author | taca <taca@pkgsrc.org> | 2015-09-22 13:39:31 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2015-09-22 13:39:31 +0000 |
commit | 4797081a66f39bd970bb61f425b24e84c55fe74d (patch) | |
tree | 50a0610c01d7eed4e4224f1076d378122a3010c8 | |
parent | 20a1581c0d3381752dd984b4f33a6eb41668e44a (diff) | |
download | pkgsrc-4797081a66f39bd970bb61f425b24e84c55fe74d.tar.gz |
Update squid3 to 3.5.9, it is a security fix release.

* SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS
  processing

  These problems allow any trusted client or external server to
  perform a denial of service attack on the Squid service and all
  other services on the same machine.

  However, the bugs are exploitable only if you have configured a
  Squid-3.5 listening port with ssl-bump.

  The visible signs of these bugs are a Squid crash or high CPU usage.
  Skype is known to trigger the crash and/or a small amount of extra CPU
  use unintentionally. Malicious traffic is possible which could have
  severe effects.

* Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords

  The SMB LanMan authentication helper in Squid-3.2 and later has been
  rejecting valid user credentials.

  Reminder: Use of this helper is deprecated. We strongly recommend
  against using it. LanMan authentication gives the illusion of
  transmitting NTLM protocol while actually transmitting username and
  password with crypto algorithms that can be decoded in real-time (this
  helper relies on that ability). The combination makes it overall less
  secure than even HTTP Basic authentication.

* TLS: Support SNI on generated CONNECT after peek

  When Squid generates CONNECT requests it will now attempt to use the
  client SNI value if any is known.

  Note that SNI is found during an ssl_bump peek action, so will only be
  available on some generated CONNECT. Intercepted traffic will always
  begin with a raw-IP CONNECT message which must pass access controls and
  adaptations before ssl_bump peek is even considered.

* Quieten UFS cache maintenance skipped warnings

  This resolves the log noise encountered since the 3.5.8 release when
  large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.

-rw-r--r-- | www/squid3/Makefile | 4 |
-rw-r--r-- | www/squid3/distinfo | 8 |
2 files changed, 6 insertions, 6 deletions
diff --git a/www/squid3/Makefile b/www/squid3/Makefile index c8cb5bc03aa..effa8ff14a7 100644 --- a/www/squid3/Makefile +++ b/www/squid3/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.52 2015/09/05 14:25:37 adam Exp $ +# $NetBSD: Makefile,v 1.53 2015/09/22 13:39:31 taca Exp $ -DISTNAME= squid-3.5.8 +DISTNAME= squid-3.5.9 CATEGORIES= www MASTER_SITES= http://www.squid-cache.org/Versions/v3/${PKGVERSION_NOREV:R}/ \ ftp://ftp.squid-cache.org/pub/squid/ \ diff --git a/www/squid3/distinfo b/www/squid3/distinfo index c45eb34f086..8cfd7e0756f 100644 --- a/www/squid3/distinfo +++ b/www/squid3/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.38 2015/09/05 14:25:37 adam Exp $ +$NetBSD: distinfo,v 1.39 2015/09/22 13:39:31 taca Exp $ -SHA1 (squid-3.5.8.tar.xz) = 4ba4b43cf9abaf7e5015ad4d2d9b628213e55044 -RMD160 (squid-3.5.8.tar.xz) = 56f8b3f20ae34845a38c77697bef6bbd66fc3523 -Size (squid-3.5.8.tar.xz) = 2295644 bytes +SHA1 (squid-3.5.9.tar.xz) = 4856ca628cafbd1cbfa0ddcbadec440e6f4c2da7 +RMD160 (squid-3.5.9.tar.xz) = 090d9ba34bf51d1bfc8d4795080024835f16c9f9 +Size (squid-3.5.9.tar.xz) = 2296384 bytes SHA1 (patch-compat_compat.h) = d6cd93fa7a6d0faad3bf1aca8ae4fa5c984fe288 SHA1 (patch-errors_Makefile.in) = afbac822ac84d5e1734d55fc625e949ae0b85289 SHA1 (patch-src_Makefile.in) = 7233a92a4f6ecc06d88e125f08f7413e0741f3b6 |
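
Review bot: In the www/squid3/Makefile hunk, the MASTER_SITES context lines fetch the distfile over plain http:// and ftp://, so for this security release the distinfo checksums are the only integrity check on squid-3.5.9.tar.xz. Please record in the commit message that the new tarball was verified against upstream's published checksums or signature before the hashes were written, rather than computed from whatever the fetch returned.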
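
Review bot: In the www/squid3/distinfo hunk, the added lines record only SHA1 and RMD160 digests for squid-3.5.9.tar.xz, and SHA1 is a weak basis for verifying a download that arrives over plaintext transport. Consider adding a stronger digest line (for example SHA512) if the distinfo tooling in this tree supports it. The patch-* SHA1 lines in the trailing context are unchanged, so also confirm those patches still apply cleanly to 3.5.9.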