cache and accelerator 12COMMENT= Post-Harvest_cached WWW proxy cache and accelerator
14LICENSE= gnu-gpl-v2 13LICENSE= gnu-gpl-v2
15 14
16USE_LANGUAGES= c c++11 15USE_LANGUAGES= c c++11
17USE_TOOLS+= perl:run gmake 16USE_TOOLS+= perl:run gmake
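
Review bot: MASTER_SITES and HOMEPAGE (unchanged context, new lines 5-7 and 11) still use http:// and ftp:// URLs, so the tarball for this security release is fetched in cleartext and its integrity rests entirely on the distinfo checksums. If upstream serves the same paths over https, consider switching the primary MASTER_SITES entry and HOMEPAGE in this bump. Dropping PKGREVISION together with the DISTNAME change to squid-4.13 is correct for a version update.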

cvs diff -r1.8 -r1.9 pkgsrc/www/squid4/distinfo

--- pkgsrc/www/squid4/distinfo 2020/07/09 20:57:11 1.8
+++ pkgsrc/www/squid4/distinfo 2020/08/23 09:51:35 1.9
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1$NetBSD: distinfo,v 1.8 2020/07/09 20:57:11 otis Exp $ 1$NetBSD: distinfo,v 1.9 2020/08/23 09:51:35 taca Exp $
2 2
3SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6 3SHA1 (squid-4.13.tar.xz) = cac95c18789e9ecd6620c2f278fc3900498c065b
4RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb 4RMD160 (squid-4.13.tar.xz) = e49c1b0c6154a3ec0c1ce84e1d9c1c76733cefc1
5SHA512 (squid-4.12.tar.xz) = 96fa700a0c28711eb1ec5e44e1d324dc8d3accdddbc675def8babe057e2cc71083bd3817bc37cbd9f3c03772743df578573ee3698bbd6131df68c3580ad31ef4 5SHA512 (squid-4.13.tar.xz) = 06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc
6Size (squid-4.12.tar.xz) = 2450564 bytes 6Size (squid-4.13.tar.xz) = 2452752 bytes
7SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0 7SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0
8SHA1 (patch-configure) = 0d204989666c36172f0765f2a44766d9194c7bb2 8SHA1 (patch-configure) = 0d204989666c36172f0765f2a44766d9194c7bb2
9SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326 9SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
10SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648 10SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
11SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a 11SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
12SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96 12SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
13SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38 13SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38
14SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59 14SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59
15SHA1 (patch-src_security_Handshake.cc) = 5c48ab63e7e387ff14e3a0a2d9cddfeef66782ec 15SHA1 (patch-src_security_Handshake.cc) = 5c48ab63e7e387ff14e3a0a2d9cddfeef66782ec
16SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01 16SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
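
Review bot: new line 15 still lists `SHA1 (patch-src_security_Handshake.cc)`, although this same commit removes patches/patch-src_security_Handshake.cc (-r1.1 -r0, "File Deleted"), so distinfo keeps a stale checksum entry and stays at 16 lines on both sides. Regenerate the patch checksums (make makepatchsum) so distinfo matches the patches directory. The commit message also does not say why the patch is dropped; if it is superseded by the GREASE handshake parsing change listed in the announcement, a line saying so would help.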

File Deleted: pkgsrc/www/squid4/patches/Attic/patch-src_security_Handshake.cc