On 16/08/11 20:37, Ralf Hildebrandt wrote:
* Amos Jeffries:
On 15/08/11 23:52, Ralf Hildebrandt wrote:
With today's BZR checkout (3.2-HEAD) I'm getting a lot of "SECURITY
ALERT: Host: header forgery detected" with everyday requests:
2011/08/15 13:50:59.016| SECURITY ALERT: Host: header forgery detected from local=141.42.1.205:8080 remote=10.43.65.227:3266 FD 1312 flags=1 (amsprd0104.outlook.com:443 does not match amsprd0104.outlook.com)
We now forcibly detect CVE-2009-0801 vulnerability abuse. A few cases
have been found missing from the detection. Please apply these two
patches in this order:
http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11647.patch
http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11649.patch
I tried to apply them both but:
# patch -p1< ../squid-3-11647.patch
patching file ClientRequestContext.h
Hunk #1 FAILED at 27.
1 out of 1 hunk FAILED -- saving rejects to file ClientRequestContext.h.rej
patching file client_side_request.cc
Hunk #1 FAILED at 546.
Hunk #2 FAILED at 620.
Hunk #3 FAILED at 638.
3 out of 3 hunks FAILED -- saving rejects to file client_side_request.cc.rej
Sorry, looks like you sync'd them in from 3.2 before applying.
FWIW the Firefox CONNECT case is fixed a few hours ago now too.
I've had confirmation that one works and just ported it back to 3.2
right now. Should be available to you soon.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.10
