- Malicious users may spoof DNS lookups if the DNS client UDP port (random,
assigned by OS at startup) is unfiltered and your network is not protected
from IP spoofing.
- CVE-1999-0710, adds access controls to the cachemgr.cgi script, preventing
it from being abused to reach other servers than allowed in a local
configuration file.
Fixes 2 major issues over STABLE7 + the previous round of patches.
- Data corruption when HTTP reply headers are split in several packets
- Assertion failure on certain odd DNS responses
add most of the latest distribution patches which include 4 security
fixes.
- Correct handling of oversized reply headers
- Buffer overflow in WCCP recvfrom() call
- Strengthen Squid from HTTP response splitting cache pollution attack
- Reject malformed HTTP requests and responses that conflict with the HTTP specifications
A bug exists in the code that parses responses from Gopher servers.
The bug results in a buffer overflow if a Gopher server returns a
line longer than 4096 bytes. The overflow results in memory
corruption and usually crashes Squid.
CAN-2005-0094
A bug exists in the code that parses WCCP messages. An attacker
that sends a malformed WCCP message, with a spoofed source address
matching Squid's "home router" can crash Squid.
CAN-2005-0095
A parsing error exists in the SNMP module of Squid where a
specially-crafted UDP packet can potentially cause the server to
restart, closing all current connections.
- add snmp FLAVOR from Joel CARNAT <joel at carnat dot net>
- add some auth types and auth/acl helpers
- add NTLM auth SMB patch even though the default port does NOT compile this support in
i386-unknown-freebsd3.5 when I'm actually on a powerpc-unknown-openbsd3.0
system, turns out there is a stale auto-generated autoconf.h in the
distfile.
squid-2.3.stable4-carp-assertion.patch
Comparing floating point numbers for equality is tricky. The old way can cause an assertion even though two numbers actually do add up to 1.
squid-2.3.stable4-accel_only_access.patch
clientAccessCheck incorrectly returns ACCESS_ALLOWED for proxy requests
when configured as an HTTP accelerator only
squid-2.3.stable4-html_quoting.patch
Everywhere where Squid inserts text received from the network into a HTML
page (error pages, FTP listings, Gopher listings, ...) care must be taken
to ensure that the text is properly encoded as HTML, or a malicious user
might be able to insert script code or other HTML tags, and exploit the
web browser of any user visiting their page or clicking on that funny link
received in an email.
squid-2.3.stable4-ipfw_configure.patch
The configure script uses "==" when it should use "=" for /bin/test
squid-2.3.stable4-invalid_ip_acl_entry.patch
The code that scans ACL tokens for IP addresses and hostnames couldn't
tell that "123.foo.com" is a hostname rather than an IP address
config directory that has to be removed
- change a whole bunch of vars in INSTALL from ${FOO} to $FOO so they do
not get substituted and have the substitution occur only once at the top
of the INSTALL script
- NOTE: you can now override the dir used for cache/logs by using the
variable STATEDIR. i.e., "make STATEDIR=/alternate/dir package", and it
will be substituted into the INSTALL/DEINSTALL scripts.
- change MAINTAINER, ports@ -> brad@
- add 2 distribution patches;
squid-2.2.stable5-domain-match.patch
Matching a hostname and a domain name doesn't always work, depending on
leading dots and other edge conditions. Plus, the code for matching in
ACLs worked one way, while the code for matching 'cache_peer_domain' list
worked slightly differently.
The patch below makes all host/domain matching operate the same way. It
also changes the rules a bit, so your current configuration probably will
not work the way you want after applying this patch.
- patch was included in the patches dir because of the difference in
relative path in comparison to all the other distribution patches.
squid-2.2.stable5-mkhttpdlogtime-end-of-year.patch = patch-ai
mkhttpdlogtime() generates a date string of the form 31/Dec/1999:23:59:59 +0900.
But when the year changes, the timezone offset will be wrong, for example:
01/Jan/2000:00:00:00 -1500.
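
The year-end symptom above, as an added example that is not code from Squid or from this port: it assumes the offset is derived from the `tm_yday` difference between local time and UTC, which reproduces the `-1500` value quoted in the message, and shows a wrap-aware variant beside it. All function names are hypothetical and the sample timestamp is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Offset of local time from UTC in minutes, using tm_yday for the day
 * difference. fix_wrap == 0 ignores the year boundary (the failure mode). */
static int tz_offset_minutes(const struct tm *lt, const struct tm *gmt,
                             int fix_wrap)
{
    int day_offset = lt->tm_yday - gmt->tm_yday;

    /* Local and UTC dates are at most one day apart, so a larger gap
     * means tm_yday wrapped from 364/365 back to 0 at the new year. */
    if (fix_wrap && day_offset > 1)
        day_offset = -1;
    else if (fix_wrap && day_offset < -1)
        day_offset = 1;
    return day_offset * 1440 + (lt->tm_hour - gmt->tm_hour) * 60
        + (lt->tm_min - gmt->tm_min);
}

/* Render the offset as +HHMM / -HHMM, keeping the hours within one day. */
static void format_offset(int min_offset, char *out, size_t n)
{
    int m = abs(min_offset);
    snprintf(out, n, "%c%02d%02d", min_offset < 0 ? '-' : '+',
             (m / 60) % 24, m % 60);
}

/* Constructed sample: 01/Jan/2000:00:00:00 local at UTC+9, which is
 * 31/Dec/1999 15:00:00 UTC (tm_yday 364; 1999 is not a leap year). */
static const char *year_end_offset(int fix_wrap)
{
    static char buf[16];
    struct tm lt = {0}, gmt = {0};

    lt.tm_yday = 0;    lt.tm_hour = 0;
    gmt.tm_yday = 364; gmt.tm_hour = 15;
    format_offset(tz_offset_minutes(&lt, &gmt, fix_wrap), buf, sizeof(buf));
    return buf;
}

int main(void)
{
    printf("no wrap handling: 01/Jan/2000:00:00:00 %s\n", year_end_offset(0));
    printf("wrap handled:     01/Jan/2000:00:00:00 %s\n", year_end_offset(1));
    return 0;
}
```

A wrong offset on the first log lines of a year shifts those entries by a full day when they are normalised to UTC, which matters when access logs are correlated with other sources during an investigation.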