Actually version 3.0 STABLE22 is already out.

There is a security issue with previous version:
http://www.squid-cache.org/Advisories/SQUID-2010_1.txt

The 2.7 branch also needs to be fixed and currently there is no new release available. Hopefully, there is a patch that can be added to a new ebuild:
 http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch

Squid-3.0.STABLE23 has been released.

This is a correction on 3.0.STABLE22 which has now been withdrawn from 
circulation.

Comment 4 Stefan Behte (RETIRED) 2010-02-08 14:53:32 UTC

net-proxy: Can this go stable?

Comment 5 Stefan Behte (RETIRED) 2010-02-08 15:01:05 UTC

Forget my last post.

net-proxy: please provide updated ebuilds. 

Any ETA on a new ebuild to resolve this security issue?

Thanks...

Comment 7 Alex Legler (RETIRED) 2010-03-05 13:10:38 UTC

CVE-2010-0308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308):
  lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through
  3.1.0.15 allows remote attackers to cause a denial of service
  (assertion failure) via a crafted DNS packet that only contains a
  header.

CVE-2010-0639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639):
  The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0
  through 3.0.STABLE23 allows remote attackers to cause a denial of
  service (crash) via crafted packets to the HTCP port, which triggers
  a NULL pointer dereference.

Comment 8 Alex Legler (RETIRED) 2010-03-05 13:16:14 UTC

net-proxy: ping!

Squid 3.0.STABLE25 has been released...

(In reply to comment #9)
> Squid 3.0.STABLE25 has been released...
> 

And 2.7.STABLE8!

I took a shot at making an ebuild for 3.0.25.  It looks fairly simple, renaming squid-3.0.20-r1.ebuild works, squid-3.0.20-gentoo.patch has one hunk that fails (it removes -Werror from a line and the line around the -Werror changed), and the other patches (squid-3.0.20-cross-compile.patch, squid-3.0.20-libmd5.patch, and squid-3.0.20-adapted-zph.patch) appear to apply with offsets.

After the -gentoo patch is fixed, it compiles and installs fine.  I have yet to place it in a test environment.  Let me know if I should attach the updated patches to this ticket.

Comment 12 Stefan Behte (RETIRED) 2010-03-24 23:20:58 UTC

Sure, that would be nice - I think the net-proxy herd will appreciate it.
If you could test them - even better. :)

Created attachment 225165 [details, diff]
Updated -gentoo patch, with fix for broken hunk

Created attachment 225167 [details, diff]
Updated cross-compile patch for offset changes

Created attachment 225169 [details, diff]
Updated libmd5 patch for offset changes

Created attachment 225171 [details, diff]
Updated adapted-zph patch for offset changes

Comment 17 Kacper Kowalik (Xarthisius) (RETIRED) 2010-03-28 10:31:11 UTC

*** Bug 311653 has been marked as a duplicate of this bug. ***

Comment 18 Stefan Behte (RETIRED) 2010-04-09 16:14:26 UTC

@net-proxy: Can someone bump?

FYI: 
3.0.25 is out, but now considered "old".
Squid 3.1.1 is out and "new stable".

Maybe bumping to the 3.1 tree is prefered?!

Comment 19 Alin Năstac (RETIRED) 2010-08-07 06:45:45 UTC

squid-2.7.9 and squid-3.1.6 were added to the tree.
Arch teams, please stabilize both versions.

Comment 20 Paweł Hajdan, Jr. (RETIRED) 2010-08-07 17:55:47 UTC

(In reply to comment #19)
> squid-2.7.9 and squid-3.1.6 were added to the tree.
> Arch teams, please stabilize both versions.

both x86 stable

Comment 21 Markos Chandras (RETIRED) 2010-08-08 12:00:12 UTC

(In reply to comment #20)
> (In reply to comment #19)
> > squid-2.7.9 and squid-3.1.6 were added to the tree.
> > Arch teams, please stabilize both versions.
> 
> both x86 stable
> 
You missed net-libs/libecap

  net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0) ['net-libs/libecap']

leading to broken deptree


amd64 done

Comment 22 Paweł Hajdan, Jr. (RETIRED) 2010-08-08 14:16:16 UTC

(In reply to comment #21)
> You missed net-libs/libecap
> 
>   net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0)
> ['net-libs/libecap']
> 
> leading to broken deptree

Fixed now, sorry. Not sure why my repoman didn't complain.

Comment 23 Jeroen Roovers (RETIRED) 2010-08-09 04:34:34 UTC

Stable for HPPA.

Comment 24 Jeroen Roovers (RETIRED) 2010-08-09 17:51:15 UTC

Stable for PPC.

Comment 25 Alex Legler (RETIRED) 2010-08-10 14:55:55 UTC

*** Bug 304751 has been marked as a duplicate of this bug. ***

Comment 26 Alin Năstac (RETIRED) 2010-08-12 06:31:58 UTC

I had to add a new patch to fix bug 331965.
Please resume stabilization process on net-proxy/squid-3.1.6-r1.

Comment 27 Alex Legler (RETIRED) 2010-08-30 11:12:51 UTC

Explicit request:

Arches, please test and mark stable:
=net-proxy/squid-3.1.6-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64 hppa ppc x86"
Missing keywords: "alpha arm ia64 ppc64 sparc"

Comment 28 Raúl Porcel (RETIRED) 2010-09-04 14:45:56 UTC

alpha/arm/ia64/sparc stable

Comment 29 Brent Baude (RETIRED) 2010-09-06 20:20:16 UTC

ppc64 done

Comment 30 Brent Baude (RETIRED) 2010-09-06 20:24:29 UTC

ppc64 done

Comment 31 Alin Năstac (RETIRED) 2010-09-23 21:27:14 UTC

@ppc64 team: You forgot to stabilize squid-2.7.9. 

Comment 32 Brent Baude (RETIRED) 2010-10-01 14:54:34 UTC

ppc64 done

Comment 33 Tim Sammut (RETIRED) 2010-11-19 18:43:00 UTC

GLSA Vote: Yes, remote DoS from potentially unauthenticated attackers.

Comment 34 Stefan Behte (RETIRED) 2010-11-21 16:51:55 UTC

YES, too. GLSA with #334263 

could be closed, not more in cvs tree

Comment 36 GLSAMaker/CVETool Bot 2011-10-26 20:47:59 UTC

This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).