<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ Handle odd data formats (squid bug #321)
+ reload_into_ims fails to revalidate negatively cached entries
(squid bug #1159)
+ Clarify delay_access function (squid bug #1245)
+ Check several squid.conf directives for int overflows (squid bug #1247)
+ Use memset(3) instead of bzero(3) (squid bug #1256)
+ Fix compile warnings due to pid_t not being an int (squid bug #1257)
+ Fix incorrect use of ctype functions (squid bug #1259)
+ Defer digest fetch if the peer is not allowed to be used (squid bug #1262)
+ Extend relaxed_header_parser to work around "excess data from" errors from
many major web servers (squid bug #1265)
- Enable IPFilter based transparent proxying on all FreeBSD versions where
IPFilter headers are part of the base system (i.e. RELENG_4 < 4.7-RELEASE,
RELENG_5 and 6-CURRENT). Create a new OPTION WITH_SQUID_IPFILTER for this
purpose. Thanks to sem@ for keeping track of this issue!
PR: ports/78780
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- correct a race condition related to the Set-Cookie header
- correct the FTP parser with regards to the EPLF format
(squid bug #1252)
- correct FTP listing output when the URL was requested without a trailing
slash (squid bug #1253)
- make ACL configuration errors fatal (squid bug #1255)
PR: ports/78446
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- fix some cross-platform build format warnings
- allow high characters in generated FTP and Gopher directory listings
(squid bug #1220)
- cleanup generation of FTP URLs
- relax the newly introduced strict HTTP parser slightly to work around some
more malformed HTTP responses (squid bug #1242)
PR: ports/77779
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- Integrate a vendor patch from:
http://www.squid-cache.org/Versions/v2/2.5/bugs/
it fixes a major problem regarding the handling of invalid DNS responses
PR: ports/77423
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ Reject malformed HTTP requests and responses that conflict with the HTTP
specifications
This issue is qualified as a security issue by the vendor.
+ PURGE is allowed to delete internal objects (squid bug #1112)
+ Disable Path-MTU discovery on intercepted requests (squid bug #1154)
(VuXML vid=b4d94fa0-6e38-11d9-9e1e-c296ac722cb3)
- Clean up and correct package list generation. Now installed files
and directories are visible via PLIST_FILES and PLIST_DIRS.
- Don't claim that squid related files or directories are still present
after deinstallation when in fact they are not.
- Add "-g" to CFLAGS when WITH_SQUID_STACKTRACES is defined to make this
option actually useful.
PR: ports/76628
Submitted by: maintainer
attack and other patches
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- FTP data connection fails on some FTP servers when requesting
a directory without a trailing slash (squid bug #1194)
- Icons fail to load on non-anonymous FTP when using the
short_icons_url configuration directive (squid bug #1203)
- Strengthen squid against HTTP response splitting cache pollution
attacks (squid bug #1200), classified as security issue by
the vendor
Proposed VuXML information, entry date left to be filled in:
(Note: I added only a publicly accessible link to the Sanctum,
Inc. whitepaper, the squid bug tracker contains a deep link
to the PDF itself; if we are allowed to publish it, it could
instead be used as reference because Sanctum, Inc. wants you
to register with them before you get access to their whitepapers.)
PR: ports/76550
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Sanity check usernames in squid_ldap_auth (squid bug #1187),
classified as minor security issue by the vendor, see below for VuXML
information
- FQDN names truncated on compressed DNS responses (squid bug #1136)
- Internal DNS memory leak on malformed responses (squid bug #1197)
PR: ports/76364
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
<http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
issues:
+ Prevent a possible denial of service attack via WCCP messages (squid bug
#1190), classified as security issue by the vendor
+ Fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
#1189), classified as security issue by the vendor
+ Fix a null pointer access and plug memory leaks in the fake_auth NTLM
helper (squid bug #1183) (this helper app is not installed by default by
the port)
+ Stop closing open file descriptors beyond stdin, stdout and stderr on
startup (squid bug #1177)
- Unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
nagilum.de>" for reporting this)
- Document the two security issues in VuXML.
PR: ports/76173
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Approved by: erwin (mentor)
http://www.squid-cache.org/Versions/v2/2.5/bugs/:
- a malformed hostname can cause squid to return random data as error messages,
possibly leaking internal information from former requests (squid bug #1143).
(This is classified as a minor security issue by the squid developers, so
maintainer cc'ed security-team@. See VuXML entry.)
- the "httpd_accel_port 0" directive does not work on its own (squid bug #1121)
- fix crashes occurring when using cachemgr's "vm_objects" operation (squid
bug #1149)
PR: ports/74859
Submitted by: maintainer
logrotation (squid bug #1118)
- properly close the client TCP connection when a malformed blank
HTTP response was received from the server (squid bug #1116)
PR: ports/73913
Submitted by: maintainer
- document the LDAP helpers' -v option
- correct the implementation of the req_header and resp_header acls
(the original implementation submitted in squid bug #961 was faulty)
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further details.
- Bump PORTREVISION
PR: ports/73154
Submitted by: Thomas-Martin Seck (maintainer)
CPU for half closed PUT/POST requests (squid bugs #354, 1096).
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further
details.
- Adapt the follow_xff patch to changes in some of squid's data
structures and unbreak the WITH_SQUID_FOLLOW_XFF option.
- Bump PORTREVISION.
PR: ports/72840
Submitted by: Thomas-Martin Seck (maintainer)
the SNMP module
- Remove a patch that is now part of the distribution
- Miscellaneous small fixes:
+ in squid.sh, make stop_command poll for the squid processes' exit in
the rcNG case too; this eliminates the need to do this in restart_command
+ make the information regarding rcNG'ness in pkg-install easier to read
+ install unstripped binaries if WITH_SQUID_STACKTRACES is defined
PR: ports/72581
Submitted by: Thomas-Martin Seck (maintainer)
The client_db_gc patch contained wrong debugging information
and was thus reissued by the vendor.
Update distinfo accordingly and bump PORTREVISION.
PR: ports/72387
Submitted by: Thomas-Martin Seck (maintainer)
Approved by: portsmgr (krion)
- try to prevent crashes of the digest helper (squid bug #1031)
- correct parsing of the acl_time directive when multiple time specifications
are given (squid bug #1060)
- correct "cachemgr config" output for http_header_* directives
(squid bug #1056)
- recognize the Content-Disposition header to be able to specify
http_header_access directives using it (squid bug #961)
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further
information.
Reimplement the rcNG support. See UPDATING for details.
PR: ports/71260
Submitted by: maintainer
- close a memory leak when NTLM authentication without challenge reuse
is used (squid bug #994)
- close a temporary memory leak when NTLM challenge response reuse is
enabled (squid bug #910)
- when performing log rotation with 'squid -k rotate' do not crash if a
swap state file or a cache directory is unwriteable (squid bug #1053)
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further
information.
PR: ports/71082
Submitted by: maintainer
Set supplementary group membership correctly when running squid
as a non-root user and do not ignore the squid_group setting
when starting squid as root (squid bug #1021)
Enable the external_acl helper protocol to handle newlines
in the embedded data (squid bug #1038)
PR: ports/70767
Submitted by: maintainer
- fix a problem in the heap policy code that could cause memory
corruption when a {cache,memory}_replacement_policy other
than the default "lru" was used (squid bug #1009)
- correct quoting of unknown % escape codes when generating
error pages (squid bug #1030)
PR: ports/70110
Submitted by: maintainer
The concurrent_dns_lookups patch was reissued, update distinfo accordingly.
See <http://www.squid-cache.org/bugs/show_bug.cgi?id=852> for
further information.
PR: ports/69764
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
problems with the previous version are hopefully fixed (squid bug #1018)
- integrate a new NTLM authentication patch to address a problem with
truncating NTLM authentication blobs (squid bug #1016)
- remove two patches which were withdrawn (see squid bugs #910
and 994)
PR: ports/69719
Submitted by: maintainer
- Fix dynamic plist generation to not include files that happen to be
in target directories. This prevents their removal on deinstallation
or upgrade.
PR: ports/69552, ports/69266
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
cf <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
Do not bump PORTREVISION, since
a) ldap is not in the default configuration
b) we hope to have that fixed soon
PR: 69465
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
http://www.squid-cache.org/Versions/v2/2.5/bugs/:
- fix a memory leak in client_db (squid bug #833)
- add delay pools information to cachemgr's active_requests
page
- make basic authentication operate case insensitive by
default, case sensitive operation can be enabled via
squid.conf
- log if cache files cannot be created for some reason
- make sure that a HTTP HEAD request does not return stale data
- correctly log partial hits as TCP_MISS instead of TCP_HIT
- fix memory leaks within the NTLM authentication helper
- handle the request_header_max_size directive correctly
- avoid creating a large number of queued DNS lookups for the
same domain in case of DNS problems
- update LDAP helper
PR: ports/69307
Submitted by: maintainer
follow-xff-patchset (thanks to Michael Ranner for spotting the
problem and testing the fix). While at it, wordsmith the
comments in the patch.
Use the official patch for the NTLM auth helper vulnerability,
see <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for
details.
Build and install the SMB basic authentication helpers by default
PR: ports/68448
Submitted by: maintainer
to <http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
Apply some cleanups:
+ prefer PATCHDIR over FILEDIR when referring to patches
+ remove unnecessary quotes
+ move all substitution tasks to the post-patch target
+ use "${FALSE}" instead of "exit 1" to generate error 1 from a shell
Bump PORTREVISION
PR: ports/68078
Submitted by: maintainer
ports/67724, submitted by Michal F. Hanula)
- Change ": foo=${foo:=bar}" into "foo=${foo:-bar}" to make the
shell scripts easier to read and understand
- Correct credits for the recently published NTLM auth
vulnerability and fix a nearby braino, too
- Bump PORTREVISION
PR: ports/67797
Submitted by: maintainer
in cache.log (squid bug #570)
- correct the least-load store directory selection algorithm
for the cache directories using the "ufs" storage scheme (squid bug #676)
- correct the type of the cacheCurrentUnlinkRequests SNMP variable
(squid bug #946)
- include client IP addresses in debug output (squid bug #948)
- correct the HTML doctype for autogenerated FTP directory listings
(squid bug #969)
- if no resolv.conf is present the dns_servers variable now defaults
to 127.0.0.1 (squid bug #991)
- update the documentation of the MSNT basic authentication helper
(squid bug #717)
PR: ports/67495
Submitted by: maintainer
+ clarify the meaning of the ERR keyword in digest authentication
+ correct a spelling error in the Turkish ERR_DNS_FAIL error page
(squid bug #950)
+ fix a problem regarding negatively cached 404 replies with VARY: header
(squid bug #616)
+ correct a parsing bug which rejected a 'range_offset_limit -1 KB'
statement in squid.conf (squid bug #968)
- Bump PORTREVISION
PR: ports/66139
Submitted by: maintainer
- Bump PORTREVISION
- Clean up pkg-deinstall:
+ remove an unnecessary variable
+ replace rmdir -p with two distinct rmdir calls since we
do not want to delete $PKG_PREFIX too if it happens to be empty
PR: ports/65918
Submitted by: maintainer
submitting a blank username in digest authentication (squid bug #954)
and bump PORTREVISION
- follow Duane Wessels' squid book and use "storage scheme"
instead of "store type"
- remove trailing whitespace
- no longer hardcode the path of the nologin binary in
pkg-install and re-wrap pw(8)'s arguments for better readability
PR: ports/65723
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/> for details
- Correct OpenSSL support and, while at it, clean up CFLAGS and
LDFLAGS handling (thanks to dinoex for lots of helpful advice!).
- better be safe than sorry and pass PTHREAD_CFLAGS through in
case we are compiling with threads
- try to remove the errorpages directory silently since user
defined directories might legitimately be present
- clean up shell scripting:
+ do not use too many variables
+ use /bin/sh's features instead of external commands
PR: ports/65356
Submitted by: maintainer