If we need to make an exception we can do it and properly document the
reason but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d so this has
no impact there.
discussed with sthen@, tb@ and robert@
praying that my grep/sed skills did not break anything and still
believing in portbump :-)
that to use it you will need to raise net.unix.dgram.sendspace above the
default of 2048 (it's trying to sendmsg a little above 4k). Add @sample
for the default dirs used for ipc communications.
Only lightly tested, but it's easier to test further if it's in the
default build.
Thanks tb@ for assistance in tracking down the limit that I was hitting.
For the benefit of future searches, the log message from squid when hitting
this case is:
src/comm/Write.cc(120) HandleWrite: FD 30 write failure: (40) Message too long
useless without samba's winbind, and an auth helper that calls smbclient via
a script to do some proxy auth, which is not exactly great, and in any
event doesn't need to be a subpackage.
For actual Squid auth against Windows directories look at the krb5 flavour
instead and the msktutil package may help; give a hint at this in the
package description.
SQUID-2021:1 Denial of Service in URN processing
SQUID-2021:2 Denial of Service in HTTP Response Processing
SQUID-2021:3 Denial of Service issue in Cache Manager
SQUID-2021:4 Multiple issues in HTTP Range header
SQUID-2021:5 Denial of Service in HTTP Response Processing
SQUID-2020:3 - Due to incorrect buffer handling Squid is vulnerable to
cache poisoning, remote execution, and denial of service attacks when
processing ESI responses.
SQUID-2020:4 - Due to an integer overflow bug Squid is vulnerable to
credential replay and remote code execution attacks against HTTP Digest
Authentication tokens.
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
quick update notes below, but you should still review upstream's
RELEASENOTES.html if you use this.
- if you explicitly configure sslcrtd_program (for advanced tls mitm
configurations) you need to change from /usr/local/libexec/squid/sslcrtd
to /usr/local/libexec/squid/security_file_certgen in your config (if you
just use options on the http_port line to enable this without extra
config, this doesn't need to change).
- if using a cert helper disk cache, you may need to clear/reinitialize
the directory (not mentioned in release notes but I needed this).
- the SMB_LM helpers (for old lanmanager protocol, which should not be
used anyway) are no longer packaged, following upstream's change in default
build.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.
This problem is limited to Squid operating as reverse proxy.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
