new version 4.11

libsystemd integration
Resolves: #1827564 - CVE-2020-11945 squid: improper access restriction upon
  Digest Authentication nonce replay could lead to remote code execution
Lubos Uhliarik 2020-05-07 12:54:34 +02:00
parent c684998ac2
commit 929622f85f
4 changed files with 45 additions and 7 deletions


@ -1,3 +1,3 @@
SHA512 (squid-4.10.tar.xz) = 033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0 SHA512 (squid-4.11.tar.xz) = 02d4bb4d5860124347670615e69b1b92be7ea4fc0131e54091a06cb2e67bd73583d8e6cbe472473f0c59764611a49561d02ab9fe2bf0305ce4652d4ec7714f26
SHA512 (squid-4.10.tar.xz.asc) = 9a319a001275fcf1c3831bc59cbfd910a2d2d81e45fb0e47995ce723e99bc9bc69ad532871095944bb15709e175491dd70aaec25435b6e97ffd7a3a82fd900c7 SHA512 (squid-4.11.tar.xz.asc) = df90af48cf32b4bd8ad3803c363180048fadacd0b1dbee4b74bf7fe2ce9ef2a4fda1790ceb4a4e1ec7c1bf66b323e3975c05a7f6dcb697c445186f577cfb16e9
SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2

27
squid-4.11-systemd.patch Normal file

@ -0,0 +1,27 @@
diff --git a/configure b/configure
index 17b2ebf..9530f6b 100755
--- a/configure
+++ b/configure
@@ -33915,6 +33915,7 @@ done
fi
if test "x$SYSTEMD_LIBS" != "x" ; then
CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
+ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
$as_echo "#define USE_SYSTEMD 1" >>confdefs.h
diff --git a/src/Debug.h b/src/Debug.h
index 6eecd01..ddd9e38 100644
--- a/src/Debug.h
+++ b/src/Debug.h
@@ -99,6 +99,10 @@ public:
/// configures the active debugging context to write syslog ALERT
static void ForceAlert();
+
+ /// prefixes each grouped debugs() line after the first one in the group
+ static std::ostream& Extra(std::ostream &os) { return os << "\n "; }
+
private:
static Context *Current; ///< deepest active context; nil outside debugs()
};
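Review bot: The added `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` line is patched into the generated `configure` script rather than `configure.ac`, so it is lost if the build ever regenerates the script with autoreconf; whether the spec does that is not visible in this commit. It also puts library flags into `LDFLAGS`, which places them ahead of the object files on the link line, so the result can depend on how order-sensitive linker options such as `--as-needed` are arranged. The conventional form would be `LIBS="$SYSTEMD_LIBS $LIBS"`, made in `configure.ac` as well. A short header in the patch file stating the upstream status of both hunks (the `Debug::Extra` addition looks like a backport) would help whoever rebases past 4.11.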


@ -4,14 +4,15 @@ Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target After=network.target network-online.target nss-lookup.target
[Service] [Service]
Type=forking Type=notify
LimitNOFILE=16384 LimitNOFILE=16384
PIDFile=/run/squid.pid PIDFile=/run/squid.pid
EnvironmentFile=/etc/sysconfig/squid EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStart=/usr/sbin/squid $SQUID_OPTS -f ${SQUID_CONF} ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=/usr/bin/kill -HUP $MAINPID ExecReload=/usr/bin/kill -HUP $MAINPID
KillMode=mixed KillMode=mixed
NotifyAccess=all
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
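Review bot: `NotifyAccess=all` lets every process in the unit's control group send service status updates to systemd, including any helper programs squid is configured to run, which is wider than the `main` that `Type=notify` defaults to. If the wider setting is needed because the readiness message comes from a process other than the one started by `ExecStart` (not visible on this page), record that next to the directive, e.g. `# readiness is reported by a squid child process, so NotifyAccess=main is not sufficient`. `PIDFile=/run/squid.pid` is carried over from the forking setup, so it is worth confirming it is still needed with `--foreground` and `Type=notify`.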


@ -1,8 +1,8 @@
%define __perl_requires %{SOURCE98} %define __perl_requires %{SOURCE98}
Name: squid Name: squid
Version: 4.10 Version: 4.11
Release: 4%{?dist} Release: 1%{?dist}
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code # See CREDITS for breakdown of non GPLv2+ code
@ -33,6 +33,7 @@ Patch202: squid-3.1.0.9-location.patch
Patch203: squid-3.0.STABLE1-perlpath.patch Patch203: squid-3.0.STABLE1-perlpath.patch
Patch204: squid-3.5.9-include-guards.patch Patch204: squid-3.5.9-include-guards.patch
Patch205: squid-4.0.21-large-acl.patch Patch205: squid-4.0.21-large-acl.patch
Patch206: squid-4.11-systemd.patch
# cache_swap.sh # cache_swap.sh
Requires: bash gawk Requires: bash gawk
@ -69,6 +70,8 @@ BuildRequires: gnupg2
# for _tmpfilesdir and _unitdir macro # for _tmpfilesdir and _unitdir macro
# see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
# systemd notify
BuildRequires: systemd-devel
# Old NetworkManager expects the dispatcher scripts in a different place # Old NetworkManager expects the dispatcher scripts in a different place
@ -100,6 +103,7 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch203 -p1 -b .perlpath %patch203 -p1 -b .perlpath
%patch204 -p0 -b .include-guards %patch204 -p0 -b .include-guards
%patch205 -p1 -b .large_acl %patch205 -p1 -b .large_acl
%patch206 -p1 -b .systemd
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation # Patch in the vendor documentation and used different location for documentation
@ -292,6 +296,12 @@ fi
%changelog %changelog
* Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
- new version 4.11
- libsystemd integration
- Resolves: #1827564 - CVE-2020-11945 squid: improper access restriction upon
Digest Authentication nonce replay could lead to remote code execution
* Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-4 * Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-4
- Resolves: #1817208 - More cache_swap.sh optimizations - Resolves: #1817208 - More cache_swap.sh optimizations