import CS squid-5.5-14.el9

SOURCES/squid-5.5-CVE-2024-23638.patch

@@ -0,0 +1,30 @@
+commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Sun Nov 12 09:33:20 2023 +0000
+
+    Do not update StoreEntry expiration after errorAppendEntry() (#1580)
+    
+    errorAppendEntry() is responsible for setting entry expiration times,
+    which it does by calling StoreEntry::storeErrorResponse() that calls
+    StoreEntry::negativeCache().
+    
+    This change was triggered by a vulnerability report by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
+    it was filed as "Use-After-Free in Cache Manager Errors". The reported
+    "use after free" vulnerability was unknowingly addressed by 2022 commit
+    1fa761a that removed excessively long "reentrant" store_client calls
+    responsible for the disappearance of the properly locked StoreEntry in
+    this (and probably other) contexts.
+
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index 61c7f65be..65bf22dd0 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
+         err->url = xstrdup(entry->url());
+         err->detailError(new ExceptionErrorDetail(Here().id()));
+         errorAppendEntry(entry, err);
+-        entry->expires = squid_curtime;
+         return;
+     }
+ 

SOURCES/squid-5.5-CVE-2024-25111.patch

@@ -0,0 +1,192 @@
+diff --git a/src/http.cc b/src/http.cc
+index 98e3969..8b55bf3 100644
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -54,6 +54,7 @@
+ #include "rfc1738.h"
+ #include "SquidConfig.h"
+ #include "SquidTime.h"
++#include "SquidMath.h"
+ #include "StatCounters.h"
+ #include "Store.h"
+ #include "StrList.h"
+@@ -1235,18 +1236,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
+      * Plus, it breaks our lame *HalfClosed() detection
+      */
+ 
+-    Must(maybeMakeSpaceAvailable(true));
+-    CommIoCbParams rd(this); // will be expanded with ReadNow results
+-    rd.conn = io.conn;
+-    rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
++    const auto moreDataPermission = canBufferMoreReplyBytes();
++    if (!moreDataPermission) {
++        abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
++        return;
++    }
++
++    const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission.value());
++    // TODO: Move this logic inside maybeMakeSpaceAvailable():
++    const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
+ 
+-    if (rd.size <= 0) {
++    if (readSizeWanted <= 0) {
+         assert(entry->mem_obj);
+         AsyncCall::Pointer nilCall;
+         entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
+         return;
+     }
+ 
++    CommIoCbParams rd(this); // will be expanded with ReadNow results
++    rd.conn = io.conn;
++    rd.size = readSizeWanted;
+     switch (Comm::ReadNow(rd, inBuf)) {
+     case Comm::INPROGRESS:
+         if (inBuf.isEmpty())
+@@ -1617,8 +1626,10 @@ HttpStateData::maybeReadVirginBody()
+     if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
+         return;
+ 
+-    if (!maybeMakeSpaceAvailable(false))
++    if (!canBufferMoreReplyBytes()) {
++        abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
+         return;
++    }
+ 
+     // XXX: get rid of the do_next_read flag
+     // check for the proper reasons preventing read(2)
+@@ -1636,40 +1647,78 @@ HttpStateData::maybeReadVirginBody()
+     Comm::Read(serverConnection, call);
+ }
+ 
+-bool
+-HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
++/// Desired inBuf capacity based on various capacity preferences/limits:
++/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
++/// * a smaller buffer may result in inefficient tiny network reads;
++/// * a bigger buffer may waste memory;
++/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
++size_t
++HttpStateData::calcReadBufferCapacityLimit() const
+ {
+-    // how much we are allowed to buffer
+-    const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
+-
+-    if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
+-        // when buffer is at or over limit already
+-        debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
+-        debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
+-        // Process next response from buffer
+-        processReply();
+-        return false;
++    if (!flags.headers_parsed)
++        return Config.maxReplyHeaderSize;
++
++    // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
++    // Config.readAheadGap like this creates huge read buffers for large
++    // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
++    // primary read buffer capacity factor.
++    //
++    // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
++    // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
++    const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).value_or(SBuf::maxSize);
++
++    // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
++    // (when explicit configurationPreferences are set too low).
++
++    return std::min<size_t>(configurationPreferences, SBuf::maxSize);
++}
++
++/// The maximum number of virgin reply bytes we may buffer before we violate
++/// the currently configured response buffering limits.
++/// \retval std::nullopt means that no more virgin response bytes can be read
++/// \retval 0 means that more virgin response bytes may be read later
++/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
++std::optional<size_t>
++HttpStateData::canBufferMoreReplyBytes() const
++{
++#if USE_ADAPTATION
++    // If we do not check this now, we may say the final "no" prematurely below
++    // because inBuf.length() will decrease as adaptation drains buffered bytes.
++    if (responseBodyBuffer) {
++        debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
++        return 0; // yes, we may be able to buffer more (but later)
++    }
++#endif
++
++    const auto maxCapacity = calcReadBufferCapacityLimit();
++    if (inBuf.length() >= maxCapacity) {
++        debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
++        return std::nullopt; // no, configuration prohibits buffering more
+     }
+ 
++    const auto maxReadSize = maxCapacity - inBuf.length(); // positive
++    debugs(11, 7, "yes, may read up to " << maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
++    return maxReadSize; // yes, can read up to this many bytes (subject to other constraints)
++}
++
++/// prepare read buffer for reading
++/// \return the maximum number of bytes the caller should attempt to read
++/// \retval 0 means that the caller should delay reading
++size_t
++HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
++{
+     // how much we want to read
+-    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
++    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
+ 
+-    if (!read_size) {
++    if (read_size < 2) {
+         debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
+-        return false;
++        return 0;
+     }
+ 
+-    // just report whether we could grow or not, do not actually do it
+-    if (doGrow)
+-        return (read_size >= 2);
+-
+     // we may need to grow the buffer
+     inBuf.reserveSpace(read_size);
+-    debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
+-           " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
+-           ") from " << serverConnection);
+-
+-    return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
++    debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
++    return read_size;
+ }
+ 
+ /// called after writing the very last request byte (body, last-chunk, etc)
+diff --git a/src/http.h b/src/http.h
+index e70cd7e..f7ed40d 100644
+--- a/src/http.h
++++ b/src/http.h
+@@ -15,6 +15,8 @@
+ #include "http/StateFlags.h"
+ #include "sbuf/SBuf.h"
+ 
++#include <optional>
++
+ class FwdState;
+ class HttpHeader;
+ class String;
+@@ -112,16 +114,9 @@ private:
+ 
+     void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
+ 
+-    /**
+-     * determine if read buffer can have space made available
+-     * for a read.
+-     *
+-     * \param grow  whether to actually expand the buffer
+-     *
+-     * \return whether the buffer can be grown to provide space
+-     *         regardless of whether the grow actually happened.
+-     */
+-    bool maybeMakeSpaceAvailable(bool grow);
++    size_t calcReadBufferCapacityLimit() const;
++    std::optional<size_t> canBufferMoreReplyBytes() const;
++    size_t maybeMakeSpaceAvailable(size_t maxReadSize);
+ 
+     // consuming request body
+     virtual void handleMoreRequestBodyAvailable();

SOURCES/squid-5.5-CVE-2024-25617.patch

@@ -0,0 +1,105 @@
+diff --git a/src/SquidString.h b/src/SquidString.h
+index e36cd27..ea613ad 100644
+--- a/src/SquidString.h
++++ b/src/SquidString.h
+@@ -140,7 +140,16 @@ private:
+ 
+     size_type len_ = 0;  /* current length  */
+ 
+-    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
++    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
++    /// (a) we do not know where those buffers are (or whether they still exist)
++    /// (b) too many String users unknowingly exceeded that limit and asserted.
++    /// We are now using a larger limit to reduce the number of (b) cases,
++    /// especially cases where "compact" lists of items grow 50% in size when we
++    /// convert them to canonical form. The new limit is selected to withstand
++    /// concatenation and ~50% expansion of two HTTP headers limited by default
++    /// request_header_max_size and reply_header_max_size settings.
++    static const size_type SizeMax_ = 3*64*1024 - 1;
++
+     /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
+     static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
+ 
+diff --git a/src/cache_cf.cc b/src/cache_cf.cc
+index cb746dc..c4ade96 100644
+--- a/src/cache_cf.cc
++++ b/src/cache_cf.cc
+@@ -950,6 +950,18 @@ configDoConfigure(void)
+                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
+     }
+ 
++    // Warn about the dangers of exceeding String limits when manipulating HTTP
++    // headers. Technically, we do not concatenate _requests_, so we could relax
++    // their check, but we keep the two checks the same for simplicity sake.
++    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
++    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
++    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
++        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
++               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
++    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
++        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
++               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
++
+     /*
+      * Disable client side request pipelining if client_persistent_connections OFF.
+      * Waste of resources queueing any pipelined requests when the first will close the connection.
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index 67a66b0..61a66f1 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -6489,11 +6489,14 @@ TYPE: b_size_t
+ DEFAULT: 64 KB
+ LOC: Config.maxRequestHeaderSize
+ DOC_START
+-	This specifies the maximum size for HTTP headers in a request.
+-	Request headers are usually relatively small (about 512 bytes).
+-	Placing a limit on the request header size will catch certain
+-	bugs (for example with persistent connections) and possibly
+-	buffer-overflow or denial-of-service attacks.
++	This directives limits the header size of a received HTTP request
++	(including request-line). Increasing this limit beyond its 64 KB default
++	exposes certain old Squid code to various denial-of-service attacks. This
++	limit also applies to received FTP commands.
++
++	This limit has no direct affect on Squid memory consumption.
++
++	Squid does not check this limit when sending requests.
+ DOC_END
+ 
+ NAME: reply_header_max_size
+@@ -6502,11 +6505,14 @@ TYPE: b_size_t
+ DEFAULT: 64 KB
+ LOC: Config.maxReplyHeaderSize
+ DOC_START
+-	This specifies the maximum size for HTTP headers in a reply.
+-	Reply headers are usually relatively small (about 512 bytes).
+-	Placing a limit on the reply header size will catch certain
+-	bugs (for example with persistent connections) and possibly
+-	buffer-overflow or denial-of-service attacks.
++	This directives limits the header size of a received HTTP response
++	(including status-line). Increasing this limit beyond its 64 KB default
++	exposes certain old Squid code to various denial-of-service attacks. This
++	limit also applies to FTP command responses.
++
++	Squid also checks this limit when loading hit responses from disk cache.
++
++	Squid does not check this limit when sending responses.
+ DOC_END
+ 
+ NAME: request_body_max_size
+diff --git a/src/http.cc b/src/http.cc
+index 7c9ae70..98e3969 100644
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -1926,8 +1926,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
+ 
+         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
+ 
+-        // if we cannot double strFwd size, then it grew past 50% of the limit
+-        if (!strFwd.canGrowBy(strFwd.size())) {
++        // Detect unreasonably long header values. And paranoidly check String
++        // limits: a String ought to accommodate two reasonable-length values.
++        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
+             // There is probably a forwarding loop with Via detection disabled.
+             // If we do nothing, String will assert on overflow soon.
+             // TODO: Terminate all transactions with huge XFF?

SOURCES/squid-5.5-CVE-2024-37894.patch

@@ -0,0 +1,13 @@
+diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc
+index b379856..5d87279 100644
+--- a/lib/libTrie/TrieNode.cc
++++ b/lib/libTrie/TrieNode.cc
+@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar
+     /* We trust that privatedata and existant keys have already been checked */
+ 
+     if (theLength) {
+-        int index = transform ? (*transform)(*aString): *aString;
++        const unsigned char index = transform ? (*transform)(*aString): *aString;
+ 
+         if (!internal[index])
+             internal[index] = new TrieNode;

SOURCES/squid-5.5-ipv6-crash.patch

@@ -0,0 +1,113 @@
+From a0a9e6dc69d0c7b9ba237702b4c5020abc7ad1f8 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Sat, 4 Nov 2023 00:30:42 +0000
+Subject: [PATCH] Bug 5154: Do not open IPv6 sockets when IPv6 is disabled
+ (#1567)
+
+... but allow basic IPv6 manipulations like getSockAddr().
+
+    Address.cc:663 getAddrInfo() assertion failed: false
+
+Squids receives IPv6 addresses from traffic, configuration, or
+hard-coded constants even when ./configured with --disable-ipv6 or when
+IPv6 support was automatically disabled at startup after failing IPv6
+tests. To handle IPv6 correctly, such Squids must support basic IPv6
+operations like recognizing an IPv6 address in a request-target or
+reporting an unsolicited IPv6 DNS record. At least for now, such Squids
+must also correctly parse configuration-related IPv6 addresses.
+
+All those activities rely on various low-level operations like filling
+addrinfo structure with IP address information. Since 2012 commit
+c5fbbc7, Ip::Address::getAddrInfo() was failing for IPv6 addresses when
+Ip::EnableIpv6 was falsy. That change correctly recognized[^1] the need
+for such Squids to handle IPv6, but to support basic operations, we need
+to reject IPv6 addresses at a higher level and without asserting.
+
+That high-level rejection work is ongoing, but initial attempts have
+exposed difficult problems that will take time to address. For now, we
+just avoid the assertion while protecting IPv6-disabled Squid from
+listening on or opening connections to IPv6 addresses. Since Squid
+already expects (and usually correctly handles) socket opening failures,
+disabling those operations is better than failing in low-level IP
+manipulation code.
+
+The overall IPv6 posture of IPv6-disabled Squids that lack http_access
+or other rules to deny IPv6 requests will change: This fix exposes more
+of IPv6-disabled Squid code to IPv6 addresses. It is possible that such
+exposure will make some IPv6 resources inside Squid (e.g., a previously
+cached HTTP response) accessible to external requests. Squids will not
+open or accept IPv6 connections but may forward requests with raw IPv6
+targets to IPv4 cache_peers. Whether these and similar behavior changes
+are going to be permanent is open for debate, but even if they are
+temporary, they are arguably better than the corresponding assertions.
+
+These changes do not effect IPv6-enabled Squids.
+
+The assertion in IPv6-disabled Squid was reported by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/ipv6-assert.html where
+it was filed as "Assertion on IPv6 Host Requests with --disable-ipv6".
+
+[^1]: https://bugs.squid-cache.org/show_bug.cgi?id=3593#c1
+---
+ src/comm.cc         | 6 ++++++
+ src/ip/Address.cc   | 2 +-
+ src/ip/Intercept.cc | 8 ++++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/comm.cc b/src/comm.cc
+index 4659955b011..271ba04d4da 100644
+--- a/src/comm.cc
++++ b/src/comm.cc
+@@ -344,6 +344,12 @@ comm_openex(int sock_type,
+     /* Create socket for accepting new connections. */
+     ++ statCounter.syscalls.sock.sockets;
+ 
++    if (!Ip::EnableIpv6 && addr.isIPv6()) {
++        debugs(50, 2, "refusing to open an IPv6 socket when IPv6 support is disabled: " << addr);
++        errno = ENOTSUP;
++        return -1;
++    }
++
+     /* Setup the socket addrinfo details for use */
+     addr.getAddrInfo(AI);
+     AI->ai_socktype = sock_type;
+diff --git a/src/ip/Address.cc b/src/ip/Address.cc
+index b6f810bfc25..ae6db37da5e 100644
+--- a/src/ip/Address.cc
++++ b/src/ip/Address.cc
+@@ -623,7 +623,7 @@ Ip::Address::getAddrInfo(struct addrinfo *&dst, int force) const
+             && dst->ai_protocol == 0)
+         dst->ai_protocol = IPPROTO_UDP;
+ 
+-    if (force == AF_INET6 || (force == AF_UNSPEC && Ip::EnableIpv6 && isIPv6()) ) {
++    if (force == AF_INET6 || (force == AF_UNSPEC && isIPv6()) ) {
+         dst->ai_addr = (struct sockaddr*)new sockaddr_in6;
+ 
+         memset(dst->ai_addr,0,sizeof(struct sockaddr_in6));
+diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
+index 1a5e2d15af1..a8522efaac0 100644
+--- a/src/ip/Intercept.cc
++++ b/src/ip/Intercept.cc
+@@ -15,6 +15,7 @@
+ #include "comm/Connection.h"
+ #include "fde.h"
+ #include "ip/Intercept.h"
++#include "ip/tools.h"
+ #include "src/tools.h"
+ 
+ #include <cerrno>
+@@ -430,6 +431,13 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test)
+ 
+     debugs(3, 3, "Detect TPROXY support on port " << test);
+ 
++    if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
++        debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
++        if (doneSuid)
++            leave_suid();
++        return false;
++    }
++
+     int tos = 1;
+     int tmp_sock = -1;
+ 
+

SPECS/squid.spec

@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  5.5
-Release:  10%{?dist}
+Release:  14%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -25,8 +25,8 @@ Source98: perl-requires-squid.sh
 # Upstream patches
 
 # Backported patches
-Patch101: squid-5.5-ip-bind-address-no-port.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2151188
+Patch101: squid-5.5-ip-bind-address-no-port.patch
 
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
@@ -46,6 +46,8 @@ Patch207: squid-5.0.6-active-ftp.patch
 Patch208: squid-5.1-test-store-cppsuite.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2231827
 Patch209: squid-5.5-halfclosed.patch
+# https://issues.redhat.com/browse/RHEL-30352
+Patch210: squid-5.5-ipv6-crash.patch
 
 # Security patches
 # https://bugzilla.redhat.com/show_bug.cgi?id=2100721
@@ -70,7 +72,14 @@ Patch509: squid-5.5-CVE-2023-49285.patch
 Patch510: squid-5.5-CVE-2023-49286.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2254663
 Patch511: squid-5.5-CVE-2023-50269.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=2264309
+Patch512: squid-5.5-CVE-2024-25617.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2268366
+Patch513: squid-5.5-CVE-2024-25111.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2294353
+Patch514: squid-5.5-CVE-2024-37894.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2260051
+Patch515: squid-5.5-CVE-2024-23638.patch
 
 # cache_swap.sh
 Requires: bash gawk
@@ -145,6 +154,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch207 -p1 -b .active-ftp
 %patch208 -p1 -b .test-store-cpp
 %patch209 -p1 -b .halfclosed
+%patch210 -p1 -b .ipv6-crash
 
 %patch501 -p1 -b .CVE-2021-46784
 %patch502 -p1 -b .CVE-2022-41318
@@ -157,6 +167,11 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch509 -p1 -b .CVE-2023-49285
 %patch510 -p1 -b .CVE-2023-49286
 %patch511 -p1 -b .CVE-2023-50269
+%patch512 -p1 -b .CVE-2024-25617
+%patch513 -p1 -b .CVE-2024-25111
+%patch514 -p1 -b .CVE-2024-37894
+%patch515 -p1 -b .CVE-2024-23638
+
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -383,6 +398,22 @@ fi
 
 
 %changelog
+* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-14
+- Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of 
+  Service (CVE-2024-37894)
+- Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against
+  Cache Manager error responses (CVE-2024-23638)
+
+* Thu May 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
+- Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled
+  at kernel level but it is asked to connect to an ipv6 address by a client
+
+* Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-12
+- Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked
+  Decoding (CVE-2024-25111)
+- Resolves: RHEL-26092 - squid: denial of service in HTTP header
+  parser (CVE-2024-25617)
+
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-10
 - Resolves: RHEL-19556 - squid: denial of service in HTTP request
   parsing (CVE-2023-50269)