diff --git a/SOURCES/squid-4.11-CVE-2020-14058.patch b/SOURCES/squid-4.11-CVE-2020-14058.patch new file mode 100644 index 0000000..1567477 --- /dev/null +++ b/SOURCES/squid-4.11-CVE-2020-14058.patch @@ -0,0 +1,295 @@ +commit 93f5fda134a2a010b84ffedbe833d670e63ba4be +Author: Christos Tsantilas +Date: 2020-05-15 04:54:54 +0000 + + Fix sending of unknown validation errors to cert. validator (#633) + + Squid may be compiled with an OpenSSL release introducing X509 + validation errors that Squid does not have the names for. Send their + integer codes. + + Also sync Squid certificate verification errors with OpenSSL v1.1.1g. + + This is a Measurement Factory project. + +diff --git a/src/format/Format.cc b/src/format/Format.cc +index 8c5574b..4b4ad42 100644 +--- a/src/format/Format.cc ++++ b/src/format/Format.cc +@@ -322,15 +322,6 @@ log_quoted_string(const char *str, char *out) + *p = '\0'; + } + +-#if USE_OPENSSL +-static char * +-sslErrorName(Security::ErrorCode err, char *buf, size_t size) +-{ +- snprintf(buf, size, "SSL_ERR=%d", err); +- return buf; +-} +-#endif +- + /// XXX: Misnamed. TODO: Split request && al->request->errType == ERR_SECURE_CONNECT_FAIL) { +- out = Ssl::GetErrorName(al->request->errDetail); +- if (!out) +- out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp)); ++ out = Ssl::GetErrorName(al->request->errDetail, true); + } else + #endif + if (al->request && al->request->errDetail != ERR_DETAIL_NONE) { +@@ -1263,10 +1252,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS + for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError; sslError = sslError->next) { + if (!sb.isEmpty()) + sb.append(separator); +- if (const char *errorName = Ssl::GetErrorName(sslError->element.code)) +- sb.append(errorName); +- else +- sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp))); ++ sb.append(Ssl::GetErrorName(sslError->element.code, true)); + if (sslError->element.depth >= 0) + sb.appendf("@depth=%d", sslError->element.depth); + } +diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc +index ddd61fd..00eb0e2 100644 +--- a/src/ssl/ErrorDetail.cc ++++ b/src/ssl/ErrorDetail.cc +@@ -233,6 +233,9 @@ static SslErrorEntry TheSslErrorArray[] = { + "X509_V_ERR_SUBTREE_MINMAX" + }, + #endif ++ { X509_V_ERR_APPLICATION_VERIFICATION, //50 ++ "X509_V_ERR_APPLICATION_VERIFICATION" ++ }, + #if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE) + { + X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51 +@@ -257,9 +260,132 @@ static SslErrorEntry TheSslErrorArray[] = { + "X509_V_ERR_CRL_PATH_VALIDATION_ERROR" + }, + #endif +- { X509_V_ERR_APPLICATION_VERIFICATION, +- "X509_V_ERR_APPLICATION_VERIFICATION" ++#if defined(X509_V_ERR_PATH_LOOP) ++ { ++ X509_V_ERR_PATH_LOOP, //55 ++ "X509_V_ERR_PATH_LOOP" ++ }, ++#endif ++#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION) ++ { ++ X509_V_ERR_SUITE_B_INVALID_VERSION, //56 ++ "X509_V_ERR_SUITE_B_INVALID_VERSION" ++ }, ++#endif ++#if defined(X509_V_ERR_SUITE_B_INVALID_ALGORITHM) ++ { ++ X509_V_ERR_SUITE_B_INVALID_ALGORITHM, //57 ++ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM" ++ }, ++#endif ++#if defined(X509_V_ERR_SUITE_B_INVALID_CURVE) ++ { ++ X509_V_ERR_SUITE_B_INVALID_CURVE, //58 ++ "X509_V_ERR_SUITE_B_INVALID_CURVE" ++ }, ++#endif ++#if defined(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM) ++ { ++ X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM, //59 ++ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM" ++ }, ++#endif ++#if defined(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) ++ { ++ X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED, //60 ++ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED" ++ }, ++#endif ++#if defined(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256) ++ { ++ X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256, //61 ++ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256" ++ }, ++#endif ++#if defined(X509_V_ERR_HOSTNAME_MISMATCH) ++ { ++ X509_V_ERR_HOSTNAME_MISMATCH, //62 ++ "X509_V_ERR_HOSTNAME_MISMATCH" ++ }, ++#endif ++#if defined(X509_V_ERR_EMAIL_MISMATCH) ++ { ++ X509_V_ERR_EMAIL_MISMATCH, //63 ++ "X509_V_ERR_EMAIL_MISMATCH" ++ }, ++#endif ++#if defined(X509_V_ERR_IP_ADDRESS_MISMATCH) ++ { ++ X509_V_ERR_IP_ADDRESS_MISMATCH, //64 ++ "X509_V_ERR_IP_ADDRESS_MISMATCH" ++ }, ++#endif ++#if defined(X509_V_ERR_DANE_NO_MATCH) ++ { ++ X509_V_ERR_DANE_NO_MATCH, //65 ++ "X509_V_ERR_DANE_NO_MATCH" + }, ++#endif ++#if defined(X509_V_ERR_EE_KEY_TOO_SMALL) ++ { ++ X509_V_ERR_EE_KEY_TOO_SMALL, //66 ++ "X509_V_ERR_EE_KEY_TOO_SMALL" ++ }, ++#endif ++#if defined(X509_V_ERR_CA_KEY_TOO_SMALL) ++ { ++ X509_V_ERR_CA_KEY_TOO_SMALL, //67 ++ "X509_V_ERR_CA_KEY_TOO_SMALL" ++ }, ++#endif ++#if defined(X509_V_ERR_CA_MD_TOO_WEAK) ++ { ++ X509_V_ERR_CA_MD_TOO_WEAK, //68 ++ "X509_V_ERR_CA_MD_TOO_WEAK" ++ }, ++#endif ++#if defined(X509_V_ERR_INVALID_CALL) ++ { ++ X509_V_ERR_INVALID_CALL, //69 ++ "X509_V_ERR_INVALID_CALL" ++ }, ++#endif ++#if defined(X509_V_ERR_STORE_LOOKUP) ++ { ++ X509_V_ERR_STORE_LOOKUP, //70 ++ "X509_V_ERR_STORE_LOOKUP" ++ }, ++#endif ++#if defined(X509_V_ERR_NO_VALID_SCTS) ++ { ++ X509_V_ERR_NO_VALID_SCTS, //71 ++ "X509_V_ERR_NO_VALID_SCTS" ++ }, ++#endif ++#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) ++ { ++ X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION, //72 ++ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION" ++ }, ++#endif ++#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) ++ { ++ X509_V_ERR_OCSP_VERIFY_NEEDED, //73 ++ "X509_V_ERR_OCSP_VERIFY_NEEDED" ++ }, ++#endif ++#if defined(X509_V_ERR_OCSP_VERIFY_FAILED) ++ { ++ X509_V_ERR_OCSP_VERIFY_FAILED, //74 ++ "X509_V_ERR_OCSP_VERIFY_FAILED" ++ }, ++#endif ++#if defined(X509_V_ERR_OCSP_CERT_UNKNOWN) ++ { ++ X509_V_ERR_OCSP_CERT_UNKNOWN, //75 ++ "X509_V_ERR_OCSP_CERT_UNKNOWN" ++ }, ++#endif + { SSL_ERROR_NONE, "SSL_ERROR_NONE"}, + {SSL_ERROR_NONE, NULL} + }; +@@ -286,6 +412,27 @@ static const char *OptionalSslErrors[] = { + "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX", + "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX", + "X509_V_ERR_CRL_PATH_VALIDATION_ERROR", ++ "X509_V_ERR_PATH_LOOP", ++ "X509_V_ERR_SUITE_B_INVALID_VERSION", ++ "X509_V_ERR_SUITE_B_INVALID_ALGORITHM", ++ "X509_V_ERR_SUITE_B_INVALID_CURVE", ++ "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM", ++ "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED", ++ "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256", ++ "X509_V_ERR_HOSTNAME_MISMATCH", ++ "X509_V_ERR_EMAIL_MISMATCH", ++ "X509_V_ERR_IP_ADDRESS_MISMATCH", ++ "X509_V_ERR_DANE_NO_MATCH", ++ "X509_V_ERR_EE_KEY_TOO_SMALL", ++ "X509_V_ERR_CA_KEY_TOO_SMALL", ++ "X509_V_ERR_CA_MD_TOO_WEAK", ++ "X509_V_ERR_INVALID_CALL", ++ "X509_V_ERR_STORE_LOOKUP", ++ "X509_V_ERR_NO_VALID_SCTS", ++ "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION", ++ "X509_V_ERR_OCSP_VERIFY_NEEDED", ++ "X509_V_ERR_OCSP_VERIFY_FAILED", ++ "X509_V_ERR_OCSP_CERT_UNKNOWN", + NULL + }; + +@@ -390,7 +537,7 @@ Ssl::ParseErrorString(const char *name, Security::Errors &errors) + return false; // not reached + } + +-const char *Ssl::GetErrorName(Security::ErrorCode value) ++const char *Ssl::GetErrorName(Security::ErrorCode value, const bool prefixRawCode) + { + if (TheSslErrors.empty()) + loadSslErrorMap(); +@@ -399,7 +546,9 @@ const char *Ssl::GetErrorName(Security::ErrorCode value) + if (it != TheSslErrors.end()) + return it->second->name; + +- return NULL; ++ static char tmpBuffer[128]; ++ snprintf(tmpBuffer, sizeof(tmpBuffer), "%s%d", prefixRawCode ? "SSL_ERR=" : "", (int)value); ++ return tmpBuffer; + } + + bool +@@ -529,21 +678,14 @@ const char *Ssl::ErrorDetail::notafter() const + */ + const char *Ssl::ErrorDetail::err_code() const + { +- static char tmpBuffer[64]; + // We can use the GetErrorName but using the detailEntry is faster, + // so try it first. +- const char *err = detailEntry.name.termedBuf(); ++ if (const char *err = detailEntry.name.termedBuf()) ++ return err; + + // error details not loaded yet or not defined in error_details.txt, + // try the GetErrorName... +- if (!err) +- err = GetErrorName(error_no); +- +- if (!err) { +- snprintf(tmpBuffer, 64, "%d", (int)error_no); +- err = tmpBuffer; +- } +- return err; ++ return GetErrorName(error_no); + } + + /** +diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h +index 48dc405..0eec0a9 100644 +--- a/src/ssl/ErrorDetail.h ++++ b/src/ssl/ErrorDetail.h +@@ -26,8 +26,9 @@ bool ParseErrorString(const char *name, Security::Errors &); + /// The Security::ErrorCode code of the error described by "name". + Security::ErrorCode GetErrorCode(const char *name); + +-/// The string representation of the TLS error "value" +-const char *GetErrorName(Security::ErrorCode value); ++/// \return string representation of a known TLS error (or a raw error code) ++/// \param prefixRawCode whether to prefix raw codes with "SSL_ERR=" ++const char *GetErrorName(Security::ErrorCode value, const bool prefixRawCode = false); + + /// A short description of the TLS error "value" + const char *GetErrorDescr(Security::ErrorCode value); diff --git a/SOURCES/squid-4.11-CVE-2020-15049.patch b/SOURCES/squid-4.11-CVE-2020-15049.patch new file mode 100644 index 0000000..5f7151d --- /dev/null +++ b/SOURCES/squid-4.11-CVE-2020-15049.patch @@ -0,0 +1,105 @@ +commit ea12a34d338b962707d5078d6d1fc7c6eb119a22 +Author: Alex Rousskov +Date: 2020-05-13 14:05:00 +0000 + + Validate Content-Length value prefix (#629) + + The new code detects all invalid Content-Length prefixes but the old + code was already rejecting most invalid prefixes using strtoll(). The + newly covered (and now rejected) invalid characters are + + * explicit "+" sign; + * explicit "-" sign in "-0" values; + * isspace(3) characters that are not (relaxed) OWS characters. + + In most deployment environments, the last set is probably empty because + the relaxed OWS set has all the POSIX/C isspace(3) characters but the + new line, and the new line is unlikely to sneak in past other checks. + + Thank you, Amit Klein , for elevating the + importance of this 2016 TODO (added in commit a1b9ec2). + +diff --git a/CONTRIBUTORS b/CONTRIBUTORS +index 36957f2..c10a221 100644 +--- a/CONTRIBUTORS ++++ b/CONTRIBUTORS +@@ -25,6 +25,7 @@ Thank you! + Alex Wu + Alin Nastac + Alter ++ Amit Klein + Amos Jeffries + Amos Jeffries + Amos Jeffries +diff --git a/src/http/ContentLengthInterpreter.cc b/src/http/ContentLengthInterpreter.cc +index 3fdf7de..a3741eb 100644 +--- a/src/http/ContentLengthInterpreter.cc ++++ b/src/http/ContentLengthInterpreter.cc +@@ -28,6 +28,24 @@ Http::ContentLengthInterpreter::ContentLengthInterpreter(const int aDebugLevel): + { + } + ++/// checks whether all characters before the Content-Length number are allowed ++/// \returns the start of the digit sequence (or nil on errors) ++const char * ++Http::ContentLengthInterpreter::findDigits(const char *prefix, const char * const valueEnd) const ++{ ++ // skip leading OWS in RFC 7230's `OWS field-value OWS` ++ const CharacterSet &whitespace = Http::One::Parser::WhitespaceCharacters(); ++ while (prefix < valueEnd) { ++ const auto ch = *prefix; ++ if (CharacterSet::DIGIT[ch]) ++ return prefix; // common case: a pre-trimmed field value ++ if (!whitespace[ch]) ++ return nullptr; // (trimmed) length does not start with a digit ++ ++prefix; ++ } ++ return nullptr; // empty or whitespace-only value ++} ++ + /// checks whether all characters after the Content-Length are allowed + bool + Http::ContentLengthInterpreter::goodSuffix(const char *suffix, const char * const end) const +@@ -52,10 +70,19 @@ Http::ContentLengthInterpreter::checkValue(const char *rawValue, const int value + { + Must(!sawBad); + ++ const auto valueEnd = rawValue + valueSize; ++ ++ const auto digits = findDigits(rawValue, valueEnd); ++ if (!digits) { ++ debugs(55, debugLevel, "WARNING: Leading garbage or empty value in" << Raw("Content-Length", rawValue, valueSize)); ++ sawBad = true; ++ return false; ++ } ++ + int64_t latestValue = -1; + char *suffix = nullptr; +- // TODO: Handle malformed values with leading signs (e.g., "-0" or "+1"). +- if (!httpHeaderParseOffset(rawValue, &latestValue, &suffix)) { ++ ++ if (!httpHeaderParseOffset(digits, &latestValue, &suffix)) { + debugs(55, DBG_IMPORTANT, "WARNING: Malformed" << Raw("Content-Length", rawValue, valueSize)); + sawBad = true; + return false; +@@ -68,7 +95,7 @@ Http::ContentLengthInterpreter::checkValue(const char *rawValue, const int value + } + + // check for garbage after the number +- if (!goodSuffix(suffix, rawValue + valueSize)) { ++ if (!goodSuffix(suffix, valueEnd)) { + debugs(55, debugLevel, "WARNING: Trailing garbage in" << Raw("Content-Length", rawValue, valueSize)); + sawBad = true; + return false; +diff --git a/src/http/ContentLengthInterpreter.h b/src/http/ContentLengthInterpreter.h +index ce36e22..f22de91 100644 +--- a/src/http/ContentLengthInterpreter.h ++++ b/src/http/ContentLengthInterpreter.h +@@ -46,6 +46,7 @@ public: + bool sawGood; + + protected: ++ const char *findDigits(const char *prefix, const char *valueEnd) const; + bool goodSuffix(const char *suffix, const char * const end) const; + bool checkValue(const char *start, const int size); + bool checkList(const String &list); diff --git a/SOURCES/squid-4.11-convert-ipv4.patch b/SOURCES/squid-4.11-convert-ipv4.patch new file mode 100644 index 0000000..4a6e47f --- /dev/null +++ b/SOURCES/squid-4.11-convert-ipv4.patch @@ -0,0 +1,145 @@ +From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Thu, 7 Mar 2019 13:50:38 +0000 +Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379) + +... when reaching client_ip_max_connections + +The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar +details later on (they do not exist for [::]). + +Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced. +--- + src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++--------------------- + 1 file changed, 39 insertions(+), 43 deletions(-) + +diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc +index cae92a7b1e..2109913008 100644 +--- a/src/comm/TcpAcceptor.cc ++++ b/src/comm/TcpAcceptor.cc +@@ -282,16 +282,7 @@ Comm::TcpAcceptor::acceptOne() + ConnectionPointer newConnDetails = new Connection(); + const Comm::Flag flag = oldAccept(newConnDetails); + +- /* Check for errors */ +- if (!newConnDetails->isOpen()) { +- +- if (flag == Comm::NOMESSAGE) { +- /* register interest again */ +- debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub); +- SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); +- return; +- } +- ++ if (flag == Comm::COMM_ERROR) { + // A non-recoverable error; notify the caller */ + debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub); + if (intendedForUserConnections()) +@@ -301,12 +292,16 @@ Comm::TcpAcceptor::acceptOne() + return; + } + +- newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted); ++ if (flag == Comm::NOMESSAGE) { ++ /* register interest again */ ++ debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub); ++ } else { ++ debugs(5, 5, "Listener: " << conn << ++ " accepted new connection " << newConnDetails << ++ " handler Subscription: " << theCallSub); ++ notify(flag, newConnDetails); ++ } + +- debugs(5, 5, HERE << "Listener: " << conn << +- " accepted new connection " << newConnDetails << +- " handler Subscription: " << theCallSub); +- notify(flag, newConnDetails); + SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); + } + +@@ -346,8 +341,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer & + * + * \retval Comm::OK success. details parameter filled. + * \retval Comm::NOMESSAGE attempted accept() but nothing useful came in. +- * \retval Comm::COMM_ERROR an outright failure occurred. + * Or this client has too many connections already. ++ * \retval Comm::COMM_ERROR an outright failure occurred. + */ + Comm::Flag + Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) +@@ -382,15 +377,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) + details->fd = sock; + details->remote = *gai; + +- if ( Config.client_ip_max_connections >= 0) { +- if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { +- debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); +- Ip::Address::FreeAddr(gai); +- PROF_stop(comm_accept); +- return Comm::COMM_ERROR; +- } +- } +- + // lookup the local-end details of this new connection + Ip::Address::InitAddr(gai); + details->local.setEmpty(); +@@ -404,6 +390,34 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) + details->local = *gai; + Ip::Address::FreeAddr(gai); + ++ // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses ++ if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) { ++ debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details); ++ // Failed. ++ PROF_stop(comm_accept); ++ return Comm::COMM_ERROR; ++ } ++ ++#if USE_SQUID_EUI ++ if (Eui::TheConfig.euiLookup) { ++ if (details->remote.isIPv4()) { ++ details->remoteEui48.lookup(details->remote); ++ } else if (details->remote.isIPv6()) { ++ details->remoteEui64.lookup(details->remote); ++ } ++ } ++#endif ++ ++ details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted); ++ ++ if (Config.client_ip_max_connections >= 0) { ++ if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { ++ debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); ++ PROF_stop(comm_accept); ++ return Comm::NOMESSAGE; ++ } ++ } ++ + /* fdstat update */ + // XXX : these are not all HTTP requests. use a note about type and ip:port details-> + // so we end up with a uniform "(HTTP|FTP-data|HTTPS|...) remote-ip:remote-port" +@@ -425,24 +439,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) + /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */ + F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet? + +- // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses +- if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) { +- debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details); +- // Failed. +- PROF_stop(comm_accept); +- return Comm::COMM_ERROR; +- } +- +-#if USE_SQUID_EUI +- if (Eui::TheConfig.euiLookup) { +- if (details->remote.isIPv4()) { +- details->remoteEui48.lookup(details->remote); +- } else if (details->remote.isIPv6()) { +- details->remoteEui64.lookup(details->remote); +- } +- } +-#endif +- + PROF_stop(comm_accept); + return Comm::OK; + } diff --git a/SPECS/squid.spec b/SPECS/squid.spec index e1d36a2..c0fc773 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -35,8 +35,13 @@ Patch205: squid-4.11-large-acl.patch Patch206: squid-4.11-active-ftp.patch # https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30 Patch207: squid-4.11-systemd.patch +Patch208: squid-4.11-convert-ipv4.patch # Security fixes +# https://bugzilla.redhat.com/show_bug.cgi?id=1852554 +Patch500: squid-4.11-CVE-2020-14058.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1852550 +Patch501: squid-4.11-CVE-2020-15049.patch Requires: bash >= 2.0 Requires(pre): shadow-utils @@ -96,6 +101,11 @@ lookup program (dnsserver), a program for retrieving FTP data %patch205 -p1 -b .large_acl %patch206 -p1 -b .active-ftp %patch207 -p1 -b .systemd +%patch208 -p1 -R -b .convert-ipv4 + +# Security patches +%patch500 -p1 -b .cve-2020-14058 +%patch501 -p1 -b .cve-2020-15049 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -312,6 +322,11 @@ fi %changelog +* Thu Jul 02 2020 Lubos Uhliarik - 7:4.11-2 +- Resolves: #1853130 - CVE-2020-15049 squid:4/squid: request smuggling and + poisoning attack against the HTTP cache +- Resolves: #1853136 - CVE-2020-14058 squid:4/squid: DoS in TLS handshake + * Thu May 07 2020 Lubos Uhliarik - 7:4.11-1 - new version 4.11 - libsystemd integration