109 commits

Author SHA1 Message Date
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
rillig
b12904483c www: align variable assignments
pkglint -Wall -F --only aligned --only indent -r

Manually excluded phraseanet since pkglint got the indentation wrong.
2019-11-04 22:09:50 +00:00
wiz
84e123ddd2 Bump PKGREVISIONs for perl 5.30.0 2019-08-11 13:17:48 +00:00
wiz
93b46879c7 Recursive bump for perl5-5.28.0 2018-08-22 09:43:40 +00:00
taca
b0e726a654 www/squid3: update to 3.5.29
Changes to squid-3.5.28 (15 Jul 2018):

	- SQUID-2018:1: crash processing SSL-Bumped traffic containing ESI
	- SQUID-2018:2: crash handling responses to internally generated requests
	- SQUID-2018:3 / CVE-2018-1172: crash in ESI Response processing
	- Bug 4861: HTTPMSGLOCK missing pointer safety
	- Bug 4829: IPC shared memory leaks when disker queue overflows
	- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
	- Bug 2821: Ignore Content-Range in non-206 responses
	- HTCP: Ignore HTCP packets with invalid URI
	- SSL-Bump: fix authentication with schemes other than Basic
	- TPROXY: Fix clientside_mark and client port logging
	- Fix "Cannot assign requested address" for to-origin TPROXY FTP data
	- Fix --with-netfilter-conntrack error message
	- Validate mime icon URL before allocating store entries
	- ... and many documentation changes
2018-08-11 01:22:02 +00:00
taca
37c62badf7 www/squid3: Add official security patch SQUID-2018_3
Add security patch for SQUID-2018_3.

Bump PKGREVISION.

http://www.squid-cache.org/Advisories/SQUID-2018_3.txt

__________________________________________________________________

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses.

__________________________________________________________________

Severity:

 This problem allows a remote server delivering ESI responses
 to trigger a denial of service for all clients accessing the
 Squid service.

 This problem is limited to Squid operating as reverse proxy.
2018-04-30 08:57:49 +00:00
veego
4ae1b164d6 Add missing PATCH_SITES for the new patch files in the last commit. 2018-01-25 16:54:28 +00:00
taca
2a5d9bccae www/squid3: Add security patches
Add two official security patches.

o Denial of service attack when processing ESI responses
o Denial of service attack when processing ESI responses or downloading
  intermediate CA certificates

	http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
	http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

Bump PKGREVISION.
2018-01-23 02:28:49 +00:00
dholland
75a920b09c PR 52514 Angel Adames: squid-ipf doesn't work on FreeBSD, so don't enable
it by default. Bump PKGREVISION (to 1) as a precaution.
2017-09-05 08:09:08 +00:00
adam
8c1a1fe35a Removed unused patch-src_SquidNew.cc 2017-08-21 15:42:21 +00:00
adam
7fae947b58 Squid 3.5.27:
Fix build on FreeBSD after rev.14180
Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.
Fix mgr query handoff from the original recipient to Coordinator.
Fix message packing error handling in mgr and snmp SMP Forwarders.
basic_ncsa_auth: fix hash listing wrap in man(8) page
Bug 4687: Wrong names of components in man page, section SEE ALSO
Bug 4112: ssl_engine does not accept cryptodev
Bug 4671 pt3: various GCC 7 compile errors
Replace new/delete operators using modern C++ rules.
Bug 4671 pt2: GCC 7: raise FTP Gateway CTRL channel buffer to 16KB
SourceFormat Enforcement
Bug 2833 pt3: Do not respond with HTTP/304 to unconditional requests
Bug 2833 pt2: Collapse internal revalidation requests (SMP-unaware caches), again.
2017-08-21 09:19:12 +00:00
adam
a3abd704ed Changes 3.5.26:
* Bug 4653: %st lies about tunneled traffic volumes
* Revert r14161
* Bug 4682: ignoring http_access deny when client-first bumping mode is used
* Fix xstrndup() documentation, callers. Disclosed implementation bugs.
* Docs: Improve formatting of several manual pages
* Bug 4711: SubjectAlternativeNames is missing in some generated certificates
* Bug 4653: %st lies about tunneled traffic volumes
* Add OpenSSL library details to -v output
* Bug 3772: message from FTP server gets mangled
* Bug 3102: FTP directory listing drops first character of file names
* Bug 4589: ssl_crtd: returning zero on failure
* Bug 4695: squidpurge: GCC 7 build errors
* Bug 4682: Fix ssl_bump "bump" action documentation
2017-06-02 08:21:51 +00:00
jperkin
6b547497bb Convert CXXFLAGS setting C++ standard to USE_LANGUAGES. 2017-05-03 08:38:38 +00:00
adam
7cf797abe7 Changes 3.5.25:
* Bug 4688: various typo error(s) in man page(s)
* libtrie: Fix 'make check' when run before 'make all'
* Docs: update refresh_pattern description regarding 'max' option
* Fix variable shadowing after rev.14149
* Bug 4508: Host forgery stalls intercepted being-spliced connections.
* Native FTP relay: NAT and TPROXY interception fixes
* ext_kerberos_ldap_group_acl: fix unused value warnings
* Check that -k argument is provided before trying to use it.
* Fix missing CRLF on FTP timeout ABORT commands
* Fix crash when configuring with invalid delay_parameters restore value.
* Fix regression in CONNECT authentication after rev.14142
* Bump SSL client on [more] errors encountered before ssl_bump evaluation
2017-04-03 08:10:47 +00:00
adam
03a26c8337 Let 'purge' find correct config file by default. 2017-03-18 21:26:31 +00:00
sborrill
bac89f2e13 Enable build of ssl_crtd if ssl option selected. This is required for dynamic
certificate generation when using SSL Bump.
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
2017-02-10 08:41:25 +00:00
adam
4ce67c1a2e Changes 3.5.24:
* SSLv2 records force SslBump bumping despite a matching step2 peek rule.
* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
* Detect HTTP header ACL issue
* Fix some spelling mistakes
* Update External ACL helpers error handling and caching
* Fix "Source and destination overlap in memcpy" Valgrind errors
* Reduce crashes due to unexpected ClientHttpRequest termination.
* Bug 3940 pt2: Make 'cache deny' do what is documented
2017-01-30 14:17:33 +00:00
agc
30b55df38e Convert all occurrences (353 by my count) of
MASTER_SITES= 	site1 \
			site2

style continuation lines to be simple repeated

	MASTER_SITES+= site1
	MASTER_SITES+= site2

lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
2017-01-19 18:52:01 +00:00
taca
957c689b20 Update squid to 3.5.23, including security fixes.
Changes to squid-3.5.23 (16 Dec 2016):

	- Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
	- Bug 4620: NetBSD build error with --enable-ipf-transparent
	- Bug 4567: Strange IPv6 shown in access.log
	- Bug 4406: SIGSEV in TunnelStateData::handleConnectResponse() during reconfigure and restart
	- Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion.
	- Bug 4169: HIT marked as MISS when If-None-Match does not match
	- Bug 4007: Hang on DNS query with dead-end CNAME
	- Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply
	- Bug 3940 partial: hostHeaderVerify failures MISS when they should be HIT
	- Bug 3533: Cache still valid after HTTP/1.1 303 See Other
	- Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
	- Bug 3290: authenticate_ttl not working for digest authentication
	- Bug 2258: bypassing cache but not destroying cache entry
	- HTTP/1.1: make Vary:* objects cacheable
	- HTTP/1.1: Add registered codes entry for new 103 (Early Hints) status code
	- Support IPv6 NAT with PF for NetBSD and FreeBSD
	- TLS: Make key= before cert= an error instead of quietly hiding the issue
	- ... and some debug updates
	- ... and some build fixes
	- ... and several documentation updates
2016-12-18 03:18:57 +00:00
taca
f65f692d8a Fix build problem with squid-ipf PKG_OPTIONS. 2016-10-16 15:58:14 +00:00
adam
818ab89337 Changes 3.5.22:
* HTTP: MUST ignore a [revalidation] response with an older Date header.
* Optimized/simplified buffering: Appending nothing is always possible.
* Hide OpenSSL tricks from Valgrind far-reaching initialization errors.
* Avoid segfaults when debugging section 4 at level 9.
* Bug 4302 pt2: IPFilter v5 transparent interception
* Bug 4594: build failure with clang 3.9
* Bug 4471: revalidation doesn't work when expired cached object lacks Last-Modified.
* Bug 2833: Collapse internal revalidation requests (SMP-unaware caches)
* Bug 3819: "fd >= 0" assertion in file_write() during reconfiguration
* Do not leak url_rewrite_extras and store_id_extras on reconfigure/shutdown.
* Do reset $HOME if needed after r13435. Minimize putenv() memory leaks.
* Bug 4228: ./configure bug/typo in r14394.
* Fix potential ICAP null pointer dereference after rev.14082
* Fix logged request size (%http::>st) and other size-related %codes.
2016-10-10 09:01:39 +00:00
taca
f22ac05d7e Update squid to 3.5.21.
Changes to squid-3.5.21 (08 Sep 2016):

	- Bug 4563: duplicate code in httpMakeVaryMark
	- Bug 4542: authentication credentials IP TTL updated incorrectly
	- Bug 4534: assertion failure in xcalloc when using many cache_dir
	- Bug 4428: mal-formed Cache-Control:stale-if-error header
	- Bug 3025: Proxy-Authenticate problem using ICAP server
	- Fix segfault via Ftp::Client::readControlReply()
	- Fix SSL-Bump failure results in SEGFAULT
	- HTTP/1.1: MUST always revalidate Cache-Control:no-cache responses
	- HTTP/1.1: do not allow Proxy-Connection to override Connection header
	- SSL: CN wildcard must only match a single domain component [fragment]
2016-09-11 17:41:17 +00:00
wiz
73716d23de Bump PKGREVISION for perl-5.24.0 for everything mentioning perl. 2016-07-09 06:38:30 +00:00
adam
fa91e154bb Changes 3.5.20:
Assertion failed: Write.cc:38: "fd_table[conn->fd].flags.open"
Bug 4523: smblib compile fails on NetBSD
Do not make bogus recvmsg(2) calls when closing UDS sockets.
Fix SEGFAULT parsing malformed adaptation service configuration
Fixed ConnStateData::In::maybeMakeSpaceAvailable() logic.
Bug 3579: assertion failed 'MemPools[type]' from dst_as ACL
Do not allow low-level debugging to hide important/critical messages.
Bug 4485: off-by-one out-of-bounds Parser::Tokenizer::int64() read errors
Increase debug level in a peek-and-splice related debug message
Fix icons loading speed.
Fix OpenSSL detection on FreeBSD
Do not override user defined -std option
Support unified EUI format code in external_acl_type
2016-07-04 12:06:45 +00:00
prlw1
510956dcd3 squid3 uses C++11 if available. Insist on C++11 if linking to libecap. 2016-06-28 10:31:42 +00:00
prlw1
5a9e700a78 Fix non-default, probably unused so far, ecap option build, after
libecap move to C++11.
2016-06-23 15:10:36 +00:00
prlw1
91ab4457eb Add ecap option to squid3, switched off by default. 2016-06-17 16:56:28 +00:00
markd
a0275852b5 On NetBSD if squid-pf option enabled then also need --with-nat-devpf 2016-05-23 21:08:28 +00:00
taca
b01bed8b37 Update squid3 to 3.5.19, 3.5.18 contains security fix.
Changes to squid-3.5.19 (09 May 2016):

	- Regression Bug 4515: interception proxy hangs

Changes to squid-3.5.18 (06 May 2016):

	- Bug 4510: stale comment about 32KB limit on shared memory cache entries
	- Bug 4509: EUI compile error on NetBSD
	- Bug 4501: HTTP/1.1: normalize Host header
	- Bug 4498: URL-unescape the login-info after extraction from URI
	- Bug 4455: SegFault from ESIInclude::Start
	- Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
	- Fix TLS/SSL server handshake alert handling
2016-05-08 23:29:19 +00:00
adam
8913f9fd24 Fix build on NetBSD >=7.99.27 due to route(4) change (deprecation of RTF_LLINFO). Courtesy of leot. 2016-04-26 10:36:48 +00:00
adam
732d55fef1 Changes 3.5.17:
* nullptr is a C++11 feature
* Fix several ESI element construction issues
* SourceFormat Enforcement
* cachemgr.cgi: use dynamic MemBuf for internal content generation
* Add chained certificates and signing certificate to peek-then-bumped connections.
* Handshake Error: ccs received early: fix typo
* Avoid startup/shutdown crashes [by avoiding static non-POD globals].
* Bugs fixed.
2016-04-22 15:14:22 +00:00
taca
6df5b7b42f Update squid3 package to 3.5.16, fixing several security problems.
Please refer to the release notes for other changes:
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html

* SQUID-2016:4 - Denial of Service issue in HTTP Response processing

    http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
    aka. CVE-2016-3948

This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
 "String.cc:*: 'len_ + len <65536'"

There is an attack in the wild for this one, but not as widely as for
the previous issues.


* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.

    http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
    aka. CVE-2016-3947

This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.

All previous Squid-3 releases are affected by both these issues. See the
advisory for further details. Upgrade or patching should be considered a
high priority.


* pinger: drop capabilities on Linux

On Linux, it is now possible to install pinger helper with only
CAP_NET_RAW permissions raised instead of full setuid-root:

  (setcap cap_net_raw+ep /path/to/pinger &&
   chmod u-s /path/to/pinger) || :

Other operating systems without libcap capabilities features are not
affected by this change.


* Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion

This rather crippling bug appears after the CVE-2016-2569 patch. It
turned out to be a race condition closing connections and has now been
fully fixed.
2016-04-02 09:07:40 +00:00
jperkin
17661ff9a5 Bump PKGREVISION for security/openssl ABI bump. 2016-03-05 11:27:40 +00:00
jperkin
02201cb05b Use OPSYSVARS. 2016-02-26 10:57:45 +00:00
taca
91e20050c4 Update squid3 package to 3.5.15, security release.
* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
  processing

    http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

Changes to squid-3.5.15 (23 Feb 2016):

	- Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
	- Fix multiple assertion on String overflows
	- Fix unit test errors on MacOS
	- Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
	- Log noise reduction for eCAP
2016-02-24 06:38:57 +00:00
taca
bfa05628c2 Update squid3 to 3.5.14 (Squid 3.5.14), security release.
Changes to squid-3.5.14 (16 Feb 2016):

	- Bug 4437: Fix Segfault on Certain SSL Handshake Errors
	- Bug 4431: C code is not compiled with CFLAGS
	- Bug 4418: FlexibleArray compile error with GCC 6
	- Bug 4378: assertion failed: DestinationIp.cc:60:
		'checklist->conn() && checklist->conn()->clientConnection != NULL'
	- Fix invalid FTP connection handling on blocked content
	- Fix handling of shared memory left over by Squid crashes or bugs
	- Fix mgr:config report 'qos_flows mark' output
	- Fix compile error in CPU affinity
	- Fix %un logging external ACL username
	- Avoid more certificate validation memory leaks
	- ... and some documentation updates
2016-02-16 06:50:06 +00:00
adam
d3c938ca4a Changes 3.5.13:
* Ssl::CertValidationHelper::sslSubmit: Assure that the callback->getDialer()
* Fix build error with ICC
* Fix GnuTLS detection via pkg-config
* Reflect the [ugly] reality in external_acl_type cache=n documentation.
* Avoid memory leaks when a certificate validator is used with SslBump
* Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
* Fix clang build error after rev.13961
* Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath
* Fix startup crash with a misconfigured (too-small) shared memory cache
* Fix connection retry and fallback after failed server TLS connections
* Complete certificate chains using external intermediate certificates
* Bug 4387: Kerberos build errors on Solaris
2016-01-11 09:24:32 +00:00
adam
8421a0225f Changes 3.5.12:
* Add missing stub definition for CPU_ISSET
* Fix build errors in cpuafinity.cc
* Bug 4228: links with krb5 libs despite --without options
* Fix delay_parameters documentation
* Stop using dangling pointers for eCAP-set custom HTTP reason phrases.
* Fix status code-based HTTP reason phrase for eCAP-generated messages.
* Revert r13921: Migrate StoreEntry to using MEMPROXY_CLASS
* Fix cache_peer forceddomain= in CONNECT
* TLS: Handshake Problem during Renegotiation
* Docs: Updated stale Ssl text to make the comment match the code again.
* Fix SSL_get_certificate() problem detection
* Polished cache_peer_access and related documentation.
* Bug 4374: refresh_pattern config parser (%)
* Bug 4373: assertion failed: client_side_request.cc:1709: 'calloutContext->redirect_state == REDIRECT_NONE'
* Make FATAL messages have a consistent prefix
2015-12-02 10:44:49 +00:00
adam
f3ac992a1e Changes 3.5.11:
* Add Locker friend class to SBuf for protection against memory issues
* Connection stats, including %<lp, missing for persistent connections
* Fix incorrect authentication headers on cache digest requests
* Bug 4281: copy-paste typos in src/tools.cc
* Bug 4188: Bumping intercepted SSL connections does not work on Solaris
* Avoid errors when parsing manager ACL in old squid.conf
* Bug 4279: No response from proxy for FTP-download of non-existing file
* Bug 3574: crashes on reconfigure and startup
* Bug 4347: compile errors with LibreSSL 2.3
2015-11-04 21:44:27 +00:00
agc
b9b754e081 Add SHA512 digests for distfiles for www category
Problems found locating distfiles:
	Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz
	Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz
	Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz
	Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz
	Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz
	Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz
	Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz
	Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 02:46:46 +00:00
sborrill
8c917608f4 Check current file descriptor limit and raise if required rather than
blindly setting to 4096 (which may in fact be lower than current limit).
Bump PKGREVISION
2015-10-08 10:07:10 +00:00
adam
56a30c7f10 Changes 3.5.10:
* Align behavior of MEMPROXY_CLASS's operator delete with ::delete on nullptr
* Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size
* Fix cache_peer login=PASS(THRU) after CVE-2015-5400
* Bug 4304: PeerConnector.cc:743 "!callback" assertion.
* Relicense SSPI helper to GPLv2+
* Bug 4208: more than one port in wccp2_service_info line causes error
* Relicense smb_lm auth helper to GPLv2+
* Relicense ntlm_fake_auth.pl to GPLv2+
* SMP: register worker listening ports one by one
* Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules
* Bug 4323: Netfilter broken cross-includes with Linux 4.2
* Cleanup: Migrate StoreEntry to using MEMPROXY_CLASS
* Remove custom pool chunk size for StoreEntry
* Implement default constructor for hash_link
* Bug 4326: base64 binary encoder rejects data beginning with nil byte
2015-10-02 07:57:13 +00:00
taca
445ceaf5fa Quick fix for build problem with IP Filter 4.1.34 (NetBSD 6.1
and may be older).  Tested on NetBSD 6_STABLE and 7.0_RC3.
2015-09-23 03:59:03 +00:00
taca
40d6c0a837 Update squid3 to 3.5.9, it is a security fix release.
* SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS
  processing

These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service and all
other services on the same machine.

However, the bugs are exploitable only if you have configured a
Squid-3.5 listening port with ssl-bump.

The visible signs of these bugs are a Squid crash or high CPU usage.
Skype is known to trigger the crash and/or a small amount of extra CPU
use unintentionally. Malicious traffic is possible which could have
severe effects.


* Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords

The SMB LanMan authentication helper in Squid-3.2 and later has been
rejecting valid user credentials.

Reminder: Use of this helper is deprecated. We strongly recommend
against using it. LanMan authentication gives the illusion of
transmitting NTLM protocol while actually transmitting username and
password with crypto algorithms that can be decoded in real-time (this
helper relies on that ability). The combination makes it overall less
secure than even HTTP Basic authentication.


* TLS: Support SNI on generated CONNECT after peek

When Squid generates CONNECT requests it will now attempt to use the
client SNI value if any is known.

Note that SNI is found during an ssl_bump peek action, so will only be
available on some generated CONNECT. Intercepted traffic will always
begin with a raw-IP CONNECT message which must pass access controls and
adaptations before ssl_bump peek is even considered.


* Quieten UFS cache maintenance skipped warnings

This resolves the log noise encountered since the 3.5.8 release when
large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.
2015-09-22 13:39:31 +00:00
adam
4e452c8de4 Changes 3.5.8:
Fix FreeBSD Clang-3.5 build error
Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
Bug 3553: cache_swap_high ignored and maxCapacity used instead
Fix memory leak in Surrogate-Capability header detection
When a RESPMOD service aborts, mark the body it produced as truncated.
Cleanup: fix assertion in Store unit tests
Bug 3696: crash when client delay pools are activated
Bug 4278: Docs: typo in the refresh_pattern freshness algorithm
Bug 4306: build portability fix in Kerberos helpers
Docs: auto-build release notes for snapshots
FtpServer.cc:1024: "reply != NULL" assertion
Work around clang-3.6 complaining of unknown attributes in libxml2
Ignore impossible SSL bumping actions, as intended and documented.
Bug 4242: compile errors with eCAP using clang-3.6
Docs: fix typo in miss_access
Bug 4285 partial: %us is not supported in access.log
Bug 4302: IPFilter v5 transparent interception
Docs: update intercept/tproxy related text
Bug 4301: compile errors with IPFilter interception
Polish: add debug section,level to cache.log
Reject non-chunked HTTP messages with conflicting Content-Length values
Boilerplate: update ignored files
Boilerplate: add Foundation details to rfcnb and smblib documentation files
Cleanup: de-duplicate fake-CONNECT code
Use automake subdir-objects feature
2015-09-05 14:25:37 +00:00
prlw1
be7da8f3bf Bump for IPFilter fix 2015-08-17 16:41:28 +00:00
prlw1
d6e13b2415 Fix transparent proxying with IPFilter v5.
Also fix ipf configure test, and remove superfluous debug patch.
2015-08-17 16:39:38 +00:00
adam
cfd0105e85 Changes 3.5.7:
* Bug 4293: wrong SNI sent to server after URL-rewrite
* Add ENABLE_POD2MAN_DOC automake conditional for pod2man builds
* basic_smb_auth: rejecting valid credentials
* basic_smb_auth: doesn't handle passwords with backslashes
* basic_smb_auth: nmblookup fails when smb.conf contains WINS servers
* Docs: fix man(8) page syntax for lexgrof tool
* Make pod2man an optional dependency
* Handle exceptions during squid.conf parse
* When SBuf chop()s away everything, always clear the buffer.
* Cleanup: avoid mentioning compiler directives in configure output
* Bug 4251: incorrect instance name for memory segments in /dev/shm
* Bug 3345: Support %un (any available user name) format code for external ACLs.
* AUFS: Raise I/O queue congestion limits
* Improve handling of client connections on shutdown
* Avoid SSL certificate db corruption with empty index.txt as a symptom.
* Errors served using invalid certificates when dealing with SSL server errors.
* IPv6: improve BCP 177 compliance
* Polish debugs on NAT failure
* Fix crash in TcpAccepter with profiler enabled
* Splice to origin cache_peer.
* Bug 4227: invalid key in AuthUserHashPointer causing assertion failure
2015-08-05 08:10:56 +00:00
adam
ad570b313b Changes 3.5.6:
* ext_edirectory_userip_acl: fix uninitialized variable
* Do not blindly forward cache peer CONNECT responses.
* Bug 3483: assertion failed store.cc:1866: 'isEmpty()'
* Use relative-URL in errorpage.css for SN.png
* Bug 4193: Memory leak on FTP listings
* Bug 4274: ssl_crtd.8 not being installed
* Fix CONNECT failover to IPv4 after trying broken IPv6 servers
* Bug 4183: segfault when freeing https_port clientca on reconfigure or exit.
* TLS: Disable client-initiated renegotiation
* Translations: add Spanish US dialect alias
* Cleanup: replace __DATE__ and __TIME__ macros
* Fix assertion String.cc:221: "str"
* Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone
* Bug 3875: bad mimeLoadIconFile error handling
* Support custom OIDs in *_cert ACLs
* Bug 3329: The server side pinned connection is not closed properly
2015-07-06 09:39:40 +00:00
wiz
2e65d464e8 Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending on such a package,
for perl-5.22.0.
2015-06-12 10:50:58 +00:00