Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
This commit is contained in:
parent
636112aa43
commit
adc3794cc0
61
squid-4.15-dns-obey-ttl-set-to-zero.patch
Normal file
61
squid-4.15-dns-obey-ttl-set-to-zero.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
diff --git a/src/ipcache.cc b/src/ipcache.cc
|
||||||
|
index ea32021..6012f1f 100644
|
||||||
|
--- a/src/ipcache.cc
|
||||||
|
+++ b/src/ipcache.cc
|
||||||
|
@@ -103,6 +103,7 @@ public:
|
||||||
|
} flags;
|
||||||
|
|
||||||
|
int age() const; ///< time passed since request_time or -1 if unknown
|
||||||
|
+ void updateTtl(const unsigned int rrTtl);
|
||||||
|
};
|
||||||
|
|
||||||
|
/// \ingroup IPCacheInternal
|
||||||
|
@@ -338,7 +339,6 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
|
||||||
|
int k;
|
||||||
|
int j = 0;
|
||||||
|
int na = 0;
|
||||||
|
- int ttl = 0;
|
||||||
|
const char *name = (const char *)i->hash.key;
|
||||||
|
int cname_found = 0;
|
||||||
|
|
||||||
|
@@ -436,8 +436,8 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
|
||||||
|
debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] );
|
||||||
|
++j;
|
||||||
|
}
|
||||||
|
- if (ttl == 0 || (int) answers[k].ttl < ttl)
|
||||||
|
- ttl = answers[k].ttl;
|
||||||
|
+
|
||||||
|
+ i->updateTtl(answers[k].ttl);
|
||||||
|
}
|
||||||
|
|
||||||
|
assert(j == na);
|
||||||
|
@@ -447,17 +447,21 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
|
||||||
|
else
|
||||||
|
i->addrs.count = 255;
|
||||||
|
|
||||||
|
- if (ttl > Config.positiveDnsTtl)
|
||||||
|
- ttl = Config.positiveDnsTtl;
|
||||||
|
-
|
||||||
|
- if (ttl < Config.negativeDnsTtl)
|
||||||
|
- ttl = Config.negativeDnsTtl;
|
||||||
|
-
|
||||||
|
- i->expires = squid_curtime + ttl;
|
||||||
|
-
|
||||||
|
i->flags.negcached = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
+void
|
||||||
|
+ipcache_entry::updateTtl(const unsigned int rrTtl)
|
||||||
|
+{
|
||||||
|
+ const time_t ttl = std::min(std::max(
|
||||||
|
+ Config.negativeDnsTtl, // smallest value allowed
|
||||||
|
+ static_cast<time_t>(rrTtl)),
|
||||||
|
+ Config.positiveDnsTtl); // largest value allowed
|
||||||
|
+ const time_t rrExpires = squid_curtime + ttl;
|
||||||
|
+ if (rrExpires < expires)
|
||||||
|
+ expires = rrExpires;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/// \ingroup IPCacheInternal
|
||||||
|
static void
|
||||||
|
ipcacheHandleReply(void *data, const rfc1035_rr * answers, int na, const char *error_message)
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: squid
|
Name: squid
|
||||||
Version: 4.15
|
Version: 4.15
|
||||||
Release: 10%{?dist}.4
|
Release: 10%{?dist}.5
|
||||||
Summary: The Squid proxy caching server
|
Summary: The Squid proxy caching server
|
||||||
Epoch: 7
|
Epoch: 7
|
||||||
# See CREDITS for breakdown of non GPLv2+ code
|
# See CREDITS for breakdown of non GPLv2+ code
|
||||||
@ -40,6 +40,8 @@ Patch208: squid-4.11-convert-ipv4.patch
|
|||||||
Patch209: squid-4.15-ftp-filename-extraction.patch
|
Patch209: squid-4.15-ftp-filename-extraction.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2076717
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2076717
|
||||||
Patch210: squid-4.15-halfclosed.patch
|
Patch210: squid-4.15-halfclosed.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-66120
|
||||||
|
Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
|
||||||
@ -134,6 +136,7 @@ lookup program (dnsserver), a program for retrieving FTP data
|
|||||||
%patch208 -p1 -b .convert-ipv4
|
%patch208 -p1 -b .convert-ipv4
|
||||||
%patch209 -p1 -b .ftp-fn-extraction
|
%patch209 -p1 -b .ftp-fn-extraction
|
||||||
%patch210 -p1 -b .halfclosed
|
%patch210 -p1 -b .halfclosed
|
||||||
|
%patch211 -p1 -b .dns-obey-ttl-set-to-zero
|
||||||
|
|
||||||
# Security patches
|
# Security patches
|
||||||
%patch300 -p1 -b .CVE-2021-28116
|
%patch300 -p1 -b .CVE-2021-28116
|
||||||
@ -367,6 +370,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 22 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.5
|
||||||
|
- Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
|
||||||
|
|
||||||
* Mon Nov 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.4
|
* Mon Nov 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.4
|
||||||
- Resolves: RHEL-67870 - Remove gopher mention from spec file
|
- Resolves: RHEL-67870 - Remove gopher mention from spec file
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user