Squid version 3.0 STABLE21 is out.
Actually version 3.0 STABLE22 is already out.
There is a security issue with the previous version:
The 2.7 branch also needs to be fixed and currently there is no new release available. Hopefully, there is a patch that can be added to a new ebuild:
Squid-3.0.STABLE23 has been released.
This is a correction on 3.0.STABLE22 which has now been withdrawn from
net-proxy: Can this go stable?
Forget my last post.
net-proxy: please provide updated ebuilds.
Any ETA on a new ebuild to resolve this security issue?
lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through
22.214.171.124 allows remote attackers to cause a denial of service
(assertion failure) via a crafted DNS packet that only contains a
The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0
through 3.0.STABLE23 allows remote attackers to cause a denial of
service (crash) via crafted packets to the HTCP port, which triggers
a NULL pointer dereference.
Squid 3.0.STABLE25 has been released...
(In reply to comment #9)
> Squid 3.0.STABLE25 has been released...
I took a shot at making an ebuild for 3.0.25. It looks fairly simple, renaming squid-3.0.20-r1.ebuild works, squid-3.0.20-gentoo.patch has one hunk that fails (it removes -Werror from a line and the line around the -Werror changed), and the other patches (squid-3.0.20-cross-compile.patch, squid-3.0.20-libmd5.patch, and squid-3.0.20-adapted-zph.patch) appear to apply with offsets.
After the -gentoo patch is fixed, it compiles and installs fine. I have yet to place it in a test environment. Let me know if I should attach the updated patches to this ticket.
Sure, that would be nice - I think the net-proxy herd will appreciate it.
If you could test them - even better. :)
Created attachment 225165
Updated -gentoo patch, with fix for broken hunk
Created attachment 225167
Updated cross-compile patch for offset changes
Created attachment 225169
Updated libmd5 patch for offset changes
Created attachment 225171
Updated adapted-zph patch for offset changes
*** Bug 311653 has been marked as a duplicate of this bug. ***
@net-proxy: Can someone bump?
3.0.25 is out, but now considered "old".
Squid 3.1.1 is out and "new stable".
Maybe bumping to the 3.1 tree is preferred?!
squid-2.7.9 and squid-3.1.6 were added to the tree.
Arch teams, please stabilize both versions.
(In reply to comment #19)
> squid-2.7.9 and squid-3.1.6 were added to the tree.
> Arch teams, please stabilize both versions.
both x86 stable
(In reply to comment #20)
> (In reply to comment #19)
> > squid-2.7.9 and squid-3.1.6 were added to the tree.
> > Arch teams, please stabilize both versions.
> both x86 stable
You missed net-libs/libecap
net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0) ['net-libs/libecap']
leading to broken deptree
(In reply to comment #21)
> You missed net-libs/libecap
> net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0)
> leading to broken deptree
Fixed now, sorry. Not sure why my repoman didn't complain.
Stable for HPPA.
Stable for PPC.
*** Bug 304751 has been marked as a duplicate of this bug. ***
I had to add a new patch to fix bug 331965.
Please resume stabilization process on net-proxy/squid-3.1.6-r1.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64 hppa ppc x86"
Missing keywords: "alpha arm ia64 ppc64 sparc"
@ppc64 team: You forgot to stabilize squid-2.7.9.
GLSA Vote: Yes, remote DoS from potentially unauthenticated attackers.
YES, too. GLSA with #334263
Could be closed; no longer in the CVS tree.
This issue was resolved and addressed in
GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).