| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
Add official patches for security fix to CVE-2022-41317 and CVE-2022-41318.
Bump PKGREVISION.
|
|
Trying to remove references to the build directory related to PKG_CONF*.
|
|
|
|
|
|
|
|
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts):
www/nghttp2/distinfo
Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
|
|
its buildlink3.mk now includes openssl's buildlink3.mk
|
|
Changes in squid-4.17 (03 Oct 2021):
- WCCP: Validate packets better
|
|
|
|
|
|
Changes in squid-4.16 (04 Jul 2021):
- Regression Fix: --with-valgrind-debug build broken since 4.15
- Bug 5129 pt1: remove Lock use from HttpRequestMethod
- Bug 5128: Translation: Fix '% i' typo in es/ERR_FORWARDING_DENIED
- Bug 4528: ICAP transactions quit on async DNS lookups
|
|
|
|
This release fixes these security issues from prior release.
* SQUID-2020:11 HTTP Request Smuggling
(CVE-2020-25097)
* SQUID-2021:1 Denial of Service in URN processing
(CVE-2021-28651)
* SQUID-2021:2 Denial of Service in HTTP Response Processing
(CVE-2021-28662)
* SQUID-2021:3 Denial of Service issue in Cache Manager
(CVE-2021-28652)
* SQUID-2021:4 Multiple issues in HTTP Range header
(CVE-2021-31806, CVE-2021-31807, CVE-2021-31808)
* SQUID-2021:5 Denial of Service in HTTP Response Processing
(CVE pending allocation)
Changes in squid-4.15 (10 May 2021):
- Bug 5112: Excessively loud chunked reply parsing error reporting
- Bug 5106: Broken cache manager URL parsing
- Bug 5104: Memory leak in RFC 2169 response parsing
- Bug 3556: "FD ... is not an open socket" for accept() problems
- Profiling: CPU timing implemented for MAC non-x86
- Fix HttpHeaderStats definition to include hoErrorDetail
- Fix Squid-to-client write_timeout triggers client_lifetime timeout
- Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs
- Handle more Range requests
- Handle more partial responses
- Stop processing a response if the Store entry is gone
- ... and some portability fixes
- ... and some documentation updates
|
|
|
|
|
|
Changes in squid-4.14 (02 Feb 2021):
- Regression Fix: support for non-lowercase Transfer-Encoding value
- Regression Fix: cachemgr.cgi wrong 403 response to authenticated menu URIs
- Bug 5076: WCCP Security Info incorrect
- Bug 5073: Compile error: index was not declared in this scope
- Bug 5065: url_rewrite_program documentation update
- Bug 3074 pt2: improved handling of URI paths implicit '/'
- Fix transactions exceeding client_lifetime logged as _ABORTED
|
|
|
|
|
|
Update squid4 to 4.13 (Squid 4.13).
Here is release announce:
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.13 release!
This release is a security release resolving several issues found in
the prior Squid releases.
The major changes to be aware of:
* SQUID-2020:8 HTTP(S) Request Splitting
(CVE-2020-15811)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv>
* SQUID-2020:9 Denial of Service processing Cache Digest Response
(CVE pending allocation)
This problem allows a trusted peer to deliver to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.
This attack is limited to Squid using cache_peer with cache
digests feature.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg>
* SQUID-2020:10 HTTP(S) Request Smuggling
(CVE-2020-15810)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m>
* Bug 5051: Some collapsed revalidation responses never expire
This bug appears as a 4xx or 5xx status response becoming the only
response delivered by Squid to a URL when Collapsed Forwarding
feature is used.
It primarily affects Squid which are caching the 4xx/5xx status
object since Bug 5030 fix in Squid-4.11. But may have been
occurring for short times on any proxy with Collapsed Forwarding.
* SSL-Bump: Support parsing GREASEd (and future) TLS handshakes
Chrome Browser intentionally sends random garbage values in the
TLS handshake to force TLS implementations to cope with future TLS
extensions cleanly. The changes in Squid-4.12 to disable TLS/1.3
caused our parser to be extra strict and reject this TLS garbage.
This release adds explicit support for Chrome, or any other TLS
agent performing these "GREASE" behaviours.
* Honor on_unsupported_protocol for intercepted https_port
This behaviour was one of the intended use-cases for unsupported
protocol handling, but somehow was not enabled earlier.
Squid should now be able to perform the on_unsupported_protocol
selected action for any traffic handled by SSL-Bump.
All users of Squid are urged to upgrade as soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
|
|
Changes:
- Fix an error where strings.h was not properly included
- Add SMF support on apropriate platforms
- Backport https://github.com/squid-cache/squid/pull/663:
SslBump: Support parsing GREASEd (and future) TLS handshakes
|
|
Rename two PKG_OPTIONS.
ecap -> squid-ecap
esi -> squid-esi
Suggested by wiz@ via private mail.
|
|
Update squid4 to 4.12 (Squid 4.12). This release includes fix for
CVE-2020-14058: <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt>.
Changes to squid-4.12 (05 Jun 2020):
- Regression Fix: Revert to slow search for new SMP shm pages
- Bug 5045: ext_edirectory_userip_acl is missing include files
- Bug 5041: Missing Debug::Extra breaks build on hosts with systemd
- Bug 5030: Negative responses are never cached
- HTTP: validate Content-Length value prefix
- HTTP: add flexible RFC 3986 URI encoder
- SslBump: disable OpenSSL TLSv1.3 support for older TLS traffic
- Tests: Support passing a custom config.cache to test builds
- Fix IPFilter IPv6 detection, especially on NetBSD
- Fix stall if transaction overwrites a recently active cache entry
- ... and some compile fixes
|
|
|
|
|
|
Changes to squid-4.11 (18 Apr 2020):
- Bug 5036: capital 'L's in logs when daemon queue overflows
- Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations
- Bug 5016: systemd thinks Squid is ready before Squid listens
- kerberos_ldap_group: fix encryption type for cross realm check
- HTTP: Ignore malformed Host header in intercept and reverse proxy mode
- Fix Digest authentication nonce handling
- Supply ALE to request_header_add/reply_header_add
- ... and some documentation updates
- ... and some compile fixes
|
|
underscores
|
|
- including correct headers in configure tests
- using correct autoconf value output by configure
Bump PKGREVISION
|
|
|
|
pkgsrc changes: clean up PKG_OPTIONS and enable several backends default.
Quote from release announce:
This release is a security release resolving several issues found in
the prior Squid releases.
The major changes to be aware of:
* SQUID-2020:1 Improper Input Validation issues in HTTP Request
processing
(CVE-2020-8449, CVE-2020-8450)
This issue allows attackers to perform denial of service on the
proxy and all clients using it.
This issue potentially allows attackers to bypass security access
controls in systems between client and proxy.
This issue potentially allows remote code execution under the
proxy low-privilege level. While restricted, it does have access
to a wide range of information about the network structure and
other clients using the proxy.
This issue is limited to Squid acting as a reverse-proxy. Some
effects also require allow_direct permissions.
See the advisory for updated patches:
<http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>
Please note that NTLM is a deprecated authentication mechanism.
All users of this tool are advised to plan migration to
Negotiate/Kerberos authentication.
* SQUID-2020:2 Information Disclosure issue in FTP Gateway.
(CVE-2019-12528)
Certain FTP server responses can result in Squid revealing
random amounts of memory content from heap.
When Squid mempools feature is enabled the leak is limited to
lines in FTP directory listings, possibly from other clients.
When mempools is disabled the information may be anything from
the heap area including information from other processes on the
machine.
See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>
* SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
(CVE-2020-8517)
This problem is limited to installations using the ext_lm_group_acl
binary (previously shipped as mswin_check_lm_group).
Due to incorrect input validation the NTLM authentication
credentials parser in ext_lm_group_acl may write to memory
outside the credentials buffer.
On systems with memory access protections this can result in
the the helper process being terminated unexpectedly. Resulting
in Squid process also terminating and a denial of service for
all clients using the proxy.
See the advisory for more details:
<http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>
* Bug 5008: SIGBUS in PagePool::level() with custom rock slot size
This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
issues was incorrect memory alignment with certain cache sizes. This
Squid release now forces alignment of the critical rock page details.
* Bug 4735: Truncated chunked responses cached as whole
This bug shows up as clients getting the cached truncated response
objects until the cache object expires or is force removed.
In absence of partial-object caching this Squid release treats
incomplete responses as non-cacheable and prevents the chunked encoding
terminator chunk being delivered to the active client(s).
* Fix server_cert_fingerprint on cert validator-reported errors
This bug shows up as a server_cert_fingerprint ACL mismatch when
sslproxy_cert_error directive was applied to validation errors reported
by the certificate validator, because the ACL could not find the server
certificate.
All users of Squid are urged to upgrade as soon as possible.
|
|
|
|
There is a package option for it, use it so that openldap is correctly
pulled in when enabled.
|
|
|
|
|
|
Add squid4 package version 4.9 based on wip/squid4 package.
Squid is a fully-featured HTTP/1.0 proxy with partial HTTP/1.1 support
The 4 series brings many new features and upgrades to the basic
networking protocols. A short list of the major new features is:
Squid 4 represents a new feature release above 3.5.
The most important of these new features are:
* Configurable helper queue size
* Helper concurrency channels changes
* SSL support removal
* Helper Binary Changes
* Secure ICAP
* Improved SMP support
* Improved process management
* Initial GnuTLS support
* ESI Custom Parser removal
|
