This fixes squid's potential security problem.
Changes to Squid-2.4.STABLE6 (March 19, 2002):
- The patch for 2.4.STABLE5 was insufficnetly tested and
introduced a bug that causes frequent assertions when
handling DNS PTR answers.
Changes to Squid-2.4.STABLE5 (March 15, 2002):
- Fixed an array bounds bug in lib/rfc1035.c. This bug
could allow a malicious DNS server to send bogus replies
and corrupt the heap memory.
2.4STABLE3:
- htcp_port 0 now properly disables htcp
- Fixed problem with certain non-anonymous ftp:// style URL's
- SNMP bugfixes including several memory leaks
- replace a hack adding fd_mask definition in autoconf.h with re-writing
configure script. It cause to run configure twice and result "no fd_mask".
- Incorporate three official patches from
http://www.squid-cache.org/Versions/v2/2.4/bugs/.
o SNMP memory leaks
synopsis
The SNMP implementation in Squid had several memory leaks
possibly causing an denial of service.
workaround
Disable the SNMP port if enabled by using "snmp_port 0" in
squid.conf. Or if you only use SNMP for MRTG data
collection running on the same host then use
"snmp_incoming_address 127.0.0.1" to limit reachability
of the SNMP port to only localhost or some other trusted
network.
o Coredump on certain ftp:// style URL's
synopsis
If certain constructed ftp:// style URL's are received then
squid crashes, causing a denial of service and maybe even
remote execution of code.
workaround
Deny forwarding of non-anonymous FTP URLs by inserting
the following rules at the top of squid.conf, prior to
any http_access allow lines.
acl non_anonymous_ftp url_regex -i ftp://[^/@]*@
http_access deny non_anonymous_ftp
o "htcp_port 0" fails to disable the HTCP port
synopsis
"htcp_port 0" fails to completely disable the HTCP port as
documented in squid.conf, instead HTCP will be listening on
a random port number.
from "Ciarcinski, Adam \(ISS Brussels\)" <ACiarcinski@iss.net>.
From ChangeLog:
Changes to Squid-2.4.STABLE3 (Nov 28, 2001):
- Fixed bug #255: core dump on SSL/CONNECT if access denied by
miss_access
- Fixed bug #246: corrupt on-disk meta information preventing
rebuilds of lost swap.state files
- Fixed bug #243: squid_ldap_auth now supports spaces in passwords
- Fixed a coredump when creating FTP directories
- Fixed a compile time problem with statHistDump prototype mistmatch,
reported by some compilers
- Fixed a potential coredump situation on snmpwalk in certain
configurations
- Fixed bug #229: filedescriptor leakage in the "aufs" cache_dir
store implementation
- Serbian error message translations
I added following changes, too.
o honor PKG_SYSCONFDIR keep SQUID_SYSCONFDIR effective.
o Add --disable-internal-dns. This made external dnsserver
available. External dnsserver could be disabled with configuration
file.
o Enable optimization with "-O".
o Fix a problem to access nat device when transparent proxy enabled.
This fix will be contained in squid 2.5 release.
o setproctitle() hack for external dnsserver from daemonnews's article.
installed into "etc/squid" (and are not moved arround after installation).
The message of the install script matches the actual layout again and is
adapted to changes to "SQUID_SYSCONFDIR".
include his improved "rc.d" script.
- Use the same directory structure as in the Apache package. The
configuration files are now in "${PREFIX}/etc/squid" and won't be
removed during deinstallation.
- Remove unnecessary configuration variables "SQUID_HTTP_PORT" and
"SQUID_ICP_PORT". These values can perfectly be adjusted by editing
the configuration file and supporting all these variables would make
the package too complex.
- Bump the version number to 2.4.1nb1.