From 929622f85f7849d109b50685e45bdccdb9a3651a Mon Sep 17 00:00:00 2001
From: Lubos Uhliarik
Date: Thu, 7 May 2020 12:54:34 +0200
Subject: [PATCH] new version 4.11 libsystemd integration Resolves: #1827564 - CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
---
 sources | 4 ++--
 squid-4.11-systemd.patch | 27 +++++++++++++++++++++++++++
 squid.service | 5 +++--
 squid.spec | 16 +++++++++++++---
 4 files changed, 45 insertions(+), 7 deletions(-)
 create mode 100644 squid-4.11-systemd.patch
diff --git a/sources b/sources
index ea4ca30..91c4319 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (squid-4.10.tar.xz) = 033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0
-SHA512 (squid-4.10.tar.xz.asc) = 9a319a001275fcf1c3831bc59cbfd910a2d2d81e45fb0e47995ce723e99bc9bc69ad532871095944bb15709e175491dd70aaec25435b6e97ffd7a3a82fd900c7
+SHA512 (squid-4.11.tar.xz) = 02d4bb4d5860124347670615e69b1b92be7ea4fc0131e54091a06cb2e67bd73583d8e6cbe472473f0c59764611a49561d02ab9fe2bf0305ce4652d4ec7714f26
+SHA512 (squid-4.11.tar.xz.asc) = df90af48cf32b4bd8ad3803c363180048fadacd0b1dbee4b74bf7fe2ce9ef2a4fda1790ceb4a4e1ec7c1bf66b323e3975c05a7f6dcb697c445186f577cfb16e9
 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2
diff --git a/squid-4.11-systemd.patch b/squid-4.11-systemd.patch
new file mode 100644
index 0000000..0ee7fd7
--- /dev/null
+++ b/squid-4.11-systemd.patch
@@ -0,0 +1,27 @@
+diff --git a/configure b/configure
+index 17b2ebf..9530f6b 100755
+--- a/configure
++++ b/configure
+@@ -33915,6 +33915,7 @@ done
+ fi
+ if test "x$SYSTEMD_LIBS" != "x" ; then
+ CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+ 
+ $as_echo "#define USE_SYSTEMD 1" >>confdefs.h
+ 
+diff --git a/src/Debug.h b/src/Debug.h
+index 6eecd01..ddd9e38 100644
+--- a/src/Debug.h
++++ b/src/Debug.h
+@@ -99,6 +99,10 @@ public:
+ 
+ /// configures the active debugging context to write syslog ALERT
+ static void ForceAlert();
++
++ /// prefixes each grouped debugs() line after the first one in the group
++ static std::ostream& Extra(std::ostream &os) { return os << "\n "; }
++
+ private:
+ static Context *Current; ///< deepest active context; nil outside debugs()
+ };
diff --git a/squid.service b/squid.service
index 1252756..6978032 100644
--- a/squid.service
+++ b/squid.service
@@ -4,14 +4,15 @@ Documentation=man:squid(8)
 After=network.target network-online.target nss-lookup.target
 [Service]
-Type=forking
+Type=notify
 LimitNOFILE=16384
 PIDFile=/run/squid.pid
 EnvironmentFile=/etc/sysconfig/squid
 ExecStartPre=/usr/libexec/squid/cache_swap.sh
-ExecStart=/usr/sbin/squid $SQUID_OPTS -f ${SQUID_CONF}
+ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
 ExecReload=/usr/bin/kill -HUP $MAINPID
 KillMode=mixed
+NotifyAccess=all
 [Install]
 WantedBy=multi-user.target
diff --git a/squid.spec b/squid.spec
index c51c0fa..b59ea45 100644
--- a/squid.spec
+++ b/squid.spec
@@ -1,8 +1,8 @@
 %define __perl_requires %{SOURCE98}
 Name: squid
-Version: 4.10
-Release: 4%{?dist}
+Version: 4.11
+Release: 1%{?dist}
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
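Review bot: The new patch file has no preamble saying where its two hunks come from or why the `src/Debug.h` change (the static `Extra()` stream helper) belongs to a patch named for systemd; the spec already records provenance as comments beside its `%patch` lines, and a few descriptive lines above the first `diff --git` in the patch would make the backport traceable and reviewable against upstream. The `configure` hunk edits the generated script at line 33915 rather than `configure.ac`, so the added `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` is silently lost if the build ever re-runs autoconf; either patch `configure.ac` as well or state in that preamble that only the tarball's pre-generated `configure` is meant to be touched. Both nested hunks cut through larger scopes (the systemd detection block in `configure` and the class body in `Debug.h`), so their surrounding code is not visible here.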
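Review bot: `NotifyAccess=all`, added after `KillMode=mixed`, lets every process in the unit's cgroup — the helper children Squid spawns (the spec's own description mentions dnsserver; auth and redirector helpers presumably too) as well as the master — send sd_notify messages such as READY, STOPPING or WATCHDOG to systemd, whereas `NotifyAccess=main` limits this to the process started by `ExecStart`. If `all` is required because the kid process forked by the `--foreground` master is the one that reports readiness, that reason is not recorded anywhere in the unit; a comment such as `# kids, not the master, call sd_notify(); NotifyAccess=main would never see READY=1` would keep a later cleanup from tightening it by mistake, and if it is not the reason, `main` is the least-privilege setting. `PIDFile=/run/squid.pid` is kept although `Type=notify` has systemd track the main PID itself; it is harmless but appears to be a leftover from `Type=forking`.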
@@ -33,6 +33,7 @@ Patch202: squid-3.1.0.9-location.patch
 Patch203: squid-3.0.STABLE1-perlpath.patch
 Patch204: squid-3.5.9-include-guards.patch
 Patch205: squid-4.0.21-large-acl.patch
+Patch206: squid-4.11-systemd.patch
 # cache_swap.sh
 Requires: bash gawk
@@ -69,6 +70,8 @@ BuildRequires: gnupg2
 # for _tmpfilesdir and _unitdir macro
 # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging
 BuildRequires: systemd-rpm-macros
+# systemd notify
+BuildRequires: systemd-devel
 # Old NetworkManager expects the dispatcher scripts in a different place
@@ -100,6 +103,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch203 -p1 -b .perlpath
 %patch204 -p0 -b .include-guards
 %patch205 -p1 -b .large_acl
+%patch206 -p1 -b .systemd
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -158,7 +162,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
 %check
 make check
-
+
 %install
 %make_install
@@ -292,6 +296,12 @@ fi
 %changelog
+* Thu May 07 2020 Lubos Uhliarik - 7:4.11-1
+- new version 4.11
+- libsystemd integration
+- Resolves: #1827564 - CVE-2020-11945 squid: improper access restriction upon
+ Digest Authentication nonce replay could lead to remote code execution
+
 * Thu Mar 26 2020 Lubos Uhliarik - 7:4.10-4
 - Resolves: #1817208 - More cache_swap.sh optimizations