From adc3794cc0f5953298f26eee5be663e933a91193 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 22 Nov 2024 17:20:47 +0100
Subject: [PATCH] Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
---
 squid-4.15-dns-obey-ttl-set-to-zero.patch | 61 +++++++++++++++++++++++
 squid.spec | 8 ++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 squid-4.15-dns-obey-ttl-set-to-zero.patch

diff --git a/squid-4.15-dns-obey-ttl-set-to-zero.patch b/squid-4.15-dns-obey-ttl-set-to-zero.patch
new file mode 100644
index 0000000..442e88e
--- /dev/null
+++ b/squid-4.15-dns-obey-ttl-set-to-zero.patch
@@ -0,0 +1,61 @@
+diff --git a/src/ipcache.cc b/src/ipcache.cc
+index ea32021..6012f1f 100644
+--- a/src/ipcache.cc
++++ b/src/ipcache.cc
+@@ -103,6 +103,7 @@ public:
+ } flags;
+ 
+ int age() const; ///< time passed since request_time or -1 if unknown
++ void updateTtl(const unsigned int rrTtl);
+ };
+ 
+ /// \ingroup IPCacheInternal
+@@ -338,7 +339,6 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
+ int k;
+ int j = 0;
+ int na = 0;
+- int ttl = 0;
+ const char *name = (const char *)i->hash.key;
+ int cname_found = 0;
+ 
+@@ -436,8 +436,8 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
+ debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] );
+ ++j;
+ }
+- if (ttl == 0 || (int) answers[k].ttl < ttl)
+- ttl = answers[k].ttl;
++
++ i->updateTtl(answers[k].ttl);
+ }
+ 
+ assert(j == na);
+@@ -447,17 +447,21 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
+ else
+ i->addrs.count = 255;
+ 
+- if (ttl > Config.positiveDnsTtl)
+- ttl = Config.positiveDnsTtl;
+-
+- if (ttl < Config.negativeDnsTtl)
+- ttl = Config.negativeDnsTtl;
+-
+- i->expires = squid_curtime + ttl;
+-
+ i->flags.negcached = false;
+ }
+ 
++void
++ipcache_entry::updateTtl(const unsigned int rrTtl)
++{
++ const time_t ttl = std::min(std::max(
++ Config.negativeDnsTtl, // smallest value allowed
++ static_cast(rrTtl)),
++ Config.positiveDnsTtl); // largest value allowed
++ const time_t rrExpires = squid_curtime + ttl;
++ if (rrExpires < expires)
++ expires = rrExpires;
++}
++
+ /// \ingroup IPCacheInternal
+ static void
+ ipcacheHandleReply(void *data, const rfc1035_rr * answers, int na, const char *error_message)
diff --git a/squid.spec b/squid.spec
index e055816..6b54bc0 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 Name: squid
 Version: 4.15
-Release: 10%{?dist}.4
+Release: 10%{?dist}.5
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
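Review bot: `ipcache_entry::updateTtl` can only lower `expires` (`if (rrExpires < expires)`), yet after these hunks nothing in `ipcacheParse` assigns an upper starting point before the answer loop — the removed `i->expires = squid_curtime + ttl;` was the only positive-path assignment — so the final expiry depends on whatever the entry already holds; the start of `ipcacheParse` is outside the hunk, and if it still primes `i->expires` with `squid_curtime + Config.negativeDnsTtl` (the pre-patch floor), the `std::max(Config.negativeDnsTtl, …)` clamp guarantees `rrExpires >= expires` and every positive answer would expire after negative_dns_ttl, never longer. Please confirm, and if so reset it before the loop with `i->expires = squid_curtime + Config.positiveDnsTtl; // lowered per RR by updateTtl()`. Separately, the same `std::max` floor means a record with TTL 0 is still cached for negative_dns_ttl (60 s by default) rather than not at all, which the title "obey TTL set to 0" does not convey; a comment on that line such as `// a zero TTL is honoured only down to negative_dns_ttl; set negative_dns_ttl 0 to disable caching` would make the operator-visible behaviour explicit. Finally, `static_cast(rrTtl)` as rendered has no target type, presumably `<time_t>` lost in extraction; verify the applied file reads `static_cast<time_t>(rrTtl)`.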
@@ -40,6 +40,8 @@ Patch208: squid-4.11-convert-ipv4.patch
 Patch209: squid-4.15-ftp-filename-extraction.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2076717
 Patch210: squid-4.15-halfclosed.patch
+# https://issues.redhat.com/browse/RHEL-66120
+Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1941506
@@ -134,6 +136,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch208 -p1 -b .convert-ipv4
 %patch209 -p1 -b .ftp-fn-extraction
 %patch210 -p1 -b .halfclosed
+%patch211 -p1 -b .dns-obey-ttl-set-to-zero
 # Security patches
 %patch300 -p1 -b .CVE-2021-28116
@@ -367,6 +370,9 @@ fi
 %changelog
+* Fri Nov 22 2024 Luboš Uhliarik - 7:4.15-10.5
+- Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
+
 * Mon Nov 18 2024 Luboš Uhliarik - 7:4.15-10.4
 - Resolves: RHEL-67870 - Remove gopher mention from spec file