Squid version 3.0 STABLE21 is out.
Reproducible: Always
Actually version 3.0 STABLE22 is already out. There is a security issue with previous version: http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
The 2.7 branch also needs to be fixed and currently there is no new release available. Hopefully, there is a patch that can be added to a new ebuild: http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch
Squid-3.0.STABLE23 has been released. This is a correction on 3.0.STABLE22 which has now been withdrawn from circulation.
net-proxy: Can this go stable?
Forget my last post. net-proxy: please provide updated ebuilds.
Any ETA on a new ebuild to resolve this security issue? Thanks...
CVE-2010-0308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308): lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header.

CVE-2010-0639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639): The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0 through 3.0.STABLE23 allows remote attackers to cause a denial of service (crash) via crafted packets to the HTCP port, which triggers a NULL pointer dereference.
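To show the defensive check the rfc1035.c issue above calls for, here is an added example (not Squid's code and not the upstream fix): a hypothetical dns_validate() that verifies every section count in a DNS header is backed by bytes in the buffer, so a header-only packet is reported as truncated instead of triggering an assertion. The sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define DNS_HEADER_LEN 12
/* Result of the hypothetical validator (illustrative, not Squid's API). */
enum dns_check { DNS_OK = 0, DNS_TOO_SHORT = 1, DNS_TRUNCATED = 2 };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Advance *off past one wire-format name; return 0 if it would run past len. */
static int skip_name(const uint8_t *buf, size_t len, size_t *off) {
    while (*off < len) {
        uint8_t lab = buf[*off];
        if (lab == 0) { (*off)++; return 1; }            /* root label ends the name */
        if ((lab & 0xC0) == 0xC0) {                       /* compression pointer: 2 bytes */
            if (*off + 2 > len) return 0;
            *off += 2; return 1;
        }
        if (lab > 63 || *off + 1 + lab > len) return 0;  /* label overruns the buffer */
        *off += 1 + lab;
    }
    return 0;                                             /* ran out of bytes mid-name */
}
/* Check that every count in the header is backed by real bytes. A header-only
 * packet with nonzero counts is reported as truncated instead of asserting. */
enum dns_check dns_validate(const uint8_t *buf, size_t len) {
    if (len < DNS_HEADER_LEN) return DNS_TOO_SHORT;
    uint16_t qd = rd16(buf + 4), an = rd16(buf + 6), ns = rd16(buf + 8), ar = rd16(buf + 10);
    size_t off = DNS_HEADER_LEN;
    for (uint16_t i = 0; i < qd; i++) {                   /* question: NAME QTYPE QCLASS */
        if (!skip_name(buf, len, &off) || off + 4 > len) return DNS_TRUNCATED;
        off += 4;
    }
    uint32_t rrs = (uint32_t)an + ns + ar;
    for (uint32_t i = 0; i < rrs; i++) {                  /* RR: NAME + 10 fixed bytes + RDATA */
        if (!skip_name(buf, len, &off) || off + 10 > len) return DNS_TRUNCATED;
        uint16_t rdlen = rd16(buf + off + 8);
        off += 10;
        if (off + rdlen > len) return DNS_TRUNCATED;
        off += rdlen;
    }
    return DNS_OK;
}
/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_HEADER_ONLY[12] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0 };
static const uint8_t SAMPLE_RESPONSE[35] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,       /* header: QDCOUNT=1 ANCOUNT=1 */
    0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01,              /* question: "a." type A class IN */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0, 0, 0, 0x3C,    /* answer: name ptr, A, IN, TTL 60 */
    0x00, 0x04, 10, 0, 0, 1 };                            /* RDLENGTH 4, RDATA 10.0.0.1 */
```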
net-proxy: ping!
Squid 3.0.STABLE25 has been released...
(In reply to comment #9)
> Squid 3.0.STABLE25 has been released...

And 2.7.STABLE8!
I took a shot at making an ebuild for 3.0.25. It looks fairly simple, renaming squid-3.0.20-r1.ebuild works, squid-3.0.20-gentoo.patch has one hunk that fails (it removes -Werror from a line and the line around the -Werror changed), and the other patches (squid-3.0.20-cross-compile.patch, squid-3.0.20-libmd5.patch, and squid-3.0.20-adapted-zph.patch) appear to apply with offsets. After the -gentoo patch is fixed, it compiles and installs fine. I have yet to place it in a test environment. Let me know if I should attach the updated patches to this ticket.
Sure, that would be nice - I think the net-proxy herd will appreciate it. If you could test them - even better. :)
Created attachment 225165 [details, diff] Updated -gentoo patch, with fix for broken hunk
Created attachment 225167 [details, diff] Updated cross-compile patch for offset changes
Created attachment 225169 [details, diff] Updated libmd5 patch for offset changes
Created attachment 225171 [details, diff] Updated adapted-zph patch for offset changes
*** Bug 311653 has been marked as a duplicate of this bug. ***
@net-proxy: Can someone bump? FYI: 3.0.25 is out, but now considered "old". Squid 3.1.1 is out and "new stable". Maybe bumping to the 3.1 tree is preferred?!
squid-2.7.9 and squid-3.1.6 were added to the tree. Arch teams, please stabilize both versions.
(In reply to comment #19)
> squid-2.7.9 and squid-3.1.6 were added to the tree.
> Arch teams, please stabilize both versions.

Both x86 stable.
(In reply to comment #20)
> (In reply to comment #19)
> > squid-2.7.9 and squid-3.1.6 were added to the tree.
> > Arch teams, please stabilize both versions.
>
> both x86 stable

You missed net-libs/libecap:

net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0) ['net-libs/libecap']

leading to a broken deptree.

amd64 done.
(In reply to comment #21)
> You missed net-libs/libecap
>
> net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0)
> ['net-libs/libecap']
>
> leading to broken deptree

Fixed now, sorry. Not sure why my repoman didn't complain.
Stable for HPPA.
Stable for PPC.
*** Bug 304751 has been marked as a duplicate of this bug. ***
I had to add a new patch to fix bug 331965. Please resume stabilization process on net-proxy/squid-3.1.6-r1.
Explicit request: Arches, please test and mark stable: =net-proxy/squid-3.1.6-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64 hppa ppc x86"
Missing keywords: "alpha arm ia64 ppc64 sparc"
alpha/arm/ia64/sparc stable
ppc64 done
@ppc64 team: You forgot to stabilize squid-2.7.9.
GLSA Vote: Yes, remote DoS from potentially unauthenticated attackers.
YES, too. GLSA with #334263
Could be closed, no longer in the CVS tree.
This issue was resolved and addressed in GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml by GLSA coordinator Tim Sammut (underling).