From 14299772a1c206210d1a47c933e5c8ee950c6212 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Jul 2020 07:42:19 -0400 Subject: [PATCH] import squid-4.11-1.module+el8.3.0+6769+637637ab --- .gitignore | 2 +- .squid.metadata | 2 +- SOURCES/squid-3.5.9-include-guards.patch | 95 ------------ ...-ftp.patch => squid-4.11-active-ftp.patch} | 14 +- ...1-config.patch => squid-4.11-config.patch} | 11 +- SOURCES/squid-4.11-include-guards.patch | 41 ++++++ ...e-acl.patch => squid-4.11-large-acl.patch} | 0 ...cation.patch => squid-4.11-location.patch} | 11 +- ...rlpath.patch => squid-4.11-perlpath.patch} | 2 +- SOURCES/squid-4.11-systemd.patch | 39 +++++ SOURCES/squid-4.11.tar.xz.asc | 25 ++++ SOURCES/squid-4.4.0-CVE-2019-12527.patch | 139 ------------------ SOURCES/squid-4.4.0-CVE-2019-13345.patch | 64 -------- SOURCES/squid-4.4.0-lower-cachepeer.patch | 12 -- SOURCES/squid-4.4.0-man-pages.patch | 26 ---- SOURCES/squid-4.4.tar.xz.asc | 25 ---- SOURCES/squid.service | 11 +- SPECS/squid.spec | 77 +++++++--- 18 files changed, 188 insertions(+), 408 deletions(-) delete mode 100644 SOURCES/squid-3.5.9-include-guards.patch rename SOURCES/{squid-4.4.0-active-ftp.patch => squid-4.11-active-ftp.patch} (92%) rename SOURCES/{squid-4.0.11-config.patch => squid-4.11-config.patch} (61%) create mode 100644 SOURCES/squid-4.11-include-guards.patch rename SOURCES/{squid-4.0.21-large-acl.patch => squid-4.11-large-acl.patch} (100%) rename SOURCES/{squid-3.1.0.9-location.patch => squid-4.11-location.patch} (74%) rename SOURCES/{squid-3.0.STABLE1-perlpath.patch => squid-4.11-perlpath.patch} (79%) create mode 100644 SOURCES/squid-4.11-systemd.patch create mode 100644 SOURCES/squid-4.11.tar.xz.asc delete mode 100644 SOURCES/squid-4.4.0-CVE-2019-12527.patch delete mode 100644 SOURCES/squid-4.4.0-CVE-2019-13345.patch delete mode 100644 SOURCES/squid-4.4.0-lower-cachepeer.patch delete mode 100644 SOURCES/squid-4.4.0-man-pages.patch delete mode 100644 SOURCES/squid-4.4.tar.xz.asc diff --git a/.gitignore b/.gitignore index aa9cebb..da80573 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/squid-4.4.tar.xz +SOURCES/squid-4.11.tar.xz diff --git a/.squid.metadata b/.squid.metadata index 70ddf1b..94d7ed2 100644 --- a/.squid.metadata +++ b/.squid.metadata @@ -1 +1 @@ -0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz +053277bf5497163ffc9261b9807abda5959bb6fc SOURCES/squid-4.11.tar.xz diff --git a/SOURCES/squid-3.5.9-include-guards.patch b/SOURCES/squid-3.5.9-include-guards.patch deleted file mode 100644 index e2d4ff9..0000000 --- a/SOURCES/squid-3.5.9-include-guards.patch +++ /dev/null @@ -1,95 +0,0 @@ ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. - * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. - * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc - diff --git a/SOURCES/squid-4.4.0-active-ftp.patch b/SOURCES/squid-4.11-active-ftp.patch similarity index 92% rename from SOURCES/squid-4.4.0-active-ftp.patch rename to SOURCES/squid-4.11-active-ftp.patch index 64988fe..00a9b56 100644 --- a/SOURCES/squid-4.4.0-active-ftp.patch +++ b/SOURCES/squid-4.11-active-ftp.patch @@ -1,5 +1,5 @@ diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc -index 777210c..4c80511 100644 +index b665bcf..d287e55 100644 --- a/src/clients/FtpClient.cc +++ b/src/clients/FtpClient.cc @@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel() @@ -13,7 +13,7 @@ index 777210c..4c80511 100644 /// creates a data channel Comm close callback diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h -index 465fdb7..75dbd3b 100644 +index a76a5a0..218d696 100644 --- a/src/clients/FtpClient.h +++ b/src/clients/FtpClient.h @@ -118,7 +118,7 @@ public: @@ -26,7 +26,7 @@ index 465fdb7..75dbd3b 100644 CtrlChannel ctrl; ///< FTP control channel state diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc -index a13cdda..b958b14 100644 +index 411bce9..31d3e36 100644 --- a/src/clients/FtpGateway.cc +++ b/src/clients/FtpGateway.cc @@ -87,6 +87,13 @@ struct GatewayFlags { @@ -56,7 +56,7 @@ index a13cdda..b958b14 100644 int checkAuth(const HttpHeader * req_hdr); void checkUrlpath(); void buildTitleUrl(); -@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) +@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) } ftpState->listenForDataChannel(temp); @@ -64,7 +64,7 @@ index a13cdda..b958b14 100644 } static void -@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) +@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) // pull out the internal IP address bytes to send in PORT command... // source them from the listen_conn->local @@ -86,7 +86,7 @@ index a13cdda..b958b14 100644 ftpState->writeCommand(cbuf); ftpState->state = Ftp::Client::SENT_PORT; -@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) +@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) return; } @@ -116,7 +116,7 @@ index a13cdda..b958b14 100644 ftpState->writeCommand(cbuf); ftpState->state = Ftp::Client::SENT_EPRT; -@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) +@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) ftpSendPORT(ftpState); return; } diff --git a/SOURCES/squid-4.0.11-config.patch b/SOURCES/squid-4.11-config.patch similarity index 61% rename from SOURCES/squid-4.0.11-config.patch rename to SOURCES/squid-4.11-config.patch index a4faae8..9b0e2d8 100644 --- a/SOURCES/squid-4.0.11-config.patch +++ b/SOURCES/squid-4.11-config.patch @@ -1,7 +1,8 @@ -diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre ---- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200 -+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200 -@@ -4658,7 +4658,7 @@ DOC_END +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 26ef576..30d5509 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -5006,7 +5006,7 @@ DOC_END NAME: logfile_rotate TYPE: int @@ -10,7 +11,7 @@ diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre LOC: Config.Log.rotateNumber DOC_START Specifies the default number of logfile rotations to make when you -@@ -6444,11 +6444,11 @@ COMMENT_END +@@ -6857,11 +6857,11 @@ COMMENT_END NAME: cache_mgr TYPE: string diff --git a/SOURCES/squid-4.11-include-guards.patch b/SOURCES/squid-4.11-include-guards.patch new file mode 100644 index 0000000..fb96c57 --- /dev/null +++ b/SOURCES/squid-4.11-include-guards.patch @@ -0,0 +1,41 @@ +diff --git a/compat/os/linux.h b/compat/os/linux.h +index 0ff05c6..d51389b 100644 +--- a/compat/os/linux.h ++++ b/compat/os/linux.h +@@ -44,6 +44,36 @@ + #include + #endif + ++/* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ ++/* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ + /* + * sys/capability.h is only needed in Linux apparently. + * diff --git a/SOURCES/squid-4.0.21-large-acl.patch b/SOURCES/squid-4.11-large-acl.patch similarity index 100% rename from SOURCES/squid-4.0.21-large-acl.patch rename to SOURCES/squid-4.11-large-acl.patch diff --git a/SOURCES/squid-3.1.0.9-location.patch b/SOURCES/squid-4.11-location.patch similarity index 74% rename from SOURCES/squid-3.1.0.9-location.patch rename to SOURCES/squid-4.11-location.patch index 4abd519..e33e9a0 100644 --- a/SOURCES/squid-3.1.0.9-location.patch +++ b/SOURCES/squid-4.11-location.patch @@ -1,7 +1,8 @@ -diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART ---- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200 -+++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200 -@@ -10,10 +10,9 @@ After you retrieved, compiled and instal +diff --git a/QUICKSTART b/QUICKSTART +index e5299b4..a243437 100644 +--- a/QUICKSTART ++++ b/QUICKSTART +@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see INSTALL in the same directory), you have to configure the squid.conf file. This is the list of the values you *need* to change, because no sensible defaults could be defined. Do not touch the other variables @@ -14,7 +15,7 @@ diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART ============================================================================== -@@ -82,12 +81,12 @@ After editing squid.conf to your liking, +@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command line TWICE: To create any disk cache_dir configured: diff --git a/SOURCES/squid-3.0.STABLE1-perlpath.patch b/SOURCES/squid-4.11-perlpath.patch similarity index 79% rename from SOURCES/squid-3.0.STABLE1-perlpath.patch rename to SOURCES/squid-4.11-perlpath.patch index 052b8d7..18c74a6 100644 --- a/SOURCES/squid-3.0.STABLE1-perlpath.patch +++ b/SOURCES/squid-4.11-perlpath.patch @@ -6,5 +6,5 @@ index 90ac6a4..8dbed90 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2018 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2020 The Squid Software Foundation and contributors # * diff --git a/SOURCES/squid-4.11-systemd.patch b/SOURCES/squid-4.11-systemd.patch new file mode 100644 index 0000000..a461881 --- /dev/null +++ b/SOURCES/squid-4.11-systemd.patch @@ -0,0 +1,39 @@ +diff --git a/configure b/configure +index 17b2ebf..9530f6b 100755 +--- a/configure ++++ b/configure +@@ -33915,6 +33915,7 @@ done + fi + if test "x$SYSTEMD_LIBS" != "x" ; then + CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS" ++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS" + + $as_echo "#define USE_SYSTEMD 1" >>confdefs.h + +diff --git a/src/Debug.h b/src/Debug.h +index 6eecd01..ddd9e38 100644 +--- a/src/Debug.h ++++ b/src/Debug.h +@@ -99,6 +99,10 @@ public: + + /// configures the active debugging context to write syslog ALERT + static void ForceAlert(); ++ ++ /// prefixes each grouped debugs() line after the first one in the group ++ static std::ostream& Extra(std::ostream &os) { return os << "\n "; } ++ + private: + static Context *Current; ///< deepest active context; nil outside debugs() + }; +diff --git a/configure.ac b/configure.ac +index d3c5da8..806302c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then + fi + if test "x$SYSTEMD_LIBS" != "x" ; then + CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS" ++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS" + AC_DEFINE(USE_SYSTEMD,1,[systemd support is available]) + else + with_systemd=no diff --git a/SOURCES/squid-4.11.tar.xz.asc b/SOURCES/squid-4.11.tar.xz.asc new file mode 100644 index 0000000..79a79ee --- /dev/null +++ b/SOURCES/squid-4.11.tar.xz.asc @@ -0,0 +1,25 @@ +File: squid-4.11.tar.xz +Date: Sun Apr 19 12:56:37 UTC 2020 +Size: 2447700 +MD5 : 10f34e852153a9996aa4614670e2bda1 +SHA1: 053277bf5497163ffc9261b9807abda5959bb6fc +Key : CD6DBF8EF3B17D3E + B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E + keyring = http://www.squid-cache.org/pgp.asc + keyserver = pool.sks-keyservers.net +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl6cSpEACgkQzW2/jvOx +fT6YbA/6A+IbIbNBJUW45oj23Io9Tw/CzAcTeLHR+McKwV77qMbR+L+kQ+fUdM5F +rHAmd8bVVlyHc4WanVfWItEmzBzHA/ifTNvVpefSGGEbDb80RF66k7ACiZUokg1b +kkPwc/SjDhe2wvketIaBiVVd7pylrlCdVvazcF8gE9MWDOIlJND5mnHXidXvwkbJ +T2//8JZVEmcmN9pdFGNAUVckFm+AnwWXcRM1SQPYDGSVUtjVlqido8snLTA1mZwl +rIpjppujMV54OOWlj+Gqa3MZkpNzIaMCAfphzUFlsQY+/sRUYAOv1wmxw2WclxlK +WlWM+fw8OsYNDMwkOScKZZWceoAkq6UsUHzCAdJIdLqV/R6mZ9nfuZ6BHIr0+2dP +bDf9MU4KXbwEuXiRD/KPziUxxOZwSPivbm3wy9DqTTZfO9V+Iq6FVHX+ahxJ0XbM +JWRYA3GW+DRLjorfsWxU5r4UJsrnBfhItPUAfGPjPjEGZ/pn8r9G6MGenNGPLMKy +wP1rMlOhrZPwerzokzAvKx8G0WWkfN+IPv2JK3rDot6RiJIOuvnZZd4RIuVNTGbh +liO7M24JlWX3WD2wHBzxQag46+plb3VvrrVChwIQnZ2Qzpf50w0Bife/wtNBGpK0 +k/Xi/nocO796YS8GZBnmhS1lEGEwp/YpJBFWmIjTWMUMEOcswVA= +=PKl0 +-----END PGP SIGNATURE----- diff --git a/SOURCES/squid-4.4.0-CVE-2019-12527.patch b/SOURCES/squid-4.4.0-CVE-2019-12527.patch deleted file mode 100644 index ea950f5..0000000 --- a/SOURCES/squid-4.4.0-CVE-2019-12527.patch +++ /dev/null @@ -1,139 +0,0 @@ -commit 7f73e9c5d17664b882ed32590e6af310c247f320 -Author: Amos Jeffries -Date: 2019-06-19 05:58:36 +0000 - - Update HttpHeader::getAuth to SBuf (#416) - - Replace the fixed-size buffer for decoding base64 tokens with an - SBuf to avoid decoder issues on large inputs. - - Update callers to SBuf API operations for more efficient memory - management. - -diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc -index 1e2b650..284a057 100644 ---- a/src/HttpHeader.cc -+++ b/src/HttpHeader.cc -@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const - return cr; - } - --const char * --HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const -+SBuf -+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const - { - const char *field; - int l; - assert(auth_scheme); - field = getStr(id); - -+ static const SBuf nil; - if (!field) /* no authorization field */ -- return NULL; -+ return nil; - - l = strlen(auth_scheme); - - if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */ -- return NULL; -+ return nil; - - field += l; - - if (!xisspace(*field)) /* wrong scheme */ -- return NULL; -+ return nil; - - /* skip white space */ - for (; field && xisspace(*field); ++field); - - if (!*field) /* no authorization cookie */ -- return NULL; -+ return nil; - -- static char decodedAuthToken[8192]; -+ const auto fieldLen = strlen(field); -+ SBuf result; -+ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen)); - struct base64_decode_ctx ctx; - base64_decode_init(&ctx); - size_t decodedLen = 0; -- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) || -+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) || - !base64_decode_final(&ctx)) { -- return NULL; -+ return nil; - } -- decodedAuthToken[decodedLen] = '\0'; -- return decodedAuthToken; -+ result.rawAppendFinish(decodedAuthToken, decodedLen); -+ return result; - } - - ETag -diff --git a/src/HttpHeader.h b/src/HttpHeader.h -index a26b127..3b262be 100644 ---- a/src/HttpHeader.h -+++ b/src/HttpHeader.h -@@ -134,7 +134,7 @@ public: - HttpHdrRange *getRange() const; - HttpHdrSc *getSc() const; - HttpHdrContRange *getContRange() const; -- const char *getAuth(Http::HdrType id, const char *auth_scheme) const; -+ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const; - ETag getETag(Http::HdrType id) const; - TimeOrTag getTimeOrTag(Http::HdrType id) const; - int hasListMember(Http::HdrType id, const char *member, const char separator) const; -diff --git a/src/cache_manager.cc b/src/cache_manager.cc -index da22f7a..2fae767 100644 ---- a/src/cache_manager.cc -+++ b/src/cache_manager.cc -@@ -27,6 +27,7 @@ - #include "mgr/FunAction.h" - #include "mgr/QueryParams.h" - #include "protos.h" -+#include "sbuf/StringConvert.h" - #include "SquidConfig.h" - #include "SquidTime.h" - #include "Store.h" -@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m - // TODO: use the authentication system decode to retrieve these details properly. - - /* base 64 _decoded_ user:passwd pair */ -- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic"); -+ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); - -- if (!basic_cookie) -+ if (basic_cookie.isEmpty()) - return; - -- const char *passwd_del; -- if (!(passwd_del = strchr(basic_cookie, ':'))) { -+ const auto colonPos = basic_cookie.find(':'); -+ if (colonPos == SBuf::npos) { - debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'"); - return; - } - - /* found user:password pair, reset old values */ -- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie); -- params.password = passwd_del + 1; -+ params.userName = SBufToString(basic_cookie.substr(0, colonPos)); -+ params.password = SBufToString(basic_cookie.substr(colonPos+1)); - - /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */ - debugs(16, 9, "CacheManager::ParseHeaders: got user: '" << -diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc -index b958b14..7ca5d24 100644 ---- a/src/clients/FtpGateway.cc -+++ b/src/clients/FtpGateway.cc -@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr) - - #if HAVE_AUTH_MODULE_BASIC - /* Check HTTP Authorization: headers (better than defaults, but less than URL) */ -- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic")); -+ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); - if (!auth.isEmpty()) { - flags.authenticated = 1; - loginParser(auth, false); diff --git a/SOURCES/squid-4.4.0-CVE-2019-13345.patch b/SOURCES/squid-4.4.0-CVE-2019-13345.patch deleted file mode 100644 index 9a5754e..0000000 --- a/SOURCES/squid-4.4.0-CVE-2019-13345.patch +++ /dev/null @@ -1,64 +0,0 @@ -diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc -index 0c745c2..8a67eba 100644 ---- a/tools/cachemgr.cc -+++ b/tools/cachemgr.cc -@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name) - - printf("Manager name:\n", user_name); -+ printf("size=\"30\" VALUE=\"%s\">\n", rfc1738_escape(user_name)); - - printf("Password:hostname, - req->port, -- safe_str(req->user_name), -+ rfc1738_escape(safe_str(req->user_name)), - action, - safe_str(req->pub_auth)); - return url; -@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req) - const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s", - req->hostname, - (int) now, -- req->user_name ? req->user_name : "", -- req->passwd); -+ rfc1738_escape(safe_str(req->user_name)), -+ rfc1738_escape(req->passwd)); - debug("cmgr: pre-encoded for pub: %s\n", buf); - - const int encodedLen = base64_encode_len(bufLen); -@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req) - char *buf; - const char *host_name; - const char *time_str; -- const char *user_name; -- const char *passwd; - - debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth)); - safe_free(req->passwd); -@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req) - - debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now); - -+ char *user_name; - if ((user_name = strtok(NULL, "|")) == NULL) { - xfree(buf); - return; - } -+ rfc1738_unescape(user_name); - - debug("cmgr: decoded uname: '%s'\n", user_name); - -+ char *passwd; - if ((passwd = strtok(NULL, "|")) == NULL) { - xfree(buf); - return; - } -+ rfc1738_unescape(passwd); - - debug("cmgr: decoded passwd: '%s'\n", passwd); - diff --git a/SOURCES/squid-4.4.0-lower-cachepeer.patch b/SOURCES/squid-4.4.0-lower-cachepeer.patch deleted file mode 100644 index 42bc2aa..0000000 --- a/SOURCES/squid-4.4.0-lower-cachepeer.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/cache_cf.cc b/src/cache_cf.cc -index 9165ef99c..32a3df322 100644 ---- a/src/cache_cf.cc -+++ b/src/cache_cf.cc -@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head) - - CachePeer *p = new CachePeer; - p->host = xstrdup(host_str); -+ Tolower(p->host); - p->name = xstrdup(host_str); - p->type = parseNeighborType(token); - diff --git a/SOURCES/squid-4.4.0-man-pages.patch b/SOURCES/squid-4.4.0-man-pages.patch deleted file mode 100644 index 974795d..0000000 --- a/SOURCES/squid-4.4.0-man-pages.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 -index 3053180..1d295fb 100644 ---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 -+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 -@@ -135,7 +135,7 @@ - .if n .ad l - .nh - .SH "NAME" --url_lfs_rewrite -+\& url_lfs_rewrite \- a URL-rewriter based on local file existence - .SH "SYNOPSIS" - .IX Header "SYNOPSIS" - .Vb 1 -diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in -index a7168e0..da7055c 100755 ---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in -+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in -@@ -8,7 +8,7 @@ use Pod::Usage; - - =head1 NAME - --B -+B - a URL-rewriter based on local file existence - - =head1 SYNOPSIS - diff --git a/SOURCES/squid-4.4.tar.xz.asc b/SOURCES/squid-4.4.tar.xz.asc deleted file mode 100644 index a0f8623..0000000 --- a/SOURCES/squid-4.4.tar.xz.asc +++ /dev/null @@ -1,25 +0,0 @@ -File: squid-4.4.tar.xz -Date: Sat Oct 27 21:20:24 UTC 2018 -Size: 2436468 -MD5 : 892504ca9700e1f139a53f84098613bd -SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa -Key : CD6DBF8EF3B17D3E - B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E - keyring = http://www.squid-cache.org/pgp.asc - keyserver = pool.sks-keyservers.net ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx -fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo -9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1 -J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t -fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3 -UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD -Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST -1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX -KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y -VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1 -eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN -eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME= -=1eSQ ------END PGP SIGNATURE----- diff --git a/SOURCES/squid.service b/SOURCES/squid.service index f49d7db..6978032 100644 --- a/SOURCES/squid.service +++ b/SOURCES/squid.service @@ -4,14 +4,15 @@ Documentation=man:squid(8) After=network.target network-online.target nss-lookup.target [Service] -Type=forking +Type=notify LimitNOFILE=16384 +PIDFile=/run/squid.pid EnvironmentFile=/etc/sysconfig/squid ExecStartPre=/usr/libexec/squid/cache_swap.sh -ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF -ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF -ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF -TimeoutSec=0 +ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} +ExecReload=/usr/bin/kill -HUP $MAINPID +KillMode=mixed +NotifyAccess=all [Install] WantedBy=multi-user.target diff --git a/SPECS/squid.spec b/SPECS/squid.spec index 81f9470..e1d36a2 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 4.4 -Release: 8%{?dist} +Version: 4.11 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -26,23 +26,17 @@ Source98: perl-requires-squid.sh # Local patches # Applying upstream patches first makes it less likely that local patches # will break upstream ones. -Patch201: squid-4.0.11-config.patch -Patch202: squid-3.1.0.9-location.patch -Patch203: squid-3.0.STABLE1-perlpath.patch -Patch204: squid-3.5.9-include-guards.patch -Patch205: squid-4.0.21-large-acl.patch +Patch201: squid-4.11-config.patch +Patch202: squid-4.11-location.patch +Patch203: squid-4.11-perlpath.patch +Patch204: squid-4.11-include-guards.patch +Patch205: squid-4.11-large-acl.patch # https://bugzilla.redhat.com/show_bug.cgi?id=980511 -Patch206: squid-4.4.0-active-ftp.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1612524 -Patch207: squid-4.4.0-man-pages.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1691741 -Patch208: squid-4.4.0-lower-cachepeer.patch +Patch206: squid-4.11-active-ftp.patch +# https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30 +Patch207: squid-4.11-systemd.patch # Security fixes -# https://bugzilla.redhat.com/show_bug.cgi?id=1729436 -Patch500: squid-4.4.0-CVE-2019-13345.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1738485 -Patch501: squid-4.4.0-CVE-2019-12527.patch Requires: bash >= 2.0 Requires(pre): shadow-utils @@ -72,6 +66,8 @@ BuildRequires: perl-generators # For test suite BuildRequires: pkgconfig(cppunit) BuildRequires: autoconf +# systemd notify +BuildRequires: systemd-devel %description Squid is a high-performance proxy caching server for Web clients, @@ -96,14 +92,10 @@ lookup program (dnsserver), a program for retrieving FTP data %patch201 -p1 -b .config %patch202 -p1 -b .location %patch203 -p1 -b .perlpath -%patch204 -p0 -b .include-guards +%patch204 -p1 -b .include-guards %patch205 -p1 -b .large_acl %patch206 -p1 -b .active-ftp -%patch207 -p1 -b .man-pages -%patch208 -p1 -b .lower-cachepeer - -%patch500 -p1 -b .CVE-2019-13345 -%patch501 -p1 -b .CVE-2019-12527 +%patch207 -p1 -b .systemd # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -320,6 +312,47 @@ fi %changelog +* Thu May 07 2020 Lubos Uhliarik - 7:4.11-1 +- new version 4.11 +- libsystemd integration +- Resolves: #1829467 - squid:4 rebase +- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in + addStackElement allows for a heap buffer overflow and a crash +- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation + in request allows for proxy manipulation +- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction + in url_regex may lead to security bypass +- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host + parameter to cachemgr.cgi which could result in squid behaving in unsecure way +- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation + issues in HTTP Request processing +- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid + acting as reverse-proxy +- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure + issue in FTP Gateway +- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting + issue in HTTP message processing +- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure + issue in HTTP Digest Authentication +- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery + issue in HTTP Request processing +- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation + in URI processor +- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI + processor +- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN + processing +- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization + header causes DoS + +* Tue Apr 28 2020 Lubos Uhliarik - 7:4.4-9 +- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header + Proxy-Authentication leads to memory corruption +- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon + Digest Authentication nonce replay could lead to remote code execution +- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in + ESIExpression::Evaluate allows for stack buffer overflow + * Fri Aug 23 2019 Lubos Uhliarik - 7:4.4-8 - Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow in HttpHeader::getAuth