import UBI squid-6.10-6.el10_1.1

This commit is contained in:
eabdullin 2025-11-11 22:16:37 +00:00
parent 39dc524b2e
commit 49b8a8b494
3 changed files with 412 additions and 1 deletions

View File

@ -0,0 +1,173 @@
diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc
index d6be6ae..5c85eb8 100644
--- a/src/HttpRequest.cc
+++ b/src/HttpRequest.cc
@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
/* packs request-line and headers, appends <crlf> terminator */
void
-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
{
assert(p);
/* pack request-line */
@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
http_ver.major, http_ver.minor);
/* headers */
- header.packInto(p);
- /* trailer */
+ header.packInto(p, maskSensitiveInfo);
+ /* indicate the end of the header section */
p->append("\r\n", 2);
}
diff --git a/src/HttpRequest.h b/src/HttpRequest.h
index 2256a55..2ada8e5 100644
--- a/src/HttpRequest.h
+++ b/src/HttpRequest.h
@@ -206,7 +206,7 @@ public:
void swapOut(StoreEntry * e);
- void pack(Packable * p) const;
+ void pack(Packable * p, bool maskSensitiveInfo = false) const;
static void httpRequestPack(void *obj, Packable *p);
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 20a7338..d1f3317 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -8941,12 +8941,18 @@ NAME: email_err_data
COMMENT: on|off
TYPE: onoff
LOC: Config.onoff.emailErrData
-DEFAULT: on
+DEFAULT: off
DOC_START
If enabled, information about the occurred error will be
included in the mailto links of the ERR pages (if %W is set)
so that the email body contains the data.
Syntax is <A HREF="mailto:%w%W">%w</A>
+
+ SECURITY WARNING:
+ Request headers and other included facts may contain
+ sensitive information about transaction history, the
+ Squid instance, and its environment which would be
+ unavailable to error recipients otherwise.
DOC_END
NAME: deny_info
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index 6818d76..860edfc 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) :
void
clientReplyContext::setReplyToError(
err_type err, Http::StatusCode status, char const *uri,
- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
+ const ConnStateData *conn, HttpRequest *failedrequest, const char *,
#if USE_AUTH
Auth::UserRequest::Pointer auth_user_request
#else
@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
{
auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
- if (unparsedrequest)
- errstate->request_hdrs = xstrdup(unparsedrequest);
-
#if USE_AUTH
errstate->auth_user_request = auth_user_request;
#endif
@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
triggerInitialStoreRead();
http->storeEntry()->releaseRequest();
http->storeEntry()->buffer();
+ MemBuf content;
+ content.init();
+ http->request->pack(&content, true /* hide authorization data */);
const HttpReplyPointer rep(new HttpReply);
- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
+ rep->body.set(SBuf(content.buf, content.size));
http->storeEntry()->replaceHttpReply(rep);
- http->request->swapOut(http->storeEntry());
- http->storeEntry()->complete();
+ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
}
#define SENDING_BODY 0
diff --git a/src/errorpage.cc b/src/errorpage.cc
index 0b7e5b8..31566dc 100644
--- a/src/errorpage.cc
+++ b/src/errorpage.cc
@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
{
safe_free(redirect_url);
safe_free(url);
- safe_free(request_hdrs);
wordlistDestroy(&ftp.server_msg);
safe_free(ftp.request);
safe_free(ftp.reply);
@@ -850,7 +849,10 @@ ErrorState::Dump(MemBuf * mb)
SQUIDSBUFPRINT(request->url.path()),
AnyP::ProtocolType_str[request->http_ver.protocol],
request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&str);
+ MemBuf r;
+ r.init();
+ request->pack(&r, true /* hide authorization data */);
+ str.append(r.content(), r.contentSize());
}
str.append("\r\n", 2);
@@ -1112,18 +1114,10 @@ ErrorState::compileLegacyCode(Build &build)
p = "[no request]";
break;
}
- if (request) {
- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
- SQUIDSBUFPRINT(request->method.image()),
- SQUIDSBUFPRINT(request->url.path()),
- AnyP::ProtocolType_str[request->http_ver.protocol],
- request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&mb, true); //hide authorization data
- } else if (request_hdrs) {
- p = request_hdrs;
- } else {
+ else if (request)
+ request->pack(&mb, true /* hide authorization data */);
+ else
p = "[no request]";
- }
break;
case 's':
diff --git a/src/errorpage.h b/src/errorpage.h
index 8d23857..0dc10d7 100644
--- a/src/errorpage.h
+++ b/src/errorpage.h
@@ -194,7 +194,6 @@ public:
MemBuf *listing = nullptr;
} ftp;
- char *request_hdrs = nullptr;
char *err_msg = nullptr; /* Preformatted error message from the cache */
AccessLogEntryPointer ale; ///< transaction details (or nil)
diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc
index 495597d..48a0f1c 100644
--- a/src/tests/stub_HttpRequest.cc
+++ b/src/tests/stub_HttpRequest.cc
@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB
bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
int HttpRequest::prefixLen() const STUB_RETVAL(0)
void HttpRequest::swapOut(StoreEntry *) STUB
-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
void HttpRequest::httpRequestPack(void *, Packable *) STUB
HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)

View File

@ -0,0 +1,223 @@
diff --git a/src/CachePeer.cc b/src/CachePeer.cc
index 1a5ea04..b67ac3f 100644
--- a/src/CachePeer.cc
+++ b/src/CachePeer.cc
@@ -68,20 +68,11 @@ CachePeer::noteSuccess()
}
}
-void
-CachePeer::noteFailure(const Http::StatusCode code)
-{
- if (Http::Is4xx(code))
- return; // this failure is not our fault
-
- countFailure();
-}
-
// TODO: Require callers to detail failures instead of using one (and often
// misleading!) "connection failed" phrase for all of them.
/// noteFailure() helper for handling failures attributed to this peer
void
-CachePeer::countFailure()
+CachePeer::noteFailure()
{
stats.last_connect_failure = squid_curtime;
if (tcp_up > 0)
diff --git a/src/CachePeer.h b/src/CachePeer.h
index 6c4e4fc..180c76d 100644
--- a/src/CachePeer.h
+++ b/src/CachePeer.h
@@ -38,9 +38,8 @@ public:
/// reacts to a successful establishment of a connection to this cache_peer
void noteSuccess();
- /// reacts to a failure on a connection to this cache_peer
- /// \param code a received response status code, if any
- void noteFailure(Http::StatusCode code);
+ /// reacts to a failed attempt to establish a connection to this cache_peer
+ void noteFailure();
/// (re)configure cache_peer name=value
void rename(const char *);
@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer)
peer->noteSuccess();
}
-/// reacts to a failure on a connection to an origin server or cache_peer
+/// reacts to a failed attempt to establish a connection to an origin server or cache_peer
/// \param peer nil if the connection is to an origin server
-/// \param code a received response status code, if any
inline void
-NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code)
+NoteOutgoingConnectionFailure(CachePeer * const peer)
{
if (peer)
- peer->noteFailure(code);
+ peer->noteFailure();
}
/// identify the given cache peer in cache.log messages and such
diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc
index 9812160..a2d3052 100644
--- a/src/HappyConnOpener.cc
+++ b/src/HappyConnOpener.cc
@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar
lastError = makeError(ERR_CONNECT_FAIL);
lastError->xerrno = params.xerrno;
- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus);
+ NoteOutgoingConnectionFailure(params.conn->getPeer());
if (spareWaiting)
updateSpareWaitAfterPrimeFailure();
diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc
index 7becaf6..448bfed 100644
--- a/src/PeerPoolMgr.cc
+++ b/src/PeerPoolMgr.cc
@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams &params)
}
if (params.flag != Comm::OK) {
- NoteOutgoingConnectionFailure(peer, Http::scNone);
+ NoteOutgoingConnectionFailure(peer);
checkpoint("conn opening failure"); // may retry
return;
}
diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc
index f31ce52..4840866 100644
--- a/src/clients/HttpTunneler.cc
+++ b/src/clients/HttpTunneler.cc
@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &)
{
closer = nullptr;
if (connection) {
- countFailingConnection(nullptr);
+ countFailingConnection();
connection->noteClosure();
connection = nullptr;
}
@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error)
if (const auto failingConnection = connection) {
// TODO: Reuse to-peer connections after a CONNECT error response.
- countFailingConnection(error);
+ countFailingConnection();
disconnect();
failingConnection->close();
}
@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess()
}
void
-Http::Tunneler::countFailingConnection(const ErrorState * const error)
+Http::Tunneler::countFailingConnection()
{
assert(connection);
- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone);
+ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because
+ // we do not blame cache_peer for CONNECT failures (on top of a successfully
+ // established connection to that cache_peer).
if (noteFwdPconnUse && connection->isOpen())
fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses);
}
diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h
index eb8dcee..d5090d3 100644
--- a/src/clients/HttpTunneler.h
+++ b/src/clients/HttpTunneler.h
@@ -80,7 +80,7 @@ private:
void disconnect();
/// updates connection usage history before the connection is closed
- void countFailingConnection(const ErrorState *);
+ void countFailingConnection();
AsyncCall::Pointer writer; ///< called when the request has been written
AsyncCall::Pointer reader; ///< called when the response should be read
diff --git a/src/neighbors.cc b/src/neighbors.cc
index cf03505..628b801 100644
--- a/src/neighbors.cc
+++ b/src/neighbors.cc
@@ -1311,7 +1311,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int
if (status == Comm::OK)
p->noteSuccess();
else
- p->noteFailure(Http::scNone);
+ p->noteFailure();
-- p->testing_now;
conn->close();
diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc
index 7372df9..b884127 100644
--- a/src/security/BlindPeerConnector.cc
+++ b/src/security/BlindPeerConnector.cc
@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
// based on TCP results, SSL results, or both. And the code is probably not
// consistent in this aspect across tunnelling and forwarding modules.
if (peer && peer->secure.encryptTransport)
- peer->noteFailure(error->httpStatus);
+ peer->noteFailure();
return;
}
diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc
index f122294..96c2f0e 100644
--- a/src/security/PeerConnector.cc
+++ b/src/security/PeerConnector.cc
@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams &params)
err->detailError(d);
if (serverConn) {
- countFailingConnection(err);
+ countFailingConnection();
serverConn->noteClosure();
serverConn = nullptr;
}
@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error)
answer().error = error;
if (const auto failingConnection = serverConn) {
- countFailingConnection(error);
+ countFailingConnection();
disconnect();
failingConnection->close();
}
@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess()
}
void
-Security::PeerConnector::countFailingConnection(const ErrorState * const error)
+Security::PeerConnector::countFailingConnection()
{
assert(serverConn);
- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone);
+ NoteOutgoingConnectionFailure(serverConn->getPeer());
// TODO: Calling PconnPool::noteUses() should not be our responsibility.
if (noteFwdPconnUse && serverConn->isOpen())
fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses);
diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h
index 3c7c01b..b00f385 100644
--- a/src/security/PeerConnector.h
+++ b/src/security/PeerConnector.h
@@ -150,7 +150,7 @@ protected:
void disconnect();
/// updates connection usage history before the connection is closed
- void countFailingConnection(const ErrorState *);
+ void countFailingConnection();
/// If called the certificates validator will not used
void bypassCertValidator() {useCertValidator_ = false;}
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index 3b6eb79..8e14ac1 100644
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB
void PeerConnector::sendSuccess() STUB
void PeerConnector::callBack() STUB
void PeerConnector::disconnect() STUB
-void PeerConnector::countFailingConnection(const ErrorState *) STUB
+void PeerConnector::countFailingConnection() STUB
void PeerConnector::recordNegotiationDetails() STUB
EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer)
}

View File

@ -2,7 +2,7 @@
Name: squid
Version: 6.10
Release: 5%{?dist}
Release: 6%{?dist}.1
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@ -42,6 +42,13 @@ Patch205: squid-6.1-crash-half-closed.patch
Patch206: squid-6.10-ignore-wsp-after-chunk-size.patch
# https://bugs.squid-cache.org/show_bug.cgi?id=5214
Patch207: squid-6.10-large-upload-buffer-dies.patch
# Upstream commit: https://github.com/squid-cache/squid/commit/2e7dea3cedd3ef2f071dee82867c4147f17376dd
# https://issues.redhat.com/browse/RHEL-86817
Patch208: squid-6.10-cache-peer-connect-errors.patch
# Security patches
# https://bugzilla.redhat.com/show_bug.cgi?id=2404736
Patch500: squid-6.10-CVE-2025-62168.patch
# cache_swap.sh
Requires: bash gawk
@ -326,6 +333,14 @@ fi
%changelog
* Mon Oct 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-6.1
- Resolves: RHEL-122480 - CVE-2025-62168 squid: Squid vulnerable to information
disclosure via authentication credential leakage in error handling
* Thu Apr 10 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-6
- Resolves: RHEL-86817 - ”TCP connection to XX.XX.XX.XX/XXXX failed” message is
output frequently on RHEL10
* Thu Nov 07 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-5
- Disable ESI support
- Resolves: RHEL-65069 - CVE-2024-45802 squid: Denial of Service processing ESI