import squid-4.11-1.module+el8.3.0+6769+637637ab

CentOS Sources 2020-07-28 07:42:19 -04:00 committed by Stepan Oksanichenko
parent bf7f24e547
commit 14299772a1
18 changed files with 188 additions and 408 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/squid-4.4.tar.xz SOURCES/squid-4.11.tar.xz


@ -1 +1 @@
0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz 053277bf5497163ffc9261b9807abda5959bb6fc SOURCES/squid-4.11.tar.xz


@ -1,95 +0,0 @@
------------------------------------------------------------
revno: 14311
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
------------------------------------------------------------
revno: 14311
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
author: Francesco Chemolli <kinkie@squid-cache.org>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Thu 2015-09-24 06:05:37 -0700
message:
Bug 4323: Netfilter broken cross-includes with Linux 4.2
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
# timestamp: 2015-09-24 13:06:33 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
# 6cx3g6hwz9xfoybr
#
# Begin patch
=== modified file 'compat/os/linux.h'
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
#endif
/*
+ * Netfilter header madness. (see Bug 4323)
+ *
+ * Netfilter have a history of defining their own versions of network protocol
+ * primitives without sufficient protection against the POSIX defines which are
+ * aways present in Linux.
+ *
+ * netinet/in.h must be included before any other sys header in order to properly
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
+ * to workaround it.
+ */
+#if HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+/*
* sys/capability.h is only needed in Linux apparently.
*
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
author: Francesco Chemolli <kinkie@squid-cache.org>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Thu 2015-09-24 06:05:37 -0700
message:
Bug 4323: Netfilter broken cross-includes with Linux 4.2
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
# timestamp: 2015-09-24 13:06:33 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
# 6cx3g6hwz9xfoybr
#
# Begin patch
=== modified file 'compat/os/linux.h'
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
#endif
/*
+ * Netfilter header madness. (see Bug 4323)
+ *
+ * Netfilter have a history of defining their own versions of network protocol
+ * primitives without sufficient protection against the POSIX defines which are
+ * aways present in Linux.
+ *
+ * netinet/in.h must be included before any other sys header in order to properly
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
+ * to workaround it.
+ */
+#if HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+/*
* sys/capability.h is only needed in Linux apparently.
*
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc


@ -1,5 +1,5 @@
diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
index 777210c..4c80511 100644 index b665bcf..d287e55 100644
--- a/src/clients/FtpClient.cc --- a/src/clients/FtpClient.cc
+++ b/src/clients/FtpClient.cc +++ b/src/clients/FtpClient.cc
@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel() @@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
@ -13,7 +13,7 @@ index 777210c..4c80511 100644
/// creates a data channel Comm close callback /// creates a data channel Comm close callback
diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
index 465fdb7..75dbd3b 100644 index a76a5a0..218d696 100644
--- a/src/clients/FtpClient.h --- a/src/clients/FtpClient.h
+++ b/src/clients/FtpClient.h +++ b/src/clients/FtpClient.h
@@ -118,7 +118,7 @@ public: @@ -118,7 +118,7 @@ public:
@ -26,7 +26,7 @@ index 465fdb7..75dbd3b 100644
CtrlChannel ctrl; ///< FTP control channel state CtrlChannel ctrl; ///< FTP control channel state
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
index a13cdda..b958b14 100644 index 411bce9..31d3e36 100644
--- a/src/clients/FtpGateway.cc --- a/src/clients/FtpGateway.cc
+++ b/src/clients/FtpGateway.cc +++ b/src/clients/FtpGateway.cc
@@ -87,6 +87,13 @@ struct GatewayFlags { @@ -87,6 +87,13 @@ struct GatewayFlags {
@ -56,7 +56,7 @@ index a13cdda..b958b14 100644
int checkAuth(const HttpHeader * req_hdr); int checkAuth(const HttpHeader * req_hdr);
void checkUrlpath(); void checkUrlpath();
void buildTitleUrl(); void buildTitleUrl();
@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) @@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
} }
ftpState->listenForDataChannel(temp); ftpState->listenForDataChannel(temp);
@ -64,7 +64,7 @@ index a13cdda..b958b14 100644
} }
static void static void
@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) @@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
// pull out the internal IP address bytes to send in PORT command... // pull out the internal IP address bytes to send in PORT command...
// source them from the listen_conn->local // source them from the listen_conn->local
@ -86,7 +86,7 @@ index a13cdda..b958b14 100644
ftpState->writeCommand(cbuf); ftpState->writeCommand(cbuf);
ftpState->state = Ftp::Client::SENT_PORT; ftpState->state = Ftp::Client::SENT_PORT;
@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) @@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
return; return;
} }
@ -116,7 +116,7 @@ index a13cdda..b958b14 100644
ftpState->writeCommand(cbuf); ftpState->writeCommand(cbuf);
ftpState->state = Ftp::Client::SENT_EPRT; ftpState->state = Ftp::Client::SENT_EPRT;
@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) @@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
ftpSendPORT(ftpState); ftpSendPORT(ftpState);
return; return;
} }


@ -1,7 +1,8 @@
diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre diff --git a/src/cf.data.pre b/src/cf.data.pre
--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200 index 26ef576..30d5509 100644
+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200 --- a/src/cf.data.pre
@@ -4658,7 +4658,7 @@ DOC_END +++ b/src/cf.data.pre
@@ -5006,7 +5006,7 @@ DOC_END
NAME: logfile_rotate NAME: logfile_rotate
TYPE: int TYPE: int
@ -10,7 +11,7 @@ diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
LOC: Config.Log.rotateNumber LOC: Config.Log.rotateNumber
DOC_START DOC_START
Specifies the default number of logfile rotations to make when you Specifies the default number of logfile rotations to make when you
@@ -6444,11 +6444,11 @@ COMMENT_END @@ -6857,11 +6857,11 @@ COMMENT_END
NAME: cache_mgr NAME: cache_mgr
TYPE: string TYPE: string


@ -0,0 +1,41 @@
diff --git a/compat/os/linux.h b/compat/os/linux.h
index 0ff05c6..d51389b 100644
--- a/compat/os/linux.h
+++ b/compat/os/linux.h
@@ -44,6 +44,36 @@
#include <netinet/in.h>
#endif
+/*
+ * Netfilter header madness. (see Bug 4323)
+ *
+ * Netfilter have a history of defining their own versions of network protocol
+ * primitives without sufficient protection against the POSIX defines which are
+ * aways present in Linux.
+ *
+ * netinet/in.h must be included before any other sys header in order to properly
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
+ * to workaround it.
+ */
+#if HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+/*
+ * Netfilter header madness. (see Bug 4323)
+ *
+ * Netfilter have a history of defining their own versions of network protocol
+ * primitives without sufficient protection against the POSIX defines which are
+ * aways present in Linux.
+ *
+ * netinet/in.h must be included before any other sys header in order to properly
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
+ * to workaround it.
+ */
+#if HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
/*
* sys/capability.h is only needed in Linux apparently.
*
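Review bot: The added lines carry the Netfilter comment and the `#if HAVE_NETINET_IN_H` / `#include <netinet/in.h>` / `#endif` guard twice, back to back. The hunk header `@@ -44,6 +44,36 @@` confirms thirty added lines, which is two copies of the same fifteen-line block, and the context just above the additions already closes an `#include <netinet/in.h>` guard. The header's own include guard makes the repetition harmless at compile time, but it looks like a patch refresh that re-applied a change the 4.11 tree may already contain. If upstream has the include, the patch can be dropped; otherwise one copy is enough. linux.h continues outside the hunk, so whether the comment block is already present upstream cannot be confirmed from here.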


@ -1,7 +1,8 @@
diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART diff --git a/QUICKSTART b/QUICKSTART
--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200 index e5299b4..a243437 100644
+++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200 --- a/QUICKSTART
@@ -10,10 +10,9 @@ After you retrieved, compiled and instal +++ b/QUICKSTART
@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
INSTALL in the same directory), you have to configure the squid.conf INSTALL in the same directory), you have to configure the squid.conf
file. This is the list of the values you *need* to change, because no file. This is the list of the values you *need* to change, because no
sensible defaults could be defined. Do not touch the other variables sensible defaults could be defined. Do not touch the other variables
@ -14,7 +15,7 @@ diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
============================================================================== ==============================================================================
@@ -82,12 +81,12 @@ After editing squid.conf to your liking, @@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
line TWICE: line TWICE:
To create any disk cache_dir configured: To create any disk cache_dir configured:


@ -6,5 +6,5 @@ index 90ac6a4..8dbed90 100755
-#!/usr/local/bin/perl -Tw -#!/usr/local/bin/perl -Tw
+#!/usr/bin/perl -Tw +#!/usr/bin/perl -Tw
# #
# * Copyright (C) 1996-2018 The Squid Software Foundation and contributors # * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
# * # *


@ -0,0 +1,39 @@
diff --git a/configure b/configure
index 17b2ebf..9530f6b 100755
--- a/configure
+++ b/configure
@@ -33915,6 +33915,7 @@ done
fi
if test "x$SYSTEMD_LIBS" != "x" ; then
CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
+ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
$as_echo "#define USE_SYSTEMD 1" >>confdefs.h
diff --git a/src/Debug.h b/src/Debug.h
index 6eecd01..ddd9e38 100644
--- a/src/Debug.h
+++ b/src/Debug.h
@@ -99,6 +99,10 @@ public:
/// configures the active debugging context to write syslog ALERT
static void ForceAlert();
+
+ /// prefixes each grouped debugs() line after the first one in the group
+ static std::ostream& Extra(std::ostream &os) { return os << "\n "; }
+
private:
static Context *Current; ///< deepest active context; nil outside debugs()
};
diff --git a/configure.ac b/configure.ac
index d3c5da8..806302c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then
fi
if test "x$SYSTEMD_LIBS" != "x" ; then
CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
+ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
else
with_systemd=no
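Review bot: `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` in the configure and configure.ac hunks puts library flags into LDFLAGS, which normally land on the link line before the object files. If the build ever links with `-Wl,--as-needed`, a library named that early can be discarded and the `USE_SYSTEMD` code would fail to link. The conventional form is `LIBS="$SYSTEMD_LIBS $LIBS"`, or a per-target LDADD entry, which would also keep libsystemd off helper binaries that do not use it. The generated `configure` is patched by hand alongside `configure.ac`, so the two can drift if the build regenerates configure. Whether this build uses `--as-needed` or runs autoreconf is not visible on this page.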


@ -0,0 +1,25 @@
File: squid-4.11.tar.xz
Date: Sun Apr 19 12:56:37 UTC 2020
Size: 2447700
MD5 : 10f34e852153a9996aa4614670e2bda1
SHA1: 053277bf5497163ffc9261b9807abda5959bb6fc
Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
keyring = http://www.squid-cache.org/pgp.asc
keyserver = pool.sks-keyservers.net
-----BEGIN PGP SIGNATURE-----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=PKl0
-----END PGP SIGNATURE-----


@ -1,139 +0,0 @@
commit 7f73e9c5d17664b882ed32590e6af310c247f320
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2019-06-19 05:58:36 +0000
Update HttpHeader::getAuth to SBuf (#416)
Replace the fixed-size buffer for decoding base64 tokens with an
SBuf to avoid decoder issues on large inputs.
Update callers to SBuf API operations for more efficient memory
management.
diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
index 1e2b650..284a057 100644
--- a/src/HttpHeader.cc
+++ b/src/HttpHeader.cc
@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
return cr;
}
-const char *
-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
+SBuf
+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
{
const char *field;
int l;
assert(auth_scheme);
field = getStr(id);
+ static const SBuf nil;
if (!field) /* no authorization field */
- return NULL;
+ return nil;
l = strlen(auth_scheme);
if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
- return NULL;
+ return nil;
field += l;
if (!xisspace(*field)) /* wrong scheme */
- return NULL;
+ return nil;
/* skip white space */
for (; field && xisspace(*field); ++field);
if (!*field) /* no authorization cookie */
- return NULL;
+ return nil;
- static char decodedAuthToken[8192];
+ const auto fieldLen = strlen(field);
+ SBuf result;
+ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
size_t decodedLen = 0;
- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field) ||
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
!base64_decode_final(&ctx)) {
- return NULL;
+ return nil;
}
- decodedAuthToken[decodedLen] = '\0';
- return decodedAuthToken;
+ result.rawAppendFinish(decodedAuthToken, decodedLen);
+ return result;
}
ETag
diff --git a/src/HttpHeader.h b/src/HttpHeader.h
index a26b127..3b262be 100644
--- a/src/HttpHeader.h
+++ b/src/HttpHeader.h
@@ -134,7 +134,7 @@ public:
HttpHdrRange *getRange() const;
HttpHdrSc *getSc() const;
HttpHdrContRange *getContRange() const;
- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
+ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
ETag getETag(Http::HdrType id) const;
TimeOrTag getTimeOrTag(Http::HdrType id) const;
int hasListMember(Http::HdrType id, const char *member, const char separator) const;
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
index da22f7a..2fae767 100644
--- a/src/cache_manager.cc
+++ b/src/cache_manager.cc
@@ -27,6 +27,7 @@
#include "mgr/FunAction.h"
#include "mgr/QueryParams.h"
#include "protos.h"
+#include "sbuf/StringConvert.h"
#include "SquidConfig.h"
#include "SquidTime.h"
#include "Store.h"
@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams &param
// TODO: use the authentication system decode to retrieve these details properly.
/* base 64 _decoded_ user:passwd pair */
- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
+ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
- if (!basic_cookie)
+ if (basic_cookie.isEmpty())
return;
- const char *passwd_del;
- if (!(passwd_del = strchr(basic_cookie, ':'))) {
+ const auto colonPos = basic_cookie.find(':');
+ if (colonPos == SBuf::npos) {
debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
return;
}
/* found user:password pair, reset old values */
- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
- params.password = passwd_del + 1;
+ params.userName = SBufToString(basic_cookie.substr(0, colonPos));
+ params.password = SBufToString(basic_cookie.substr(colonPos+1));
/* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
index b958b14..7ca5d24 100644
--- a/src/clients/FtpGateway.cc
+++ b/src/clients/FtpGateway.cc
@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
#if HAVE_AUTH_MODULE_BASIC
/* Check HTTP Authorization: headers (better than defaults, but less than URL) */
- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
+ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
if (!auth.isEmpty()) {
flags.authenticated = 1;
loginParser(auth, false);


@ -1,64 +0,0 @@
diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc
index 0c745c2..8a67eba 100644
--- a/tools/cachemgr.cc
+++ b/tools/cachemgr.cc
@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name)
printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
- printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
+ printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const char *action)
script_name,
req->hostname,
req->port,
- safe_str(req->user_name),
+ rfc1738_escape(safe_str(req->user_name)),
action,
safe_str(req->pub_auth));
return url;
@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
req->hostname,
(int) now,
- req->user_name ? req->user_name : "",
- req->passwd);
+ rfc1738_escape(safe_str(req->user_name)),
+ rfc1738_escape(req->passwd));
debug("cmgr: pre-encoded for pub: %s\n", buf);
const int encodedLen = base64_encode_len(bufLen);
@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req)
char *buf;
const char *host_name;
const char *time_str;
- const char *user_name;
- const char *passwd;
debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
safe_free(req->passwd);
@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
+ char *user_name;
if ((user_name = strtok(NULL, "|")) == NULL) {
xfree(buf);
return;
}
+ rfc1738_unescape(user_name);
debug("cmgr: decoded uname: '%s'\n", user_name);
+ char *passwd;
if ((passwd = strtok(NULL, "|")) == NULL) {
xfree(buf);
return;
}
+ rfc1738_unescape(passwd);
debug("cmgr: decoded passwd: '%s'\n", passwd);


@ -1,12 +0,0 @@
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 9165ef99c..32a3df322 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head)
CachePeer *p = new CachePeer;
p->host = xstrdup(host_str);
+ Tolower(p->host);
p->name = xstrdup(host_str);
p->type = parseNeighborType(token);


@ -1,26 +0,0 @@
diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
index 3053180..1d295fb 100644
--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8
+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
@@ -135,7 +135,7 @@
.if n .ad l
.nh
.SH "NAME"
-url_lfs_rewrite
+\& url_lfs_rewrite \- a URL-rewriter based on local file existence
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
index a7168e0..da7055c 100755
--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
@@ -8,7 +8,7 @@ use Pod::Usage;
=head1 NAME
-B<url_lfs_rewrite>
+B<url_lfs_rewrite> - a URL-rewriter based on local file existence
=head1 SYNOPSIS


@ -1,25 +0,0 @@
File: squid-4.4.tar.xz
Date: Sat Oct 27 21:20:24 UTC 2018
Size: 2436468
MD5 : 892504ca9700e1f139a53f84098613bd
SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa
Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
keyring = http://www.squid-cache.org/pgp.asc
keyserver = pool.sks-keyservers.net
-----BEGIN PGP SIGNATURE-----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=1eSQ
-----END PGP SIGNATURE-----


@ -4,14 +4,15 @@ Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target After=network.target network-online.target nss-lookup.target
[Service] [Service]
Type=forking Type=notify
LimitNOFILE=16384 LimitNOFILE=16384
PIDFile=/run/squid.pid
EnvironmentFile=/etc/sysconfig/squid EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF KillMode=mixed
TimeoutSec=0 NotifyAccess=all
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
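Review bot: `NotifyAccess=all`, on what appears to be the new side, accepts sd_notify messages from every process in the unit's control group, so readiness and status updates are no longer limited to the main PID. The line deserves a comment recording why the narrower `main` setting is not enough, for example `# readiness is reported by a Squid process other than the main PID (confirm), hence NotifyAccess=all`. The reload command also becomes `ExecReload=/usr/bin/kill -HUP $MAINPID`, which no longer passes `$SQUID_OPTS` or `-f`. A short comment that the running master keeps the options it was started with would help the next maintainer. Old and new columns are printed side by side without markers here, so which side the single `PIDFile=` line belongs to cannot be told from this view.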


@ -1,8 +1,8 @@
%define __perl_requires %{SOURCE98} %define __perl_requires %{SOURCE98}
Name: squid Name: squid
Version: 4.4 Version: 4.11
Release: 8%{?dist} Release: 1%{?dist}
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code # See CREDITS for breakdown of non GPLv2+ code
@ -26,23 +26,17 @@ Source98: perl-requires-squid.sh
# Local patches # Local patches
# Applying upstream patches first makes it less likely that local patches # Applying upstream patches first makes it less likely that local patches
# will break upstream ones. # will break upstream ones.
Patch201: squid-4.0.11-config.patch Patch201: squid-4.11-config.patch
Patch202: squid-3.1.0.9-location.patch Patch202: squid-4.11-location.patch
Patch203: squid-3.0.STABLE1-perlpath.patch Patch203: squid-4.11-perlpath.patch
Patch204: squid-3.5.9-include-guards.patch Patch204: squid-4.11-include-guards.patch
Patch205: squid-4.0.21-large-acl.patch Patch205: squid-4.11-large-acl.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=980511 # https://bugzilla.redhat.com/show_bug.cgi?id=980511
Patch206: squid-4.4.0-active-ftp.patch Patch206: squid-4.11-active-ftp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1612524 # https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30
Patch207: squid-4.4.0-man-pages.patch Patch207: squid-4.11-systemd.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1691741
Patch208: squid-4.4.0-lower-cachepeer.patch
# Security fixes # Security fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1729436
Patch500: squid-4.4.0-CVE-2019-13345.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1738485
Patch501: squid-4.4.0-CVE-2019-12527.patch
Requires: bash >= 2.0 Requires: bash >= 2.0
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -72,6 +66,8 @@ BuildRequires: perl-generators
# For test suite # For test suite
BuildRequires: pkgconfig(cppunit) BuildRequires: pkgconfig(cppunit)
BuildRequires: autoconf BuildRequires: autoconf
# systemd notify
BuildRequires: systemd-devel
%description %description
Squid is a high-performance proxy caching server for Web clients, Squid is a high-performance proxy caching server for Web clients,
@ -96,14 +92,10 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch201 -p1 -b .config %patch201 -p1 -b .config
%patch202 -p1 -b .location %patch202 -p1 -b .location
%patch203 -p1 -b .perlpath %patch203 -p1 -b .perlpath
%patch204 -p0 -b .include-guards %patch204 -p1 -b .include-guards
%patch205 -p1 -b .large_acl %patch205 -p1 -b .large_acl
%patch206 -p1 -b .active-ftp %patch206 -p1 -b .active-ftp
%patch207 -p1 -b .man-pages %patch207 -p1 -b .systemd
%patch208 -p1 -b .lower-cachepeer
%patch500 -p1 -b .CVE-2019-13345
%patch501 -p1 -b .CVE-2019-12527
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation # Patch in the vendor documentation and used different location for documentation
@ -320,6 +312,47 @@ fi
%changelog %changelog
* Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
- new version 4.11
- libsystemd integration
- Resolves: #1829467 - squid:4 rebase
- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in
addStackElement allows for a heap buffer overflow and a crash
- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation
in request allows for proxy manipulation
- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction
in url_regex may lead to security bypass
- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host
parameter to cachemgr.cgi which could result in squid behaving in unsecure way
- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation
issues in HTTP Request processing
- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid
acting as reverse-proxy
- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure
issue in FTP Gateway
- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting
issue in HTTP message processing
- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure
issue in HTTP Digest Authentication
- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery
issue in HTTP Request processing
- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation
in URI processor
- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI
processor
- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN
processing
- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization
header causes DoS
* Tue Apr 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-9
- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header
Proxy-Authentication leads to memory corruption
- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon
Digest Authentication nonce replay could lead to remote code execution
- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in
ESIExpression::Evaluate allows for stack buffer overflow
* Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8 * Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8
- Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow - Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
in HttpHeader::getAuth in HttpHeader::getAuth
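Review bot: The new changelog entry for 7:4.11-1 does not record that `Patch500` (CVE-2019-13345) and `Patch501` (CVE-2019-12527) were removed, although their `Patch5xx:` declarations and `%patch500` / `%patch501` applications both disappear in this section. Anyone auditing CVE status from the changelog would want a line such as `- drop CVE-2019-13345 and CVE-2019-12527 patches, fixed upstream in 4.11`, assuming the rebase really carries both fixes; that cannot be verified from this page. The `# Security fixes` heading is now left with nothing beneath it, so a one-line comment that no downstream security patches are currently needed would avoid the impression that something was lost. The spec's changelog continues outside the visible hunk.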