From 506662cb1ca96ac3f95db6cb110fd2504f6bde11 Mon Sep 17 00:00:00 2001 
From: James Antill Date: Mon, 8 Aug 2022 14:08:02 -0400 Subject: [PATCH] Import rpm: 602ea65a25fa2db67807d3a6e8f23364256ef875 --- .gitignore | 1 + cache_swap.sh | 16 + gating.yaml | 9 + perl-requires-squid.sh | 3 + sources | 1 + squid-3.0.STABLE1-perlpath.patch | 10 + squid-3.1.0.9-location.patch | 32 + squid-3.5.9-include-guards.patch | 95 ++ squid-4.0.11-config.patch | 26 + squid-4.11-active-ftp.patch | 127 ++ squid-4.11-config.patch | 27 + squid-4.11-convert-ipv4.patch | 143 ++ squid-4.11-include-guards.patch | 41 + squid-4.11-large-acl.patch | 178 +++ squid-4.11-location.patch | 33 + squid-4.11-perlpath.patch | 10 + squid-4.15-CVE-2021-28116.patch | 424 ++++++ squid-4.15-ftp-filename-extraction.patch | 32 + squid-4.15.tar.xz.asc | 25 + squid-5.0.5-symlink-lang-err.patch | 68 + squid-5.0.6-active-ftp.patch | 127 ++ squid-5.0.6-openssl3.patch | 185 +++ squid-5.1-test-store-cppsuite.patch | 24 + squid-5.5-CVE-2021-46784.patch | 120 ++ squid.logrotate | 16 + squid.nm | 7 + squid.pam | 3 + squid.service | 18 + squid.spec | 1704 ++++++++++++++++++++++ squid.sysconfig | 9 + 30 files changed, 3514 insertions(+) create mode 100644 .gitignore create mode 100644 cache_swap.sh create mode 100644 gating.yaml create mode 100755 perl-requires-squid.sh create mode 100644 sources create mode 100644 squid-3.0.STABLE1-perlpath.patch create mode 100644 squid-3.1.0.9-location.patch create mode 100644 squid-3.5.9-include-guards.patch create mode 100644 squid-4.0.11-config.patch create mode 100644 squid-4.11-active-ftp.patch create mode 100644 squid-4.11-config.patch create mode 100644 squid-4.11-convert-ipv4.patch create mode 100644 squid-4.11-include-guards.patch create mode 100644 squid-4.11-large-acl.patch create mode 100644 squid-4.11-location.patch create mode 100644 squid-4.11-perlpath.patch create mode 100644 squid-4.15-CVE-2021-28116.patch create mode 100644 squid-4.15-ftp-filename-extraction.patch create mode 100644 squid-4.15.tar.xz.asc create mode 100644 
squid-5.0.5-symlink-lang-err.patch create mode 100644 squid-5.0.6-active-ftp.patch create mode 100644 squid-5.0.6-openssl3.patch create mode 100644 squid-5.1-test-store-cppsuite.patch create mode 100644 squid-5.5-CVE-2021-46784.patch create mode 100644 squid.logrotate create mode 100755 squid.nm create mode 100644 squid.pam create mode 100644 squid.service create mode 100644 squid.spec create mode 100644 squid.sysconfig
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4d9a0ed
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/squid-4.15.tar.xz
diff --git a/cache_swap.sh b/cache_swap.sh
new file mode 100644
index 0000000..5e94072
--- /dev/null
+++ b/cache_swap.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+if [ -f /etc/sysconfig/squid ]; then
+ . /etc/sysconfig/squid
+fi
+
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+ grep cache_dir | awk '{ print $3 }'`
+
+for adir in $CACHE_SWAP; do
+ if [ ! -d $adir/00 ]; then
+ echo -n "init_cache_dir $adir... "
+ squid -N -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ fi
+done
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..2e4e68f
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+ - rhel-9
+decision_context: osci_compose_gate
+rules:
+ - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+ - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
+ - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
+ - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
diff --git a/perl-requires-squid.sh b/perl-requires-squid.sh
new file mode 100755
index 0000000..029e7b9
--- /dev/null
+++ b/perl-requires-squid.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/lib/rpm/perl.req $* | grep -v "Authen::Smb"
diff --git a/sources b/sources
new file mode 100644
index 0000000..4cd965a
--- /dev/null
+++ b/sources
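Review bot: In cache_swap.sh every expansion is unquoted (`$SQUID_CONF`, `$adir`, the backtick result) and the `grep cache_dir` stage is unanchored, so a cache_dir path containing whitespace or glob characters is split or expanded before `[ -d ]` and `squid -f` see it, and any line that merely contains the token is picked up; since this runs with the service's privileges I would quote and anchor: `CACHE_SWAP=$(awk '$1 == "cache_dir" { print $3 }' "$SQUID_CONF")`, `if [ ! -d "$adir/00" ]; then`, `squid -N -z -F -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1`. The awk form makes the separate `sed`/`grep` stages unnecessary, because a commented-out directive no longer has `cache_dir` in field 1 (paths with embedded spaces would additionally need a `while read -r` loop instead of `for adir in $CACHE_SWAP`). `squid -z` initialises every configured cache_dir at once, so a `break` after the first missing directory would avoid re-running it per directory. The `$adir/00` probe presumably only holds for ufs/aufs/diskd layouts; a rock store does not appear to create that subdirectory, which would make this run `-z` on every start — worth confirming and noting in a comment.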
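Review bot: perl-requires-squid.sh passes the file list through as `$*`, which re-splits the arguments rpm hands over; the last line should be `/usr/lib/rpm/perl.req "$@" | grep -v "Authen::Smb"`. Note also that `grep -v` exits 1 when nothing survives the filter, which becomes the pipeline's status; if rpmbuild treats a non-zero exit from a dependency helper as a failed scan (I cannot see how squid.spec wires this helper in), `grep -v "Authen::Smb" || [ $? -eq 1 ]` keeps the "nothing left" case from failing the build while still surfacing real grep errors.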
@@ -0,0 +1 @@
+SHA1 (squid-4.15.tar.xz) = 60bda34ba39657e2d870c8c1d2acece8a69c3075
diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch
new file mode 100644
index 0000000..d927e43
--- /dev/null
+++ b/squid-3.0.STABLE1-perlpath.patch
@@ -0,0 +1,10 @@
+diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
+index 4cb0480..4b89910 100755
+--- a/contrib/url-normalizer.pl
++++ b/contrib/url-normalizer.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -Tw
++#!/usr/bin/perl -Tw
+ #
+ # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
+ # *
diff --git a/squid-3.1.0.9-location.patch b/squid-3.1.0.9-location.patch
new file mode 100644
index 0000000..4abd519
--- /dev/null
+++ b/squid-3.1.0.9-location.patch
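Review bot: The upstream tarball is pinned in `sources` by a SHA-1 digest only; SHA-1 is collision-prone and the current dist-git lookaside format accepts a stronger digest (`SHA512 (squid-4.15.tar.xz) = …`, generated with `sha512sum`). This commit does add squid-4.15.tar.xz.asc, so tarball integrity may already be enforced by a GPG verification step in squid.spec (outside this view) — if that step exists and is not conditional, this is a hardening suggestion rather than a gap; if it does not, the SHA-1 line is the only integrity check on the source and should be upgraded.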
@@ -0,0 +1,32 @@ +diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART +--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200 ++++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200 +@@ -10,10 +10,9 @@ After you retrieved, compiled and instal + INSTALL in the same directory), you have to configure the squid.conf + file. This is the list of the values you *need* to change, because no + sensible defaults could be defined. Do not touch the other variables +-for now. We assume you have installed Squid in the default location: +-/usr/local/squid ++for now. + +-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf: ++Uncomment and edit the following lines in /etc/squid/squid.conf: + + ============================================================================== + +@@ -82,12 +81,12 @@ After editing squid.conf to your liking, + line TWICE: + + To create any disk cache_dir configured: +- % /usr/local/squid/sbin/squid -z ++ % /usr/sbin/squid -z + + To start squid: +- % /usr/local/squid/sbin/squid ++ % /usr/sbin/squid + +-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that ++Check in the cache.log (/var/log/squid/cache.log) that + everything is all right. + + Once Squid created all its files (it can take several minutes on some diff --git a/squid-3.5.9-include-guards.patch b/squid-3.5.9-include-guards.patch new file mode 100644 index 0000000..e2d4ff9 --- /dev/null +++ b/squid-3.5.9-include-guards.patch 
@@ -0,0 +1,95 @@ +------------------------------------------------------------ +revno: 14311 +revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr +------------------------------------------------------------ +revno: 14311 +revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 +author: Francesco Chemolli +committer: Amos Jeffries +branch nick: trunk +timestamp: Thu 2015-09-24 06:05:37 -0700 +message: + Bug 4323: Netfilter broken cross-includes with Linux 4.2 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ +# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b +# timestamp: 2015-09-24 13:06:33 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk +# base_revision_id: squid3@treenet.co.nz-20150924032241-\ +# 6cx3g6hwz9xfoybr +# +# Begin patch +=== modified file 'compat/os/linux.h' +--- compat/os/linux.h 2015-01-13 07:25:36 +0000 ++++ compat/os/linux.h 2015-09-24 13:05:37 +0000 +@@ -30,6 +30,21 @@ + #endif + + /* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ ++/* + * sys/capability.h is only needed in Linux apparently. 
+ * + * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 +author: Francesco Chemolli +committer: Amos Jeffries +branch nick: trunk +timestamp: Thu 2015-09-24 06:05:37 -0700 +message: + Bug 4323: Netfilter broken cross-includes with Linux 4.2 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ +# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b +# timestamp: 2015-09-24 13:06:33 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk +# base_revision_id: squid3@treenet.co.nz-20150924032241-\ +# 6cx3g6hwz9xfoybr +# +# Begin patch +=== modified file 'compat/os/linux.h' +--- compat/os/linux.h 2015-01-13 07:25:36 +0000 ++++ compat/os/linux.h 2015-09-24 13:05:37 +0000 +@@ -30,6 +30,21 @@ + #endif + + /* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ ++/* + * sys/capability.h is only needed in Linux apparently. + * + * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc + diff --git a/squid-4.0.11-config.patch b/squid-4.0.11-config.patch new file mode 100644 index 0000000..a4faae8 --- /dev/null +++ b/squid-4.0.11-config.patch 
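Review bot: The body of squid-3.5.9-include-guards.patch is duplicated: the bzr revision header appears twice at the top, and everything from `fixes bug:` through the end of the compat/os/linux.h hunk is repeated after the first copy, so `patch` applied to a 3.5.x tree would either reject the second hunk or, with fuzz, insert the `netinet/in.h` block twice. The 4.x series carries its own copy as squid-4.11-include-guards.patch, so if squid.spec (not in view) no longer references this file it can simply be dropped; otherwise keep a single copy of the header and the hunk.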
@@ -0,0 +1,26 @@ +diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre +--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200 ++++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200 +@@ -4658,7 +4658,7 @@ DOC_END + + NAME: logfile_rotate + TYPE: int +-DEFAULT: 10 ++DEFAULT: 0 + LOC: Config.Log.rotateNumber + DOC_START + Specifies the default number of logfile rotations to make when you +@@ -6444,11 +6444,11 @@ COMMENT_END + + NAME: cache_mgr + TYPE: string +-DEFAULT: webmaster ++DEFAULT: root + LOC: Config.adminEmail + DOC_START + Email-address of local cache manager who will receive +- mail if the cache dies. The default is "webmaster". ++ mail if the cache dies. The default is "root". + DOC_END + + NAME: mail_from diff --git a/squid-4.11-active-ftp.patch b/squid-4.11-active-ftp.patch new file mode 100644 index 0000000..00a9b56 --- /dev/null +++ b/squid-4.11-active-ftp.patch 
@@ -0,0 +1,127 @@ +diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc +index b665bcf..d287e55 100644 +--- a/src/clients/FtpClient.cc ++++ b/src/clients/FtpClient.cc +@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel() + bool + Ftp::Client::openListenSocket() + { +- return false; ++ debugs(9, 3, HERE); ++ return false; + } + + /// creates a data channel Comm close callback +diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h +index a76a5a0..218d696 100644 +--- a/src/clients/FtpClient.h ++++ b/src/clients/FtpClient.h +@@ -118,7 +118,7 @@ public: + bool sendPort(); + bool sendPassive(); + void connectDataChannel(); +- bool openListenSocket(); ++ virtual bool openListenSocket(); + void switchTimeoutToDataChannel(); + + CtrlChannel ctrl; ///< FTP control channel state +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index 411bce9..31d3e36 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -87,6 +87,13 @@ struct GatewayFlags { + class Gateway; + typedef void (StateMethod)(Ftp::Gateway *); + ++} // namespace FTP ++ ++static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback); ++ ++namespace Ftp ++{ ++ + /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI, + /// converts it into one or more FTP commands, and then + /// converts one or more FTP responses into the final HTTP response. +@@ -137,7 +144,11 @@ public: + + /// create a data channel acceptor and start listening. 
+ void listenForDataChannel(const Comm::ConnectionPointer &conn); +- ++ virtual bool openListenSocket() { ++ debugs(9, 3, HERE); ++ ftpOpenListenSocket(this, 0); ++ return Comm::IsConnOpen(data.conn); ++ } + int checkAuth(const HttpHeader * req_hdr); + void checkUrlpath(); + void buildTitleUrl(); +@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) + } + + ftpState->listenForDataChannel(temp); ++ ftpState->data.listenConn = temp; + } + + static void +@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) + // pull out the internal IP address bytes to send in PORT command... + // source them from the listen_conn->local + ++ struct sockaddr_in addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ unsigned char port_high = ntohs(addr.sin_port) >> 8; ++ unsigned char port_low = ntohs(addr.sin_port) & 0xff; ++ + struct addrinfo *AI = NULL; + ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET); + unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr; +- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; ++ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; + snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n", + addrptr[0], addrptr[1], addrptr[2], addrptr[3], +- portptr[0], portptr[1]); ++ port_high, port_low); + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_PORT; + +@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) + return; + } + ++ ++ unsigned int port; ++ struct sockaddr_storage addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ if (addr.ss_family == AF_INET) { ++ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr; ++ port = ntohs( addr4->sin_port ); ++ } else { ++ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) 
&addr; ++ port = ntohs( addr6->sin6_port ); ++ } ++ + char buf[MAX_IPSTRLEN]; + + /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */ + /* Which can be used by EITHER protocol. */ +- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n", ++ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n", + ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ), + ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN), +- ftpState->data.listenConn->local.port() ); ++ port); + + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_EPRT; +@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) + ftpSendPORT(ftpState); + return; + } +- ++ ftpState->ctrl.message = NULL; + ftpRestOrList(ftpState); + } + diff --git a/squid-4.11-config.patch b/squid-4.11-config.patch new file mode 100644 index 0000000..9b0e2d8 --- /dev/null +++ b/squid-4.11-config.patch @@ -0,0 +1,27 @@ +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 26ef576..30d5509 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -5006,7 +5006,7 @@ DOC_END + + NAME: logfile_rotate + TYPE: int +-DEFAULT: 10 ++DEFAULT: 0 + LOC: Config.Log.rotateNumber + DOC_START + Specifies the default number of logfile rotations to make when you +@@ -6857,11 +6857,11 @@ COMMENT_END + + NAME: cache_mgr + TYPE: string +-DEFAULT: webmaster ++DEFAULT: root + LOC: Config.adminEmail + DOC_START + Email-address of local cache manager who will receive +- mail if the cache dies. The default is "webmaster". ++ mail if the cache dies. The default is "root". + DOC_END + + NAME: mail_from diff --git a/squid-4.11-convert-ipv4.patch b/squid-4.11-convert-ipv4.patch new file mode 100644 index 0000000..5198f35 --- /dev/null +++ b/squid-4.11-convert-ipv4.patch 
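Review bot: Both new `getsockname()` calls, in ftpSendPORT and ftpSendEPRT, ignore the return value, so on failure `addr` (and in ftpSendEPRT the `port` local) is read uninitialised and a garbage port is sent to the FTP server; check the result and take the file's failure path, e.g. `if (getsockname(ftpState->data.listenConn->fd, (struct sockaddr *)&addr, &addrlen) != 0) { debugs(9, DBG_IMPORTANT, "ERROR: getsockname on FTP data listener: " << xstrerr(errno)); ftpFail(ftpState); return; }` (assuming ftpFail is still the error exit in this tree). The ftpSendPORT copy also queries into a `struct sockaddr_in` regardless of the listener's family; it appears to work for an IPv6 listener only because the port field sits at the same offset in sockaddr_in6, so the `sockaddr_storage` plus family switch used in ftpSendEPRT should be used in both places. The commented-out `portptr` line should be deleted rather than left as dead code, and the reason for the syscall — presumably that `listenConn->local` still holds port 0 after an ephemeral bind — deserves a one-line comment. Both functions begin above their inner hunks, so their full shape is outside this view.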
@@ -0,0 +1,143 @@ +From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Thu, 7 Mar 2019 13:50:38 +0000 +Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379) + +... when reaching client_ip_max_connections + +The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar +details later on (they do not exist for [::]). + +Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced. +--- + src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++--------------------- + 1 file changed, 39 insertions(+), 43 deletions(-) + +diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc +index d4b576d..936aa30 100644 +--- a/src/comm/TcpAcceptor.cc ++++ b/src/comm/TcpAcceptor.cc +@@ -282,7 +282,16 @@ Comm::TcpAcceptor::acceptOne() + ConnectionPointer newConnDetails = new Connection(); + const Comm::Flag flag = oldAccept(newConnDetails); + +- if (flag == Comm::COMM_ERROR) { ++ /* Check for errors */ ++ if (!newConnDetails->isOpen()) { ++ ++ if (flag == Comm::NOMESSAGE) { ++ /* register interest again */ ++ debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub); ++ SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); ++ return; ++ } ++ + // A non-recoverable error; notify the caller */ + debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub); + if (intendedForUserConnections()) +@@ -292,16 +301,12 @@ Comm::TcpAcceptor::acceptOne() + return; + } + +- if (flag == Comm::NOMESSAGE) { +- /* register interest again */ +- debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub); +- } else { +- debugs(5, 5, "Listener: " << conn << +- " accepted new connection " << newConnDetails << +- " handler Subscription: " << theCallSub); +- notify(flag, newConnDetails); 
+- } ++ newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted); + ++ debugs(5, 5, HERE << "Listener: " << conn << ++ " accepted new connection " << newConnDetails << ++ " handler Subscription: " << theCallSub); ++ notify(flag, newConnDetails); + SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); + } + +@@ -341,8 +346,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer & + * + * \retval Comm::OK success. details parameter filled. + * \retval Comm::NOMESSAGE attempted accept() but nothing useful came in. +- * Or this client has too many connections already. + * \retval Comm::COMM_ERROR an outright failure occurred. ++ * Or this client has too many connections already. + */ + Comm::Flag + Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) +@@ -383,6 +388,15 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) + + details->remote = *gai; + ++ if ( Config.client_ip_max_connections >= 0) { ++ if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { ++ debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); ++ Ip::Address::FreeAddr(gai); ++ PROF_stop(comm_accept); ++ return Comm::COMM_ERROR; ++ } ++ } ++ + // lookup the local-end details of this new connection + Ip::Address::InitAddr(gai); + details->local.setEmpty(); +@@ -396,6 +410,23 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) + details->local = *gai; + Ip::Address::FreeAddr(gai); + ++ /* fdstat update */ ++ fdd_table[sock].close_file = NULL; ++ fdd_table[sock].close_line = 0; ++ ++ fde *F = &fd_table[sock]; ++ details->remote.toStr(F->ipaddr,MAX_IPSTRLEN); ++ F->remote_port = details->remote.port(); ++ F->local_addr = details->local; ++ F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET; ++ ++ // set socket flags ++ commSetCloseOnExec(sock); ++ commSetNonBlocking(sock); ++ ++ 
/* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */ ++ F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet? ++ + // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses + if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) { + debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details); +@@ -414,33 +445,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) + } + #endif + +- details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted); +- +- if (Config.client_ip_max_connections >= 0) { +- if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { +- debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); +- PROF_stop(comm_accept); +- return Comm::NOMESSAGE; +- } +- } +- +- /* fdstat update */ +- fdd_table[sock].close_file = NULL; +- fdd_table[sock].close_line = 0; +- +- fde *F = &fd_table[sock]; +- details->remote.toStr(F->ipaddr,MAX_IPSTRLEN); +- F->remote_port = details->remote.port(); +- F->local_addr = details->local; +- F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET; +- +- // set socket flags +- commSetCloseOnExec(sock); +- commSetNonBlocking(sock); +- +- /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */ +- F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet? +- + PROF_stop(comm_accept); + return Comm::OK; + } diff --git a/squid-4.11-include-guards.patch b/squid-4.11-include-guards.patch new file mode 100644 index 0000000..fb96c57 --- /dev/null +++ b/squid-4.11-include-guards.patch 
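Review bot: The early client_ip_max_connections rejection returns Comm::COMM_ERROR but leaves the just-accepted socket in `details` open (`details->fd` is assigned above this hunk, outside the view), so in acceptOne the `!newConnDetails->isOpen()` branch is skipped and the handler is notified with COMM_ERROR plus a live descriptor, whose release then depends on whatever destroys the Connection object. Note that the same COMM_ERROR value with a closed descriptor is what reaches `mustStop("Listener socket closed")`, so simply adding `details->close()` here would let one over-limit client take the whole listener down. If the descriptor is not released elsewhere, close it and keep the per-client case distinct from listener failure — `details->close();` followed by `return Comm::NOMESSAGE;`, which the new acceptOne treats as try-later — and move the `\retval` documentation line back accordingly. oldAccept starts before this hunk and its remainder ends after it.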
@@ -0,0 +1,41 @@ +diff --git a/compat/os/linux.h b/compat/os/linux.h +index 0ff05c6..d51389b 100644 +--- a/compat/os/linux.h ++++ b/compat/os/linux.h +@@ -44,6 +44,36 @@ + #include + #endif + ++/* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ ++/* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ + /* + * sys/capability.h is only needed in Linux apparently. + * diff --git a/squid-4.11-large-acl.patch b/squid-4.11-large-acl.patch new file mode 100644 index 0000000..8aacf38 --- /dev/null +++ b/squid-4.11-large-acl.patch 
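Review bot: The added block — the Netfilter comment plus `#if HAVE_NETINET_IN_H` / `#include` / `#endif` — appears twice in this hunk (30 added lines for a 15-line change), which looks like the patch was regenerated from a tree where the older squid-3.5.9 variant had been applied twice. The second copy is harmless only because netinet/in.h carries its own include guard; drop it and let the hunk header become `@@ -44,6 +44,21 @@` so the intent of the patch is readable.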
@@ -0,0 +1,178 @@ +diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc +index 01a4c12..b5c1679 100644 +--- a/src/acl/RegexData.cc ++++ b/src/acl/RegexData.cc +@@ -22,6 +22,7 @@ + #include "ConfigParser.h" + #include "Debug.h" + #include "sbuf/List.h" ++#include "sbuf/Algorithms.h" + + ACLRegexData::~ACLRegexData() + { +@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags) + return true; + } + ++static bool ++compileRE(std::list &curlist, const SBufList &RE, int flags) ++{ ++ if (RE.empty()) ++ return curlist.empty(); // XXX: old code did this. It looks wrong. ++ SBuf regexp; ++ static const SBuf openparen("("), closeparen(")"), separator(")|("); ++ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen, ++ closeparen); ++ return compileRE(curlist, regexp.c_str(), flags); ++} ++ + /** Compose and compile one large RE from a set of (small) REs. + * The ultimate goal is to have only one RE per ACL so that match() is + * called only once per ACL. +@@ -137,16 +150,11 @@ static int + compileOptimisedREs(std::list &curlist, const SBufList &sl) + { + std::list newlist; +- int numREs = 0; ++ SBufList accumulatedRE; ++ int numREs = 0, reSize = 0; + int flags = REG_EXTENDED | REG_NOSUB; +- int largeREindex = 0; +- char largeRE[BUFSIZ]; +- *largeRE = 0; + + for (const SBuf & configurationLineWord : sl) { +- int RElen; +- RElen = configurationLineWord.length(); +- + static const SBuf minus_i("-i"); + static const SBuf plus_i("+i"); + if (configurationLineWord == minus_i) { +@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) + debugs(28, 2, "optimisation of -i ... 
-i" ); + } else { + debugs(28, 2, "-i" ); +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + flags |= REG_ICASE; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + } + } else if (configurationLineWord == plus_i) { + if ((flags & REG_ICASE) == 0) { +@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) + debugs(28, 2, "optimisation of +i ... +i"); + } else { + debugs(28, 2, "+i"); +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + flags &= ~REG_ICASE; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + } +- } else if (RElen + largeREindex + 3 < BUFSIZ-1) { ++ } else if (reSize < 1024) { + debugs(28, 2, "adding RE '" << configurationLineWord << "'"); +- if (largeREindex > 0) { +- largeRE[largeREindex] = '|'; +- ++largeREindex; +- } +- largeRE[largeREindex] = '('; +- ++largeREindex; +- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex); +- largeREindex += configurationLineWord.length(); +- largeRE[largeREindex] = ')'; +- ++largeREindex; +- largeRE[largeREindex] = '\0'; ++ accumulatedRE.push_back(configurationLineWord); + ++numREs; ++ reSize += configurationLineWord.length(); + } else { + debugs(28, 2, "buffer full, generating new optimised RE..." 
); +- if (!compileRE(newlist, largeRE, flags)) ++ accumulatedRE.push_back(configurationLineWord); ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + continue; /* do the loop again to add the RE to largeRE */ + } + } + +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + ++ accumulatedRE.clear(); ++ reSize = 0; ++ + /* all was successful, so put the new list at the tail */ + curlist.splice(curlist.end(), newlist); + +diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h +index 21ee889..338e9c0 100644 +--- a/src/sbuf/Algorithms.h ++++ b/src/sbuf/Algorithms.h +@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator) + return rv; + } + ++/** Join container of SBufs and append to supplied target ++ * ++ * append to the target SBuf all elements in the [begin,end) range from ++ * an iterable container, prefixed by prefix, separated by separator and ++ * followed by suffix. 
Prefix and suffix are added also in case of empty ++ * iterable ++ * ++ * \return the modified dest ++ */ ++template ++SBuf& ++JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin, ++ const ContainerIterator &end, const SBuf& separator, ++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) ++{ ++ if (begin == end) { ++ dest.append(prefix).append(suffix); ++ return dest; ++ } ++ ++ // optimization: pre-calculate needed storage ++ const SBuf::size_type totalContainerSize = ++ std::accumulate(begin, end, 0, SBufAddLength(separator)) + ++ dest.length() + prefix.length() + suffix.length(); ++ SBufReservationRequirements req; ++ req.minSpace = totalContainerSize; ++ dest.reserve(req); ++ ++ auto i = begin; ++ dest.append(prefix); ++ dest.append(*i); ++ ++i; ++ for (; i != end; ++i) ++ dest.append(separator).append(*i); ++ dest.append(suffix); ++ return dest; ++} ++ ++ ++/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf ++template ++SBuf ++JoinContainerToSBuf(const ContainerIterator &begin, ++ const ContainerIterator &end, const SBuf& separator, ++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) ++{ ++ SBuf rv; ++ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix); ++} ++ ++ + namespace std { + /// default hash functor to support std::unordered_map + template <> diff --git a/squid-4.11-location.patch b/squid-4.11-location.patch new file mode 100644 index 0000000..e33e9a0 --- /dev/null +++ b/squid-4.11-location.patch 
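Review bot: In the new JoinContainerIntoSBuf the accumulator is seeded with the int literal `0`, so `std::accumulate` sums lengths in `int` (a sign-conversion warning, and the reserve hint silently truncates for a very large list); seed it with the target type, `std::accumulate(begin, end, SBuf::size_type(0), SBufAddLength(separator))`. `std::accumulate` needs `<numeric>`, which this hunk does not add — confirm sbuf/Algorithms.h already pulls it in above the hunk. By my reading the retained `// XXX` case in the new compileRE overload also still turns a `-i` immediately followed by `+i` after earlier patterns into a parse failure (an empty list with a non-empty `curlist` returns false); that is pre-existing, but since this overload is new it is a good moment to make the empty case simply return true and document why. The hunk continues into Algorithms.h's std namespace, which ends outside the view.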
@@ -0,0 +1,33 @@ +diff --git a/QUICKSTART b/QUICKSTART +index e5299b4..a243437 100644 +--- a/QUICKSTART ++++ b/QUICKSTART +@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see + INSTALL in the same directory), you have to configure the squid.conf + file. This is the list of the values you *need* to change, because no + sensible defaults could be defined. Do not touch the other variables +-for now. We assume you have installed Squid in the default location: +-/usr/local/squid ++for now. + +-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf: ++Uncomment and edit the following lines in /etc/squid/squid.conf: + + ============================================================================== + +@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command + line TWICE: + + To create any disk cache_dir configured: +- % /usr/local/squid/sbin/squid -z ++ % /usr/sbin/squid -z + + To start squid: +- % /usr/local/squid/sbin/squid ++ % /usr/sbin/squid + +-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that ++Check in the cache.log (/var/log/squid/cache.log) that + everything is all right. + + Once Squid created all its files (it can take several minutes on some diff --git a/squid-4.11-perlpath.patch b/squid-4.11-perlpath.patch new file mode 100644 index 0000000..9e7fbbc --- /dev/null +++ b/squid-4.11-perlpath.patch @@ -0,0 +1,10 @@ +diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl +index 90ac6a4..8dbed90 100755 +--- a/contrib/url-normalizer.pl ++++ b/contrib/url-normalizer.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -Tw ++#!/usr/bin/perl -Tw + # + # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors + # * diff --git a/squid-4.15-CVE-2021-28116.patch b/squid-4.15-CVE-2021-28116.patch new file mode 100644 index 0000000..116a520 --- /dev/null +++ b/squid-4.15-CVE-2021-28116.patch 
@@ -0,0 +1,424 @@ +commit b003a0da7865caa25b5d1e70c79329b32409b02a (HEAD -> refs/heads/v4, refs/remotes/origin/v4) +Author: Amos Jeffries +Date: 2021-09-24 21:53:11 +0000 + + WCCP: Validate packets better (#899) + + Update WCCP to support exception based error handling for + parsing and processing we are moving Squid to for protocol + handling. + + Update the main WCCPv2 parsing checks to throw meaningful + exceptions when detected. + +diff --git a/src/wccp2.cc b/src/wccp2.cc +index ee592449c..6ef469e91 100644 +--- a/src/wccp2.cc ++++ b/src/wccp2.cc +@@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void) + * Functions for handling the requests. + */ + ++/// Checks that the given area section ends inside the given (whole) area. ++/// \param error the message to throw when the section does not fit ++static void ++CheckSectionLength(const void *sectionStart, const size_t sectionLength, const void *wholeStart, const size_t wholeSize, const char *error) ++{ ++ assert(sectionStart); ++ assert(wholeStart); ++ ++ const auto wholeEnd = static_cast(wholeStart) + wholeSize; ++ assert(sectionStart >= wholeStart && "we never go backwards"); ++ assert(sectionStart <= wholeEnd && "we never go beyond our whole (but zero-sized fields are OK)"); ++ static_assert(sizeof(wccp2_i_see_you_t) <= PTRDIFF_MAX, "paranoid: no UB when subtracting in-whole pointers"); ++ // subtraction safe due to the three assertions above ++ const auto remainderDiff = wholeEnd - static_cast(sectionStart); ++ ++ // casting safe due to the assertions above (and size_t definition) ++ assert(remainderDiff >= 0); ++ const auto remainderSize = static_cast(remainderDiff); ++ ++ if (sectionLength <= remainderSize) ++ return; ++ ++ throw TextException(error, Here()); ++} ++ ++/// Checks that the area contains at least dataLength bytes after the header. ++/// The size of the field header itself is not included in dataLength. 
++/// \returns the total field size -- the field header and field data combined ++template ++static size_t ++CheckFieldDataLength(const FieldHeader *header, const size_t dataLength, const void *areaStart, const size_t areaSize, const char *error) ++{ ++ assert(header); ++ const auto dataStart = reinterpret_cast(header) + sizeof(header); ++ CheckSectionLength(dataStart, dataLength, areaStart, areaSize, error); ++ return sizeof(header) + dataLength; // no overflow after CheckSectionLength() ++} ++ ++/// Positions the given field at a given start within a given packet area. ++/// The Field type determines the correct field size (used for bounds checking). ++/// \param field the field pointer the function should set ++/// \param areaStart the start of a packet (sub)structure containing the field ++/// \param areaSize the size of the packet (sub)structure starting at areaStart ++/// \param fieldStart the start of a field within the given area ++/// \param error the message to throw when the field does not fit the area ++template ++static void ++SetField(Field *&field, const void *fieldStart, const void *areaStart, const size_t areaSize, const char *error) ++{ ++ CheckSectionLength(fieldStart, sizeof(Field), areaStart, areaSize, error); ++ field = static_cast(const_cast(fieldStart)); ++} ++ + /* + * Accept the UDP packet + */ +@@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *) + + /* These structs form the parts of the packet */ + +- struct wccp2_item_header_t *header = NULL; +- + struct wccp2_security_none_t *security_info = NULL; + + struct wccp2_service_info_t *service_info = NULL; +@@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *) + struct wccp2_cache_identity_info_t *cache_identity = NULL; + + struct wccp2_capability_info_header_t *router_capability_header = NULL; ++ char *router_capability_data_start = nullptr; + + struct wccp2_capability_element_t *router_capability_element; + + struct sockaddr_in from; + + struct in_addr cache_address; +- int len, 
found; +- short int data_length, offset; + uint32_t tmp; + char *ptr; + int num_caches; +@@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *) + Ip::Address from_tmp; + from_tmp.setIPv4(); + +- len = comm_udp_recvfrom(sock, +- &wccp2_i_see_you, +- WCCP_RESPONSE_SIZE, +- 0, +- from_tmp); ++ const auto lenOrError = comm_udp_recvfrom(sock, &wccp2_i_see_you, WCCP_RESPONSE_SIZE, 0, from_tmp); + +- if (len < 0) ++ if (lenOrError < 0) + return; ++ const auto len = static_cast(lenOrError); + +- if (ntohs(wccp2_i_see_you.version) != WCCP2_VERSION) +- return; +- +- if (ntohl(wccp2_i_see_you.type) != WCCP2_I_SEE_YOU) +- return; ++ try { ++ // TODO: Remove wccp2_i_see_you.data and use a buffer to read messages. ++ const auto message_header_size = sizeof(wccp2_i_see_you) - sizeof(wccp2_i_see_you.data); ++ Must2(len >= message_header_size, "incomplete WCCP message header"); ++ Must2(ntohs(wccp2_i_see_you.version) == WCCP2_VERSION, "WCCP version unsupported"); ++ Must2(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU, "WCCP packet type unsupported"); + + /* FIXME INET6 : drop conversion boundary */ + from_tmp.getSockAddr(from); +@@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *) + debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << "."); + + /* Record the total data length */ +- data_length = ntohs(wccp2_i_see_you.length); ++ const auto data_length = ntohs(wccp2_i_see_you.length); ++ Must2(data_length <= len - message_header_size, ++ "malformed packet claiming it's bigger than received data"); + +- offset = 0; +- +- if (data_length > len) { +- debugs(80, DBG_IMPORTANT, "ERROR: Malformed WCCPv2 packet claiming it's bigger than received data"); +- return; +- } ++ size_t offset = 0; + + /* Go through the data structure */ +- while (data_length > offset) { ++ while (offset + sizeof(struct wccp2_item_header_t) <= data_length) { + + char *data = wccp2_i_see_you.data; + +- header = (struct wccp2_item_header_t *) &data[offset]; ++ const auto 
itemHeader = reinterpret_cast(&data[offset]); ++ const auto itemSize = CheckFieldDataLength(itemHeader, ntohs(itemHeader->length), ++ data, data_length, "truncated record"); ++ // XXX: Check "The specified length must be a multiple of 4 octets" ++ // requirement to avoid unaligned memory reads after the first item. + +- switch (ntohs(header->type)) { ++ switch (ntohs(itemHeader->type)) { + + case WCCP2_SECURITY_INFO: +- +- if (security_info != NULL) { +- debugs(80, DBG_IMPORTANT, "Duplicate security definition"); +- return; +- } +- +- security_info = (struct wccp2_security_none_t *) &wccp2_i_see_you.data[offset]; ++ Must2(!security_info, "duplicate security definition"); ++ SetField(security_info, itemHeader, itemHeader, itemSize, ++ "security definition truncated"); + break; + + case WCCP2_SERVICE_INFO: +- +- if (service_info != NULL) { +- debugs(80, DBG_IMPORTANT, "Duplicate service_info definition"); +- return; +- } +- +- service_info = (struct wccp2_service_info_t *) &wccp2_i_see_you.data[offset]; ++ Must2(!service_info, "duplicate service_info definition"); ++ SetField(service_info, itemHeader, itemHeader, itemSize, ++ "service_info definition truncated"); + break; + + case WCCP2_ROUTER_ID_INFO: +- +- if (router_identity_info != NULL) { +- debugs(80, DBG_IMPORTANT, "Duplicate router_identity_info definition"); +- return; +- } +- +- router_identity_info = (struct router_identity_info_t *) &wccp2_i_see_you.data[offset]; ++ Must2(!router_identity_info, "duplicate router_identity_info definition"); ++ SetField(router_identity_info, itemHeader, itemHeader, itemSize, ++ "router_identity_info definition truncated"); + break; + + case WCCP2_RTR_VIEW_INFO: +- +- if (router_view_header != NULL) { +- debugs(80, DBG_IMPORTANT, "Duplicate router_view definition"); +- return; +- } +- +- router_view_header = (struct router_view_t *) &wccp2_i_see_you.data[offset]; ++ Must2(!router_view_header, "duplicate router_view definition"); ++ SetField(router_view_header, itemHeader, 
itemHeader, itemSize, ++ "router_view definition truncated"); + break; + +- case WCCP2_CAPABILITY_INFO: +- +- if (router_capability_header != NULL) { +- debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition"); +- return; +- } ++ case WCCP2_CAPABILITY_INFO: { ++ Must2(!router_capability_header, "duplicate router_capability definition"); ++ SetField(router_capability_header, itemHeader, itemHeader, itemSize, ++ "router_capability definition truncated"); + +- router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset]; ++ CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length), ++ itemHeader, itemSize, "capability info truncated"); ++ router_capability_data_start = reinterpret_cast(router_capability_header) + ++ sizeof(*router_capability_header); + break; ++ } + + /* Nothing to do for the types below */ + +@@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *) + break; + + default: +- debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(header->type) << ")."); ++ debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(itemHeader->type) << ")."); + } + +- offset += sizeof(struct wccp2_item_header_t); +- offset += ntohs(header->length); +- +- if (offset > data_length) { +- debugs(80, DBG_IMPORTANT, "Error: WCCPv2 packet tried to tell us there is data beyond the end of the packet"); +- return; +- } ++ offset += itemSize; ++ assert(offset <= data_length && "CheckFieldDataLength(itemHeader...) 
established that"); + } + +- if ((security_info == NULL) || (service_info == NULL) || (router_identity_info == NULL) || (router_view_header == NULL)) { +- debugs(80, DBG_IMPORTANT, "Incomplete WCCPv2 Packet"); +- return; +- } ++ Must2(security_info, "packet missing security definition"); ++ Must2(service_info, "packet missing service_info definition"); ++ Must2(router_identity_info, "packet missing router_identity_info definition"); ++ Must2(router_view_header, "packet missing router_view definition"); + + debugs(80, 5, "Complete packet received"); + +@@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *) + break; + } + +- if (router_list_ptr->next == NULL) { +- debugs(80, DBG_IMPORTANT, "WCCPv2 Packet received from unknown router"); +- return; +- } ++ Must2(router_list_ptr->next, "packet received from unknown router"); + + /* Set the router id */ + router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address; +@@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *) + } + } else { + +- char *end = ((char *) router_capability_header) + sizeof(*router_capability_header) + ntohs(router_capability_header->capability_info_length) - sizeof(struct wccp2_capability_info_header_t); +- +- router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_header) + sizeof(*router_capability_header)); +- +- while ((char *) router_capability_element <= end) { ++ const auto router_capability_data_length = ntohs(router_capability_header->capability_info_length); ++ assert(router_capability_data_start); ++ const auto router_capability_data_end = router_capability_data_start + ++ router_capability_data_length; ++ for (auto router_capability_data_current = router_capability_data_start; ++ router_capability_data_current < router_capability_data_end;) { ++ ++ SetField(router_capability_element, router_capability_data_current, ++ router_capability_data_start, router_capability_data_length, ++ "capability element header 
truncated"); ++ const auto elementSize = CheckFieldDataLength( ++ router_capability_element, ntohs(router_capability_element->capability_length), ++ router_capability_data_start, router_capability_data_length, ++ "capability element truncated"); + + switch (ntohs(router_capability_element->capability_type)) { + +@@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *) + debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ")."); + } + +- router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_element) + sizeof(struct wccp2_item_header_t) + ntohs(router_capability_element->capability_length)); ++ router_capability_data_current += elementSize; + } + } + +@@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *) + num_caches = 0; + + /* Check to see if we're the master cache and update the cache list */ +- found = 0; ++ bool found = false; + service_list_ptr->lowest_ip = 1; + cache_list_ptr = &router_list_ptr->cache_list_head; + + /* to find the list of caches, we start at the end of the router view header */ + + ptr = (char *) (router_view_header) + sizeof(struct router_view_t); ++ const auto router_view_size = sizeof(struct router_view_t) + ++ ntohs(router_view_header->header.length); + + /* Then we read the number of routers */ +- memcpy(&tmp, ptr, sizeof(tmp)); ++ const uint32_t *routerCountRaw = nullptr; ++ SetField(routerCountRaw, ptr, router_view_header, router_view_size, ++ "malformed packet (truncated router view info w/o number of routers)"); + + /* skip the number plus all the ip's */ +- +- ptr += sizeof(tmp) + (ntohl(tmp) * sizeof(struct in_addr)); ++ ptr += sizeof(*routerCountRaw); ++ const auto ipCount = ntohl(*routerCountRaw); ++ const auto ipsSize = ipCount * sizeof(struct in_addr); // we check for unsigned overflow below ++ Must2(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count"); ++ CheckSectionLength(ptr, ipsSize, 
router_view_header, router_view_size, "invalid IP address count"); ++ ptr += ipsSize; + + /* Then read the number of caches */ +- memcpy(&tmp, ptr, sizeof(tmp)); ++ const uint32_t *cacheCountRaw = nullptr; ++ SetField(cacheCountRaw, ptr, router_view_header, router_view_size, ++ "malformed packet (truncated router view info w/o cache count)"); ++ memcpy(&tmp, cacheCountRaw, sizeof(tmp)); // TODO: Replace tmp with cacheCount + ptr += sizeof(tmp); + + if (ntohl(tmp) != 0) { +@@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *) + + case WCCP2_ASSIGNMENT_METHOD_HASH: + +- cache_identity = (struct wccp2_cache_identity_info_t *) ptr; ++ SetField(cache_identity, ptr, router_view_header, router_view_size, ++ "malformed packet (truncated router view info cache w/o assignment hash)"); + + ptr += sizeof(struct wccp2_cache_identity_info_t); + +@@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *) + + case WCCP2_ASSIGNMENT_METHOD_MASK: + +- cache_mask_info = (struct cache_mask_info_t *) ptr; ++ SetField(cache_mask_info, ptr, router_view_header, router_view_size, ++ "malformed packet (truncated router view info cache w/o assignment mask)"); + + /* The mask assignment has an undocumented variable length entry here */ + + if (ntohl(cache_mask_info->num1) == 3) { + +- cache_mask_identity = (struct wccp2_cache_mask_identity_info_t *) ptr; ++ SetField(cache_mask_identity, ptr, router_view_header, router_view_size, ++ "malformed packet (truncated router view info cache w/o assignment mask identity)"); + + ptr += sizeof(struct wccp2_cache_mask_identity_info_t); + +@@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *) + debugs (80, 5, "checking cache list: (" << std::hex << cache_address.s_addr << ":" << router_list_ptr->local_ip.s_addr << ")"); + + /* Check to see if it's the master, or us */ +- +- if (cache_address.s_addr == router_list_ptr->local_ip.s_addr) { +- found = 1; +- } ++ found = found || (cache_address.s_addr == router_list_ptr->local_ip.s_addr); + + if 
(cache_address.s_addr < router_list_ptr->local_ip.s_addr) { + service_list_ptr->lowest_ip = 0; +@@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *) + cache_list_ptr->next = NULL; + + service_list_ptr->lowest_ip = 1; +- found = 1; ++ found = true; + num_caches = 1; + } + +@@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *) + + router_list_ptr->num_caches = htonl(num_caches); + +- if ((found == 1) && (service_list_ptr->lowest_ip == 1)) { ++ if (found && (service_list_ptr->lowest_ip == 1)) { + if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) { + debugs(80, 4, "Change detected - queueing up new assignment"); + router_list_ptr->member_change = ntohl(router_view_header->change_number); +@@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *) + eventDelete(wccp2AssignBuckets, NULL); + debugs(80, 5, "I am not the lowest ip cache - not assigning buckets"); + } ++ ++ } catch (...) { ++ debugs(80, DBG_IMPORTANT, "ERROR: Ignoring WCCPv2 message: " << CurrentException); ++ } + } + + static void diff --git a/squid-4.15-ftp-filename-extraction.patch b/squid-4.15-ftp-filename-extraction.patch new file mode 100644 index 0000000..cf1aeb3 --- /dev/null +++ b/squid-4.15-ftp-filename-extraction.patch 
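Review bot: The unsigned-overflow guard on the router IP count in the router-view parsing is inverted: `Must2(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count");` throws exactly when the multiplication did not wrap (including ipCount == 0), so as written every I_SEE_YOU message reaching that line is discarded as "huge IP address count" and only a wrapped product would pass; the intended check reads `Must2(ipsSize / sizeof(struct in_addr) == ipCount, "huge IP address count");`. A second thing to confirm in CheckFieldDataLength: `sizeof(header)` is the size of the pointer, not of `FieldHeader`, so `dataStart` and the returned total are offset by pointer width; if the template is instantiated with the four-byte item header, that overstates every item size and `sizeof(*header)` is what the bounds check needs. The template parameter lists are not visible here and the enclosing wccp2HandleUdp body continues beyond the patch's hunks, so the second point is inferred rather than traced.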
@@ -0,0 +1,32 @@ +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index da9867f..e992638 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -1084,16 +1084,17 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr) + void + Ftp::Gateway::checkUrlpath() + { +- static SBuf str_type_eq("type="); +- auto t = request->url.path().rfind(';'); +- +- if (t != SBuf::npos) { +- auto filenameEnd = t-1; +- if (request->url.path().substr(++t).cmp(str_type_eq, str_type_eq.length()) == 0) { +- t += str_type_eq.length(); +- typecode = (char)xtoupper(request->url.path()[t]); +- request->url.path(request->url.path().substr(0,filenameEnd)); +- } ++ // If typecode was specified, extract it and leave just the filename in ++ // url.path. Tolerate trailing garbage or missing typecode value. Roughly: ++ // [filename] ;type=[typecode char] [trailing garbage] ++ static const SBuf middle(";type="); ++ const auto typeSpecStart = request->url.path().find(middle); ++ if (typeSpecStart != SBuf::npos) { ++ const auto fullPath = request->url.path(); ++ const auto typecodePos = typeSpecStart + middle.length(); ++ typecode = (typecodePos < fullPath.length()) ? ++ static_cast(xtoupper(fullPath[typecodePos])) : '\0'; ++ request->url.path(fullPath.substr(0, typeSpecStart)); + } + + int l = request->url.path().length(); diff --git a/squid-4.15.tar.xz.asc b/squid-4.15.tar.xz.asc new file mode 100644 index 0000000..7305eaa --- /dev/null +++ b/squid-4.15.tar.xz.asc 
@@ -0,0 +1,25 @@ +File: squid-4.15.tar.xz +Date: Mon 10 May 2021 10:50:22 UTC +Size: 2454176 +MD5 : a593de9dc888dfeca4f1f7db2cd7d3b9 +SHA1: 60bda34ba39657e2d870c8c1d2acece8a69c3075 +Key : CD6DBF8EF3B17D3E + B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E + keyring = http://www.squid-cache.org/pgp.asc + keyserver = pool.sks-keyservers.net +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmCZD/UACgkQzW2/jvOx +fT6zZg/+N8JMIYpmVJ7jm4lF0Ub2kEHGTOrc+tnlA3LGnlMQuTm61+BYk58g0SKW +96NbJ0cycW215Q34L+Y0tWuxEbIU01vIc3AA7rQd0LKy+fQU0OtBuhk5Vf4bKilW +uHEVIQZs9HmY6bqC+kgtCf49tVZvR8FZYNuilg/68+i/pQdwaDDmVb+j2oF7w+y2 +dgkTFWtM5NTL6bqUVC0E7lLFPjzMefKfxkkpWFdV/VrAhU25jN24kpnjcfotQhdW +LDFy5okduz3ljso9pBYJfLeMXM1FZPpceC91zj32x3tcUyrD3yIoXob58rEKvfe4 +RDXN4SuClsNe4UQ4oNoGIES9XtaYlOzPR1PlbqPUrdp1cDnhgLJ+1fkAixlMqCml +wuI1VIKSEY+nvRzQzFHnXJK9otV8QwMF76AHaytO9y+X6JuZmu/CcV1pq61qY9qv +t1/8z99wWSxpu17zthZgq64J225GF/hkBedaFlYoS5k5YUMDLPlRSCC0yPmb8JBF +Cns5i/aq2PmOx2ZhQ2RQIF416J3HK8Galw8ytFOjnEcn4ux9yzKNjL38p4+PJJA0 +7GCMAqYYNjok3LSkGbiR7cPgbHnkqRfYbPFLMj4FtruoFlZ9L5MIU3oFvqA3ZR6l +Az6LaKLsAYPUmukAOPUSIrqpKXZHc7hdBWkT+7RYA4qaoU+9oIo= +=1Re1 +-----END PGP SIGNATURE----- diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch new file mode 100644 index 0000000..45d6fe9 --- /dev/null +++ b/squid-5.0.5-symlink-lang-err.patch 
@@ -0,0 +1,68 @@ +From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Sun, 18 Oct 2020 20:23:10 +1300 +Subject: [PATCH] Update translations integration + +* Add credits for es-mx translation moderator +* Use es-mx for default of all Spanish (Central America) texts +* Update translation related .am files +--- + doc/manuals/language.am | 2 +- + errors/TRANSLATORS | 1 + + errors/aliases | 3 ++- + errors/language.am | 3 ++- + errors/template.am | 2 +- + 5 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/doc/manuals/language.am b/doc/manuals/language.am +index 7670c88380c..f03c4cf71b4 100644 +--- a/doc/manuals/language.am ++++ b/doc/manuals/language.am +@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \ + oc.lang \ + pt.lang \ + ro.lang \ +- ru.lang ++ ru.lang +diff --git a/errors/aliases b/errors/aliases +index 36f17f4b80f..cf0116f297d 100644 +--- a/errors/aliases ++++ b/errors/aliases +@@ -14,7 +14,8 @@ da da-dk + de de-at de-ch de-de de-li de-lu + el el-gr + en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw +-es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl ++es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq ++es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv + et et-ee + fa fa-fa fa-ir + fi fi-fi +diff --git a/errors/language.am b/errors/language.am +index 12b1b2b3b43..029e8c1eb2f 100644 +--- a/errors/language.am ++++ b/errors/language.am +@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \ + de.lang \ + el.lang \ + en.lang \ ++ es-mx.lang \ + es.lang \ + et.lang \ + fa.lang \ +@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \ + uz.lang \ + vi.lang \ + zh-hans.lang \ +- zh-hant.lang ++ zh-hant.lang +diff --git a/errors/template.am b/errors/template.am +index 6c12781e6f4..715c65aa22b 100644 +--- a/errors/template.am ++++ b/errors/template.am +@@ -48,4 +48,4 @@ 
ERROR_TEMPLATES = \ + templates/ERR_UNSUP_REQ \ + templates/ERR_URN_RESOLVE \ + templates/ERR_WRITE_ERROR \ +- templates/ERR_ZERO_SIZE_OBJECT ++ templates/ERR_ZERO_SIZE_OBJECT diff --git a/squid-5.0.6-active-ftp.patch b/squid-5.0.6-active-ftp.patch new file mode 100644 index 0000000..9206da2 --- /dev/null +++ b/squid-5.0.6-active-ftp.patch 
@@ -0,0 +1,127 @@ +diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc +index 747ed35..f2b7126 100644 +--- a/src/clients/FtpClient.cc ++++ b/src/clients/FtpClient.cc +@@ -795,7 +795,8 @@ Ftp::Client::connectDataChannel() + bool + Ftp::Client::openListenSocket() + { +- return false; ++ debugs(9, 3, HERE); ++ return false; + } + + /// creates a data channel Comm close callback +diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h +index eb5ea1b..e92c007 100644 +--- a/src/clients/FtpClient.h ++++ b/src/clients/FtpClient.h +@@ -137,7 +137,7 @@ public: + bool sendPort(); + bool sendPassive(); + void connectDataChannel(); +- bool openListenSocket(); ++ virtual bool openListenSocket(); + void switchTimeoutToDataChannel(); + + CtrlChannel ctrl; ///< FTP control channel state +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index 05db817..2989cd2 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -86,6 +86,13 @@ struct GatewayFlags { + class Gateway; + typedef void (StateMethod)(Ftp::Gateway *); + ++} // namespace FTP ++ ++static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback); ++ ++namespace Ftp ++{ ++ + /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI, + /// converts it into one or more FTP commands, and then + /// converts one or more FTP responses into the final HTTP response. +@@ -136,7 +143,11 @@ public: + + /// create a data channel acceptor and start listening. 
+ void listenForDataChannel(const Comm::ConnectionPointer &conn); +- ++ virtual bool openListenSocket() { ++ debugs(9, 3, HERE); ++ ftpOpenListenSocket(this, 0); ++ return Comm::IsConnOpen(data.conn); ++ } + int checkAuth(const HttpHeader * req_hdr); + void checkUrlpath(); + void buildTitleUrl(); +@@ -1786,6 +1797,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) + } + + ftpState->listenForDataChannel(temp); ++ ftpState->data.listenConn = temp; + } + + static void +@@ -1821,13 +1833,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) + // pull out the internal IP address bytes to send in PORT command... + // source them from the listen_conn->local + ++ struct sockaddr_in addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ unsigned char port_high = ntohs(addr.sin_port) >> 8; ++ unsigned char port_low = ntohs(addr.sin_port) & 0xff; ++ + struct addrinfo *AI = NULL; + ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET); + unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr; +- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; ++ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; + snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n", + addrptr[0], addrptr[1], addrptr[2], addrptr[3], +- portptr[0], portptr[1]); ++ port_high, port_low); + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_PORT; + +@@ -1880,14 +1898,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) + return; + } + ++ ++ unsigned int port; ++ struct sockaddr_storage addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ if (addr.ss_family == AF_INET) { ++ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr; ++ port = ntohs( addr4->sin_port ); ++ } else { ++ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) 
&addr; ++ port = ntohs( addr6->sin6_port ); ++ } ++ + char buf[MAX_IPSTRLEN]; + + /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */ + /* Which can be used by EITHER protocol. */ +- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n", ++ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n", + ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ), + ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN), +- ftpState->data.listenConn->local.port() ); ++ port); + + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_EPRT; +@@ -1906,7 +1937,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) + ftpSendPORT(ftpState); + return; + } +- ++ ftpState->ctrl.message = NULL; + ftpRestOrList(ftpState); + } + diff --git a/squid-5.0.6-openssl3.patch b/squid-5.0.6-openssl3.patch new file mode 100644 index 0000000..32ff6ee --- /dev/null +++ b/squid-5.0.6-openssl3.patch 
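Review bot: Both new `getsockname()` calls, in ftpSendPORT and in ftpSendEPRT, ignore the return value, so on failure `addr` stays uninitialized and whatever bytes it holds are sent to the remote server as the PORT/EPRT port; check the result and abandon the command, e.g. `if (getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen) != 0) { debugs(9, DBG_IMPORTANT, "ERROR: getsockname failed: " << xstrerr(errno)); return; }` before the port bytes are derived. The commented-out `portptr` line in ftpSendPORT should be deleted rather than left behind as a comment. In ftpReadEPRT, `ftpState->ctrl.message = NULL;` drops the pointer without any visible release; if ctrl.message owns a heap-allocated list this leaks it, which cannot be confirmed from the hunk. Both enclosing functions extend beyond the shown hunks.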
@@ -0,0 +1,185 @@ +diff --git a/src/ssl/support.cc b/src/ssl/support.cc +index 3ad135d..73912ce 100644 +--- a/src/ssl/support.cc ++++ b/src/ssl/support.cc +@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) + } + + // "dup" function for SSL_get_ex_new_index("cert_err_check") +-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP ++#if OPENSSL_VERSION_MAJOR >= 3 ++static int ++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, ++ int, long, void *) ++#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP + static int + ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, + int, long, void *) +diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc +index cf1d4ba..4346ba5 100644 +--- a/src/security/PeerOptions.cc ++++ b/src/security/PeerOptions.cc +@@ -297,130 +297,130 @@ static struct ssl_option { + + } ssl_options[] = { + +-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ++#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + { + "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ++#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + { + "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + }, + #endif +-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ++#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + { + "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + }, + #endif +-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG ++#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + { + "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG + }, + #endif +-#if SSL_OP_TLS_D5_BUG ++#ifdef SSL_OP_TLS_D5_BUG + { + "TLS_D5_BUG", SSL_OP_TLS_D5_BUG + }, + #endif +-#if SSL_OP_TLS_BLOCK_PADDING_BUG ++#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + { + "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG + }, + #endif +-#if SSL_OP_TLS_ROLLBACK_BUG ++#ifdef SSL_OP_TLS_ROLLBACK_BUG + { + "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG + }, + #endif +-#if SSL_OP_ALL ++#ifdef SSL_OP_ALL + { + 
"ALL", (long)SSL_OP_ALL + }, + #endif +-#if SSL_OP_SINGLE_DH_USE ++#ifdef SSL_OP_SINGLE_DH_USE + { + "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE + }, + #endif +-#if SSL_OP_EPHEMERAL_RSA ++#ifdef SSL_OP_EPHEMERAL_RSA + { + "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA + }, + #endif +-#if SSL_OP_PKCS1_CHECK_1 ++#ifdef SSL_OP_PKCS1_CHECK_1 + { + "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 + }, + #endif +-#if SSL_OP_PKCS1_CHECK_2 ++#ifdef SSL_OP_PKCS1_CHECK_2 + { + "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 + }, + #endif +-#if SSL_OP_NETSCAPE_CA_DN_BUG ++#ifdef SSL_OP_NETSCAPE_CA_DN_BUG + { + "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG + }, + #endif +-#if SSL_OP_NON_EXPORT_FIRST ++#ifdef SSL_OP_NON_EXPORT_FIRST + { + "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST + }, + #endif +-#if SSL_OP_CIPHER_SERVER_PREFERENCE ++#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + { + "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE + }, + #endif +-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ++#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + { + "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_NO_SSLv3 ++#ifdef SSL_OP_NO_SSLv3 + { + "NO_SSLv3", SSL_OP_NO_SSLv3 + }, + #endif +-#if SSL_OP_NO_TLSv1 ++#ifdef SSL_OP_NO_TLSv1 + { + "NO_TLSv1", SSL_OP_NO_TLSv1 + }, + #else + { "NO_TLSv1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_1 ++#ifdef SSL_OP_NO_TLSv1_1 + { + "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 + }, + #else + { "NO_TLSv1_1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_2 ++#ifdef SSL_OP_NO_TLSv1_2 + { + "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 + }, + #else + { "NO_TLSv1_2", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_3 ++#ifdef SSL_OP_NO_TLSv1_3 + { + "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 + }, + #else + { "NO_TLSv1_3", 0 }, + #endif +-#if SSL_OP_NO_COMPRESSION ++#ifdef SSL_OP_NO_COMPRESSION + { + "No_Compression", SSL_OP_NO_COMPRESSION + }, + #endif +-#if SSL_OP_NO_TICKET ++#ifdef SSL_OP_NO_TICKET + { + "NO_TICKET", SSL_OP_NO_TICKET + }, + #endif +-#if SSL_OP_SINGLE_ECDH_USE ++#ifdef 
SSL_OP_SINGLE_ECDH_USE + { + "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE + }, +@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() + + } + +-#if SSL_OP_NO_SSLv2 ++#ifdef SSL_OP_NO_SSLv2 + // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 + op = op | SSL_OP_NO_SSLv2; + #endif diff --git a/squid-5.1-test-store-cppsuite.patch b/squid-5.1-test-store-cppsuite.patch new file mode 100644 index 0000000..d7c52be --- /dev/null +++ b/squid-5.1-test-store-cppsuite.patch @@ -0,0 +1,24 @@ +diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc +index 0564380..fcd60b9 100644 +--- a/src/tests/testStoreHashIndex.cc ++++ b/src/tests/testStoreHashIndex.cc +@@ -102,6 +102,8 @@ void commonInit() + if (inited) + return; + ++ inited = true; ++ + Mem::Init(); + + Config.Store.avgObjectSize = 1024; +@@ -109,6 +111,10 @@ void commonInit() + Config.Store.objectsPerBucket = 20; + + Config.Store.maxObjectSize = 2048; ++ ++ Config.memShared.defaultTo(false); ++ ++ Config.store_dir_select_algorithm = xstrdup("round-robin"); + } + + /* TODO make this a cbdata class */ diff --git a/squid-5.5-CVE-2021-46784.patch b/squid-5.5-CVE-2021-46784.patch new file mode 100644 index 0000000..4e5e796 --- /dev/null +++ b/squid-5.5-CVE-2021-46784.patch 
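Review bot: Switching the `ssl_options[]` guards from `#if` to `#ifdef` changes which option names the parser accepts: several of these legacy `SSL_OP_*` workaround macros are still defined by OpenSSL 1.1+/3.x but expand to 0, so under `#ifdef` they now get a table entry whose value is 0, and a configured option such as `NETSCAPE_REUSE_CIPHER_CHANGE_BUG` is presumably accepted silently with no effect rather than being treated as an unknown option. That is likely the intent (the `NO_TLSv1*` entries already carry an explicit `{ "NAME", 0 }` fallback), but it deserves a comment above the table, e.g. `// #ifdef rather than #if: OpenSSL >= 1.1 keeps obsolete SSL_OP_* names defined as 0; such entries parse but are no-ops`. The `OPENSSL_VERSION_MAJOR >= 3` branch of `ssl_dupAclChecklist` only changes the copied-data parameter to `void **`; its body is outside this hunk, so whether it handles the extra indirection cannot be checked here.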
@@ -0,0 +1,120 @@
+diff --git a/src/gopher.cc b/src/gopher.cc
+index 576a3f7..2645b6b 100644
+--- a/src/gopher.cc
++++ b/src/gopher.cc
+@@ -364,7 +364,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ char *lpos = NULL;
+ char *tline = NULL;
+ LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
+- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
+ char *name = NULL;
+ char *selector = NULL;
+ char *host = NULL;
+@@ -374,7 +373,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ char gtype;
+ StoreEntry *entry = NULL;
+ 
+- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+ memset(line, '\0', TEMP_BUF_SIZE);
+ 
+ entry = gopherState->entry;
+@@ -409,7 +407,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ return;
+ }
+ 
+- String outbuf;
++ SBuf outbuf;
+ 
+ if (!gopherState->HTML_header_added) {
+ if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
+@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ break;
+ }
+ 
+- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+-
+ if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
+ if (strlen(escaped_selector) != 0)
+- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n",
+- icon_url, escaped_selector, rfc1738_escape_part(host),
+- *port ? ":" : "", port, html_quote(name));
++ outbuf.appendf(" %s\n",
++ icon_url, escaped_selector, rfc1738_escape_part(host),
++ *port ? ":" : "", port, html_quote(name));
+ else
+- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n",
+- icon_url, rfc1738_escape_part(host), *port ? ":" : "",
+- port, html_quote(name));
++ outbuf.appendf(" %s\n",
++ icon_url, rfc1738_escape_part(host), *port ?
":" : "",
++ port, html_quote(name));
+ 
+ } else if (gtype == GOPHER_INFO) {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
++ outbuf.appendf("\t%s\n", html_quote(name));
+ } else {
+ if (strncmp(selector, "GET /", 5) == 0) {
+ /* WWW link */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n",
+- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++ outbuf.appendf(" %s\n",
++ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++ } else if (gtype == GOPHER_WWW) {
++ outbuf.appendf(" %s\n",
++ icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
+ } else {
+ /* Standard link */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n",
+- icon_url, host, gtype, escaped_selector, html_quote(name));
++ outbuf.appendf(" %s\n",
++ icon_url, host, gtype, escaped_selector, html_quote(name));
+ }
+ }
+ 
+ safe_free(escaped_selector);
+- outbuf.append(tmpbuf);
+ } else {
+ memset(line, '\0', TEMP_BUF_SIZE);
+ continue;
+@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ break;
+ 
+ if (gopherState->cso_recno != recno) {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "

Record# %d
%s

\n
", recno, html_quote(result));
++                    outbuf.appendf("

Record# %d
%s

\n
", recno, html_quote(result));
+                     gopherState->cso_recno = recno;
+                 } else {
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
++                    outbuf.appendf("%s\n", html_quote(result));
+                 }
+ 
+-                outbuf.append(tmpbuf);
+                 break;
+             } else {
+                 int code;
+@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+                 case 502: { /* Too Many Matches */
+                     /* Print the message the server returns */
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "

%s

\n
", html_quote(result));
+-                    outbuf.append(tmpbuf);
++                    outbuf.appendf("

%s

\n
", html_quote(result));
+                     break;
+                 }
+ 
+@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+     }               /* while loop */
+ 
+-    if (outbuf.size() > 0) {
+-        entry->append(outbuf.rawBuf(), outbuf.size());
++    if (outbuf.length() > 0) {
++        entry->append(outbuf.rawContent(), outbuf.length());
+         /* now let start sending stuff to client */
+         entry->flush();
+     }
+ 
+-    outbuf.clean();
+     return;
+ }
+ 
diff --git a/squid.logrotate b/squid.logrotate
new file mode 100644
index 0000000..4a0406f
--- /dev/null
+++ b/squid.logrotate
@@ -0,0 +1,16 @@
+/var/log/squid/*.log {
+    weekly
+    rotate 5
+    compress
+    notifempty
+    missingok
+    nocreate
+    sharedscripts
+    postrotate
+      # Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf)
+      # errors redirected to make it silent if squid is not running
+      /usr/sbin/squid -k rotate 2>/dev/null
+      # Wait a little to allow Squid to catch up before the logs is compressed
+      sleep 1
+    endscript
+}
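Review bot: The stanza has no `su` directive, yet %pre (L389–L395) hands /var/log/squid to the squid user, so logrotate runs as root inside a directory owned by an unprivileged service account. If that directory ends up group- or world-writable, logrotate refuses to rotate there at all unless `su` is set, and rotating as root in a directory a less-privileged user controls is exactly the symlink-race surface the `su` directive exists to close; adding `su squid squid` inside the braces makes the rename and compress steps run as the service user. Separately, `2>/dev/null` on `/usr/sbin/squid -k rotate` also discards genuine failures such as a configuration parse error, not only the "not running" case the comment describes; sending stderr to `logger -t squid-logrotate` instead would keep the rotation quiet without losing the reason when it fails.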
diff --git a/squid.nm b/squid.nm
new file mode 100755
index 0000000..5e40f76
--- /dev/null
+++ b/squid.nm
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+case "$2" in
+        up|down|vpn-up|vpn-down)
+                /bin/systemctl -q reload squid.service || :
+                ;;
+esac
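Review bot: `/bin/systemctl -q reload squid.service` is issued on every interface or VPN transition even when the unit is inactive; the reload then fails and `|| :` hides it, so a real reload failure is indistinguishable from "squid is not running". `try-reload-or-restart` acts only on an active unit, so `/bin/systemctl -q try-reload-or-restart squid.service || :` keeps the intent recorded for bug #862252 (L826) without the spurious attempts, and because squid.service defines ExecReload (L163) the unit is still reloaded rather than restarted. A comment above the `case`, e.g. `# NetworkManager dispatcher hook: $1 is the interface, $2 the action`, would document the calling convention the script depends on.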
diff --git a/squid.pam b/squid.pam
new file mode 100644
index 0000000..1d78594
--- /dev/null
+++ b/squid.pam
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth		include		password-auth
+account		include		password-auth
diff --git a/squid.service b/squid.service
new file mode 100644
index 0000000..6978032
--- /dev/null
+++ b/squid.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Squid caching proxy
+Documentation=man:squid(8)
+After=network.target network-online.target nss-lookup.target
+
+[Service]
+Type=notify
+LimitNOFILE=16384
+PIDFile=/run/squid.pid
+EnvironmentFile=/etc/sysconfig/squid
+ExecStartPre=/usr/libexec/squid/cache_swap.sh
+ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
+ExecReload=/usr/bin/kill -HUP $MAINPID
+KillMode=mixed
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
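Review bot: `NotifyAccess=all` (L165) lets every process in the unit's cgroup — including the authentication, external-ACL and rewrite helpers that squid spawns from its configuration — write to the notify socket and thus report READY=1 or a status string on the service's behalf. If only the master process (the one whose pid lands in PIDFile, L159) calls sd_notify, `NotifyAccess=main` is the tighter setting; confirm which squid process actually sends the notification before narrowing it, since worker kids are forked by squid rather than started by an Exec line and would not be covered by `main` or `exec`. The unit also has no `User=` line, which is intentional given `--with-default-user="squid"` at L327, but a comment such as `# squid starts as root and drops to the configure-time default user after binding` would record that for the next maintainer.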
diff --git a/squid.spec b/squid.spec
new file mode 100644
index 0000000..3252413
--- /dev/null
+++ b/squid.spec
@@ -0,0 +1,1704 @@
+%define __perl_requires %{SOURCE98}
+
+Name:     squid
+Version:  4.15
+Release:  3%{?dist}
+Summary:  The Squid proxy caching server
+Epoch:    7
+# See CREDITS for breakdown of non GPLv2+ code
+License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
+URL:      http://www.squid-cache.org
+Source0:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz
+Source1:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc
+Source2:  squid.logrotate
+Source3:  squid.sysconfig
+Source4:  squid.pam
+Source5:  squid.nm
+Source6:  squid.service
+Source7:  cache_swap.sh
+
+Source98: perl-requires-squid.sh
+
+# Upstream patches
+
+# Backported patches
+
+# Local patches
+# Applying upstream patches first makes it less likely that local patches
+# will break upstream ones.
+Patch201: squid-4.11-config.patch
+Patch202: squid-4.11-location.patch
+Patch203: squid-4.11-perlpath.patch
+Patch204: squid-4.11-include-guards.patch
+Patch205: squid-4.11-large-acl.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=980511
+Patch206: squid-4.11-active-ftp.patch
+Patch208: squid-4.11-convert-ipv4.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2006121
+Patch209: squid-4.15-ftp-filename-extraction.patch
+
+# Security fixes
+# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
+Patch300: squid-4.15-CVE-2021-28116.patch
+
+Requires: bash >= 2.0
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+# squid_ldap_auth and other LDAP helpers require OpenLDAP
+BuildRequires: openldap-devel
+# squid_pam_auth requires PAM development libs
+BuildRequires: pam-devel
+# SSL support requires OpenSSL
+BuildRequires: openssl-devel
+# squid_kerb_aut requires Kerberos development libs
+BuildRequires: krb5-devel
+# time_quota requires DB
+BuildRequires: libdb-devel
+# ESI support requires Expat & libxml2
+BuildRequires: expat-devel libxml2-devel
+# TPROXY requires libcap, and also increases security somewhat
+BuildRequires: libcap-devel
+# eCAP support
+BuildRequires: libecap-devel
+#ip_user helper requires
+BuildRequires: gcc-c++
+BuildRequires: libtool libtool-ltdl-devel
+BuildRequires: perl-generators
+# For test suite
+BuildRequires: pkgconfig(cppunit)
+BuildRequires: autoconf
+# systemd notify
+BuildRequires: systemd-devel
+
+%description
+Squid is a high-performance proxy caching server for Web clients,
+supporting FTP, gopher, and HTTP data objects. Unlike traditional
+caching software, Squid handles all requests in a single,
+non-blocking, I/O-driven process. Squid keeps meta data and especially
+hot objects cached in RAM, caches DNS lookups, supports non-blocking
+DNS lookups, and implements negative caching of failed requests.
+
+Squid consists of a main server program squid, a Domain Name System
+lookup program (dnsserver), a program for retrieving FTP data
+(ftpget), and some management and client tools.
+
+%prep
+%setup -q
+
+# Upstream patches
+
+# Backported patches
+
+# Local patches
+%patch201 -p1 -b .config
+%patch202 -p1 -b .location
+%patch203 -p1 -b .perlpath
+%patch204 -p1 -b .include-guards
+%patch205 -p1 -b .large_acl
+%patch206 -p1 -b .active-ftp
+%patch208 -p1 -b .convert-ipv4
+%patch209 -p1 -b .ftp-fn-extraction
+
+# Security patches
+%patch300 -p1 -b .CVE-2021-28116
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
+# Patch in the vendor documentation and used different location for documentation
+sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in
+
+%build
+# cppunit-config patch changes configure.ac
+autoconf
+
+# NIS helper has been removed because of the following bug
+# https://bugzilla.redhat.com/show_bug.cgi?id=1531540
+%configure \
+   --libexecdir=%{_libdir}/squid \
+   --datadir=%{_datadir}/squid \
+   --sysconfdir=%{_sysconfdir}/squid \
+   --with-logdir='%{_localstatedir}/log/squid' \
+   --with-pidfile='%{_localstatedir}/run/squid.pid' \
+   --disable-dependency-tracking \
+   --enable-eui \
+   --enable-follow-x-forwarded-for \
+   --enable-auth \
+   --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \
+   --enable-auth-ntlm="SMB_LM,fake" \
+   --enable-auth-digest="file,LDAP" \
+   --enable-auth-negotiate="kerberos" \
+   --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \
+   --enable-storeid-rewrite-helpers="file" \
+   --enable-cache-digests \
+   --enable-cachemgr-hostname=localhost \
+   --enable-delay-pools \
+   --enable-epoll \
+   --enable-icap-client \
+   --enable-ident-lookups \
+   %ifnarch %{power64} ia64 x86_64 s390x aarch64
+   --with-large-files \
+   %endif
+   --enable-linux-netfilter \
+   --enable-removal-policies="heap,lru" \
+   --enable-snmp \
+   --enable-ssl \
+   --enable-ssl-crtd \
+   --enable-storeio="aufs,diskd,ufs,rock" \
+   --enable-diskio \
+   --enable-wccpv2 \
+   --enable-esi \
+   --enable-ecap \
+   --with-aio \
+   --with-default-user="squid" \
+   --with-dl \
+   --with-openssl \
+   --with-pthreads \
+   --disable-arch-native \
+   --disable-security-cert-validators \
+   --with-swapdir=%{_localstatedir}/spool/squid
+
+%make_build
+
+%check
+make check
+	
+%install
+%make_install
+
+echo "
+#
+# This is %{_sysconfdir}/httpd/conf.d/squid.conf
+#
+
+ScriptAlias /Squid/cgi-bin/cachemgr.cgi %{_libdir}/squid/cachemgr.cgi
+
+# Only allow access from localhost by default
+
+ Require local
+ # Add additional allowed hosts as needed
+ # Require host example.com
+" > $RPM_BUILD_ROOT/squid.httpd.tmp
+
+
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d
+mkdir -p $RPM_BUILD_ROOT%{_unitdir}
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid
+install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid
+install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid
+install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid
+install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}
+install -m 755 %{SOURCE7} $RPM_BUILD_ROOT%{_libexecdir}/squid
+install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/squid
+chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl
+iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp
+mv -f ChangeLog.tmp ChangeLog
+
+# install /usr/lib/tmpfiles.d/squid.conf
+mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
+cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf </dev/null 2>&1; then
+  /usr/sbin/groupadd -g 23 squid
+fi
+
+if ! getent passwd squid >/dev/null 2>&1 ; then
+  /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 
+fi
+
+for i in /var/log/squid /var/spool/squid ; do
+        if [ -d $i ] ; then
+                for adir in `find $i -maxdepth 0 \! -user squid`; do
+                        chown -R squid:squid $adir
+                done
+        fi
+done
+
+exit 0
+
+%pretrans -p 
+-- Due to a bug #447156
+paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"}
+for key,path in ipairs(paths)
+do
+  st = posix.stat(path)
+  if st and st.type == "directory" then
+    status = os.rename(path, path .. ".rpmmoved")
+    if not status then
+      suffix = 0
+      while not status do
+        suffix = suffix + 1
+        status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
+      end
+      os.rename(path, path .. ".rpmmoved")
+    end
+  end
+end
+
+%post
+%systemd_post squid.service
+
+%preun
+%systemd_preun squid.service
+
+%postun
+%systemd_postun_with_restart squid.service
+
+%triggerin -- samba-common
+if ! getent group wbpriv >/dev/null 2>&1 ; then
+  /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || :
+fi
+/usr/sbin/usermod -a -G wbpriv squid >/dev/null 2>&1 || \
+    chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
+
+
+%changelog
+* Wed Feb 09 2022 Luboš Uhliarik  - 7:4.15-3
+- Resolves: #1941506 - CVE-2021-28116 squid:4/squid: out-of-bounds read in WCCP
+  protocol data may lead to information disclosure
+
+* Tue Jan 25 2022 Luboš Uhliarik  - 7:4.15-2
+- Resolves: #2006121 - SQUID shortens FTP Link wrong that contains a semi-colon
+  and as a result is not able to download zip file.CODE 404 TO CLIENT)
+
+* Fri Jun 18 2021 Luboš Uhliarik  - 7:4.15-1
+- new version 4.15
+- Resolves: #1964384 - squid:4 rebase to 4.15
+
+* Wed Mar 31 2021 Lubos Uhliarik  - 7:4.11-5
+- Resolves: #1944261 - CVE-2020-25097 squid:4/squid: improper input validation
+  may allow a trusted client to perform HTTP Request Smuggling
+
+* Mon Oct 26 2020 Lubos Uhliarik  - 7:4.11-4
+- Resolves: #1890606 - Fix for CVE 2019-13345 breaks authentication in
+  cachemgr.cgi
+
+* Wed Aug 26 2020 Lubos Uhliarik  - 7:4.11-3
+- Resolves: #1871705 - CVE-2020-24606 squid: Improper Input Validation could
+  result in a DoS
+- Resolves: #1871702 - CVE-2020-15811 squid: HTTP Request Splitting could result
+  in cache poisoning
+- Resolves: #1871700 - CVE-2020-15810 squid: HTTP Request Smuggling could result
+  in cache poisoning
+
+* Thu Jul 02 2020 Lubos Uhliarik  - 7:4.11-2
+- Resolves: #1853130 - CVE-2020-15049 squid:4/squid: request smuggling and
+  poisoning attack against the HTTP cache
+- Resolves: #1853136 - CVE-2020-14058 squid:4/squid: DoS in TLS handshake
+
+* Thu May 07 2020 Lubos Uhliarik  - 7:4.11-1
+- new version 4.11
+- libsystemd integration
+- Resolves: #1829467 - squid:4 rebase
+- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in
+  addStackElement allows for a heap buffer overflow and a crash
+- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation
+  in request allows for proxy manipulation
+- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction
+  in url_regex may lead to security bypass
+- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host
+  parameter to cachemgr.cgi which could result in squid behaving in unsecure way
+- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation
+  issues in HTTP Request processing
+- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid
+  acting as reverse-proxy
+- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure
+  issue in FTP Gateway
+- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting
+  issue in HTTP message processing
+- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure
+  issue in HTTP Digest Authentication
+- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery
+  issue in HTTP Request processing
+- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation
+  in URI processor
+- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI
+  processor
+- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN
+  processing
+- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization
+  header causes DoS
+
+* Tue Apr 28 2020 Lubos Uhliarik  - 7:4.4-9
+- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header
+  Proxy-Authentication leads to memory corruption
+- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon
+  Digest Authentication nonce replay could lead to remote code execution
+- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in
+  ESIExpression::Evaluate allows for stack buffer overflow
+
+* Fri Aug 23 2019 Lubos Uhliarik  - 7:4.4-8
+- Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
+  in HttpHeader::getAuth
+
+* Wed Jul 31 2019 Lubos Uhliarik  - 7:4.4-7
+- Resolves: #1729436 - CVE-2019-13345 squid: XSS via user_name or auth parameter
+  in cachemgr.cgi
+
+* Fri Jun 21 2019 Lubos Uhliarik  - 7:4.4-6
+- Resolves: #1679526 - Missing detailed configuration file
+- Resolves: #1703117 - RHEL 7 to 8 fails with squid installed because dirs
+  changed to symlinks
+- Resolves: #1691741 - Squid cache_peer DNS lookup failed when not all lower
+  case
+- Resolves: #1683527 - "Reloading" message on a fresh reboot after enabling
+  squid
+
+* Tue Dec 11 2018 Lubos Uhliarik  - 7:4.4-4
+- Resolves: #1612524 - Man page scan results for squid 
+
+* Tue Dec 11 2018 Lubos Uhliarik  - 7:4.4-3
+- Resolves: #1642384 - squid doesn't work with active ftp
+
+* Tue Dec 11 2018 Lubos Uhliarik  - 7:4.4-2
+- Resolves: #1657847 - Unable to start Squid in Selinux Enforcing mode
+
+* Mon Dec 10 2018 Lubos Uhliarik  - 7:4.4-1
+- Resolves: #1656871 - squid rebase to 4.4
+- Resolves: #1645148 - CVE-2018-19131 squid: Cross-Site Scripting when
+  generating HTTPS response messages about TLS errors
+- Resolves: #1645156 - CVE-2018-19132 squid: Memory leak in SNMP query
+  rejection code
+
+* Mon Aug 06 2018 Lubos Uhliarik  - 7:4.2-1
+- new version 4.2
+- enable back strict error checking
+
+* Wed Aug 01 2018 Luboš Uhliarik  - 7:4.1-1
+- new version 4.1
+
+* Mon Jun 04 2018 Luboš Uhliarik  - 7:4.0.23-5
+- Resolves: #1585617 - Build against libdb only instead of libdb4
+- disabled strict checking for now (squid can not be built with GCC8)
+
+* Mon Apr 16 2018 Luboš Uhliarik  - 7:4.0.23-4
+- Resolves: #1566055 - module squid cannot be installed due to missing
+  perl(Crypt::OpenSSL::X509)
+
+* Fri Feb 09 2018 Fedora Release Engineering  - 7:4.0.23-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 23 2018 Luboš Uhliarik  - 7:4.0.23-2
+- Resolves: #1481195 - squid loses some REs when optimising ACLs
+
+* Tue Jan 23 2018 Luboš Uhliarik  - 7:4.0.23-1
+- new version 4.0.23
+
+* Sat Jan 20 2018 Björn Esser  - 7:4.0.22-2
+- Rebuilt for switch to libxcrypt
+
+* Wed Jan 17 2018 Luboš Uhliarik  - 7:4.0.22-1
+- new version 4.0.22
+- Removed NIS helper (#1531540)
+
+* Mon Aug 07 2017 Luboš Uhliarik  - 7:4.0.21-1
+- new version 4.0.21
+
+* Thu Aug 03 2017 Fedora Release Engineering  - 7:4.0.20-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering  - 7:4.0.20-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 05 2017 Luboš Uhliarik  - 7:4.0.20-2
+- related: new version 4.0.20
+
+* Mon Jun 05 2017 Luboš Uhliarik  - 7:4.0.20-1
+- new version 4.0.20
+
+* Tue Apr 25 2017 Luboš Uhliarik  - 7:4.0.19-4
+- Related: #1445255 - Squid SMP Mode Fails
+
+* Tue Apr 25 2017 Luboš Uhliarik  - 7:4.0.19-3
+- Resolves: #1445255 - Squid SMP Mode Fails
+
+* Tue Apr 18 2017 Luboš Uhliarik  - 7:4.0.19-2
+- Resolves: #1442375 - squid helper squid_kerb_ldap not included in package
+
+* Mon Apr 03 2017 Luboš Uhliarik  - 7:4.0.19-1
+- new version 4.0.19
+
+* Thu Mar 30 2017 Luboš Uhliarik  - 7:4.0.18-1
+- new version 4.0.18
+
+* Sat Feb 11 2017 Fedora Release Engineering  - 7:4.0.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 19 2016 Luboš Uhliarik  - 7:4.0.17-1
+- new version 4.0.17
+
+* Mon Oct 31 2016 Luboš Uhliarik  - 7:4.0.16-1
+- new version 4.0.16
+
+* Mon Oct 10 2016 Luboš Uhliarik  - 7:4.0.15-1
+- new version 4.0.15
+
+* Mon Sep 12 2016 Luboš Uhliarik  - 7:4.0.14-1
+- new version 4.0.14
+
+* Tue Aug 09 2016 Luboš Uhliarik  - 7:4.0.13-1
+- new version 4.0.13
+
+* Mon Jul 11 2016 Henrik Nordstrom  - 7:4.0.11-1
+- new version 4.0.11
+
+* Wed May 18 2016 Luboš Uhliarik  - 7:3.5.19-2
+- Resolves: #1336993 - Mistyped command in dirname
+  /etc/NetworkManager/dispatcher.d/20-squid
+
+* Tue May 10 2016 Luboš Uhliarik  - 7:3.5.19-1
+- new version 3.5.19
+
+* Thu May 05 2016 Luboš Uhliarik  - 7:3.5.17-1
+- new version 3.5.17
+
+* Tue Apr 05 2016 Luboš Uhliarik  - 7:3.5.16-1
+- new version 3.5.16
+
+* Tue Mar 01 2016 Luboš Uhliarik  - 7:3.5.15-1
+- new version 3.5.15
+- Resolves: #1311585 - squid: Multiple Denial of Service issues in
+  HTTP Response processing
+- Resolves: #1312267 - squid: SQUID-2016_2 advisory, multiple DoS issues
+
+* Tue Mar 01 2016 Luboš Uhliarik  - 7:3.5.13-3
+- Resolves: #1308866 - CVE-2016-2390 squid: incorrect server error 
+  handling resulting in denial of service
+
+* Fri Feb 05 2016 Fedora Release Engineering  - 7:3.5.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 08 2016 Luboš Uhliarik  - 7:3.5.13-1
+- new version 3.5.13
+
+* Thu Dec 03 2015 Luboš Uhliarik  - 7:3.5.12-2
+- new version 3.5.12
+
+* Fri Sep 25 2015 Luboš Uhliarik  - 7:3.5.9-3
+- Resolves: #1231992
+
+* Fri Sep 25 2015 Luboš Uhliarik  - 7:3.5.9-2
+- Resolves: #1230501
+
+* Thu Sep 24 2015 Luboš Uhliarik  - 7:3.5.9-1
+- new version 3.5.9
+- added Patch, which fixes problem with include guards 
+
+* Fri Jun 19 2015 Fedora Release Engineering  - 7:3.5.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat May 02 2015 Kalev Lember  - 7:3.5.3-4
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Tue Mar 31 2015 Pavel Šimerda  - 7:3.5.3-3
+- Fix build by removing eDirectory support
+
+* Tue Mar 31 2015 Pavel Šimerda  - 7:3.5.3-2
+- clean up defunct patches
+
+* Tue Mar 31 2015 Pavel Šimerda  - 7:3.5.3-1
+- new version 3.5.3
+
+* Mon Mar 23 2015 Pavel Šimerda  - 7:3.5.2-4
+- Resolves: #1145235, #1173488, #1176318 – revert a couple of recent changes
+
+* Sun Mar 15 2015 Henrik Nordstrom  - 7:3.5.2-3
+- Correct execmod build issue caused by libtool confusion on
+  required compiler flags
+
+* Sun Mar 15 2015 Henrik Nordstrom  - 7:3.5.2-2
+- Update to latest upstream version 3.5.2
+- Remove deprecated (and renamed) squid_msnt_auth basic auth helper. Only
+  performs LM authentication and not considered useful in todays networks.
+
+* Wed Feb 25 2015 Henrik Nordstrom  - 7:3.4.12-1
+- Update to latest upstream version 3.4.12
+- bug #1173946: Disable -march=native compile time optimization, use Fedora defaults.
+
+* Tue Nov 18 2014 Henrik Nordstrom  - 7:3.4.9-3
+- Update to latest upstream version 3.4.9
+
+* Sun Oct 19 2014 Peter Robinson  7:3.4.7-3
+- Update ppc64 macro to cover little endian too
+
+* Thu Sep 11 2014 Michal Luscon  - 7:3.4.7-2
+- Fixed: CVE-2014-6270
+
+* Thu Aug 28 2014 Michal Luscon  - 7:3.4.7-1
+- Update to latest upstream version
+- Fixed: CVE-2014-3609
+
+* Thu Aug 21 2014 Kevin Fenzi  - 7:3.4.6-3
+- Rebuild for rpm bug 1131960
+
+* Mon Aug 18 2014 Fedora Release Engineering  - 7:3.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 2 2014 Michal Luscon  - 7:3.4.6-1
+- Update to latest upstream version 3.4.6
+
+* Fri Jun 13 2014 Michal Luscon  - 7:3.4.5-6
+- Fixed #855111: set unlimited start and shutdown timeout
+
+* Sun Jun 08 2014 Michal Luscon  - 7:3.4.5-5
+- Run squid under user and group squid
+
+* Sun Jun 08 2014 Fedora Release Engineering  - 7:3.4.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 27 2014 Michal Luscon  - 7:3.4.5-3
+- Remove sysvinit subpackage 
+- Enable rock store
+
+* Fri May 23 2014 Michal Luscon  - 7:3.4.5-2
+- Fixed #1099970: missing /var/run/squid folder
+- Reverted #1038160: breaks SMP mode
+
+* Tue May 6 2014 Michal Luscon  - 7:3.4.5-1
+- Update to latest upstream version 3.4.5
+
+* Fri Apr 25 2014 Michal Luscon  - 7:3.4.4.2-1
+- Update to latest upstream version 3.4.4.2
+
+* Thu Mar 13 2014 Pavel Šimerda  - 7:3.4.4-1
+- bump to 3.4.4
+
+* Tue Feb 04 2014 Henrik Nordstrom  - 7:3.4.3-1
+- Update to latest upstream bugfix version 3.4.3
+
+* Mon Jan 06 2014 Pavel Šimerda  - 7:3.4.1-2
+- Resolves: #1038160 - avoid running squid's own supervisor process
+
+* Mon Dec 30 2013 Michal Luscon  - 7:3.4.1-1
+- Rebase to latest stable upstream release 3.4.1
+- Fixed #1034306: fails to build for AArch64
+- Fixed: active ftp
+
+* Tue Dec 03 2013 Henrik Nordstrom  - 7:3.3.11-1
+- Update to latest upstream bugfix version 3.3.11
+
+* Fri Sep 13 2013 Michal Luscon  - 7:3.3.9-1
+- Update to latest upstream version 3.3.9
+- Fixed #976815: file descriptors are hard coded to 16384
+- Fixed: active ftp crashing
+- Fixed: offset of patches
+
+* Thu Aug 08 2013 Michal Luscon  - 7:3.3.8-3
+- Fixed #994814: enable time_quota helper
+
+* Sun Aug 04 2013 Fedora Release Engineering  - 7:3.3.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 22 2013 Michal Luscon  - 7:3.3.8-1
+- Update to latest upstream version 3.3.8
+- Fixed: CVE-2013-4123
+- Fixed: CVE-2013-4115
+
+* Wed Jul 17 2013 Petr Pisar  - 7:3.3.4-3
+- Perl 5.18 rebuild
+
+* Wed May  8 2013 Ville Skyttä  - 7:3.3.4-2
+- Fix basic auth and log daemon DB helper builds.
+- Use xz compressed tarball, fix source URLs.
+- Fix bogus dates in %%changelog.
+
+* Fri May 3 2013 Michal Luscon  - 7:3.3.4-1
+- Rebase to latest upstream version 3.3.4
+
+* Tue Apr 23 2013 Michal Luscon  - 7:3.2.9-3
+- Option '-k' is not stated in squidclient man
+- Remove pid from service file(#913262)
+
+* Fri Apr 19 2013 Michal Luscon  - 7:3.2.9-2
+- Enable full RELRO (-Wl,-z,relro -Wl,-z,now)
+
+* Tue Mar 19 2013 Michal Luscon  - 7:3.2.9-1
+- Update to latest upstream version 3.2.9
+- Fixed: CVE-2013-1839
+- Removed: makefile-patch (+make check)
+
+* Mon Mar 11 2013 Michal Luscon  - 7:3.2.8-3
+- Resolved: /usr move - squid service file
+
+* Sat Mar 09 2013 Michal Luscon  - 7:3.2.8-2
+- Resolved: #896127 - basic_ncsa_auth does not work
+
+* Fri Mar 08 2013 Michal Luscon  - 7:3.2.8-1
+- Update to latest upstream version 3.2.8
+- Fixed rawhide build issues (-make check)
+
+* Thu Feb 07 2013 Michal Luscon  - 7:3.2.7-1
+- Update to latest upstream version 3.2.7
+
+* Thu Jan 24 2013 Michal Luscon  - 7:3.2.5-2
+- CVE-2013-0189: Incomplete fix for the CVE-2012-5643
+
+* Mon Dec 17 2012 Michal Luscon  - 7:3.2.5-1
+- Update to latest upstream version 3.2.5
+
+* Mon Nov 05 2012 Michal Luscon  - 7:3.2.3-3
+- Resolved: #71483 - httpd 2.4 requires new configuration directives
+
+* Fri Oct 26 2012 Michal Luscon  - 7:3.2.3-2
+- Resolved: #854356 - squid.service use PIDFile
+- Resolved: #859393 - Improve cache_swap script
+- Resolved: #791129 - disk space warning
+- Resolved: #862252 - reload on VPN or network up/down
+- Resolved: #867531 - run test suite during build
+- Resolved: #832684 - missing after dependency nss-lookup.target
+- Removed obsolete configure options
+
+* Mon Oct 22 2012 Tomas Hozza  - 7:3.2.3-1
+- Update to latest upstream version 3.2.3
+
+* Tue Oct 16 2012 Tomas Hozza  - 7:3.2.2-1
+- Update to latest upstream version 3.2.2
+
+* Fri Oct 05 2012 Tomas Hozza  - 7:3.2.1-2
+- Introduced new systemd-rpm macros in squid spec file. (#850326)
+
+* Wed Aug 29 2012 Michal Luscon  - 7:3.2.1-1
+- Update to latest upstream 3.2.1
+
+* Sat Jul 21 2012 Fedora Release Engineering  - 7:3.2.0.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Apr 02 2012 Henrik Nordstrom  - 7:3.2.0.16-2
+- Enable SSL CRTD for ssl bump
+
+* Wed Mar 07 2012 Henrik Nordstrom  - 7:3.2.0.16-1
+- Upstream 3.2.0.16 bugfix release
+
+* Tue Feb 28 2012 Fedora Release Engineering  - 7:3.2.0.15-2
+- Rebuilt for c++ ABI breakage
+
+* Mon Feb 06 2012 Henrik Nordstrom  - 7:3.2.0.15-1
+- Upstream 3.2.0.15 bugfix release
+
+* Wed Feb 01 2012 Henrik Nordstrom  - 7:3.2.0.14-7
+- update with upstreamed patch versions
+
+* Tue Jan 17 2012 Henrik Nordstrom  - 7:3.2.0.14-6
+- upstream gcc-4.7 patch
+- fix for bug #772483 running out of memory, mem_node growing out of bounds
+
+* Mon Jan 16 2012 Jiri Skala  - 7:3.2.0.14-5
+- fixes FTBFS due to gcc-4.7
+
+* Fri Jan 13 2012 Jiri Skala  - 7:3.2.0.14-4
+- fixes #772481 - Low number of open files for squid process
+- fixes FTBFS due to gcc4.7
+
+* Thu Jan 05 2012 Henrik Nordstrom  - 3.2.0.14-3
+- rebuild for gcc-4.7.0
+
+* Mon Dec 19 2011 Jiri Skala  - 7:3.2.0.14-2
+- fixes #768586 - Please enable eCAP support again
+
+* Wed Dec 14 2011 Jiri Skala  - 7:3.2.0.14-1
+- update to latest upstream 3.2.0.14
+
+* Mon Nov 07 2011 Jiri Skala  - 7:3.2.0.13-5
+- fixes #751679 - host_strict_verify setting inverted in squid.conf
+
+* Thu Nov 03 2011 Jiri Skala  - 7:3.2.0.13-4
+- fixes #750550 - Squid might depend on named
+
+* Wed Oct 26 2011 Jiri Skala  - 7:3.2.0.13-3
+- added upstream fix for #747125
+
+* Wed Oct 26 2011 Jiri Skala  - 7:3.2.0.13-2
+- fixes #747103 - squid does not start if /var/spool/squid is empty
+- fixes #747110 - squid does not start adding "memory_pools off"
+
+* Mon Oct 17 2011 Jiri Skala  - 7:3.2.0.13-1
+- update to latest upstream 3.2.0.13
+
+* Tue Sep 20 2011 Jiri Skala  - 7:3.2.0.12-1
+- update to latest upstream 3.2.0.12
+
+* Mon Aug 29 2011 Henrik Nordstrom  - 7:3.2.0.11-3
+- update to latest upstream 3.2.0.11
+
+* Sat Aug 27 2011 Henrik Nordstrom  - 7:3.2.0.10-3
+- Fix for SQUID-2011:3 Gopher vulnerability
+
+* Thu Aug 18 2011 Jiri Skala  - 7:3.2.0.10-2
+- rebuild for rpm
+
+* Mon Aug 01 2011 Jiri Skala  - 7:3.2.0.10-1
+- update to latest upsteam 3.2.0.10
+
+* Mon Aug 01 2011 Jiri Skala  - 7:3.2.0.9-2
+- rebuild for libcap
+
+* Tue Jun 07 2011 Jiri Skala  - 7:3.2.0.9-1
+- upgrade to squid-3.2
+- fixes #720445 - Provide native systemd unit file
+- SysV initscript moved to subpackage
+- temproary disabled eCap
+
+* Wed May 18 2011 Jiri Skala  - 7:3.1.12-3
+- enabled eCAP support
+
+* Wed May 04 2011 Jiri Skala  - 7:3.1.12-2
+- applied corrections of unused patch (Ismail Dönmez)
+
+* Fri Apr 15 2011 Jiri Skala  - 7:3.1.12-1
+- Update to 3.1.12 upstream release
+
+* Thu Feb 10 2011 Jiri Skala  - 7:3.1.11-1
+- Update to 3.1.11 upstream release
+- fixes issue with unused variale after mass rebuild (gcc-4.6)
+
+* Wed Feb 09 2011 Fedora Release Engineering  - 7:3.1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jan 06 2011 Jiri Skala  - 7:3.1.10-1
+- Update to 3.1.10 upstream release
+
+* Fri Nov 05 2010 Jiri Skala  - 7:3.1.9-5
+- rebuild for libxml2
+
+* Mon Nov 01 2010 Jiri Skala  - 7:3.1.9-4
+- fixes #647967 - build with -fPIE option back and dropped proper libltdl usage
+
+* Sat Oct 30 2010 Henrik Nordstrom  - 7:3.1.9-3
+- Bug #647967 - License clarification & spec-file cleanup
+
+* Mon Oct 25 2010 Henrik Nordstrom  7:3.1.9-2
+- Upstream 3.1.9 bugfix release
+
+* Wed Oct 13 2010 Jiri Skala  - 7:3.1.8-2
+- fixes #584161 - squid userid not added to wbpriv group
+
+* Sun Sep 05 2010 Henrik Nordstrom  - 7:3.1.8-1
+- Bug #630445: SQUID-2010:3 Denial of service issue
+
+* Tue Aug 24 2010 Henrik Nordstrom  - 7:3.1.7-1
+- Upstream 3.1.7 bugfix release
+
+* Fri Aug 20 2010 Henrik Nordstrom  - 7:3.1.6-1
+- Upstream 3.1.6 bugfix release
+- Build with system libtool-ltdl
+
+* Thu Jul 15 2010 Henrik Nordstrom  - 7:3.1.5-2
+- Upstream 3.1.5 bugfix release
+- Upstream patch for Bug #614665: Squid crashes with  ident auth
+- Upstream patches for various memory leaks
+
+* Mon May 31 2010 Henrik Nordstrom  - 7:3.1.4-2
+- Correct case-insensitiveness in HTTP list header parsing
+
+* Sun May 30 2010 Henrik Nordstrom  - 7:3.1.4-1
+- Upstream 3.1.4 bugfix release, issues relating to IPv6, TPROXY, Memory
+  management, follow_x_forwarded_for, and stability fixes
+
+* Fri May 14 2010 Henrik Nordstrom  - 7:3.1.3-2
+- Fully fix #548903 - "comm_open: socket failure: (97) Address family not supported by protocol" if IPv6 disabled
+- Various IPv6 related issues fixed, making tcp_outgoing_address behave
+  as expected and no commResetFD warnings when using tproxy setups.
+
+* Sun May 02 2010 Henrik Nordstrom  - 7:3.1.3-1
+- Update to 3.1.3 Upstream bugfix release, fixing WCCPv1
+
+* Mon Apr 19 2010 Henrik Nordstrom  - 7:3.1.1-4
+- Bug #583489: Adjust logrotate script to changes in logrotate package.
+
+* Mon Apr 19 2010 Jiri Skala 
+- fixes #548903 - "comm_open: socket failure: (97) Address family not supported by protocol" if IPv6 disabled
+
+* Tue Mar 30 2010 Henrik Nordstrom  - 7:3.1.1-2
+- Update to 3.1.1 Squid bug #2827 crash with assertion failed:
+  FilledChecklist.cc:90: "conn() != NULL" under high load.
+
+* Mon Mar 15 2010 Henrik Nordstrom  - 7:3.1.0.18-1
+- Upgrade to 3.1.0.18 fixing Digest authentication and improved HTTP/1.1 support
+
+* Sun Feb 28 2010 Henrik Nordstrom  -  7:3.1.0.17-3
+- Bug 569120, fails to open unbound ipv4 listening sockets
+
+* Thu Feb 25 2010 Henrik Nordstrom  - 7:3.1.0.17-2
+- Upgrade to 3.1.0.17
+
+* Thu Feb 18 2010 Henrik Nordstrom  - 7:3.1.0.16-7
+- Workaround for Fedora-13 build failure
+
+* Sun Feb 14 2010 Henrik Nordstrom  - 7:3.1.0.16-6
+- Patch for Squid security advisory SQUID-2010:2, denial of service
+  issue in HTCP processing (CVE-2010-0639)
+
+* Sun Feb 07 2010 Henrik Nordstrom  - 7:3.1.0.16-5
+- Rebuild 3.1.0.16 with corrected upstream release.
+
+* Wed Feb 03 2010 Jiri Skala  - 7:3.1.0.16-4
+- spec file modified to be fedora packaging guidline compliant
+- little shifting lines in init script header due to rpmlint complaint
+- fixes assertion during start up
+
+* Mon Feb 01 2010 Henrik Nordstrom  7:3.1.0.16-3
+- Upgrade to 3.1.0.16 for DNS related DoS fix (Squid-2010:1)
+
+* Sat Jan 09 2010 Henrik Nordstrom  - 7:3.1.0.15-3
+- fixed #551302 PROXY needs libcap. Also increases security a little.
+- merged relevant upstream bugfixes waiting for next 3.1 release
+
+* Mon Nov 23 2009 Henrik Nordstrom  - 7:3.1.0.15-2
+- Update to 3.1.0.15 with a number of bugfixes and a workaround for
+  ICEcast/SHOUTcast streams.
+
+* Mon Nov 23 2009 Jiri Skala  7:3.1.0.14-2
+- fixed #532930 Syntactic error in /etc/init.d/squid
+- fixed #528453 cannot initialize cache_dir with user specified config file
+
+* Sun Sep 27 2009 Henrik Nordstrom  - 7:3.1.0.14-1
+- Update to 3.1.0.14
+
+* Sat Sep 26 2009 Henrik Nordstrom  - 7:3.1.0.13-7
+- Include upstream patches fixing important operational issues
+- Enable ESI support now that it does not conflict with normal operation
+
+* Fri Sep 18 2009 Henrik Nordstrom  - 7:3.1.0.13-6
+- Rotate store.log if enabled
+
+* Wed Sep 16 2009 Tomas Mraz  - 7:3.1.0.13-5
+- Use password-auth common PAM configuration instead of system-auth
+
+* Tue Sep 15 2009 Jiri Skala  - 7:3.1.0.13-4
+- fixed #521596 - wrong return code of init script
+
+* Tue Sep 08 2009 Henrik Nordstrom  - 7:3.1.0.13-3
+- Enable squid_kerb_auth
+
+* Mon Sep 07 2009 Henrik Nordstrom  - 7:3.1.0.13-2
+- Cleaned up packaging to ease future maintenance
+
+* Fri Sep 04 2009 Henrik Nordstrom  - 7:3.1.0.13-1
+- Upgrade to next upstream release 3.1.0.13 with many new features
+  * IPv6 support
+  * NTLM-passthru
+  * Kerberos/Negotiate authentication scheme support
+  * Localized error pages based on browser language preferences
+  * Follow X-Forwarded-For capability
+  * and more..
+
+* Mon Aug 31 2009 Henrik Nordstrom  - 3.0.STABLE18-3
+- Bug #520445 silence logrotate when Squid is not running
+
+* Fri Aug 21 2009 Tomas Mraz  - 7:3.0.STABLE18-2
+- rebuilt with new openssl
+
+* Tue Aug 04 2009 Henrik Nordstrom  - 7:3.0.STABLE18-1
+- Update to 3.0.STABLE18
+
+* Sat Aug 01 2009 Henrik Nordstrom  - 7:3.0.STABLE17-3
+- Squid Bug #2728: regression: assertion failed: http.cc:705: "!eof"
+
+* Mon Jul 27 2009 Henrik Nordstrom  - 7:3.0.STABLE17-2
+- Bug #514014, update to 3.0.STABLE17 fixing the denial of service issues
+  mentioned in Squid security advisory SQUID-2009_2.
+
+* Sun Jul 26 2009 Fedora Release Engineering  - 7:3.0.STABLE16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 01 2009 Jiri Skala  7:3.0.STABLE16-2
+- fixed patch parameter of bXXX patches
+
+* Mon Jun 29 2009 Henrik Nordstrom  - 7:3.0.STABLE16-1
+- Upgrade to 3.0.STABLE16
+
+* Sat May 23 2009 Henrik Nordstrom  - 7:3.0.STABLE15-2
+- Bug #453304 - Squid requires restart after Network Manager connection setup
+
+* Sat May 09 2009 Henrik Nordstrom  - 7:3.0.STABLE15-1
+- Upgrade to 3.0.STABLE15
+
+* Tue Apr 28 2009 Jiri Skala  - 7:3.0.STABLE14-3
+- fixed ambiguous condition in the init script (exit 4)
+
+* Mon Apr 20 2009 Henrik Nordstrom  - 7:3.0.STABLE14-2
+- Squid bug #2635: assertion failed: HttpHeader.cc:1196: "Headers[id].type == ftInt64"
+
+* Sun Apr 19 2009 Henrik Nordstrom  - 7:3.0.STABLE14-1
+- Upgrade to 3.0.STABLE14
+
+* Fri Mar 06 2009 Henrik Nordstrom  - 7:3.0.STABLE13-2
+- backported logfile.cc syslog parameters patch from 3.1 (b9443.patch)
+- GCC-4.4 workaround in src/wccp2.cc
+
+* Wed Feb 25 2009 Fedora Release Engineering  - 7:3.0.STABLE13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Feb 5 2009 Jonathan Steffan  - 7:3.0.STABLE13-1
+- upgrade to latest upstream
+
+* Tue Jan 27 2009 Henrik Nordstrom  - 7:3.0.STABLE12-1
+- upgrade to latest upstream
+
+* Sun Jan 18 2009 Tomas Mraz  - 7:3.0.STABLE10-4
+- rebuild with new openssl
+
+* Fri Dec 19 2008 Henrik Nordstrom  - 7:3.0.STABLE10-3
+- actually include the upstream bugfixes in the build
+
+* Fri Dec 19 2008 Henrik Nordstrom  - 7:3.0.STABLE10-2
+- upstream bugfixes for cache corruption and access.log response size errors
+
+* Fri Oct 24 2008 Henrik Nordstrom  - 7:3.0.STABLE10-1
+- upgrade to latest upstream
+
+* Sun Oct 19 2008 Henrik Nordstrom  - 7:3.0.STABLE9-2
+- disable coss support, not officially supported in 3.0
+
+* Sun Oct 19 2008 Henrik Nordstrom  - 7:3.0.STABLE9-1
+- update to latest upstream
+
+* Thu Oct 09 2008 Henrik Nordstrom  - 7:3.0.STABLE7-4
+- change logrotate to move instead of copytruncate
+
+* Wed Oct 08 2008 Jiri Skala  - 7:3.0.STABLE7-3
+- fix #465052 -  FTBFS squid-3.0.STABLE7-1.fc10
+
+* Thu Aug 14 2008 Jiri Skala  - 7:3.0.STABLE7-2
+- used ncsa_auth.8 from man-pages. there will be this file removed due to conflict
+- fix #458593 noisy initscript
+- fix #463129 init script tests wrong conf file
+- fix #450352 - build.patch patches only generated files
+
+* Wed Jul 02 2008 Jiri Skala  - 7:3.0.STABLE7-1
+- update to latest upstream
+- fix #453214
+
+* Mon May 26 2008 Martin Nagy  - 7:3.0.STABLE6-2
+- fix bad allocation
+
+* Wed May 21 2008 Martin Nagy  - 7:3.0.STABLE6-1
+- upgrade to latest upstream
+- fix bad allocation
+
+* Fri May 09 2008 Martin Nagy  - 7:3.0.STABLE5-2
+- fix configure detection of netfilter kernel headers (#435499),
+  patch by aoliva@redhat.com
+- add support for negotiate authentication (#445337)
+
+* Fri May 02 2008 Martin Nagy  - 7:3.0.STABLE5-1
+- upgrade to latest upstream
+
+* Tue Apr 08 2008 Martin Nagy  - 7:3.0.STABLE4-1
+- upgrade to latest upstream
+
+* Thu Apr 03 2008 Martin Nagy  - 7:3.0.STABLE2-2
+- add %%{optflags} to make
+- remove warnings about unused return values
+
+* Thu Mar 13 2008 Martin Nagy  - 7:3.0.STABLE2-1
+- upgrade to latest upstream 3.0.STABLE2
+- check config file before starting (#428998)
+- whitespace unification of init script
+- some minor path changes in the QUICKSTART file
+- configure with the --with-filedescriptors=16384 option
+
+* Tue Feb 26 2008 Martin Nagy  - 7:3.0.STABLE1-3
+- change the cache_effective_group default back to none
+
+* Mon Feb 11 2008 Martin Nagy  - 7:3.0.STABLE1-2
+- rebuild for 4.3
+
+* Wed Jan 23 2008 Martin Nagy  - 7:3.0.STABLE1-1
+- upgrade to latest upstream 3.0.STABLE1
+
+* Tue Dec 04 2007 Martin Bacovsky  - 2.6.STABLE17-1
+- upgrade to latest upstream 2.6.STABLE17
+
+* Wed Oct 31 2007 Martin Bacovsky  - 7:2.6.STABLE16-3
+- arp-acl was enabled
+
+* Tue Sep 25 2007 Martin Bacovsky  - 7:2.6.STABLE16-2
+- our fd_config patch was replaced by upstream's version 
+- Source1 (FAQ.sgml) points to local source (upstream's moved to wiki)
+
+* Fri Sep 14 2007 Martin Bacovsky  - 7:2.6.STABLE16-1
+- upgrade to latest upstream 2.6.STABLE16
+
+* Wed Aug 29 2007 Fedora Release Engineering  - 7:2.6.STABLE14-2
+- Rebuild for selinux ppc32 issue.
+
+* Thu Jul 19 2007 Martin Bacovsky  - 7:2.6.STABLE14-1
+- update to latest upstream 2.6.STABLE14
+- resolves: #247064: Initscript Review
+
+* Tue Mar 27 2007 Martin Bacovsky  - 7:2.6.STABLE12-1
+- update to latest upstream 2.6.STABLE12
+- Resolves: #233913: squid: unowned directory
+
+* Mon Feb 19 2007 Martin Bacovsky  - 7:2.6.STABLE9-2
+- Resolves: #226431: Merge Review: squid
+
+* Mon Jan 29 2007 Martin Bacovsky  - 7:2.6.STABLE9-1
+- update to the latest upstream
+
+* Sun Jan 14 2007 Martin Stransky  - 7:2.6.STABLE7-1
+- update to the latest upstream
+
+* Tue Dec 12 2006 Martin Stransky  - 7:2.6.STABLE6-1
+- update to the latest upstream
+
+* Mon Nov  6 2006 Martin Stransky  - 7:2.6.STABLE5-1
+- update to the latest upstream
+
+* Thu Oct 26 2006 Martin Stransky  - 7:2.6.STABLE4-4
+- added fix for #205568 - marked cachemgr.conf as world readable
+
+* Wed Oct 25 2006 Martin Stransky  - 7:2.6.STABLE4-3
+- added fix for #183869 - squid can abort when getting status
+- added upstream fixes:
+    * Bug #1796: Assertion error HttpHeader.c:914: "str"
+    * Bug #1779: Delay pools fairness, correction to first patch
+    * Bug #1802: Crash on exit in certain conditions where cache.log is not writeable
+    * Bug #1779: Delay pools fairness when multiple connections compete for bandwidth
+    * Clarify the select/poll/kqueue/epoll configure --enable/disable options
+- reworked fd patch for STABLE4
+
+* Tue Oct 17 2006 Martin Stransky  - 7:2.6.STABLE4-2
+- upstream fixes:
+  * Accept 00:00-24:00 as a valid time specification (upstream BZ #1794)
+  * aioDone() could be called twice
+  * Squid reconfiguration (upstream BZ #1800)
+
+* Mon Oct 2 2006 Martin Stransky  - 7:2.6.STABLE4-1
+- new upstream
+- fixes from upstream bugzilla, items #1782,#1780,#1785,#1719,#1784,#1776
+
+* Tue Sep 5 2006 Martin Stransky  - 7:2.6.STABLE3-2
+- added upstream patches for ACL
+
+* Mon Aug 21 2006 Martin Stransky  - 7:2.6.STABLE3-1
+- the latest stable upstream
+
+* Thu Aug 10 2006 Karsten Hopp  7:2.6.STABLE2-3
+- added some requirements for pre/post install scripts
+
+* Fri Aug 04 2006 Martin Stransky  - 7:2.6.STABLE2-2
+- added patch for #198253 - squid: don't chgrp another pkg's
+  files/directory
+
+* Mon Jul 31 2006 Martin Stransky  - 7:2.6.STABLE2-1
+- the latest stable upstream
+- reworked fd config patch
+
+* Tue Jul 25 2006 Martin Stransky  - 7:2.6.STABLE1-3
+- the latest CVS upstream snapshot
+
+* Wed Jul 19 2006 Martin Stransky  - 7:2.6.STABLE1-2
+- the latest CVS snapshot
+
+* Tue Jul 18 2006 Martin Stransky  - 7:2.6.STABLE1-1
+- new upstream + the latest CVS snapshot from 2006/07/18
+- updated fd config patch
+- enabled epoll
+- fixed release format (#197405)
+- enabled WCCPv2 support (#198642)
+
+* Wed Jul 12 2006 Jesse Keating  - 7:2.5.STABLE14-2.1
+- rebuild
+
+* Thu Jun 8 2006 Martin Stransky  - 7:2.5.STABLE14-2
+- fix for squid BZ#1511 - assertion failed: HttpReply.c:105: "rep"
+
+* Tue May 30 2006 Martin Stransky  - 7:2.5.STABLE14-1
+- update to new upstream
+
+* Sun May 28 2006 Martin Stransky  - 7:2.5.STABLE13-5
+- fixed libbind patch (#193298)
+
+* Wed May 3  2006 Martin Stransky  - 7:2.5.STABLE13-4
+- added extra group check (#190544)
+
+* Wed Mar 29 2006 Martin Stransky  - 7:2.5.STABLE13-3
+- improved pre script (#187217) - added group switch
+
+* Thu Mar 23 2006 Martin Stransky  - 7:2.5.STABLE13-2
+- removed "--with-large-files" on 64bit arches
+
+* Mon Mar 13 2006 Martin Stransky  - 7:2.5.STABLE13-1
+- update to new upstream
+
+* Fri Feb 10 2006 Jesse Keating  - 7:2.5.STABLE12-5.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Martin Stransky  - 7:2.5.STABLE12-5
+- new upstream patches
+
+* Tue Feb 07 2006 Jesse Keating  - 7:2.5.STABLE12-4.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Wed Dec 28 2005  Martin Stransky  7:2.5.STABLE12-4
+- added follow-xff patch (#176055)
+- samba path fix (#176659)
+
+* Mon Dec 19 2005  Martin Stransky  7:2.5.STABLE12-3
+- fd-config.patch clean-up
+- SMB_BadFetch patch from upstream
+
+* Fri Dec 09 2005 Jesse Keating 
+- rebuilt
+
+* Mon Nov 28 2005  Martin Stransky  7:2.5.STABLE12-2
+- rewriten patch squid-2.5.STABLE10-64bit.patch, it works with
+  "--with-large-files" option now
+- fix for #72896 - squid does not support > 1024 file descriptors,
+  new "--enable-fd-config" option for it.
+
+* Wed Nov 9 2005  Martin Stransky  7:2.5.STABLE12-1
+- update to STABLE12
+- setenv patch
+
+* Mon Oct 24 2005 Martin Stransky  7:2.5.STABLE11-6
+- fix for delay pool from upstream
+
+* Thu Oct 20 2005 Martin Stransky  7:2.5.STABLE11-5
+- fix for #171213 - CVE-2005-3258 Squid crash due to malformed FTP response
+- more fixes from upstream
+
+* Fri Oct 14 2005 Martin Stransky  7:2.5.STABLE11-4
+- enabled support for large files (#167503)
+
+* Thu Oct 13 2005 Tomas Mraz  7:2.5.STABLE11-3
+- use include instead of pam_stack in pam config
+
+* Thu Sep 29 2005 Martin Stransky  7:2.5.STABLE11-2
+- added patch for delay pools and some minor fixes
+
+* Fri Sep 23 2005 Martin Stransky  7:2.5.STABLE11-1
+- update to STABLE11
+
+* Mon Sep 5 2005 Martin Stransky  7:2.5.STABLE10-4
+- Three upstream patches for #167414
+- Spanish and Greek messages
+- patch for -D_FORTIFY_SOURCE=2 
+
+* Tue Aug 30 2005 Martin Stransky  7:2.5.STABLE10-3
+- removed "--enable-truncate" option (#165948)
+- added "--enable-cache-digests" option (#102134)
+- added "--enable-ident-lookups" option (#161640)
+- some clean up (#165949)
+
+* Fri Jul 15 2005 Martin Stransky  7:2.5.STABLE10-2
+- pam_auth and ncsa_auth have setuid (#162660)
+
+* Thu Jul 7 2005 Martin Stransky  7:2.5.STABLE10-1
+- new upstream version
+- enabled fakeauth utility (#154020)
+- enabled digest authentication scheme (#155882)
+- all error pages marked as config (#127836)
+- patch for 64bit statvfs interface (#153274)
+- added httpd config file for cachemgr.cgi (#112725)
+
+* Mon May 16 2005 Jay Fenlason  7:2.5.STABLE9-7
+- Upgrade the upstream -dns_query patch from -4 to -5
+
+* Wed May 11 2005 Jay Fenlason  7:2.5.STABLE9-6
+- More upstream patches, including a fix for
+  bz#157456 CAN-2005-1519 DNS lookups unreliable on untrusted networks
+
+* Tue Apr 26 2005 Jay Fenlason  7:2.5.STABLE9-5
+- more upstream patches, including a fix for
+  CVE-1999-0710 cachemgr malicious use
+
+* Fri Apr 22 2005 Jay Fenlason  7:2.5.STABLE9-4
+- More upstream patches, including the fixed 2GB patch.
+- include the -libbind patch, which prevents squid from using the optional
+  -lbind library, even if it's installed.
+
+* Tue Mar 15 2005 Jay Fenlason  7:2.5.STABLE9-2
+- New upstream version, with 14 upstream patches.
+
+* Wed Feb 16 2005 Jay Fenlason  7:2.5.STABLE8-2
+- new upstream version with 4 upstream patches.
+- Reorganize spec file to apply upstream patches first
+
+* Tue Feb 1 2005 Jay Fenlason  7:2.5.STABLE7-4
+- Include two more upstream patches for security vulns:
+  bz#146783 Correct handling of oversized reply headers
+  bz#146778 CAN-2005-0211 Buffer overflow in WCCP recvfrom() call
+
+* Tue Jan 25 2005 Jay Fenlason  7:2.5.STABLE7-3
+- Include more upstream patches, including two for security holes.
+
+* Tue Jan 18 2005 Jay Fenlason  7:2.5.STABLE7-2
+- Add a triggerin on samba-common to make /var/cache/samba/winbindd_privileged
+  accessable so that ntlm_auth will work.  It needs to be in this rpm,
+  because the Samba RPM can't assume the squid user exists.
+  Note that this will only work if the Samba RPM is recent enough to create
+  that directory at install time instead of at winbindd startup time.
+  That should be samba-common-3.0.0-15 or later.
+  This fixes bugzilla #103726
+- Clean up extra whitespace in this spec file.
+- Add additional upstream patches. (Now 18 upstream patches).
+- patch #112 closes CAN-2005-0096 and CAN-2005-0097, remote DOS security holes.
+- patch #113 closes CAN-2005-0094, a remote buffer-overflow DOS security hole.
+- patch #114 closes CAN-2005-0095, a remote DOS security hole.
+- Remove the -nonbl (replaced by #104) and -close (replaced by #111) patches, since
+  they're now fixed by upstream patches.
+
+* Mon Oct 25 2004 Jay Fenlason  7:2.5.STABLE7-1
+- new upstream version, with 3 upstream patches.
+  Updated the -build and -config patches
+- Include patch from Ulrich Drepper  to more
+  intelligently close all file descriptors.
+
+* Mon Oct 18 2004 Jay Fenlason  7:2.5.STABLE6-3
+- include patch from Ulrich Drepper  to stop
+  problems with O_NONBLOCK.  This closes #136049
+
+* Tue Oct 12 2004 Jay Fenlason  7:2.5.STABLE6-2
+- Include fix for CAN-2004-0918
+
+* Tue Sep 28 2004 Jay Fenlason  7:2.5.STABLE6-1
+- New upstream version, with 32 upstream patches.
+  This closes #133970, #133931, #131728, #128143, #126726
+
+- Change the permissions on /etc/squid/squid.conf to 640.  This closes
+  bugzilla #125007
+
+* Mon Jun 28 2004 Jay Fenlason  7:2.5STABLE5-5
+- Merge current upstream patches.
+- Fix the -pipe patch to have the correct name of the winbind pipe.
+
+* Tue Jun 15 2004 Elliot Lee 
+- rebuilt
+
+* Mon Apr 5 2004 Jay Fenlason  7:2.5.STABLE5-2
+- Include the first 10 upstream patches
+- Add a patch for the correct location of the winbindd pipe.  This closes
+  bugzilla #107561
+- Remove the change to ssl_support.c from squid-2.5.STABLE3-build patch
+  This closes #117851
+- Include /etc/pam.d/squid .  This closes #113404
+- Include a patch to close #111254 (assignment in assert)
+- Change squid.init to put output messages in /var/log/squid/squid.out
+  This closes #104697
+- Only useradd the squid user if it doesn't already exist, and error out
+  if the useradd fails.  This closes #118718.
+
+* Tue Mar 2 2004 Jay Fenlason  7:2.5.STABLE5-1
+- New upstream version, obsoletes many patches.
+- Fix --datadir passed to configure.  Configure automatically adds /squid
+  so we shouldn't.
+- Remove the problematic triggerpostun trigger, since is's broken, and FC2
+  never shipped with that old version.
+- add %%{?_smp_mflags} to make line.
+
+* Tue Mar 02 2004 Elliot Lee 
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh 
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 20 2004 Jay Fenlason  7:2.5.STABLE4-3
+- Clean up the spec file to work on 64-bit platforms (use %%{_libdir}
+  instead of /usr/lib, etc)
+- Make the release number in the changelog section agree with reality.
+- use -fPIE rather than -fpie.  s390 fails with just -fpie
+
+* Fri Feb 13 2004 Elliot Lee 
+- rebuilt
+
+* Thu Feb 5 2004 Jay Fenlason 
+- Incorporate many upstream patches
+- Include many spec file changes from D.Johnson 
+
+* Tue Sep 23 2003 Jay Fenlason  7:2.5.STABLE4-1
+- New upstream version.
+- Fix the Source: line in this spec file to point to the correct URL.
+- redo the -location patch to work with the new upstream version.
+
+* Mon Jun 30 2003 Jay Fenlason  7:2.5.STABLE3-0
+- Spec file change to enable the nul storage module. bugzilla #74654
+- Upgrade to 2.5STABLE3 with current official patches.
+- Added --enable-auth="basic,ntlm": closes bugzilla #90145
+- Added --with-winbind-auth-challenge: closes bugzilla #78691
+- Added --enable-useragent-log and --enable-referer-log, closes
+- bugzilla #91884
+# - Changed configure line to enable pie
+# (Disabled due to broken compilers on ia64 build machines)
+#- Patched to increase the maximum number of file descriptors #72896
+#- (disabled for now--needs more testing)
+
+* Wed Jun 04 2003 Elliot Lee 
+- rebuilt
+
+* Wed Jan 22 2003 Tim Powers 
+- rebuilt
+
+* Wed Jan 15 2003 Bill Nottingham  7:2.5.STABLE1-1
+- update to 2.5.STABLE1
+
+* Wed Nov 27 2002 Tim Powers  7:2.4.STABLE7-5
+- remove unpackaged files from the buildroot
+
+* Tue Aug 27 2002 Nalin Dahyabhai  2.4.STABLE7-4
+- rebuild
+
+* Wed Jul 31 2002 Karsten Hopp 
+- don't raise an error if the config file is incomplete
+  set defaults instead (#69322, #70065)
+
+* Thu Jul 18 2002 Bill Nottingham  2.4.STABLE7-2
+- don't strip binaries
+
+* Mon Jul  8 2002 Bill Nottingham 
+- update to 2.4.STABLE7
+- fix restart (#53761)
+
+* Tue Jun 25 2002 Bill Nottingham 
+- add various upstream bugfix patches
+
+* Fri Jun 21 2002 Tim Powers 
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers 
+- automated rebuild
+
+* Fri Mar 22 2002 Bill Nottingham 
+- 2.4.STABLE6
+- turn off carp
+
+* Mon Feb 18 2002 Bill Nottingham 
+- 2.4.STABLE3 + patches
+- turn off HTCP at request of maintainers
+- leave SNMP enabled in the build, but disabled in the default config
+
+* Fri Jan 25 2002 Tim Powers 
+- rebuild against new libssl
+
+* Wed Jan 09 2002 Tim Powers 
+- automated rebuild
+
+* Mon Jan 07 2002 Florian La Roche 
+- require linuxdoc-tools instead of sgml-tools
+
+* Tue Sep 25 2001 Bill Nottingham 
+- update to 2.4.STABLE2
+
+* Mon Sep 24 2001 Bill Nottingham 
+- add patch to fix FTP crash
+
+* Mon Aug  6 2001 Bill Nottingham 
+- fix uninstall (#50411)
+
+* Mon Jul 23 2001 Bill Nottingham 
+- add some buildprereqs (#49705)
+
+* Sun Jul 22 2001 Bill Nottingham 
+- update FAQ
+
+* Tue Jul 17 2001 Bill Nottingham 
+- own /etc/squid, /usr/lib/squid
+
+* Tue Jun 12 2001 Nalin Dahyabhai 
+- rebuild in new environment
+- s/Copyright:/License:/
+
+* Tue Apr 24 2001 Bill Nottingham 
+- update to 2.4.STABLE1 + patches
+- enable some more configure options (#24981)
+- oops, ship /etc/sysconfig/squid
+
+* Fri Mar  2 2001 Nalin Dahyabhai 
+- rebuild in new environment
+
+* Tue Feb  6 2001 Trond Eivind Glomsrød 
+- improve i18n
+- make the initscript use the standard OK/FAILED
+
+* Tue Jan 23 2001 Bill Nottingham 
+- change i18n mechanism
+
+* Fri Jan 19 2001 Bill Nottingham 
+- fix path references in QUICKSTART (#15114)
+- fix initscript translations (#24086)
+- fix shutdown logic (#24234), patch from 
+- add /etc/sysconfig/squid for daemon options & shutdown timeouts
+- three more bugfixes from the Squid people
+- update FAQ.sgml
+- build and ship auth modules (#23611)
+
+* Thu Jan 11 2001 Bill Nottingham 
+- initscripts translations
+
+* Mon Jan  8 2001 Bill Nottingham 
+- add patch to use mkstemp (greg@wirex.com)
+
+* Fri Dec 01 2000 Bill Nottingham 
+- rebuild because of broken fileutils
+
+* Sat Nov 11 2000 Bill Nottingham 
+- fix the acl matching cases (only need the second patch)
+
+* Tue Nov  7 2000 Bill Nottingham 
+- add two patches to fix domain ACLs
+- add 2 bugfix patches from the squid people
+
+* Fri Jul 28 2000 Bill Nottingham 
+- clean up init script; fix condrestart
+- update to STABLE4, more bugfixes
+- update FAQ
+
+* Tue Jul 18 2000 Nalin Dahyabhai 
+- fix syntax error in init script
+- finish adding condrestart support
+
+* Fri Jul 14 2000 Bill Nottingham 
+- move initscript back
+
+* Wed Jul 12 2000 Prospector 
+- automatic rebuild
+
+* Thu Jul  6 2000 Bill Nottingham 
+- prereq /etc/init.d
+- add bugfix patch
+- update FAQ
+
+* Thu Jun 29 2000 Bill Nottingham 
+- fix init script
+
+* Tue Jun 27 2000 Bill Nottingham 
+- don't prereq new initscripts
+
+* Mon Jun 26 2000 Bill Nottingham 
+- initscript munging
+
+* Sat Jun 10 2000 Bill Nottingham 
+- rebuild for exciting FHS stuff
+
+* Wed May 31 2000 Bill Nottingham 
+- fix init script again (#11699)
+- add --enable-delay-pools (#11695)
+- update to STABLE3
+- update FAQ
+
+* Fri Apr 28 2000 Bill Nottingham 
+- fix init script (#11087)
+
+* Fri Apr  7 2000 Bill Nottingham 
+- three more bugfix patches from the squid people
+- buildprereq jade, sgmltools
+
+* Sun Mar 26 2000 Florian La Roche 
+- make %%pre more portable
+
+* Thu Mar 16 2000 Bill Nottingham 
+- bugfix patches
+- fix dependency on /usr/local/bin/perl
+
+* Sat Mar  4 2000 Bill Nottingham 
+- 2.3.STABLE2
+
+* Mon Feb 14 2000 Bill Nottingham 
+- Yet More Bugfix Patches
+
+* Tue Feb  8 2000 Bill Nottingham 
+- add more bugfix patches
+- --enable-heap-replacement
+
+* Mon Jan 31 2000 Cristian Gafton 
+- rebuild to fix dependencies
+
+* Fri Jan 28 2000 Bill Nottingham 
+- grab some bugfix patches
+
+* Mon Jan 10 2000 Bill Nottingham 
+- 2.3.STABLE1 (whee, another serial number)
+
+* Tue Dec 21 1999 Bernhard Rosenkraenzer 
+- Fix compliance with ftp RFCs
+  (http://www.wu-ftpd.org/broken-clients.html)
+- Work around a bug in some versions of autoconf
+- BuildPrereq sgml-tools - we're using sgml2html
+
+* Mon Oct 18 1999 Bill Nottingham 
+- add a couple of bugfix patches
+
+* Wed Oct 13 1999 Bill Nottingham 
+- update to 2.2.STABLE5.
+- update FAQ, fix URLs.
+
+* Sat Sep 11 1999 Cristian Gafton 
+- transform restart in reload and add restart to the init script
+
+* Tue Aug 31 1999 Bill Nottingham 
+- add squid user as user 23.
+
+* Mon Aug 16 1999 Bill Nottingham 
+- initscript munging
+- fix conflict between logrotate & squid -k (#4562)
+
+* Wed Jul 28 1999 Bill Nottingham 
+- put cachemgr.cgi back in /usr/lib/squid
+
+* Wed Jul 14 1999 Bill Nottingham 
+- add webdav bugfix patch (#4027)
+
+* Mon Jul 12 1999 Bill Nottingham 
+- fix path to config in squid.init (confuses linuxconf)
+
+* Wed Jul  7 1999 Bill Nottingham 
+- 2.2.STABLE4
+
+* Wed Jun 9 1999 Dale Lovelace 
+- logrotate changes
+- errors from find when /var/spool/squid or
+- /var/log/squid didn't exist
+
+* Thu May 20 1999 Bill Nottingham 
+- 2.2.STABLE3
+
+* Thu Apr 22 1999 Bill Nottingham 
+- update to 2.2.STABLE.2
+
+* Sun Apr 18 1999 Bill Nottingham 
+- update to 2.2.STABLE1
+
+* Thu Apr 15 1999 Bill Nottingham 
+- don't need to run groupdel on remove
+- fix useradd
+
+* Mon Apr 12 1999 Bill Nottingham 
+- fix effective_user (bug #2124)
+
+* Mon Apr  5 1999 Bill Nottingham 
+- strip binaries
+
+* Thu Apr  1 1999 Bill Nottingham 
+- duh. adduser does require a user name.
+- add a serial number
+
+* Tue Mar 30 1999 Bill Nottingham 
+- add an adduser in %%pre, too
+
+* Thu Mar 25 1999 Bill Nottingham 
+- oog. chkconfig must be in %%preun, not %%postun
+
+* Wed Mar 24 1999 Bill Nottingham 
+- switch to using group squid
+- turn off icmp (insecure)
+- update to 2.2.DEVEL3
+- build FAQ docs from source
+
+* Tue Mar 23 1999 Bill Nottingham 
+- logrotate changes
+
+* Sun Mar 21 1999 Cristian Gafton 
+- auto rebuild in the new build environment (release 4)
+
+* Wed Feb 10 1999 Bill Nottingham 
+- update to 2.2.PRE2
+
+* Wed Dec 30 1998 Bill Nottingham 
+- cache & log dirs shouldn't be world readable
+- remove preun script (leave logs & cache @ uninstall)
+
+* Tue Dec 29 1998 Bill Nottingham 
+- fix initscript to get cache_dir correct
+
+* Fri Dec 18 1998 Bill Nottingham 
+- update to 2.1.PATCH2
+- merge in some changes from RHCN version
+
+* Sat Oct 10 1998 Cristian Gafton 
+- strip binaries
+- version 1.1.22
+
+* Sun May 10 1998 Cristian Gafton 
+- don't make packages conflict with each other...
+
+* Sat May 02 1998 Cristian Gafton 
+- added a proxy auth patch from Alex deVries 
+- fixed initscripts
+
+* Thu Apr 09 1998 Cristian Gafton 
+- rebuilt for Manhattan
+
+* Fri Mar 20 1998 Cristian Gafton 
+- upgraded to 1.1.21/1.NOVM.21
+
+* Mon Mar 02 1998 Cristian Gafton 
+- updated the init script to use reconfigure option to restart squid instead
+  of shutdown/restart (both safer and quicker)
+
+* Sat Feb 07 1998 Cristian Gafton 
+- upgraded to 1.1.20
+- added the NOVM package and tryied to reduce the mess in the spec file
+
+* Wed Jan 7 1998 Cristian Gafton 
+- first build against glibc
+- patched out the use of setresuid(), which is available only on kernels
+  2.1.44 and later
+
diff --git a/squid.sysconfig b/squid.sysconfig
new file mode 100644
index 0000000..3864bd8
--- /dev/null
+++ b/squid.sysconfig
@@ -0,0 +1,9 @@
+# default squid options
+SQUID_OPTS=""
+
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=100
+
+# default squid conf file
+SQUID_CONF="/etc/squid/squid.conf"
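Review bot: The comment above `SQUID_SHUTDOWN_TIMEOUT=100` does not state the unit of the timeout, so an administrator editing this file cannot tell whether 100 means seconds or something else; it is presumably seconds, but that should be confirmed against the unit file or init script that consumes this variable, neither of which is in this hunk. I would change the comment to `# Time (in seconds — confirm against the consumer of this variable) to wait for Squid to shut down when asked.` Since a sysconfig file is read as shell or environment assignments and its values reach the daemon command line verbatim, the ownership and mode assigned to it in the spec's %files section (outside this hunk) should keep it writable only by root.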