import squid-4.11-2.module+el8.3.0+7248+0d5b508b
This commit is contained in:
parent
6d8247dd32
commit
34994580ae
295
SOURCES/squid-4.11-CVE-2020-14058.patch
Normal file
295
SOURCES/squid-4.11-CVE-2020-14058.patch
Normal file
@ -0,0 +1,295 @@
|
||||
commit 93f5fda134a2a010b84ffedbe833d670e63ba4be
|
||||
Author: Christos Tsantilas <christos@chtsanti.net>
|
||||
Date: 2020-05-15 04:54:54 +0000
|
||||
|
||||
Fix sending of unknown validation errors to cert. validator (#633)
|
||||
|
||||
Squid may be compiled with an OpenSSL release introducing X509
|
||||
validation errors that Squid does not have the names for. Send their
|
||||
integer codes.
|
||||
|
||||
Also sync Squid certificate verification errors with OpenSSL v1.1.1g.
|
||||
|
||||
This is a Measurement Factory project.
|
||||
|
||||
diff --git a/src/format/Format.cc b/src/format/Format.cc
|
||||
index 8c5574b..4b4ad42 100644
|
||||
--- a/src/format/Format.cc
|
||||
+++ b/src/format/Format.cc
|
||||
@@ -322,15 +322,6 @@ log_quoted_string(const char *str, char *out)
|
||||
*p = '\0';
|
||||
}
|
||||
|
||||
-#if USE_OPENSSL
|
||||
-static char *
|
||||
-sslErrorName(Security::ErrorCode err, char *buf, size_t size)
|
||||
-{
|
||||
- snprintf(buf, size, "SSL_ERR=%d", err);
|
||||
- return buf;
|
||||
-}
|
||||
-#endif
|
||||
-
|
||||
/// XXX: Misnamed. TODO: Split <h (and this function) to distinguish received
|
||||
/// headers from sent headers rather than failing to distinguish requests from responses.
|
||||
/// \retval HttpReply sent to the HTTP client (access.log and default context).
|
||||
@@ -959,9 +950,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
|
||||
case LFT_SQUID_ERROR_DETAIL:
|
||||
#if USE_OPENSSL
|
||||
if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) {
|
||||
- out = Ssl::GetErrorName(al->request->errDetail);
|
||||
- if (!out)
|
||||
- out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp));
|
||||
+ out = Ssl::GetErrorName(al->request->errDetail, true);
|
||||
} else
|
||||
#endif
|
||||
if (al->request && al->request->errDetail != ERR_DETAIL_NONE) {
|
||||
@@ -1263,10 +1252,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
|
||||
for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError; sslError = sslError->next) {
|
||||
if (!sb.isEmpty())
|
||||
sb.append(separator);
|
||||
- if (const char *errorName = Ssl::GetErrorName(sslError->element.code))
|
||||
- sb.append(errorName);
|
||||
- else
|
||||
- sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp)));
|
||||
+ sb.append(Ssl::GetErrorName(sslError->element.code, true));
|
||||
if (sslError->element.depth >= 0)
|
||||
sb.appendf("@depth=%d", sslError->element.depth);
|
||||
}
|
||||
diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
|
||||
index ddd61fd..00eb0e2 100644
|
||||
--- a/src/ssl/ErrorDetail.cc
|
||||
+++ b/src/ssl/ErrorDetail.cc
|
||||
@@ -233,6 +233,9 @@ static SslErrorEntry TheSslErrorArray[] = {
|
||||
"X509_V_ERR_SUBTREE_MINMAX"
|
||||
},
|
||||
#endif
|
||||
+ { X509_V_ERR_APPLICATION_VERIFICATION, //50
|
||||
+ "X509_V_ERR_APPLICATION_VERIFICATION"
|
||||
+ },
|
||||
#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)
|
||||
{
|
||||
X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51
|
||||
@@ -257,9 +260,132 @@ static SslErrorEntry TheSslErrorArray[] = {
|
||||
"X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
|
||||
},
|
||||
#endif
|
||||
- { X509_V_ERR_APPLICATION_VERIFICATION,
|
||||
- "X509_V_ERR_APPLICATION_VERIFICATION"
|
||||
+#if defined(X509_V_ERR_PATH_LOOP)
|
||||
+ {
|
||||
+ X509_V_ERR_PATH_LOOP, //55
|
||||
+ "X509_V_ERR_PATH_LOOP"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
|
||||
+ {
|
||||
+ X509_V_ERR_SUITE_B_INVALID_VERSION, //56
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_VERSION"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_SUITE_B_INVALID_ALGORITHM)
|
||||
+ {
|
||||
+ X509_V_ERR_SUITE_B_INVALID_ALGORITHM, //57
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_SUITE_B_INVALID_CURVE)
|
||||
+ {
|
||||
+ X509_V_ERR_SUITE_B_INVALID_CURVE, //58
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_CURVE"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM)
|
||||
+ {
|
||||
+ X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM, //59
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED)
|
||||
+ {
|
||||
+ X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED, //60
|
||||
+ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256)
|
||||
+ {
|
||||
+ X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256, //61
|
||||
+ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
|
||||
+ {
|
||||
+ X509_V_ERR_HOSTNAME_MISMATCH, //62
|
||||
+ "X509_V_ERR_HOSTNAME_MISMATCH"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_EMAIL_MISMATCH)
|
||||
+ {
|
||||
+ X509_V_ERR_EMAIL_MISMATCH, //63
|
||||
+ "X509_V_ERR_EMAIL_MISMATCH"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_IP_ADDRESS_MISMATCH)
|
||||
+ {
|
||||
+ X509_V_ERR_IP_ADDRESS_MISMATCH, //64
|
||||
+ "X509_V_ERR_IP_ADDRESS_MISMATCH"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_DANE_NO_MATCH)
|
||||
+ {
|
||||
+ X509_V_ERR_DANE_NO_MATCH, //65
|
||||
+ "X509_V_ERR_DANE_NO_MATCH"
|
||||
},
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
|
||||
+ {
|
||||
+ X509_V_ERR_EE_KEY_TOO_SMALL, //66
|
||||
+ "X509_V_ERR_EE_KEY_TOO_SMALL"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_CA_KEY_TOO_SMALL)
|
||||
+ {
|
||||
+ X509_V_ERR_CA_KEY_TOO_SMALL, //67
|
||||
+ "X509_V_ERR_CA_KEY_TOO_SMALL"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_CA_MD_TOO_WEAK)
|
||||
+ {
|
||||
+ X509_V_ERR_CA_MD_TOO_WEAK, //68
|
||||
+ "X509_V_ERR_CA_MD_TOO_WEAK"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_INVALID_CALL)
|
||||
+ {
|
||||
+ X509_V_ERR_INVALID_CALL, //69
|
||||
+ "X509_V_ERR_INVALID_CALL"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_STORE_LOOKUP)
|
||||
+ {
|
||||
+ X509_V_ERR_STORE_LOOKUP, //70
|
||||
+ "X509_V_ERR_STORE_LOOKUP"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_NO_VALID_SCTS)
|
||||
+ {
|
||||
+ X509_V_ERR_NO_VALID_SCTS, //71
|
||||
+ "X509_V_ERR_NO_VALID_SCTS"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
|
||||
+ {
|
||||
+ X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION, //72
|
||||
+ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
|
||||
+ {
|
||||
+ X509_V_ERR_OCSP_VERIFY_NEEDED, //73
|
||||
+ "X509_V_ERR_OCSP_VERIFY_NEEDED"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_OCSP_VERIFY_FAILED)
|
||||
+ {
|
||||
+ X509_V_ERR_OCSP_VERIFY_FAILED, //74
|
||||
+ "X509_V_ERR_OCSP_VERIFY_FAILED"
|
||||
+ },
|
||||
+#endif
|
||||
+#if defined(X509_V_ERR_OCSP_CERT_UNKNOWN)
|
||||
+ {
|
||||
+ X509_V_ERR_OCSP_CERT_UNKNOWN, //75
|
||||
+ "X509_V_ERR_OCSP_CERT_UNKNOWN"
|
||||
+ },
|
||||
+#endif
|
||||
{ SSL_ERROR_NONE, "SSL_ERROR_NONE"},
|
||||
{SSL_ERROR_NONE, NULL}
|
||||
};
|
||||
@@ -286,6 +412,27 @@ static const char *OptionalSslErrors[] = {
|
||||
"X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",
|
||||
"X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",
|
||||
"X509_V_ERR_CRL_PATH_VALIDATION_ERROR",
|
||||
+ "X509_V_ERR_PATH_LOOP",
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_VERSION",
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM",
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_CURVE",
|
||||
+ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM",
|
||||
+ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED",
|
||||
+ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256",
|
||||
+ "X509_V_ERR_HOSTNAME_MISMATCH",
|
||||
+ "X509_V_ERR_EMAIL_MISMATCH",
|
||||
+ "X509_V_ERR_IP_ADDRESS_MISMATCH",
|
||||
+ "X509_V_ERR_DANE_NO_MATCH",
|
||||
+ "X509_V_ERR_EE_KEY_TOO_SMALL",
|
||||
+ "X509_V_ERR_CA_KEY_TOO_SMALL",
|
||||
+ "X509_V_ERR_CA_MD_TOO_WEAK",
|
||||
+ "X509_V_ERR_INVALID_CALL",
|
||||
+ "X509_V_ERR_STORE_LOOKUP",
|
||||
+ "X509_V_ERR_NO_VALID_SCTS",
|
||||
+ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION",
|
||||
+ "X509_V_ERR_OCSP_VERIFY_NEEDED",
|
||||
+ "X509_V_ERR_OCSP_VERIFY_FAILED",
|
||||
+ "X509_V_ERR_OCSP_CERT_UNKNOWN",
|
||||
NULL
|
||||
};
|
||||
|
||||
@@ -390,7 +537,7 @@ Ssl::ParseErrorString(const char *name, Security::Errors &errors)
|
||||
return false; // not reached
|
||||
}
|
||||
|
||||
-const char *Ssl::GetErrorName(Security::ErrorCode value)
|
||||
+const char *Ssl::GetErrorName(Security::ErrorCode value, const bool prefixRawCode)
|
||||
{
|
||||
if (TheSslErrors.empty())
|
||||
loadSslErrorMap();
|
||||
@@ -399,7 +546,9 @@ const char *Ssl::GetErrorName(Security::ErrorCode value)
|
||||
if (it != TheSslErrors.end())
|
||||
return it->second->name;
|
||||
|
||||
- return NULL;
|
||||
+ static char tmpBuffer[128];
|
||||
+ snprintf(tmpBuffer, sizeof(tmpBuffer), "%s%d", prefixRawCode ? "SSL_ERR=" : "", (int)value);
|
||||
+ return tmpBuffer;
|
||||
}
|
||||
|
||||
bool
|
||||
@@ -529,21 +678,14 @@ const char *Ssl::ErrorDetail::notafter() const
|
||||
*/
|
||||
const char *Ssl::ErrorDetail::err_code() const
|
||||
{
|
||||
- static char tmpBuffer[64];
|
||||
// We can use the GetErrorName but using the detailEntry is faster,
|
||||
// so try it first.
|
||||
- const char *err = detailEntry.name.termedBuf();
|
||||
+ if (const char *err = detailEntry.name.termedBuf())
|
||||
+ return err;
|
||||
|
||||
// error details not loaded yet or not defined in error_details.txt,
|
||||
// try the GetErrorName...
|
||||
- if (!err)
|
||||
- err = GetErrorName(error_no);
|
||||
-
|
||||
- if (!err) {
|
||||
- snprintf(tmpBuffer, 64, "%d", (int)error_no);
|
||||
- err = tmpBuffer;
|
||||
- }
|
||||
- return err;
|
||||
+ return GetErrorName(error_no);
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h
|
||||
index 48dc405..0eec0a9 100644
|
||||
--- a/src/ssl/ErrorDetail.h
|
||||
+++ b/src/ssl/ErrorDetail.h
|
||||
@@ -26,8 +26,9 @@ bool ParseErrorString(const char *name, Security::Errors &);
|
||||
/// The Security::ErrorCode code of the error described by "name".
|
||||
Security::ErrorCode GetErrorCode(const char *name);
|
||||
|
||||
-/// The string representation of the TLS error "value"
|
||||
-const char *GetErrorName(Security::ErrorCode value);
|
||||
+/// \return string representation of a known TLS error (or a raw error code)
|
||||
+/// \param prefixRawCode whether to prefix raw codes with "SSL_ERR="
|
||||
+const char *GetErrorName(Security::ErrorCode value, const bool prefixRawCode = false);
|
||||
|
||||
/// A short description of the TLS error "value"
|
||||
const char *GetErrorDescr(Security::ErrorCode value);
|
105
SOURCES/squid-4.11-CVE-2020-15049.patch
Normal file
105
SOURCES/squid-4.11-CVE-2020-15049.patch
Normal file
@ -0,0 +1,105 @@
|
||||
commit ea12a34d338b962707d5078d6d1fc7c6eb119a22
|
||||
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
||||
Date: 2020-05-13 14:05:00 +0000
|
||||
|
||||
Validate Content-Length value prefix (#629)
|
||||
|
||||
The new code detects all invalid Content-Length prefixes but the old
|
||||
code was already rejecting most invalid prefixes using strtoll(). The
|
||||
newly covered (and now rejected) invalid characters are
|
||||
|
||||
* explicit "+" sign;
|
||||
* explicit "-" sign in "-0" values;
|
||||
* isspace(3) characters that are not (relaxed) OWS characters.
|
||||
|
||||
In most deployment environments, the last set is probably empty because
|
||||
the relaxed OWS set has all the POSIX/C isspace(3) characters but the
|
||||
new line, and the new line is unlikely to sneak in past other checks.
|
||||
|
||||
Thank you, Amit Klein <amit.klein@safebreach.com>, for elevating the
|
||||
importance of this 2016 TODO (added in commit a1b9ec2).
|
||||
|
||||
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
|
||||
index 36957f2..c10a221 100644
|
||||
--- a/CONTRIBUTORS
|
||||
+++ b/CONTRIBUTORS
|
||||
@@ -25,6 +25,7 @@ Thank you!
|
||||
Alex Wu <alex_wu2012@hotmail.com>
|
||||
Alin Nastac <mrness@gentoo.org>
|
||||
Alter <alter@alter.org.ua>
|
||||
+ Amit Klein <amit.klein@safebreach.com>
|
||||
Amos Jeffries
|
||||
Amos Jeffries <amosjeffries@squid-cache.org>
|
||||
Amos Jeffries <squid3@treenet.co.nz>
|
||||
diff --git a/src/http/ContentLengthInterpreter.cc b/src/http/ContentLengthInterpreter.cc
|
||||
index 3fdf7de..a3741eb 100644
|
||||
--- a/src/http/ContentLengthInterpreter.cc
|
||||
+++ b/src/http/ContentLengthInterpreter.cc
|
||||
@@ -28,6 +28,24 @@ Http::ContentLengthInterpreter::ContentLengthInterpreter(const int aDebugLevel):
|
||||
{
|
||||
}
|
||||
|
||||
+/// checks whether all characters before the Content-Length number are allowed
|
||||
+/// \returns the start of the digit sequence (or nil on errors)
|
||||
+const char *
|
||||
+Http::ContentLengthInterpreter::findDigits(const char *prefix, const char * const valueEnd) const
|
||||
+{
|
||||
+ // skip leading OWS in RFC 7230's `OWS field-value OWS`
|
||||
+ const CharacterSet &whitespace = Http::One::Parser::WhitespaceCharacters();
|
||||
+ while (prefix < valueEnd) {
|
||||
+ const auto ch = *prefix;
|
||||
+ if (CharacterSet::DIGIT[ch])
|
||||
+ return prefix; // common case: a pre-trimmed field value
|
||||
+ if (!whitespace[ch])
|
||||
+ return nullptr; // (trimmed) length does not start with a digit
|
||||
+ ++prefix;
|
||||
+ }
|
||||
+ return nullptr; // empty or whitespace-only value
|
||||
+}
|
||||
+
|
||||
/// checks whether all characters after the Content-Length are allowed
|
||||
bool
|
||||
Http::ContentLengthInterpreter::goodSuffix(const char *suffix, const char * const end) const
|
||||
@@ -52,10 +70,19 @@ Http::ContentLengthInterpreter::checkValue(const char *rawValue, const int value
|
||||
{
|
||||
Must(!sawBad);
|
||||
|
||||
+ const auto valueEnd = rawValue + valueSize;
|
||||
+
|
||||
+ const auto digits = findDigits(rawValue, valueEnd);
|
||||
+ if (!digits) {
|
||||
+ debugs(55, debugLevel, "WARNING: Leading garbage or empty value in" << Raw("Content-Length", rawValue, valueSize));
|
||||
+ sawBad = true;
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
int64_t latestValue = -1;
|
||||
char *suffix = nullptr;
|
||||
- // TODO: Handle malformed values with leading signs (e.g., "-0" or "+1").
|
||||
- if (!httpHeaderParseOffset(rawValue, &latestValue, &suffix)) {
|
||||
+
|
||||
+ if (!httpHeaderParseOffset(digits, &latestValue, &suffix)) {
|
||||
debugs(55, DBG_IMPORTANT, "WARNING: Malformed" << Raw("Content-Length", rawValue, valueSize));
|
||||
sawBad = true;
|
||||
return false;
|
||||
@@ -68,7 +95,7 @@ Http::ContentLengthInterpreter::checkValue(const char *rawValue, const int value
|
||||
}
|
||||
|
||||
// check for garbage after the number
|
||||
- if (!goodSuffix(suffix, rawValue + valueSize)) {
|
||||
+ if (!goodSuffix(suffix, valueEnd)) {
|
||||
debugs(55, debugLevel, "WARNING: Trailing garbage in" << Raw("Content-Length", rawValue, valueSize));
|
||||
sawBad = true;
|
||||
return false;
|
||||
diff --git a/src/http/ContentLengthInterpreter.h b/src/http/ContentLengthInterpreter.h
|
||||
index ce36e22..f22de91 100644
|
||||
--- a/src/http/ContentLengthInterpreter.h
|
||||
+++ b/src/http/ContentLengthInterpreter.h
|
||||
@@ -46,6 +46,7 @@ public:
|
||||
bool sawGood;
|
||||
|
||||
protected:
|
||||
+ const char *findDigits(const char *prefix, const char *valueEnd) const;
|
||||
bool goodSuffix(const char *suffix, const char * const end) const;
|
||||
bool checkValue(const char *start, const int size);
|
||||
bool checkList(const String &list);
|
145
SOURCES/squid-4.11-convert-ipv4.patch
Normal file
145
SOURCES/squid-4.11-convert-ipv4.patch
Normal file
@ -0,0 +1,145 @@
|
||||
From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001
|
||||
From: Amos Jeffries <yadij@users.noreply.github.com>
|
||||
Date: Thu, 7 Mar 2019 13:50:38 +0000
|
||||
Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379)
|
||||
|
||||
... when reaching client_ip_max_connections
|
||||
|
||||
The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar
|
||||
details later on (they do not exist for [::]).
|
||||
|
||||
Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced.
|
||||
---
|
||||
src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++---------------------
|
||||
1 file changed, 39 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
|
||||
index cae92a7b1e..2109913008 100644
|
||||
--- a/src/comm/TcpAcceptor.cc
|
||||
+++ b/src/comm/TcpAcceptor.cc
|
||||
@@ -282,16 +282,7 @@ Comm::TcpAcceptor::acceptOne()
|
||||
ConnectionPointer newConnDetails = new Connection();
|
||||
const Comm::Flag flag = oldAccept(newConnDetails);
|
||||
|
||||
- /* Check for errors */
|
||||
- if (!newConnDetails->isOpen()) {
|
||||
-
|
||||
- if (flag == Comm::NOMESSAGE) {
|
||||
- /* register interest again */
|
||||
- debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub);
|
||||
- SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
+ if (flag == Comm::COMM_ERROR) {
|
||||
// A non-recoverable error; notify the caller */
|
||||
debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub);
|
||||
if (intendedForUserConnections())
|
||||
@@ -301,12 +292,16 @@ Comm::TcpAcceptor::acceptOne()
|
||||
return;
|
||||
}
|
||||
|
||||
- newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted);
|
||||
+ if (flag == Comm::NOMESSAGE) {
|
||||
+ /* register interest again */
|
||||
+ debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub);
|
||||
+ } else {
|
||||
+ debugs(5, 5, "Listener: " << conn <<
|
||||
+ " accepted new connection " << newConnDetails <<
|
||||
+ " handler Subscription: " << theCallSub);
|
||||
+ notify(flag, newConnDetails);
|
||||
+ }
|
||||
|
||||
- debugs(5, 5, HERE << "Listener: " << conn <<
|
||||
- " accepted new connection " << newConnDetails <<
|
||||
- " handler Subscription: " << theCallSub);
|
||||
- notify(flag, newConnDetails);
|
||||
SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
|
||||
}
|
||||
|
||||
@@ -346,8 +341,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer &
|
||||
*
|
||||
* \retval Comm::OK success. details parameter filled.
|
||||
* \retval Comm::NOMESSAGE attempted accept() but nothing useful came in.
|
||||
- * \retval Comm::COMM_ERROR an outright failure occurred.
|
||||
* Or this client has too many connections already.
|
||||
+ * \retval Comm::COMM_ERROR an outright failure occurred.
|
||||
*/
|
||||
Comm::Flag
|
||||
Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||
@@ -382,15 +377,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||
details->fd = sock;
|
||||
details->remote = *gai;
|
||||
|
||||
- if ( Config.client_ip_max_connections >= 0) {
|
||||
- if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
|
||||
- debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
|
||||
- Ip::Address::FreeAddr(gai);
|
||||
- PROF_stop(comm_accept);
|
||||
- return Comm::COMM_ERROR;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
// lookup the local-end details of this new connection
|
||||
Ip::Address::InitAddr(gai);
|
||||
details->local.setEmpty();
|
||||
@@ -404,6 +390,34 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||
details->local = *gai;
|
||||
Ip::Address::FreeAddr(gai);
|
||||
|
||||
+ // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses
|
||||
+ if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) {
|
||||
+ debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details);
|
||||
+ // Failed.
|
||||
+ PROF_stop(comm_accept);
|
||||
+ return Comm::COMM_ERROR;
|
||||
+ }
|
||||
+
|
||||
+#if USE_SQUID_EUI
|
||||
+ if (Eui::TheConfig.euiLookup) {
|
||||
+ if (details->remote.isIPv4()) {
|
||||
+ details->remoteEui48.lookup(details->remote);
|
||||
+ } else if (details->remote.isIPv6()) {
|
||||
+ details->remoteEui64.lookup(details->remote);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted);
|
||||
+
|
||||
+ if (Config.client_ip_max_connections >= 0) {
|
||||
+ if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
|
||||
+ debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
|
||||
+ PROF_stop(comm_accept);
|
||||
+ return Comm::NOMESSAGE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* fdstat update */
|
||||
// XXX : these are not all HTTP requests. use a note about type and ip:port details->
|
||||
// so we end up with a uniform "(HTTP|FTP-data|HTTPS|...) remote-ip:remote-port"
|
||||
@@ -425,24 +439,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||
/* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
|
||||
F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
|
||||
|
||||
- // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses
|
||||
- if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) {
|
||||
- debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details);
|
||||
- // Failed.
|
||||
- PROF_stop(comm_accept);
|
||||
- return Comm::COMM_ERROR;
|
||||
- }
|
||||
-
|
||||
-#if USE_SQUID_EUI
|
||||
- if (Eui::TheConfig.euiLookup) {
|
||||
- if (details->remote.isIPv4()) {
|
||||
- details->remoteEui48.lookup(details->remote);
|
||||
- } else if (details->remote.isIPv6()) {
|
||||
- details->remoteEui64.lookup(details->remote);
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
PROF_stop(comm_accept);
|
||||
return Comm::OK;
|
||||
}
|
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 4.11
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -35,8 +35,13 @@ Patch205: squid-4.11-large-acl.patch
|
||||
Patch206: squid-4.11-active-ftp.patch
|
||||
# https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30
|
||||
Patch207: squid-4.11-systemd.patch
|
||||
Patch208: squid-4.11-convert-ipv4.patch
|
||||
|
||||
# Security fixes
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1852554
|
||||
Patch500: squid-4.11-CVE-2020-14058.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1852550
|
||||
Patch501: squid-4.11-CVE-2020-15049.patch
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
@ -96,6 +101,11 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
%patch205 -p1 -b .large_acl
|
||||
%patch206 -p1 -b .active-ftp
|
||||
%patch207 -p1 -b .systemd
|
||||
%patch208 -p1 -R -b .convert-ipv4
|
||||
|
||||
# Security patches
|
||||
%patch500 -p1 -b .cve-2020-14058
|
||||
%patch501 -p1 -b .cve-2020-15049
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
@ -312,6 +322,11 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 02 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-2
|
||||
- Resolves: #1853130 - CVE-2020-15049 squid:4/squid: request smuggling and
|
||||
poisoning attack against the HTTP cache
|
||||
- Resolves: #1853136 - CVE-2020-14058 squid:4/squid: DoS in TLS handshake
|
||||
|
||||
* Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
|
||||
- new version 4.11
|
||||
- libsystemd integration
|
||||
|
Loading…
Reference in New Issue
Block a user