pkgsrc-Changes archive
CVS commit: pkgsrc/www/squid3
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 2 09:07:40 UTC 2016
Modified Files:
pkgsrc/www/squid3: Makefile distinfo
Log Message:
Update squid3 package to 3.5.16, fixing several security problems.
Please refer to the release notes for other changes:
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
* SQUID-2016:4 - Denial of Service issue in HTTP Response processing
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
aka. CVE-2016-3948
This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
"String.cc:*: 'len_ + len <65536'"
There is an attack in the wild for this one, but not as widely as for
the previous issues.
* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
aka. CVE-2016-3947
This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.
All previous Squid-3 releases are affected by both these issues. See the
advisory for further details. Upgrade or patching should be considered a
high priority.
* pinger: drop capabilities on Linux
On Linux, it is now possible to install pinger helper with only
CAP_NET_RAW permissions raised instead of full setuid-root:
(setcap cap_net_raw+ep /path/to/pinger &&
chmod u-s /path/to/pinger) || :
Other operating systems without libcap capabilities features are not
affected by this change.
* Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion
This rather crippling bug appears after the CVE-2016-2569 patch. It
turned out to be a race condition closing connections and has now been
fully fixed.
To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 pkgsrc/www/squid3/Makefile
cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/squid3/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
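An added check for the pinger capability change described in the log above (example code, not part of pkgsrc or Squid): it classifies an installed pinger helper as setuid-root, capability-only, or otherwise, from its stat() bits and the output of getcap(8). The getcap output formats handled (`path = cap_net_raw+ep` and `path cap_net_raw=ep`) are assumptions about libcap versions, and the sample lines in the comments are constructed.

```python
"""Classify how a Squid pinger helper obtains raw-socket privilege:
full setuid-root (old model) or only CAP_NET_RAW via file capabilities
(the model the 3.5.16 packaging change allows on Linux)."""
import os
import re
import shutil
import stat
import subprocess

# getcap(8) prints either "/path/pinger = cap_net_raw+ep" (assumed older
# libcap format) or "/path/pinger cap_net_raw=ep" (assumed newer format).
_CAP_RE = re.compile(r"(?:=\s*|\s)([a-z0-9_,]+)[=+]([a-z]+)\s*$")


def parse_getcap(line: str) -> set:
    """Return the set of capability names in one getcap output line."""
    m = _CAP_RE.search(line.strip())
    if not m:
        return set()
    return set(m.group(1).split(","))


def assess_pinger(mode: int, uid: int, caps: set) -> str:
    """Classify the privilege model from st_mode, st_uid and file caps."""
    if mode & stat.S_ISUID and uid == 0:
        return "setuid-root"          # full root while pinger runs
    if caps == {"cap_net_raw"}:
        return "capability-only"      # exactly what pinger needs
    if caps:
        return "excess-capabilities"  # more than cap_net_raw was granted
    return "unprivileged"             # raw sockets would fail with EPERM


def check_installed(path: str) -> str:
    """Assess a real file on this host; needs getcap(8) to see capabilities."""
    st = os.stat(path)
    caps = set()
    if shutil.which("getcap"):
        out = subprocess.run(["getcap", path], capture_output=True,
                             text=True, check=False).stdout
        caps = parse_getcap(out)
    return assess_pinger(st.st_mode, st.st_uid, caps)


if __name__ == "__main__":
    # Constructed sample: a pinger that still carries the setuid bit.
    print(assess_pinger(0o104755, 0, set()))
```

After applying the `setcap cap_net_raw+ep` and `chmod u-s` steps from the log, `check_installed("/path/to/pinger")` should report `capability-only`; `setuid-root` means the chmod step did not take effect.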