From b4990d7207e47622d422cffc0629686d7755bc83 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Wed, 6 May 2020 08:53:16 -0400
Subject: [PATCH] import squid-4.4-8.module+el8.2.0+6449+6ba3df3e.1
---
.gitignore | 1 +
.squid.metadata | 1 +
SOURCES/cache_swap.sh | 16 +
SOURCES/perl-requires-squid.sh | 3 +
SOURCES/squid-3.0.STABLE1-perlpath.patch | 10 +
SOURCES/squid-3.1.0.9-location.patch | 32 +
SOURCES/squid-3.5.9-include-guards.patch | 95 ++
SOURCES/squid-4.0.11-config.patch | 26 +
SOURCES/squid-4.0.21-large-acl.patch | 178 +++
SOURCES/squid-4.4.0-CVE-2019-12519.patch | 296 ++++
SOURCES/squid-4.4.0-CVE-2019-12525.patch | 30 +
SOURCES/squid-4.4.0-CVE-2019-12527.patch | 139 ++
SOURCES/squid-4.4.0-CVE-2019-13345.patch | 64 +
SOURCES/squid-4.4.0-CVE-2020-11945.patch | 50 +
SOURCES/squid-4.4.0-active-ftp.patch | 127 ++
SOURCES/squid-4.4.0-lower-cachepeer.patch | 12 +
SOURCES/squid-4.4.0-man-pages.patch | 26 +
SOURCES/squid-4.4.tar.xz.asc | 25 +
SOURCES/squid.logrotate | 16 +
SOURCES/squid.nm | 7 +
SOURCES/squid.pam | 3 +
SOURCES/squid.service | 17 +
SOURCES/squid.sysconfig | 9 +
SPECS/squid.spec | 1648 +++++++++++++++++++++
24 files changed, 2831 insertions(+)
create mode 100644 .gitignore
create mode 100644 .squid.metadata
create mode 100644 SOURCES/cache_swap.sh
create mode 100755 SOURCES/perl-requires-squid.sh
create mode 100644 SOURCES/squid-3.0.STABLE1-perlpath.patch
create mode 100644 SOURCES/squid-3.1.0.9-location.patch
create mode 100644 SOURCES/squid-3.5.9-include-guards.patch
create mode 100644 SOURCES/squid-4.0.11-config.patch
create mode 100644 SOURCES/squid-4.0.21-large-acl.patch
create mode 100644 SOURCES/squid-4.4.0-CVE-2019-12519.patch
create mode 100644 SOURCES/squid-4.4.0-CVE-2019-12525.patch
create mode 100644 SOURCES/squid-4.4.0-CVE-2019-12527.patch
create mode 100644 SOURCES/squid-4.4.0-CVE-2019-13345.patch
create mode 100644 SOURCES/squid-4.4.0-CVE-2020-11945.patch
create mode 100644 SOURCES/squid-4.4.0-active-ftp.patch
create mode 100644 SOURCES/squid-4.4.0-lower-cachepeer.patch
create mode 100644 SOURCES/squid-4.4.0-man-pages.patch
create mode 100644 SOURCES/squid-4.4.tar.xz.asc
create mode 100644 SOURCES/squid.logrotate
create mode 100755 SOURCES/squid.nm
create mode 100644 SOURCES/squid.pam
create mode 100644 SOURCES/squid.service
create mode 100644 SOURCES/squid.sysconfig
create mode 100644 SPECS/squid.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..aa9cebb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/squid-4.4.tar.xz
diff --git a/.squid.metadata b/.squid.metadata
new file mode 100644
index 0000000..70ddf1b
--- /dev/null
+++ b/.squid.metadata
@@ -0,0 +1 @@
+0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz
diff --git a/SOURCES/cache_swap.sh b/SOURCES/cache_swap.sh
new file mode 100644
index 0000000..5e94072
--- /dev/null
+++ b/SOURCES/cache_swap.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+if [ -f /etc/sysconfig/squid ]; then
+ . /etc/sysconfig/squid
+fi
+
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+ grep cache_dir | awk '{ print $3 }'`
+
+for adir in $CACHE_SWAP; do
+ if [ ! -d $adir/00 ]; then
+ echo -n "init_cache_dir $adir... "
+ squid -N -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ fi
+done
diff --git a/SOURCES/perl-requires-squid.sh b/SOURCES/perl-requires-squid.sh
new file mode 100755
index 0000000..029e7b9
--- /dev/null
+++ b/SOURCES/perl-requires-squid.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/lib/rpm/perl.req $* | grep -v "Authen::Smb"
diff --git a/SOURCES/squid-3.0.STABLE1-perlpath.patch b/SOURCES/squid-3.0.STABLE1-perlpath.patch
new file mode 100644
index 0000000..052b8d7
--- /dev/null
+++ b/SOURCES/squid-3.0.STABLE1-perlpath.patch
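Review bot: `$SQUID_CONF` and `$adir` are expanded unquoted in the `sed`, `[ ! -d $adir/00 ]` and `squid -f` lines of SOURCES/cache_swap.sh, so a path containing whitespace or glob characters is word-split before it is used. `SQUID_CONF` can come from the sourced /etc/sysconfig/squid, so quote it: `sed -e 's/#.*//g' "$SQUID_CONF"`, `[ ! -d "$adir/00" ]` and `squid -N -z -F -f "$SQUID_CONF"`. The loop also runs `squid -z` once for every directory that lacks `00`, although the command as written is given the whole configuration file rather than the one directory, so a single run after the first miss is probably enough.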
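Review bot: `$*` in SOURCES/perl-requires-squid.sh is unquoted, so a file argument containing whitespace or glob characters is re-split before it reaches perl.req. `/usr/lib/rpm/perl.req "$@" | grep -v "Authen::Smb"` passes the arguments through unchanged. The script also has no comment saying why Authen::Smb is filtered out of the generated requirements, and one line stating the reason would help the next packager.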
@@ -0,0 +1,10 @@
+diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
+index 90ac6a4..8dbed90 100755
+--- a/contrib/url-normalizer.pl
++++ b/contrib/url-normalizer.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -Tw
++#!/usr/bin/perl -Tw
+ #
+ # * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+ # *
diff --git a/SOURCES/squid-3.1.0.9-location.patch b/SOURCES/squid-3.1.0.9-location.patch
new file mode 100644
index 0000000..4abd519
--- /dev/null
+++ b/SOURCES/squid-3.1.0.9-location.patch
@@ -0,0 +1,32 @@
+diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
+--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200
++++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200
+@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
+ INSTALL in the same directory), you have to configure the squid.conf
+ file. This is the list of the values you *need* to change, because no
+ sensible defaults could be defined. Do not touch the other variables
+-for now. We assume you have installed Squid in the default location:
+-/usr/local/squid
++for now.
+
+-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
++Uncomment and edit the following lines in /etc/squid/squid.conf:
+
+ ==============================================================================
+
+@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
+ line TWICE:
+
+ To create any disk cache_dir configured:
+- % /usr/local/squid/sbin/squid -z
++ % /usr/sbin/squid -z
+
+ To start squid:
+- % /usr/local/squid/sbin/squid
++ % /usr/sbin/squid
+
+-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
++Check in the cache.log (/var/log/squid/cache.log) that
+ everything is all right.
+
+ Once Squid created all its files (it can take several minutes on some
diff --git a/SOURCES/squid-3.5.9-include-guards.patch b/SOURCES/squid-3.5.9-include-guards.patch
new file mode 100644
index 0000000..e2d4ff9
--- /dev/null
+++ b/SOURCES/squid-3.5.9-include-guards.patch 
@@ -0,0 +1,95 @@
+------------------------------------------------------------
+revno: 14311
+revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
+------------------------------------------------------------
+revno: 14311
+revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
+author: Francesco Chemolli
+committer: Amos Jeffries
+branch nick: trunk
+timestamp: Thu 2015-09-24 06:05:37 -0700
+message:
+ Bug 4323: Netfilter broken cross-includes with Linux 4.2
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
+# timestamp: 2015-09-24 13:06:33 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
+# base_revision_id: squid3@treenet.co.nz-20150924032241-\
+# 6cx3g6hwz9xfoybr
+#
+# Begin patch
+=== modified file 'compat/os/linux.h'
+--- compat/os/linux.h 2015-01-13 07:25:36 +0000
++++ compat/os/linux.h 2015-09-24 13:05:37 +0000
+@@ -30,6 +30,21 @@
+ #endif
+
+ /*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include
++#endif
++
++/*
+ * sys/capability.h is only needed in Linux apparently.
+ *
+ * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
+author: Francesco Chemolli
+committer: Amos Jeffries
+branch nick: trunk
+timestamp: Thu 2015-09-24 06:05:37 -0700
+message:
+ Bug 4323: Netfilter broken cross-includes with Linux 4.2
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
+# timestamp: 2015-09-24 13:06:33 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
+# base_revision_id: squid3@treenet.co.nz-20150924032241-\
+# 6cx3g6hwz9xfoybr
+#
+# Begin patch
+=== modified file 'compat/os/linux.h'
+--- compat/os/linux.h 2015-01-13 07:25:36 +0000
++++ compat/os/linux.h 2015-09-24 13:05:37 +0000
+@@ -30,6 +30,21 @@
+ #endif
+
+ /*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include
++#endif
++
++/*
+ * sys/capability.h is only needed in Linux apparently.
+ *
+ * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+
diff --git a/SOURCES/squid-4.0.11-config.patch b/SOURCES/squid-4.0.11-config.patch
new file mode 100644
index 0000000..a4faae8
--- /dev/null
+++ b/SOURCES/squid-4.0.11-config.patch
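Review bot: The added SOURCES/squid-3.5.9-include-guards.patch carries the same change twice. After the first `@@ -30,6 +30,21 @@` hunk against compat/os/linux.h the text restarts at `fixes bug:` and repeats the whole Bazaar merge directive and the identical hunk, and the `revno`/`revision-id`/`parent` header is also doubled at the top. How the second, already-applied copy is treated depends on the options the spec file passes to patch, which are not visible here. Keeping a single copy of the upstream revision would make the applied result unambiguous and the file easier to compare with upstream.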
@@ -0,0 +1,26 @@
+diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
+--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200
++++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200
+@@ -4658,7 +4658,7 @@ DOC_END
+
+ NAME: logfile_rotate
+ TYPE: int
+-DEFAULT: 10
++DEFAULT: 0
+ LOC: Config.Log.rotateNumber
+ DOC_START
+ Specifies the default number of logfile rotations to make when you
+@@ -6444,11 +6444,11 @@ COMMENT_END
+
+ NAME: cache_mgr
+ TYPE: string
+-DEFAULT: webmaster
++DEFAULT: root
+ LOC: Config.adminEmail
+ DOC_START
+ Email-address of local cache manager who will receive
+- mail if the cache dies. The default is "webmaster".
++ mail if the cache dies. The default is "root".
+ DOC_END
+
+ NAME: mail_from
diff --git a/SOURCES/squid-4.0.21-large-acl.patch b/SOURCES/squid-4.0.21-large-acl.patch
new file mode 100644
index 0000000..8aacf38
--- /dev/null
+++ b/SOURCES/squid-4.0.21-large-acl.patch
@@ -0,0 +1,178 @@
+diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
+index 01a4c12..b5c1679 100644
+--- a/src/acl/RegexData.cc
++++ b/src/acl/RegexData.cc
+@@ -22,6 +22,7 @@
+ #include "ConfigParser.h"
+ #include "Debug.h"
+ #include "sbuf/List.h"
++#include "sbuf/Algorithms.h"
+
+ ACLRegexData::~ACLRegexData()
+ {
+@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags)
+ return true;
+ }
+
++static bool
++compileRE(std::list &curlist, const SBufList &RE, int flags)
++{
++ if (RE.empty())
++ return curlist.empty(); // XXX: old code did this. It looks wrong.
++ SBuf regexp;
++ static const SBuf openparen("("), closeparen(")"), separator(")|(");
++ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
++ closeparen);
++ return compileRE(curlist, regexp.c_str(), flags);
++}
++
+ /** Compose and compile one large RE from a set of (small) REs.
+ * The ultimate goal is to have only one RE per ACL so that match() is
+ * called only once per ACL.
+@@ -137,16 +150,11 @@ static int
+ compileOptimisedREs(std::list &curlist, const SBufList &sl)
+ {
+ std::list newlist;
+- int numREs = 0;
++ SBufList accumulatedRE;
++ int numREs = 0, reSize = 0;
+ int flags = REG_EXTENDED | REG_NOSUB;
+- int largeREindex = 0;
+- char largeRE[BUFSIZ];
+- *largeRE = 0;
+
+ for (const SBuf & configurationLineWord : sl) {
+- int RElen;
+- RElen = configurationLineWord.length();
+-
+ static const SBuf minus_i("-i");
+ static const SBuf plus_i("+i");
+ if (configurationLineWord == minus_i) {
+@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl)
+ debugs(28, 2, "optimisation of -i ... -i" );
+ } else {
+ debugs(28, 2, "-i" );
+- if (!compileRE(newlist, largeRE, flags))
++ if (!compileRE(newlist, accumulatedRE, flags))
+ return 0;
+ flags |= REG_ICASE;
+- largeRE[largeREindex=0] = '\0';
++ accumulatedRE.clear();
++ reSize = 0;
+ }
+ } else if (configurationLineWord == plus_i) {
+ if ((flags & REG_ICASE) == 0) {
+@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl)
+ debugs(28, 2, "optimisation of +i ... +i");
+ } else {
+ debugs(28, 2, "+i");
+- if (!compileRE(newlist, largeRE, flags))
++ if (!compileRE(newlist, accumulatedRE, flags))
+ return 0;
+ flags &= ~REG_ICASE;
+- largeRE[largeREindex=0] = '\0';
++ accumulatedRE.clear();
++ reSize = 0;
+ }
+- } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
++ } else if (reSize < 1024) {
+ debugs(28, 2, "adding RE '" << configurationLineWord << "'");
+- if (largeREindex > 0) {
+- largeRE[largeREindex] = '|';
+- ++largeREindex;
+- }
+- largeRE[largeREindex] = '(';
+- ++largeREindex;
+- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
+- largeREindex += configurationLineWord.length();
+- largeRE[largeREindex] = ')';
+- ++largeREindex;
+- largeRE[largeREindex] = '\0';
++ accumulatedRE.push_back(configurationLineWord);
+ ++numREs;
++ reSize += configurationLineWord.length();
+ } else {
+ debugs(28, 2, "buffer full, generating new optimised RE..." );
+- if (!compileRE(newlist, largeRE, flags))
++ accumulatedRE.push_back(configurationLineWord);
++ if (!compileRE(newlist, accumulatedRE, flags))
+ return 0;
+- largeRE[largeREindex=0] = '\0';
++ accumulatedRE.clear();
++ reSize = 0;
+ continue; /* do the loop again to add the RE to largeRE */
+ }
+ }
+
+- if (!compileRE(newlist, largeRE, flags))
++ if (!compileRE(newlist, accumulatedRE, flags))
+ return 0;
+
++ accumulatedRE.clear();
++ reSize = 0;
++
+ /* all was successful, so put the new list at the tail */
+ curlist.splice(curlist.end(), newlist);
+
+diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
+index 21ee889..338e9c0 100644
+--- a/src/sbuf/Algorithms.h
++++ b/src/sbuf/Algorithms.h
+@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
+ return rv;
+ }
+
++/** Join container of SBufs and append to supplied target
++ *
++ * append to the target SBuf all elements in the [begin,end) range from
++ * an iterable container, prefixed by prefix, separated by separator and
++ * followed by suffix. Prefix and suffix are added also in case of empty
++ * iterable
++ *
++ * \return the modified dest
++ */
++template
++SBuf&
++JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
++ const ContainerIterator &end, const SBuf& separator,
++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
++{
++ if (begin == end) {
++ dest.append(prefix).append(suffix);
++ return dest;
++ }
++
++ // optimization: pre-calculate needed storage
++ const SBuf::size_type totalContainerSize =
++ std::accumulate(begin, end, 0, SBufAddLength(separator)) +
++ dest.length() + prefix.length() + suffix.length();
++ SBufReservationRequirements req;
++ req.minSpace = totalContainerSize;
++ dest.reserve(req);
++
++ auto i = begin;
++ dest.append(prefix);
++ dest.append(*i);
++ ++i;
++ for (; i != end; ++i)
++ dest.append(separator).append(*i);
++ dest.append(suffix);
++ return dest;
++}
++
++
++/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
++template
++SBuf
++JoinContainerToSBuf(const ContainerIterator &begin,
++ const ContainerIterator &end, const SBuf& separator,
++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
++{
++ SBuf rv;
++ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
++}
++
++
+ namespace std {
+ /// default hash functor to support std::unordered_map
+ template <>
diff --git a/SOURCES/squid-4.4.0-CVE-2019-12519.patch b/SOURCES/squid-4.4.0-CVE-2019-12519.patch
new file mode 100644
index 0000000..d0f7c27
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-12519.patch
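Review bot: The new `compileRE(..., const SBufList &RE, ...)` overload returns `curlist.empty()` when `RE` is empty, and the final `compileRE(newlist, accumulatedRE, flags)` in compileOptimisedREs() reaches that path whenever the last word went through the "buffer full" branch: `accumulatedRE` has just been cleared while `newlist` already holds a compiled pattern, so the call reports failure and the function returns 0. The XXX comment already doubts this return value; treating an empty list as nothing to do, `if (RE.empty()) return true;`, looks like the intended behaviour, though what callers do with a 0 result is outside the hunk. In the same "buffer full" branch the word is pushed without `++numREs;`, and the comment on `continue;` still refers to the removed `largeRE`.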
@@ -0,0 +1,296 @@
+commit fdd4123629320aa1ee4c3481bb392437c90d188d
+Author: Amos Jeffries
+Date: 2019-05-20 11:23:13 +0000
+
+ ESI: convert parse exceptions into 500 status response (#411)
+
+ Produce a valid HTTP 500 status reply and continue operations when
+ ESI parser throws an exception. This will prevent incomplete ESI
+ responses reaching clients on server errors. Such responses might
+ have been cacheable and thus corrupted, albeit corrupted consistently
+ and at source by the reverse-proxy delivering them.
+
+ ESI: throw on large stack recursions (#408)
+
+ This reduces the impact on concurrent clients to only those
+ accessing the malformed resource.
+
+ Depending on what type of recursion is being performed the
+ resource may appear to the client with missing segments, or
+ not at all.
+
+diff --git a/src/esi/Context.h b/src/esi/Context.h
+index f3281a1..1b08cfb 100644
+--- a/src/esi/Context.h
++++ b/src/esi/Context.h
+@@ -12,6 +12,7 @@
+ #include "clientStream.h"
+ #include "err_type.h"
+ #include "esi/Element.h"
++#include "esi/Esi.h"
+ #include "esi/Parser.h"
+ #include "http/forward.h"
+ #include "http/StatusCode.h"
+@@ -113,7 +114,7 @@ public:
+ {
+
+ public:
+- ESIElement::Pointer stack[10]; /* a stack of esi elements that are open */
++ ESIElement::Pointer stack[ESI_STACK_DEPTH_LIMIT]; /* a stack of esi elements that are open */
+ int stackdepth; /* self explanatory */
+ ESIParser::Pointer theParser;
+ ESIElement::Pointer top();
+diff --git a/src/esi/Esi.cc b/src/esi/Esi.cc
+index cc662c4..e41d593 100644
+--- a/src/esi/Esi.cc
++++ b/src/esi/Esi.cc
+@@ -29,6 +29,7 @@
+ #include "esi/Expression.h"
+ #include "esi/Segment.h"
+ #include "esi/VarState.h"
++#include "FadingCounter.h"
+ #include "fatal.h"
+ #include "http/Stream.h"
+ #include "HttpHdrSc.h"
+@@ -930,13 +931,18 @@ void
+ ESIContext::addStackElement (ESIElement::Pointer element)
+ {
+ /* Put on the stack to allow skipping of 'invalid' markup */
+- assert (parserState.stackdepth <11);
++
++ // throw an error if the stack location would be invalid
++ if (parserState.stackdepth >= ESI_STACK_DEPTH_LIMIT)
++ throw Esi::Error("ESI Too many nested elements");
++ if (parserState.stackdepth < 0)
++ throw Esi::Error("ESI elements stack error, probable error in ESI template");
++
+ assert (!failed());
+ debugs(86, 5, "ESIContext::addStackElement: About to add ESI Node " << element.getRaw());
+
+ if (!parserState.top()->addElement(element)) {
+- debugs(86, DBG_IMPORTANT, "ESIContext::addStackElement: failed to add esi node, probable error in ESI template");
+- flags.error = 1;
++ throw Esi::Error("ESIContext::addStackElement failed, probable error in ESI template");
+ } else {
+ /* added ok, push onto the stack */
+ parserState.stack[parserState.stackdepth] = element;
+@@ -1188,13 +1194,10 @@ ESIContext::addLiteral (const char *s, int len)
+ assert (len);
+ debugs(86, 5, "literal length is " << len);
+ /* give a literal to the current element */
+- assert (parserState.stackdepth <11);
+ ESIElement::Pointer element (new esiLiteral (this, s, len));
+
+- if (!parserState.top()->addElement(element)) {
+- debugs(86, DBG_IMPORTANT, "ESIContext::addLiteral: failed to add esi node, probable error in ESI template");
+- flags.error = 1;
+- }
++ if (!parserState.top()->addElement(element))
++ throw Esi::Error("ESIContext::addLiteral failed, probable error in ESI template");
+ }
+
+ void
+@@ -1256,8 +1259,24 @@ ESIContext::parse()
+
+ PROF_start(esiParsing);
+
+- while (buffered.getRaw() && !flags.error)
+- parseOneBuffer();
++ try {
++ while (buffered.getRaw() && !flags.error)
++ parseOneBuffer();
++
++ } catch (Esi::ErrorDetail &errMsg) { // FIXME: non-const for c_str()
++ // level-2: these are protocol/syntax errors from upstream
++ debugs(86, 2, "WARNING: ESI syntax error: " << errMsg);
++ setError();
++ setErrorMessage(errMsg.c_str());
++
++ } catch (...) {
++ // DBG_IMPORTANT because these are local issues the admin needs to fix
++ static FadingCounter logEntries; // TODO: set horizon less than infinity
++ if (logEntries.count(1) < 100)
++ debugs(86, DBG_IMPORTANT, "ERROR: ESI parser: " << CurrentException);
++ setError();
++ setErrorMessage("ESI parser error");
++ }
+
+ PROF_stop(esiParsing);
+
+diff --git a/src/esi/Esi.h b/src/esi/Esi.h
+index 180b2c4..6fd5aac 100644
+--- a/src/esi/Esi.h
++++ b/src/esi/Esi.h
+@@ -10,6 +10,11 @@
+ #define SQUID_ESI_H
+
+ #include "clientStream.h"
++#include "sbuf/SBuf.h"
++
++#if !defined(ESI_STACK_DEPTH_LIMIT)
++#define ESI_STACK_DEPTH_LIMIT 20
++#endif
+
+ /* ESI.c */
+ extern CSR esiStreamRead;
+@@ -18,5 +23,14 @@ extern CSD esiStreamDetach;
+ extern CSS esiStreamStatus;
+ int esiEnableProcessing (HttpReply *);
+
++namespace Esi
++{
++
++typedef SBuf ErrorDetail;
++/// prepare an Esi::ErrorDetail for throw on ESI parser internal errors
++inline Esi::ErrorDetail Error(const char *msg) { return ErrorDetail(msg); }
++
++} // namespace Esi
++
+ #endif /* SQUID_ESI_H */
+
+diff --git a/src/esi/Expression.cc b/src/esi/Expression.cc
+index 2b5b762..8519b03 100644
+--- a/src/esi/Expression.cc
++++ b/src/esi/Expression.cc
+@@ -10,6 +10,7 @@
+
+ #include "squid.h"
+ #include "Debug.h"
++#include "esi/Esi.h"
+ #include "esi/Expression.h"
+ #include "profiler/Profiler.h"
+
+@@ -97,6 +98,17 @@ stackpop(stackmember * s, int *depth)
+ cleanmember(&s[*depth]);
+ }
+
++static void
++stackpush(stackmember *stack, stackmember &item, int *depth)
++{
++ if (*depth < 0)
++ throw Esi::Error("ESIExpression stack has negative size");
++ if (*depth >= ESI_STACK_DEPTH_LIMIT)
++ throw Esi::Error("ESIExpression stack is full, cannot push");
++
++ stack[(*depth)++] = item;
++}
++
+ static evaluate evalnegate;
+ static evaluate evalliteral;
+ static evaluate evalor;
+@@ -208,6 +220,11 @@ evalnegate(stackmember * stack, int *depth, int whereAmI, stackmember * candidat
+ /* invalid stack */
+ return 1;
+
++ if (whereAmI < 0)
++ throw Esi::Error("negate expression location too small");
++ if (*depth >= ESI_STACK_DEPTH_LIMIT)
++ throw Esi::Error("negate expression too complex");
++
+ if (stack[whereAmI + 1].valuetype != ESI_EXPR_EXPR)
+ /* invalid operand */
+ return 1;
+@@ -280,7 +297,7 @@ evalor(stackmember * stack, int *depth, int whereAmI, stackmember * candidate)
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -327,7 +344,7 @@ evaland(stackmember * stack, int *depth, int whereAmI, stackmember * candidate)
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -373,7 +390,7 @@ evallesseq(stackmember * stack, int *depth, int whereAmI, stackmember * candidat
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -421,7 +438,7 @@ evallessthan(stackmember * stack, int *depth, int whereAmI, stackmember * candid
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -469,7 +486,7 @@ evalmoreeq(stackmember * stack, int *depth, int whereAmI, stackmember * candidat
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -517,7 +534,7 @@ evalmorethan(stackmember * stack, int *depth, int whereAmI, stackmember * candid
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -566,7 +583,7 @@ evalequals(stackmember * stack, int *depth, int whereAmI,
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -613,7 +630,7 @@ evalnotequals(stackmember * stack, int *depth, int whereAmI, stackmember * candi
+
+ srv.precedence = 1;
+
+- stack[(*depth)++] = srv;
++ stackpush(stack, srv, depth);
+
+ /* we're out of way, try adding now */
+ if (!addmember(stack, depth, candidate))
+@@ -953,6 +970,9 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate)
+ /* !(!(a==b))) is why thats safe */
+ /* strictly less than until we unwind */
+
++ if (*stackdepth >= ESI_STACK_DEPTH_LIMIT)
++ throw Esi::Error("ESI expression too complex to add member");
++
+ if (candidate->precedence < stack[*stackdepth - 1].precedence ||
+ candidate->precedence < stack[*stackdepth - 2].precedence) {
+ /* must be an operator */
+@@ -968,10 +988,10 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate)
+ return 0;
+ }
+ } else {
+- stack[(*stackdepth)++] = *candidate;
++ stackpush(stack, *candidate, stackdepth);
+ }
+ } else if (candidate->valuetype != ESI_EXPR_INVALID)
+- stack[(*stackdepth)++] = *candidate;
++ stackpush(stack, *candidate, stackdepth);
+
+ return 1;
+ }
+@@ -979,7 +999,7 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate)
+ int
+ ESIExpression::Evaluate(char const *s)
+ {
+- stackmember stack[20];
++ stackmember stack[ESI_STACK_DEPTH_LIMIT];
+ int stackdepth = 0;
+ char const *end;
+ PROF_start(esiExpressionEval);
diff --git a/SOURCES/squid-4.4.0-CVE-2019-12525.patch b/SOURCES/squid-4.4.0-CVE-2019-12525.patch
new file mode 100644
index 0000000..ee093f1
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-12525.patch
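Review bot: In the new `catch (...)` block of ESIContext::parse(), `if (logEntries.count(1) < 100)` on a `static FadingCounter` whose horizon is still unset (the author's own `TODO: set horizon less than infinity`) appears to stop these ERROR lines for the rest of the process lifetime once 100 have been seen, so later parser exceptions leave nothing in the log at DBG_IMPORTANT. Giving the counter a finite horizon, or emitting one last "further messages suppressed" line when the limit is reached, would keep the condition visible to the administrator. The first handler catches `Esi::ErrorDetail`, which Esi.h declares as a plain `typedef SBuf`, so any SBuf thrown from code reached through parseOneBuffer() would be reported as an ESI syntax error and passed to setErrorMessage(); a dedicated exception type would make that distinction explicit.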
@@ -0,0 +1,30 @@
+commit 409956536647b3a05ee1e367424a24ae6b8f13fd
+Author: Amos Jeffries
+Date: 2019-06-08 21:09:23 +0000
+
+ Fix Digest auth parameter parsing (#415)
+
+ Only remove quoting if the domain=, uri= or qop= parameter
+ value is surrounded by double-quotes.
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index a8a07cd..b547bf8 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -787,14 +787,14 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+ if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
+ // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
+ // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
+- if (*p == '"' && *(p + vlen -1) == '"') {
++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+ value.limitInit(p+1, vlen-2);
+ }
+ } else if (keyName == SBuf("qop",3)) {
+ // qop is more special.
+ // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
+ // On response this is a single un-quoted token.
+- if (*p == '"' && *(p + vlen -1) == '"') {
++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+ value.limitInit(p+1, vlen-2);
+ } else {
+ value.limitInit(p, vlen);
diff --git a/SOURCES/squid-4.4.0-CVE-2019-12527.patch b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
new file mode 100644
index 0000000..ea950f5
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
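Review bot: The two new `vlen > 1 &&` guards in Auth::Digest::Config::decode() carry no comment, and the reason for them is easy to lose. With a value that is a single `"` both quote tests match the same character, so `limitInit(p+1, vlen-2)` would be called with a length one below zero (or a wrapped huge value if `vlen` is unsigned; its declaration is outside the hunk). A comment on the first guard such as `// vlen > 1: a lone '"' matches both tests and would make vlen-2 negative` would record that. The domain=/uri= branch has no `else`, so an unquoted value leaves `value` untouched there; whether that is rejected later is not visible, and a short comment stating the intent would help.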
@@ -0,0 +1,139 @@
+commit 7f73e9c5d17664b882ed32590e6af310c247f320
+Author: Amos Jeffries
+Date: 2019-06-19 05:58:36 +0000
+
+ Update HttpHeader::getAuth to SBuf (#416)
+
+ Replace the fixed-size buffer for decoding base64 tokens with an
+ SBuf to avoid decoder issues on large inputs.
+
+ Update callers to SBuf API operations for more efficient memory
+ management.
+
+diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
+index 1e2b650..284a057 100644
+--- a/src/HttpHeader.cc
++++ b/src/HttpHeader.cc
+@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
+ return cr;
+ }
+
+-const char *
+-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
++SBuf
++HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
+ {
+ const char *field;
+ int l;
+ assert(auth_scheme);
+ field = getStr(id);
+
++ static const SBuf nil;
+ if (!field) /* no authorization field */
+- return NULL;
++ return nil;
+
+ l = strlen(auth_scheme);
+
+ if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ field += l;
+
+ if (!xisspace(*field)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ /* skip white space */
+ for (; field && xisspace(*field); ++field);
+
+ if (!*field) /* no authorization cookie */
+- return NULL;
++ return nil;
+
+- static char decodedAuthToken[8192];
++ const auto fieldLen = strlen(field);
++ SBuf result;
++ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+ size_t decodedLen = 0;
+- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) ||
++ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) ||
+ !base64_decode_final(&ctx)) {
+- return NULL;
++ return nil;
+ }
+- decodedAuthToken[decodedLen] = '\0';
+- return decodedAuthToken;
++ result.rawAppendFinish(decodedAuthToken, decodedLen);
++ return result;
+ }
+
+ ETag
+diff --git a/src/HttpHeader.h b/src/HttpHeader.h
+index a26b127..3b262be 100644
+--- a/src/HttpHeader.h
++++ b/src/HttpHeader.h
+@@ -134,7 +134,7 @@ public:
+ HttpHdrRange *getRange() const;
+ HttpHdrSc *getSc() const;
+ HttpHdrContRange *getContRange() const;
+- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
++ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
+ ETag getETag(Http::HdrType id) const;
+ TimeOrTag getTimeOrTag(Http::HdrType id) const;
+ int hasListMember(Http::HdrType id, const char *member, const char separator) const;
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index da22f7a..2fae767 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -27,6 +27,7 @@
+ #include "mgr/FunAction.h"
+ #include "mgr/QueryParams.h"
+ #include "protos.h"
++#include "sbuf/StringConvert.h"
+ #include "SquidConfig.h"
+ #include "SquidTime.h"
+ #include "Store.h"
+@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m
+ // TODO: use the authentication system decode to retrieve these details properly.
+
+ /* base 64 _decoded_ user:passwd pair */
+- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
++ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
+
+- if (!basic_cookie)
++ if (basic_cookie.isEmpty())
+ return;
+
+- const char *passwd_del;
+- if (!(passwd_del = strchr(basic_cookie, ':'))) {
++ const auto colonPos = basic_cookie.find(':');
++ if (colonPos == SBuf::npos) {
+ debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
+ return;
+ }
+
+ /* found user:password pair, reset old values */
+- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
+- params.password = passwd_del + 1;
++ params.userName = SBufToString(basic_cookie.substr(0, colonPos));
++ params.password = SBufToString(basic_cookie.substr(colonPos+1));
+
+ /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
+ debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index b958b14..7ca5d24 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
+
+ #if HAVE_AUTH_MODULE_BASIC
+ /* Check HTTP Authorization: headers (better than defaults, but less than URL) */
+- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
++ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
+ if (!auth.isEmpty()) {
+ flags.authenticated = 1;
+ loginParser(auth, false);
diff --git a/SOURCES/squid-4.4.0-CVE-2019-13345.patch b/SOURCES/squid-4.4.0-CVE-2019-13345.patch
new file mode 100644
index 0000000..9a5754e
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-13345.patch
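Review bot: In CacheManager::ParseHeaders() the unchanged `debugs(16, DBG_IMPORTANT, ...)` line still writes the whole base64-decoded Authorization payload into the log when no ':' is found, and after the SBuf conversion that payload is no longer limited by the old 8192-byte buffer or cut at the first NUL byte. The value is client-controlled and may be a mistyped credential, so I would log only its size: `debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format, " << basic_cookie.length() << " bytes");`. The function continues past the end of the hunk, where the level-9 debugs() that prints the decoded user name begins.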
@@ -0,0 +1,64 @@ +diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc +index 0c745c2..8a67eba 100644 +--- a/tools/cachemgr.cc ++++ b/tools/cachemgr.cc +@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name) + + printf("Manager name:\n", user_name); ++ printf("size=\"30\" VALUE=\"%s\">\n", rfc1738_escape(user_name)); + + printf("Password:hostname, + req->port, +- safe_str(req->user_name), ++ rfc1738_escape(safe_str(req->user_name)), + action, + safe_str(req->pub_auth)); + return url; +@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req) + const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s", + req->hostname, + (int) now, +- req->user_name ? req->user_name : "", +- req->passwd); ++ rfc1738_escape(safe_str(req->user_name)), ++ rfc1738_escape(req->passwd)); + debug("cmgr: pre-encoded for pub: %s\n", buf); + + const int encodedLen = base64_encode_len(bufLen); +@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req) + char *buf; + const char *host_name; + const char *time_str; +- const char *user_name; +- const char *passwd; + + debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth)); + safe_free(req->passwd); +@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req) + + debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now); + ++ char *user_name; + if ((user_name = strtok(NULL, "|")) == NULL) { + xfree(buf); + return; + } ++ rfc1738_unescape(user_name); + + debug("cmgr: decoded uname: '%s'\n", user_name); + ++ char *passwd; + if ((passwd = strtok(NULL, "|")) == NULL) { + xfree(buf); + return; + } ++ rfc1738_unescape(passwd); + + debug("cmgr: decoded passwd: '%s'\n", passwd); + diff --git a/SOURCES/squid-4.4.0-CVE-2020-11945.patch b/SOURCES/squid-4.4.0-CVE-2020-11945.patch new file mode 100644 index 0000000..8c48f26 --- /dev/null +++ b/SOURCES/squid-4.4.0-CVE-2020-11945.patch 
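Review bot: In make_pub_auth the two `rfc1738_escape(...)` results are passed to the same `snprintf` call, which is only safe if each call returns its own storage. The definition of rfc1738_escape is not part of this patch, but the other call sites here use its return value without freeing it, which suggests it hands back a pointer into one shared buffer. If so, both `%s` fields would print whichever string was escaped last, and the user name and password encoded into pub_auth would come out identical. Copying each escaped string before formatting removes that dependency. Only part of make_pub_auth is visible in the hunk, so the surrounding lines are summarised as comments below.

```cpp
// … unchanged: code before the snprintf call …
char *escapedUser = xstrdup(rfc1738_escape(safe_str(req->user_name)));
char *escapedPasswd = xstrdup(rfc1738_escape(req->passwd));
const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
                            req->hostname,
                            (int) now,
                            escapedUser,
                            escapedPasswd);
xfree(escapedUser);
xfree(escapedPasswd);
// … unchanged: debug output and base64 encoding of buf …
```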
@@ -0,0 +1,50 @@ +diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc +index 45e46c0..433335a 100644 +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce); + static void authenticateDigestNonceSetup(void); + static void authDigestNonceEncode(digest_nonce_h * nonce); + static void authDigestNonceLink(digest_nonce_h * nonce); +-#if NOT_USED +-static int authDigestNonceLinks(digest_nonce_h * nonce); +-#endif + static void authDigestNonceUserUnlink(digest_nonce_h * nonce); + + static void +@@ -287,21 +284,10 @@ authDigestNonceLink(digest_nonce_h * nonce) + { + assert(nonce != NULL); + ++nonce->references; ++ assert(nonce->references != 0); // no overflows + debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'."); + } + +-#if NOT_USED +-static int +-authDigestNonceLinks(digest_nonce_h * nonce) +-{ +- if (!nonce) +- return -1; +- +- return nonce->references; +-} +- +-#endif +- + void + authDigestNonceUnlink(digest_nonce_h * nonce) + { +diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h +index b79ff30..2840865 100644 +--- a/src/auth/digest/Config.h ++++ b/src/auth/digest/Config.h +@@ -44,7 +44,7 @@ struct _digest_nonce_h : public hash_link { + /* number of uses we've seen of this nonce */ + unsigned long nc; + /* reference count */ +- short references; ++ uint64_t references; + /* the auth_user this nonce has been tied to */ + Auth::Digest::User *user; + /* has this nonce been invalidated ? */ diff --git a/SOURCES/squid-4.4.0-active-ftp.patch b/SOURCES/squid-4.4.0-active-ftp.patch new file mode 100644 index 0000000..64988fe --- /dev/null +++ b/SOURCES/squid-4.4.0-active-ftp.patch 
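Review bot: The new `assert(nonce->references != 0); // no overflows` in authDigestNonceLink only works because `references` is now unsigned, so an overflowing increment wraps to zero instead of being undefined. The two-word comment does not say that, and the check would silently stop being valid if the field were changed back to a signed type. I would expand it to `// references is unsigned, so wrapping to 0 here means the counter overflowed` and add `/* must stay unsigned: authDigestNonceLink() detects overflow by wrap-to-zero */` above the field in Config.h. Whether this assert is compiled into production builds depends on how the tree defines assert, which is not visible in this patch.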
@@ -0,0 +1,127 @@ +diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc +index 777210c..4c80511 100644 +--- a/src/clients/FtpClient.cc ++++ b/src/clients/FtpClient.cc +@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel() + bool + Ftp::Client::openListenSocket() + { +- return false; ++ debugs(9, 3, HERE); ++ return false; + } + + /// creates a data channel Comm close callback +diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h +index 465fdb7..75dbd3b 100644 +--- a/src/clients/FtpClient.h ++++ b/src/clients/FtpClient.h +@@ -118,7 +118,7 @@ public: + bool sendPort(); + bool sendPassive(); + void connectDataChannel(); +- bool openListenSocket(); ++ virtual bool openListenSocket(); + void switchTimeoutToDataChannel(); + + CtrlChannel ctrl; ///< FTP control channel state +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index a13cdda..b958b14 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -87,6 +87,13 @@ struct GatewayFlags { + class Gateway; + typedef void (StateMethod)(Ftp::Gateway *); + ++} // namespace FTP ++ ++static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback); ++ ++namespace Ftp ++{ ++ + /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI, + /// converts it into one or more FTP commands, and then + /// converts one or more FTP responses into the final HTTP response. +@@ -137,7 +144,11 @@ public: + + /// create a data channel acceptor and start listening. 
+ void listenForDataChannel(const Comm::ConnectionPointer &conn); +- ++ virtual bool openListenSocket() { ++ debugs(9, 3, HERE); ++ ftpOpenListenSocket(this, 0); ++ return Comm::IsConnOpen(data.conn); ++ } + int checkAuth(const HttpHeader * req_hdr); + void checkUrlpath(); + void buildTitleUrl(); +@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) + } + + ftpState->listenForDataChannel(temp); ++ ftpState->data.listenConn = temp; + } + + static void +@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) + // pull out the internal IP address bytes to send in PORT command... + // source them from the listen_conn->local + ++ struct sockaddr_in addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ unsigned char port_high = ntohs(addr.sin_port) >> 8; ++ unsigned char port_low = ntohs(addr.sin_port) & 0xff; ++ + struct addrinfo *AI = NULL; + ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET); + unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr; +- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; ++ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; + snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n", + addrptr[0], addrptr[1], addrptr[2], addrptr[3], +- portptr[0], portptr[1]); ++ port_high, port_low); + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_PORT; + +@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) + return; + } + ++ ++ unsigned int port; ++ struct sockaddr_storage addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ if (addr.ss_family == AF_INET) { ++ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr; ++ port = ntohs( addr4->sin_port ); ++ } else { ++ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) 
&addr; ++ port = ntohs( addr6->sin6_port ); ++ } ++ + char buf[MAX_IPSTRLEN]; + + /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */ + /* Which can be used by EITHER protocol. */ +- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n", ++ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n", + ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ), + ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN), +- ftpState->data.listenConn->local.port() ); ++ port); + + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_EPRT; +@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) + ftpSendPORT(ftpState); + return; + } +- ++ ftpState->ctrl.message = NULL; + ftpRestOrList(ftpState); + } + diff --git a/SOURCES/squid-4.4.0-lower-cachepeer.patch b/SOURCES/squid-4.4.0-lower-cachepeer.patch new file mode 100644 index 0000000..42bc2aa --- /dev/null +++ b/SOURCES/squid-4.4.0-lower-cachepeer.patch @@ -0,0 +1,12 @@ +diff --git a/src/cache_cf.cc b/src/cache_cf.cc +index 9165ef99c..32a3df322 100644 +--- a/src/cache_cf.cc ++++ b/src/cache_cf.cc +@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head) + + CachePeer *p = new CachePeer; + p->host = xstrdup(host_str); ++ Tolower(p->host); + p->name = xstrdup(host_str); + p->type = parseNeighborType(token); + diff --git a/SOURCES/squid-4.4.0-man-pages.patch b/SOURCES/squid-4.4.0-man-pages.patch new file mode 100644 index 0000000..974795d --- /dev/null +++ b/SOURCES/squid-4.4.0-man-pages.patch 
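Review bot: Both added `getsockname()` calls, in ftpSendPORT and in ftpSendEPRT, ignore the return value, so on failure `addr` is left uninitialised and the port written into the PORT/EPRT command comes from whatever was on the stack. Each call should be tested, e.g. `if (getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen) != 0)`, taking the function's existing failure path and returning before the `snprintf`. In ftpSendPORT the result is also read as `struct sockaddr_in` without checking the address family, and the commented-out `portptr` line can simply be deleted. Both function bodies start and end outside the nested hunks.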
@@ -0,0 +1,26 @@ +diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 +index 3053180..1d295fb 100644 +--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 ++++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 +@@ -135,7 +135,7 @@ + .if n .ad l + .nh + .SH "NAME" +-url_lfs_rewrite ++\& url_lfs_rewrite \- a URL-rewriter based on local file existence + .SH "SYNOPSIS" + .IX Header "SYNOPSIS" + .Vb 1 +diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in +index a7168e0..da7055c 100755 +--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in ++++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in +@@ -8,7 +8,7 @@ use Pod::Usage; + + =head1 NAME + +-B ++B - a URL-rewriter based on local file existence + + =head1 SYNOPSIS + diff --git a/SOURCES/squid-4.4.tar.xz.asc b/SOURCES/squid-4.4.tar.xz.asc new file mode 100644 index 0000000..a0f8623 --- /dev/null +++ b/SOURCES/squid-4.4.tar.xz.asc 
@@ -0,0 +1,25 @@
+File: squid-4.4.tar.xz
+Date: Sat Oct 27 21:20:24 UTC 2018
+Size: 2436468
+MD5 : 892504ca9700e1f139a53f84098613bd
+SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa
+Key : CD6DBF8EF3B17D3E
+ B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx
+fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo
+9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1
+J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t
+fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3
+UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD
+Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST
+1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX
+KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y
+VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1
+eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN
+eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME=
+=1eSQ
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/squid.logrotate b/SOURCES/squid.logrotate
new file mode 100644
index 0000000..4a0406f
--- /dev/null
+++ b/SOURCES/squid.logrotate
@@ -0,0 +1,16 @@
+/var/log/squid/*.log {
+ weekly
+ rotate 5
+ compress
+ notifempty
+ missingok
+ nocreate
+ sharedscripts
+ postrotate
+ # Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf)
+ # errors redirected to make it silent if squid is not running
+ /usr/sbin/squid -k rotate 2>/dev/null
+ # Wait a little to allow Squid to catch up before the logs is compressed
+ sleep 1
+ endscript
+}
diff --git a/SOURCES/squid.nm b/SOURCES/squid.nm
new file mode 100755
index 0000000..5e40f76
--- /dev/null
+++ b/SOURCES/squid.nm
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+case "$2" in
+ up|down|vpn-up|vpn-down)
+ /bin/systemctl -q reload squid.service || :
+ ;;
+esac
diff --git a/SOURCES/squid.pam b/SOURCES/squid.pam
new file mode 100644
index 0000000..1d78594
--- /dev/null
+++ b/SOURCES/squid.pam
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth include password-auth
+account include password-auth
diff --git a/SOURCES/squid.service b/SOURCES/squid.service
new file mode 100644
index 0000000..f49d7db
--- /dev/null
+++ b/SOURCES/squid.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Squid caching proxy
+Documentation=man:squid(8)
+After=network.target network-online.target nss-lookup.target
+
+[Service]
+Type=forking
+LimitNOFILE=16384
+EnvironmentFile=/etc/sysconfig/squid
+ExecStartPre=/usr/libexec/squid/cache_swap.sh
+ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
+ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/squid.sysconfig b/SOURCES/squid.sysconfig
new file mode 100644
index 0000000..3864bd8
--- /dev/null
+++ b/SOURCES/squid.sysconfig
@@ -0,0 +1,9 @@
+# default squid options
+SQUID_OPTS=""
+
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=100
+
+# default squid conf file
+SQUID_CONF="/etc/squid/squid.conf"
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
new file mode 100644
index 0000000..7c507cf
--- /dev/null
+++ b/SPECS/squid.spec
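Review bot: `SQUID_SHUTDOWN_TIMEOUT=100` in squid.sysconfig is documented as the time to wait for Squid to shut down, but squid.service as added in this commit sets `TimeoutSec=0` and none of its Exec lines reference the variable, so editing the value appears to have no effect. Unless something outside this commit reads it, the comment should say so, for example `# Not read by squid.service, which sets TimeoutSec=0.`, or the setting should be dropped. squid.service also passes `$SQUID_OPTS` to ExecStart and ExecReload but not to ExecStop, which deserves a one-line comment if it is intentional.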
@@ -0,0 +1,1648 @@ +%define __perl_requires %{SOURCE98} + +Name: squid +Version: 4.4 +Release: 8%{?dist}.1 +Summary: The Squid proxy caching server +Epoch: 7 +# See CREDITS for breakdown of non GPLv2+ code +License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) +URL: http://www.squid-cache.org +Source0: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc +Source2: squid.logrotate +Source3: squid.sysconfig +Source4: squid.pam +Source5: squid.nm +Source6: squid.service +Source7: cache_swap.sh + +Source98: perl-requires-squid.sh + +# Upstream patches + +# Backported patches + +# Local patches +# Applying upstream patches first makes it less likely that local patches +# will break upstream ones. +Patch201: squid-4.0.11-config.patch +Patch202: squid-3.1.0.9-location.patch +Patch203: squid-3.0.STABLE1-perlpath.patch +Patch204: squid-3.5.9-include-guards.patch +Patch205: squid-4.0.21-large-acl.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=980511 +Patch206: squid-4.4.0-active-ftp.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1612524 +Patch207: squid-4.4.0-man-pages.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1691741 +Patch208: squid-4.4.0-lower-cachepeer.patch + +# Security fixes +# https://bugzilla.redhat.com/show_bug.cgi?id=1729436 +Patch500: squid-4.4.0-CVE-2019-13345.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1738485 +Patch501: squid-4.4.0-CVE-2019-12527.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1828368 +Patch502: squid-4.4.0-CVE-2019-12519.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1828367 +Patch503: squid-4.4.0-CVE-2020-11945.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1829402 +Patch504: squid-4.4.0-CVE-2019-12525.patch + +Requires: bash >= 2.0 +Requires(pre): shadow-utils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# squid_ldap_auth and other LDAP helpers require OpenLDAP 
+BuildRequires: openldap-devel +# squid_pam_auth requires PAM development libs +BuildRequires: pam-devel +# SSL support requires OpenSSL +BuildRequires: openssl-devel +# squid_kerb_aut requires Kerberos development libs +BuildRequires: krb5-devel +# time_quota requires DB +BuildRequires: libdb-devel +# ESI support requires Expat & libxml2 +BuildRequires: expat-devel libxml2-devel +# TPROXY requires libcap, and also increases security somewhat +BuildRequires: libcap-devel +# eCAP support +BuildRequires: libecap-devel +#ip_user helper requires +BuildRequires: gcc-c++ +BuildRequires: libtool libtool-ltdl-devel +BuildRequires: perl-generators +# For test suite +BuildRequires: pkgconfig(cppunit) +BuildRequires: autoconf + +%description +Squid is a high-performance proxy caching server for Web clients, +supporting FTP, gopher, and HTTP data objects. Unlike traditional +caching software, Squid handles all requests in a single, +non-blocking, I/O-driven process. Squid keeps meta data and especially +hot objects cached in RAM, caches DNS lookups, supports non-blocking +DNS lookups, and implements negative caching of failed requests. + +Squid consists of a main server program squid, a Domain Name System +lookup program (dnsserver), a program for retrieving FTP data +(ftpget), and some management and client tools. 
+ +%prep +%setup -q + +# Upstream patches + +# Backported patches + +# Local patches +%patch201 -p1 -b .config +%patch202 -p1 -b .location +%patch203 -p1 -b .perlpath +%patch204 -p0 -b .include-guards +%patch205 -p1 -b .large_acl +%patch206 -p1 -b .active-ftp +%patch207 -p1 -b .man-pages +%patch208 -p1 -b .lower-cachepeer + +%patch500 -p1 -b .CVE-2019-13345 +%patch501 -p1 -b .CVE-2019-12527 +%patch502 -p1 -b .CVE-2019-12519 +%patch503 -p1 -b .CVE-2020-11945 +%patch504 -p1 -b .CVE-2019-12525 + +# https://bugzilla.redhat.com/show_bug.cgi?id=1679526 +# Patch in the vendor documentation and used different location for documentation +sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in + +%build +# cppunit-config patch changes configure.ac +autoconf + +# NIS helper has been removed because of the following bug +# https://bugzilla.redhat.com/show_bug.cgi?id=1531540 +%configure \ + --libexecdir=%{_libdir}/squid \ + --datadir=%{_datadir}/squid \ + --sysconfdir=%{_sysconfdir}/squid \ + --with-logdir='%{_localstatedir}/log/squid' \ + --with-pidfile='%{_localstatedir}/run/squid.pid' \ + --disable-dependency-tracking \ + --enable-eui \ + --enable-follow-x-forwarded-for \ + --enable-auth \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \ + --enable-auth-ntlm="SMB_LM,fake" \ + --enable-auth-digest="file,LDAP" \ + --enable-auth-negotiate="kerberos" \ + --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \ + --enable-storeid-rewrite-helpers="file" \ + --enable-cache-digests \ + --enable-cachemgr-hostname=localhost \ + --enable-delay-pools \ + --enable-epoll \ + --enable-icap-client \ + --enable-ident-lookups \ + %ifnarch %{power64} ia64 x86_64 s390x aarch64 + --with-large-files \ + %endif + --enable-linux-netfilter \ + --enable-removal-policies="heap,lru" \ + --enable-snmp \ + --enable-ssl \ + --enable-ssl-crtd \ + 
--enable-storeio="aufs,diskd,ufs,rock" \ + --enable-diskio \ + --enable-wccpv2 \ + --enable-esi \ + --enable-ecap \ + --with-aio \ + --with-default-user="squid" \ + --with-dl \ + --with-openssl \ + --with-pthreads \ + --disable-arch-native \ + --disable-security-cert-validators \ + --with-swapdir=%{_localstatedir}/spool/squid + +%make_build + +%check +make check + +%install +%make_install + +echo " +# +# This is %{_sysconfdir}/httpd/conf.d/squid.conf +# + +ScriptAlias /Squid/cgi-bin/cachemgr.cgi %{_libdir}/squid/cachemgr.cgi + +# Only allow access from localhost by default + + Require local + # Add additional allowed hosts as needed + # Require host example.com +" > $RPM_BUILD_ROOT/squid.httpd.tmp + + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d +mkdir -p $RPM_BUILD_ROOT%{_unitdir} +mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid +install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid +install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid +install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid +install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir} +install -m 755 %{SOURCE7} $RPM_BUILD_ROOT%{_libexecdir}/squid +install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/squid +chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl +iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp +mv -f ChangeLog.tmp ChangeLog + +# install /usr/lib/tmpfiles.d/squid.conf +mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} +cat > 
${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf </dev/null 2>&1; then + /usr/sbin/groupadd -g 23 squid +fi + +if ! getent passwd squid >/dev/null 2>&1 ; then + /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 +fi + +for i in /var/log/squid /var/spool/squid ; do + if [ -d $i ] ; then + for adir in `find $i -maxdepth 0 \! -user squid`; do + chown -R squid:squid $adir + done + fi +done + +exit 0 + +%pretrans -p +-- Due to a bug #447156 +paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} +for key,path in ipairs(paths) +do + st = posix.stat(path) + if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end + end +end + +%post +%systemd_post squid.service + +%preun +%systemd_preun squid.service + +%postun +%systemd_postun_with_restart squid.service + +%triggerin -- samba-common +if ! 
getent group wbpriv >/dev/null 2>&1 ; then + /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : +fi +/usr/sbin/usermod -a -G wbpriv squid >/dev/null 2>&1 || \ + chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : + + +%changelog +* Wed Apr 29 2020 Lubos Uhliarik - 7:4.4-8.1 +- Resolves: #1828368 - CVE-2019-12519 squid: improper check for new member in + ESIExpression::Evaluate allows for stack buffer overflow +- Resolves: #1828367 - CVE-2020-11945 squid: improper access restriction upon + Digest Authentication nonce replay could lead to remote code execution +- Resolves: #1829402 - CVE-2019-12525 squid:4/squid: parsing of header + Proxy-Authentication leads to memory corruption + +* Fri Aug 23 2019 Lubos Uhliarik - 7:4.4-8 +- Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow + in HttpHeader::getAuth + +* Wed Jul 31 2019 Lubos Uhliarik - 7:4.4-7 +- Resolves: #1729436 - CVE-2019-13345 squid: XSS via user_name or auth parameter + in cachemgr.cgi + +* Fri Jun 21 2019 Lubos Uhliarik - 7:4.4-6 +- Resolves: #1679526 - Missing detailed configuration file +- Resolves: #1703117 - RHEL 7 to 8 fails with squid installed because dirs + changed to symlinks +- Resolves: #1691741 - Squid cache_peer DNS lookup failed when not all lower + case +- Resolves: #1683527 - "Reloading" message on a fresh reboot after enabling + squid + +* Tue Dec 11 2018 Lubos Uhliarik - 7:4.4-4 +- Resolves: #1612524 - Man page scan results for squid + +* Tue Dec 11 2018 Lubos Uhliarik - 7:4.4-3 +- Resolves: #1642384 - squid doesn't work with active ftp + +* Tue Dec 11 2018 Lubos Uhliarik - 7:4.4-2 +- Resolves: #1657847 - Unable to start Squid in Selinux Enforcing mode + +* Mon Dec 10 2018 Lubos Uhliarik - 7:4.4-1 +- Resolves: #1656871 - squid rebase to 4.4 +- Resolves: #1645148 - CVE-2018-19131 squid: Cross-Site Scripting when + generating HTTPS response messages about TLS errors +- Resolves: #1645156 - CVE-2018-19132 squid: Memory leak in SNMP query + 
rejection code + +* Mon Aug 06 2018 Lubos Uhliarik - 7:4.2-1 +- new version 4.2 +- enable back strict error checking + +* Wed Aug 01 2018 Luboš Uhliarik - 7:4.1-1 +- new version 4.1 + +* Mon Jun 04 2018 Luboš Uhliarik - 7:4.0.23-5 +- Resolves: #1585617 - Build against libdb only instead of libdb4 +- disabled strict checking for now (squid can not be built with GCC8) + +* Mon Apr 16 2018 Luboš Uhliarik - 7:4.0.23-4 +- Resolves: #1566055 - module squid cannot be installed due to missing + perl(Crypt::OpenSSL::X509) + +* Fri Feb 09 2018 Fedora Release Engineering - 7:4.0.23-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 23 2018 Luboš Uhliarik - 7:4.0.23-2 +- Resolves: #1481195 - squid loses some REs when optimising ACLs + +* Tue Jan 23 2018 Luboš Uhliarik - 7:4.0.23-1 +- new version 4.0.23 + +* Sat Jan 20 2018 Björn Esser - 7:4.0.22-2 +- Rebuilt for switch to libxcrypt + +* Wed Jan 17 2018 Luboš Uhliarik - 7:4.0.22-1 +- new version 4.0.22 +- Removed NIS helper (#1531540) + +* Mon Aug 07 2017 Luboš Uhliarik - 7:4.0.21-1 +- new version 4.0.21 + +* Thu Aug 03 2017 Fedora Release Engineering - 7:4.0.20-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 7:4.0.20-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jun 05 2017 Luboš Uhliarik - 7:4.0.20-2 +- related: new version 4.0.20 + +* Mon Jun 05 2017 Luboš Uhliarik - 7:4.0.20-1 +- new version 4.0.20 + +* Tue Apr 25 2017 Luboš Uhliarik - 7:4.0.19-4 +- Related: #1445255 - Squid SMP Mode Fails + +* Tue Apr 25 2017 Luboš Uhliarik - 7:4.0.19-3 +- Resolves: #1445255 - Squid SMP Mode Fails + +* Tue Apr 18 2017 Luboš Uhliarik - 7:4.0.19-2 +- Resolves: #1442375 - squid helper squid_kerb_ldap not included in package + +* Mon Apr 03 2017 Luboš Uhliarik - 7:4.0.19-1 +- new version 4.0.19 + +* Thu Mar 30 2017 Luboš Uhliarik - 7:4.0.18-1 +- new version 4.0.18 + +* Sat Feb 11 2017 Fedora 
Release Engineering - 7:4.0.17-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Luboš Uhliarik - 7:4.0.17-1 +- new version 4.0.17 + +* Mon Oct 31 2016 Luboš Uhliarik - 7:4.0.16-1 +- new version 4.0.16 + +* Mon Oct 10 2016 Luboš Uhliarik - 7:4.0.15-1 +- new version 4.0.15 + +* Mon Sep 12 2016 Luboš Uhliarik - 7:4.0.14-1 +- new version 4.0.14 + +* Tue Aug 09 2016 Luboš Uhliarik - 7:4.0.13-1 +- new version 4.0.13 + +* Mon Jul 11 2016 Henrik Nordstrom - 7:4.0.11-1 +- new version 4.0.11 + +* Wed May 18 2016 Luboš Uhliarik - 7:3.5.19-2 +- Resolves: #1336993 - Mistyped command in dirname + /etc/NetworkManager/dispatcher.d/20-squid + +* Tue May 10 2016 Luboš Uhliarik - 7:3.5.19-1 +- new version 3.5.19 + +* Thu May 05 2016 Luboš Uhliarik - 7:3.5.17-1 +- new version 3.5.17 + +* Tue Apr 05 2016 Luboš Uhliarik - 7:3.5.16-1 +- new version 3.5.16 + +* Tue Mar 01 2016 Luboš Uhliarik - 7:3.5.15-1 +- new version 3.5.15 +- Resolves: #1311585 - squid: Multiple Denial of Service issues in + HTTP Response processing +- Resolves: #1312267 - squid: SQUID-2016_2 advisory, multiple DoS issues + +* Tue Mar 01 2016 Luboš Uhliarik - 7:3.5.13-3 +- Resolves: #1308866 - CVE-2016-2390 squid: incorrect server error + handling resulting in denial of service + +* Fri Feb 05 2016 Fedora Release Engineering - 7:3.5.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 08 2016 Luboš Uhliarik - 7:3.5.13-1 +- new version 3.5.13 + +* Thu Dec 03 2015 Luboš Uhliarik - 7:3.5.12-2 +- new version 3.5.12 + +* Fri Sep 25 2015 Luboš Uhliarik - 7:3.5.9-3 +- Resolves: #1231992 + +* Fri Sep 25 2015 Luboš Uhliarik - 7:3.5.9-2 +- Resolves: #1230501 + +* Thu Sep 24 2015 Luboš Uhliarik - 7:3.5.9-1 +- new version 3.5.9 +- added Patch, which fixes problem with include guards + +* Fri Jun 19 2015 Fedora Release Engineering - 7:3.5.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat May 02 2015 Kalev Lember - 7:3.5.3-4 
+- Rebuilt for GCC 5 C++11 ABI change + +* Tue Mar 31 2015 Pavel Šimerda - 7:3.5.3-3 +- Fix build by removing eDirectory support + +* Tue Mar 31 2015 Pavel Šimerda - 7:3.5.3-2 +- clean up defunct patches + +* Tue Mar 31 2015 Pavel Šimerda - 7:3.5.3-1 +- new version 3.5.3 + +* Mon Mar 23 2015 Pavel Šimerda - 7:3.5.2-4 +- Resolves: #1145235, #1173488, #1176318 – revert a couple of recent changes + +* Sun Mar 15 2015 Henrik Nordstrom - 7:3.5.2-3 +- Correct execmod build issue caused by libtool confusion on + required compiler flags + +* Sun Mar 15 2015 Henrik Nordstrom - 7:3.5.2-2 +- Update to latest upstream version 3.5.2 +- Remove deprecated (and renamed) squid_msnt_auth basic auth helper. Only + performs LM authentication and not considered useful in todays networks. + +* Wed Feb 25 2015 Henrik Nordstrom - 7:3.4.12-1 +- Update to latest upstream version 3.4.12 +- bug #1173946: Disable -march=native compile time optimization, use Fedora defaults. + +* Tue Nov 18 2014 Henrik Nordstrom - 7:3.4.9-3 +- Update to latest upstream version 3.4.9 + +* Sun Oct 19 2014 Peter Robinson 7:3.4.7-3 +- Update ppc64 macro to cover little endian too + +* Thu Sep 11 2014 Michal Luscon - 7:3.4.7-2 +- Fixed: CVE-2014-6270 + +* Thu Aug 28 2014 Michal Luscon - 7:3.4.7-1 +- Update to latest upstream version +- Fixed: CVE-2014-3609 + +* Thu Aug 21 2014 Kevin Fenzi - 7:3.4.6-3 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 7:3.4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 2 2014 Michal Luscon - 7:3.4.6-1 +- Update to latest upstream version 3.4.6 + +* Fri Jun 13 2014 Michal Luscon - 7:3.4.5-6 +- Fixed #855111: set unlimited start and shutdown timeout + +* Sun Jun 08 2014 Michal Luscon - 7:3.4.5-5 +- Run squid under user and group squid + +* Sun Jun 08 2014 Fedora Release Engineering - 7:3.4.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue May 27 2014 Michal Luscon - 7:3.4.5-3 +- 
Remove sysvinit subpackage +- Enable rock store + +* Fri May 23 2014 Michal Luscon - 7:3.4.5-2 +- Fixed #1099970: missing /var/run/squid folder +- Reverted #1038160: breaks SMP mode + +* Tue May 6 2014 Michal Luscon - 7:3.4.5-1 +- Update to latest upstream version 3.4.5 + +* Fri Apr 25 2014 Michal Luscon - 7:3.4.4.2-1 +- Update to latest upstream version 3.4.4.2 + +* Thu Mar 13 2014 Pavel Šimerda - 7:3.4.4-1 +- bump to 3.4.4 + +* Tue Feb 04 2014 Henrik Nordstrom - 7:3.4.3-1 +- Update to latest upstream bugfix version 3.4.3 + +* Mon Jan 06 2014 Pavel Šimerda - 7:3.4.1-2 +- Resolves: #1038160 - avoid running squid's own supervisor process + +* Mon Dec 30 2013 Michal Luscon - 7:3.4.1-1 +- Rebase to latest stable upstream release 3.4.1 +- Fixed #1034306: fails to build for AArch64 +- Fixed: active ftp + +* Tue Dec 03 2013 Henrik Nordstrom - 7:3.3.11-1 +- Update to latest upstream bugfix version 3.3.11 + +* Fri Sep 13 2013 Michal Luscon - 7:3.3.9-1 +- Update to latest upstream version 3.3.9 +- Fixed #976815: file descriptors are hard coded to 16384 +- Fixed: active ftp crashing +- Fixed: offset of patches + +* Thu Aug 08 2013 Michal Luscon - 7:3.3.8-3 +- Fixed #994814: enable time_quota helper + +* Sun Aug 04 2013 Fedora Release Engineering - 7:3.3.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Michal Luscon - 7:3.3.8-1 +- Update to latest upstream version 3.3.8 +- Fixed: CVE-2013-4123 +- Fixed: CVE-2013-4115 + +* Wed Jul 17 2013 Petr Pisar - 7:3.3.4-3 +- Perl 5.18 rebuild + +* Wed May 8 2013 Ville Skyttä - 7:3.3.4-2 +- Fix basic auth and log daemon DB helper builds. +- Use xz compressed tarball, fix source URLs. +- Fix bogus dates in %%changelog. 
+ +* Fri May 3 2013 Michal Luscon - 7:3.3.4-1 +- Rebase to latest upstream version 3.3.4 + +* Tue Apr 23 2013 Michal Luscon - 7:3.2.9-3 +- Option '-k' is not stated in squidclient man +- Remove pid from service file(#913262) + +* Fri Apr 19 2013 Michal Luscon - 7:3.2.9-2 +- Enable full RELRO (-Wl,-z,relro -Wl,-z,now) + +* Tue Mar 19 2013 Michal Luscon - 7:3.2.9-1 +- Update to latest upstream version 3.2.9 +- Fixed: CVE-2013-1839 +- Removed: makefile-patch (+make check) + +* Mon Mar 11 2013 Michal Luscon - 7:3.2.8-3 +- Resolved: /usr move - squid service file + +* Sat Mar 09 2013 Michal Luscon - 7:3.2.8-2 +- Resolved: #896127 - basic_ncsa_auth does not work + +* Fri Mar 08 2013 Michal Luscon - 7:3.2.8-1 +- Update to latest upstream version 3.2.8 +- Fixed rawhide build issues (-make check) + +* Thu Feb 07 2013 Michal Luscon - 7:3.2.7-1 +- Update to latest upstream version 3.2.7 + +* Thu Jan 24 2013 Michal Luscon - 7:3.2.5-2 +- CVE-2013-0189: Incomplete fix for the CVE-2012-5643 + +* Mon Dec 17 2012 Michal Luscon - 7:3.2.5-1 +- Update to latest upstream version 3.2.5 + +* Mon Nov 05 2012 Michal Luscon - 7:3.2.3-3 +- Resolved: #71483 - httpd 2.4 requires new configuration directives + +* Fri Oct 26 2012 Michal Luscon - 7:3.2.3-2 +- Resolved: #854356 - squid.service use PIDFile +- Resolved: #859393 - Improve cache_swap script +- Resolved: #791129 - disk space warning +- Resolved: #862252 - reload on VPN or network up/down +- Resolved: #867531 - run test suite during build +- Resolved: #832684 - missing after dependency nss-lookup.target +- Removed obsolete configure options + +* Mon Oct 22 2012 Tomas Hozza - 7:3.2.3-1 +- Update to latest upstream version 3.2.3 + +* Tue Oct 16 2012 Tomas Hozza - 7:3.2.2-1 +- Update to latest upstream version 3.2.2 + +* Fri Oct 05 2012 Tomas Hozza - 7:3.2.1-2 +- Introduced new systemd-rpm macros in squid spec file. 
(#850326)
+
+* Wed Aug 29 2012 Michal Luscon - 7:3.2.1-1
+- Update to latest upstream 3.2.1
+
+* Sat Jul 21 2012 Fedora Release Engineering - 7:3.2.0.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Apr 02 2012 Henrik Nordstrom - 7:3.2.0.16-2
+- Enable SSL CRTD for ssl bump
+
+* Wed Mar 07 2012 Henrik Nordstrom - 7:3.2.0.16-1
+- Upstream 3.2.0.16 bugfix release
+
+* Tue Feb 28 2012 Fedora Release Engineering - 7:3.2.0.15-2
+- Rebuilt for c++ ABI breakage
+
+* Mon Feb 06 2012 Henrik Nordstrom - 7:3.2.0.15-1
+- Upstream 3.2.0.15 bugfix release
+
+* Wed Feb 01 2012 Henrik Nordstrom - 7:3.2.0.14-7
+- update with upstreamed patch versions
+
+* Tue Jan 17 2012 Henrik Nordstrom - 7:3.2.0.14-6
+- upstream gcc-4.7 patch
+- fix for bug #772483 running out of memory, mem_node growing out of bounds
+
+* Mon Jan 16 2012 Jiri Skala - 7:3.2.0.14-5
+- fixes FTBFS due to gcc-4.7
+
+* Fri Jan 13 2012 Jiri Skala - 7:3.2.0.14-4
+- fixes #772481 - Low number of open files for squid process
+- fixes FTBFS due to gcc4.7
+
+* Thu Jan 05 2012 Henrik Nordstrom - 3.2.0.14-3
+- rebuild for gcc-4.7.0
+
+* Mon Dec 19 2011 Jiri Skala - 7:3.2.0.14-2
+- fixes #768586 - Please enable eCAP support again
+
+* Wed Dec 14 2011 Jiri Skala - 7:3.2.0.14-1
+- update to latest upstream 3.2.0.14
+
+* Mon Nov 07 2011 Jiri Skala - 7:3.2.0.13-5
+- fixes #751679 - host_strict_verify setting inverted in squid.conf
+
+* Thu Nov 03 2011 Jiri Skala - 7:3.2.0.13-4
+- fixes #750550 - Squid might depend on named
+
+* Wed Oct 26 2011 Jiri Skala - 7:3.2.0.13-3
+- added upstream fix for #747125
+
+* Wed Oct 26 2011 Jiri Skala - 7:3.2.0.13-2
+- fixes #747103 - squid does not start if /var/spool/squid is empty
+- fixes #747110 - squid does not start adding "memory_pools off"
+
+* Mon Oct 17 2011 Jiri Skala - 7:3.2.0.13-1
+- update to latest upstream 3.2.0.13
+
+* Tue Sep 20 2011 Jiri Skala - 7:3.2.0.12-1
+- update to latest upstream 3.2.0.12
+
+* Mon Aug 29 2011 Henrik Nordstrom - 
7:3.2.0.11-3
+- update to latest upstream 3.2.0.11
+
+* Sat Aug 27 2011 Henrik Nordstrom - 7:3.2.0.10-3
+- Fix for SQUID-2011:3 Gopher vulnerability
+
+* Thu Aug 18 2011 Jiri Skala - 7:3.2.0.10-2
+- rebuild for rpm
+
+* Mon Aug 01 2011 Jiri Skala - 7:3.2.0.10-1
+- update to latest upsteam 3.2.0.10
+
+* Mon Aug 01 2011 Jiri Skala - 7:3.2.0.9-2
+- rebuild for libcap
+
+* Tue Jun 07 2011 Jiri Skala - 7:3.2.0.9-1
+- upgrade to squid-3.2
+- fixes #720445 - Provide native systemd unit file
+- SysV initscript moved to subpackage
+- temproary disabled eCap
+
+* Wed May 18 2011 Jiri Skala - 7:3.1.12-3
+- enabled eCAP support
+
+* Wed May 04 2011 Jiri Skala - 7:3.1.12-2
+- applied corrections of unused patch (Ismail Dönmez)
+
+* Fri Apr 15 2011 Jiri Skala - 7:3.1.12-1
+- Update to 3.1.12 upstream release
+
+* Thu Feb 10 2011 Jiri Skala - 7:3.1.11-1
+- Update to 3.1.11 upstream release
+- fixes issue with unused variale after mass rebuild (gcc-4.6)
+
+* Wed Feb 09 2011 Fedora Release Engineering - 7:3.1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jan 06 2011 Jiri Skala - 7:3.1.10-1
+- Update to 3.1.10 upstream release
+
+* Fri Nov 05 2010 Jiri Skala - 7:3.1.9-5
+- rebuild for libxml2
+
+* Mon Nov 01 2010 Jiri Skala - 7:3.1.9-4
+- fixes #647967 - build with -fPIE option back and dropped proper libltdl usage
+
+* Sat Oct 30 2010 Henrik Nordstrom - 7:3.1.9-3
+- Bug #647967 - License clarification & spec-file cleanup
+
+* Mon Oct 25 2010 Henrik Nordstrom 7:3.1.9-2
+- Upstream 3.1.9 bugfix release
+
+* Wed Oct 13 2010 Jiri Skala - 7:3.1.8-2
+- fixes #584161 - squid userid not added to wbpriv group
+
+* Sun Sep 05 2010 Henrik Nordstrom - 7:3.1.8-1
+- Bug #630445: SQUID-2010:3 Denial of service issue
+
+* Tue Aug 24 2010 Henrik Nordstrom - 7:3.1.7-1
+- Upstream 3.1.7 bugfix release
+
+* Fri Aug 20 2010 Henrik Nordstrom - 7:3.1.6-1
+- Upstream 3.1.6 bugfix release
+- Build with system libtool-ltdl
+
+* Thu Jul 15 2010 Henrik Nordstrom - 
7:3.1.5-2 +- Upstream 3.1.5 bugfix release +- Upstream patch for Bug #614665: Squid crashes with ident auth +- Upstream patches for various memory leaks + +* Mon May 31 2010 Henrik Nordstrom - 7:3.1.4-2 +- Correct case-insensitiveness in HTTP list header parsing + +* Sun May 30 2010 Henrik Nordstrom - 7:3.1.4-1 +- Upstream 3.1.4 bugfix release, issues relating to IPv6, TPROXY, Memory + management, follow_x_forwarded_for, and stability fixes + +* Fri May 14 2010 Henrik Nordstrom - 7:3.1.3-2 +- Fully fix #548903 - "comm_open: socket failure: (97) Address family not supported by protocol" if IPv6 disabled +- Various IPv6 related issues fixed, making tcp_outgoing_address behave + as expected and no commResetFD warnings when using tproxy setups. + +* Sun May 02 2010 Henrik Nordstrom - 7:3.1.3-1 +- Update to 3.1.3 Upstream bugfix release, fixing WCCPv1 + +* Mon Apr 19 2010 Henrik Nordstrom - 7:3.1.1-4 +- Bug #583489: Adjust logrotate script to changes in logrotate package. + +* Mon Apr 19 2010 Jiri Skala +- fixes #548903 - "comm_open: socket failure: (97) Address family not supported by protocol" if IPv6 disabled + +* Tue Mar 30 2010 Henrik Nordstrom - 7:3.1.1-2 +- Update to 3.1.1 Squid bug #2827 crash with assertion failed: + FilledChecklist.cc:90: "conn() != NULL" under high load. + +* Mon Mar 15 2010 Henrik Nordstrom - 7:3.1.0.18-1 +- Upgrade to 3.1.0.18 fixing Digest authentication and improved HTTP/1.1 support + +* Sun Feb 28 2010 Henrik Nordstrom - 7:3.1.0.17-3 +- Bug 569120, fails to open unbound ipv4 listening sockets + +* Thu Feb 25 2010 Henrik Nordstrom - 7:3.1.0.17-2 +- Upgrade to 3.1.0.17 + +* Thu Feb 18 2010 Henrik Nordstrom - 7:3.1.0.16-7 +- Workaround for Fedora-13 build failure + +* Sun Feb 14 2010 Henrik Nordstrom - 7:3.1.0.16-6 +- Patch for Squid security advisory SQUID-2010:2, denial of service + issue in HTCP processing (CVE-2010-0639) + +* Sun Feb 07 2010 Henrik Nordstrom - 7:3.1.0.16-5 +- Rebuild 3.1.0.16 with corrected upstream release. 
+ +* Wed Feb 03 2010 Jiri Skala - 7:3.1.0.16-4 +- spec file modified to be fedora packaging guidline compliant +- little shifting lines in init script header due to rpmlint complaint +- fixes assertion during start up + +* Mon Feb 01 2010 Henrik Nordstrom 7:3.1.0.16-3 +- Upgrade to 3.1.0.16 for DNS related DoS fix (Squid-2010:1) + +* Sat Jan 09 2010 Henrik Nordstrom - 7:3.1.0.15-3 +- fixed #551302 PROXY needs libcap. Also increases security a little. +- merged relevant upstream bugfixes waiting for next 3.1 release + +* Mon Nov 23 2009 Henrik Nordstrom - 7:3.1.0.15-2 +- Update to 3.1.0.15 with a number of bugfixes and a workaround for + ICEcast/SHOUTcast streams. + +* Mon Nov 23 2009 Jiri Skala 7:3.1.0.14-2 +- fixed #532930 Syntactic error in /etc/init.d/squid +- fixed #528453 cannot initialize cache_dir with user specified config file + +* Sun Sep 27 2009 Henrik Nordstrom - 7:3.1.0.14-1 +- Update to 3.1.0.14 + +* Sat Sep 26 2009 Henrik Nordstrom - 7:3.1.0.13-7 +- Include upstream patches fixing important operational issues +- Enable ESI support now that it does not conflict with normal operation + +* Fri Sep 18 2009 Henrik Nordstrom - 7:3.1.0.13-6 +- Rotate store.log if enabled + +* Wed Sep 16 2009 Tomas Mraz - 7:3.1.0.13-5 +- Use password-auth common PAM configuration instead of system-auth + +* Tue Sep 15 2009 Jiri Skala - 7:3.1.0.13-4 +- fixed #521596 - wrong return code of init script + +* Tue Sep 08 2009 Henrik Nordstrom - 7:3.1.0.13-3 +- Enable squid_kerb_auth + +* Mon Sep 07 2009 Henrik Nordstrom - 7:3.1.0.13-2 +- Cleaned up packaging to ease future maintenance + +* Fri Sep 04 2009 Henrik Nordstrom - 7:3.1.0.13-1 +- Upgrade to next upstream release 3.1.0.13 with many new features + * IPv6 support + * NTLM-passthru + * Kerberos/Negotiate authentication scheme support + * Localized error pages based on browser language preferences + * Follow X-Forwarded-For capability + * and more.. 
+ +* Mon Aug 31 2009 Henrik Nordstrom - 3.0.STABLE18-3 +- Bug #520445 silence logrotate when Squid is not running + +* Fri Aug 21 2009 Tomas Mraz - 7:3.0.STABLE18-2 +- rebuilt with new openssl + +* Tue Aug 04 2009 Henrik Nordstrom - 7:3.0.STABLE18-1 +- Update to 3.0.STABLE18 + +* Sat Aug 01 2009 Henrik Nordstrom - 7:3.0.STABLE17-3 +- Squid Bug #2728: regression: assertion failed: http.cc:705: "!eof" + +* Mon Jul 27 2009 Henrik Nordstrom - 7:3.0.STABLE17-2 +- Bug #514014, update to 3.0.STABLE17 fixing the denial of service issues + mentioned in Squid security advisory SQUID-2009_2. + +* Sun Jul 26 2009 Fedora Release Engineering - 7:3.0.STABLE16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 01 2009 Jiri Skala 7:3.0.STABLE16-2 +- fixed patch parameter of bXXX patches + +* Mon Jun 29 2009 Henrik Nordstrom - 7:3.0.STABLE16-1 +- Upgrade to 3.0.STABLE16 + +* Sat May 23 2009 Henrik Nordstrom - 7:3.0.STABLE15-2 +- Bug #453304 - Squid requires restart after Network Manager connection setup + +* Sat May 09 2009 Henrik Nordstrom - 7:3.0.STABLE15-1 +- Upgrade to 3.0.STABLE15 + +* Tue Apr 28 2009 Jiri Skala - 7:3.0.STABLE14-3 +- fixed ambiguous condition in the init script (exit 4) + +* Mon Apr 20 2009 Henrik Nordstrom - 7:3.0.STABLE14-2 +- Squid bug #2635: assertion failed: HttpHeader.cc:1196: "Headers[id].type == ftInt64" + +* Sun Apr 19 2009 Henrik Nordstrom - 7:3.0.STABLE14-1 +- Upgrade to 3.0.STABLE14 + +* Fri Mar 06 2009 Henrik Nordstrom - 7:3.0.STABLE13-2 +- backported logfile.cc syslog parameters patch from 3.1 (b9443.patch) +- GCC-4.4 workaround in src/wccp2.cc + +* Wed Feb 25 2009 Fedora Release Engineering - 7:3.0.STABLE13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Feb 5 2009 Jonathan Steffan - 7:3.0.STABLE13-1 +- upgrade to latest upstream + +* Tue Jan 27 2009 Henrik Nordstrom - 7:3.0.STABLE12-1 +- upgrade to latest upstream + +* Sun Jan 18 2009 Tomas Mraz - 7:3.0.STABLE10-4 +- rebuild with 
new openssl + +* Fri Dec 19 2008 Henrik Nordstrom - 7:3.0.STABLE10-3 +- actually include the upstream bugfixes in the build + +* Fri Dec 19 2008 Henrik Nordstrom - 7:3.0.STABLE10-2 +- upstream bugfixes for cache corruption and access.log response size errors + +* Fri Oct 24 2008 Henrik Nordstrom - 7:3.0.STABLE10-1 +- upgrade to latest upstream + +* Sun Oct 19 2008 Henrik Nordstrom - 7:3.0.STABLE9-2 +- disable coss support, not officially supported in 3.0 + +* Sun Oct 19 2008 Henrik Nordstrom - 7:3.0.STABLE9-1 +- update to latest upstream + +* Thu Oct 09 2008 Henrik Nordstrom - 7:3.0.STABLE7-4 +- change logrotate to move instead of copytruncate + +* Wed Oct 08 2008 Jiri Skala - 7:3.0.STABLE7-3 +- fix #465052 - FTBFS squid-3.0.STABLE7-1.fc10 + +* Thu Aug 14 2008 Jiri Skala - 7:3.0.STABLE7-2 +- used ncsa_auth.8 from man-pages. there will be this file removed due to conflict +- fix #458593 noisy initscript +- fix #463129 init script tests wrong conf file +- fix #450352 - build.patch patches only generated files + +* Wed Jul 02 2008 Jiri Skala - 7:3.0.STABLE7-1 +- update to latest upstream +- fix #453214 + +* Mon May 26 2008 Martin Nagy - 7:3.0.STABLE6-2 +- fix bad allocation + +* Wed May 21 2008 Martin Nagy - 7:3.0.STABLE6-1 +- upgrade to latest upstream +- fix bad allocation + +* Fri May 09 2008 Martin Nagy - 7:3.0.STABLE5-2 +- fix configure detection of netfilter kernel headers (#435499), + patch by aoliva@redhat.com +- add support for negotiate authentication (#445337) + +* Fri May 02 2008 Martin Nagy - 7:3.0.STABLE5-1 +- upgrade to latest upstream + +* Tue Apr 08 2008 Martin Nagy - 7:3.0.STABLE4-1 +- upgrade to latest upstream + +* Thu Apr 03 2008 Martin Nagy - 7:3.0.STABLE2-2 +- add %%{optflags} to make +- remove warnings about unused return values + +* Thu Mar 13 2008 Martin Nagy - 7:3.0.STABLE2-1 +- upgrade to latest upstream 3.0.STABLE2 +- check config file before starting (#428998) +- whitespace unification of init script +- some minor path changes in the 
QUICKSTART file +- configure with the --with-filedescriptors=16384 option + +* Tue Feb 26 2008 Martin Nagy - 7:3.0.STABLE1-3 +- change the cache_effective_group default back to none + +* Mon Feb 11 2008 Martin Nagy - 7:3.0.STABLE1-2 +- rebuild for 4.3 + +* Wed Jan 23 2008 Martin Nagy - 7:3.0.STABLE1-1 +- upgrade to latest upstream 3.0.STABLE1 + +* Tue Dec 04 2007 Martin Bacovsky - 2.6.STABLE17-1 +- upgrade to latest upstream 2.6.STABLE17 + +* Wed Oct 31 2007 Martin Bacovsky - 7:2.6.STABLE16-3 +- arp-acl was enabled + +* Tue Sep 25 2007 Martin Bacovsky - 7:2.6.STABLE16-2 +- our fd_config patch was replaced by upstream's version +- Source1 (FAQ.sgml) points to local source (upstream's moved to wiki) + +* Fri Sep 14 2007 Martin Bacovsky - 7:2.6.STABLE16-1 +- upgrade to latest upstream 2.6.STABLE16 + +* Wed Aug 29 2007 Fedora Release Engineering - 7:2.6.STABLE14-2 +- Rebuild for selinux ppc32 issue. + +* Thu Jul 19 2007 Martin Bacovsky - 7:2.6.STABLE14-1 +- update to latest upstream 2.6.STABLE14 +- resolves: #247064: Initscript Review + +* Tue Mar 27 2007 Martin Bacovsky - 7:2.6.STABLE12-1 +- update to latest upstream 2.6.STABLE12 +- Resolves: #233913: squid: unowned directory + +* Mon Feb 19 2007 Martin Bacovsky - 7:2.6.STABLE9-2 +- Resolves: #226431: Merge Review: squid + +* Mon Jan 29 2007 Martin Bacovsky - 7:2.6.STABLE9-1 +- update to the latest upstream + +* Sun Jan 14 2007 Martin Stransky - 7:2.6.STABLE7-1 +- update to the latest upstream + +* Tue Dec 12 2006 Martin Stransky - 7:2.6.STABLE6-1 +- update to the latest upstream + +* Mon Nov 6 2006 Martin Stransky - 7:2.6.STABLE5-1 +- update to the latest upstream + +* Thu Oct 26 2006 Martin Stransky - 7:2.6.STABLE4-4 +- added fix for #205568 - marked cachemgr.conf as world readable + +* Wed Oct 25 2006 Martin Stransky - 7:2.6.STABLE4-3 +- added fix for #183869 - squid can abort when getting status +- added upstream fixes: + * Bug #1796: Assertion error HttpHeader.c:914: "str" + * Bug #1779: Delay pools fairness, 
correction to first patch + * Bug #1802: Crash on exit in certain conditions where cache.log is not writeable + * Bug #1779: Delay pools fairness when multiple connections compete for bandwidth + * Clarify the select/poll/kqueue/epoll configure --enable/disable options +- reworked fd patch for STABLE4 + +* Tue Oct 17 2006 Martin Stransky - 7:2.6.STABLE4-2 +- upstream fixes: + * Accept 00:00-24:00 as a valid time specification (upstream BZ #1794) + * aioDone() could be called twice + * Squid reconfiguration (upstream BZ #1800) + +* Mon Oct 2 2006 Martin Stransky - 7:2.6.STABLE4-1 +- new upstream +- fixes from upstream bugzilla, items #1782,#1780,#1785,#1719,#1784,#1776 + +* Tue Sep 5 2006 Martin Stransky - 7:2.6.STABLE3-2 +- added upstream patches for ACL + +* Mon Aug 21 2006 Martin Stransky - 7:2.6.STABLE3-1 +- the latest stable upstream + +* Thu Aug 10 2006 Karsten Hopp 7:2.6.STABLE2-3 +- added some requirements for pre/post install scripts + +* Fri Aug 04 2006 Martin Stransky - 7:2.6.STABLE2-2 +- added patch for #198253 - squid: don't chgrp another pkg's + files/directory + +* Mon Jul 31 2006 Martin Stransky - 7:2.6.STABLE2-1 +- the latest stable upstream +- reworked fd config patch + +* Tue Jul 25 2006 Martin Stransky - 7:2.6.STABLE1-3 +- the latest CVS upstream snapshot + +* Wed Jul 19 2006 Martin Stransky - 7:2.6.STABLE1-2 +- the latest CVS snapshot + +* Tue Jul 18 2006 Martin Stransky - 7:2.6.STABLE1-1 +- new upstream + the latest CVS snapshot from 2006/07/18 +- updated fd config patch +- enabled epoll +- fixed release format (#197405) +- enabled WCCPv2 support (#198642) + +* Wed Jul 12 2006 Jesse Keating - 7:2.5.STABLE14-2.1 +- rebuild + +* Thu Jun 8 2006 Martin Stransky - 7:2.5.STABLE14-2 +- fix for squid BZ#1511 - assertion failed: HttpReply.c:105: "rep" + +* Tue May 30 2006 Martin Stransky - 7:2.5.STABLE14-1 +- update to new upstream + +* Sun May 28 2006 Martin Stransky - 7:2.5.STABLE13-5 +- fixed libbind patch (#193298) + +* Wed May 3 2006 Martin 
Stransky - 7:2.5.STABLE13-4 +- added extra group check (#190544) + +* Wed Mar 29 2006 Martin Stransky - 7:2.5.STABLE13-3 +- improved pre script (#187217) - added group switch + +* Thu Mar 23 2006 Martin Stransky - 7:2.5.STABLE13-2 +- removed "--with-large-files" on 64bit arches + +* Mon Mar 13 2006 Martin Stransky - 7:2.5.STABLE13-1 +- update to new upstream + +* Fri Feb 10 2006 Jesse Keating - 7:2.5.STABLE12-5.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Martin Stransky - 7:2.5.STABLE12-5 +- new upstream patches + +* Tue Feb 07 2006 Jesse Keating - 7:2.5.STABLE12-4.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Wed Dec 28 2005 Martin Stransky 7:2.5.STABLE12-4 +- added follow-xff patch (#176055) +- samba path fix (#176659) + +* Mon Dec 19 2005 Martin Stransky 7:2.5.STABLE12-3 +- fd-config.patch clean-up +- SMB_BadFetch patch from upstream + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Nov 28 2005 Martin Stransky 7:2.5.STABLE12-2 +- rewriten patch squid-2.5.STABLE10-64bit.patch, it works with + "--with-large-files" option now +- fix for #72896 - squid does not support > 1024 file descriptors, + new "--enable-fd-config" option for it. 
+ +* Wed Nov 9 2005 Martin Stransky 7:2.5.STABLE12-1 +- update to STABLE12 +- setenv patch + +* Mon Oct 24 2005 Martin Stransky 7:2.5.STABLE11-6 +- fix for delay pool from upstream + +* Thu Oct 20 2005 Martin Stransky 7:2.5.STABLE11-5 +- fix for #171213 - CVE-2005-3258 Squid crash due to malformed FTP response +- more fixes from upstream + +* Fri Oct 14 2005 Martin Stransky 7:2.5.STABLE11-4 +- enabled support for large files (#167503) + +* Thu Oct 13 2005 Tomas Mraz 7:2.5.STABLE11-3 +- use include instead of pam_stack in pam config + +* Thu Sep 29 2005 Martin Stransky 7:2.5.STABLE11-2 +- added patch for delay pools and some minor fixes + +* Fri Sep 23 2005 Martin Stransky 7:2.5.STABLE11-1 +- update to STABLE11 + +* Mon Sep 5 2005 Martin Stransky 7:2.5.STABLE10-4 +- Three upstream patches for #167414 +- Spanish and Greek messages +- patch for -D_FORTIFY_SOURCE=2 + +* Tue Aug 30 2005 Martin Stransky 7:2.5.STABLE10-3 +- removed "--enable-truncate" option (#165948) +- added "--enable-cache-digests" option (#102134) +- added "--enable-ident-lookups" option (#161640) +- some clean up (#165949) + +* Fri Jul 15 2005 Martin Stransky 7:2.5.STABLE10-2 +- pam_auth and ncsa_auth have setuid (#162660) + +* Thu Jul 7 2005 Martin Stransky 7:2.5.STABLE10-1 +- new upstream version +- enabled fakeauth utility (#154020) +- enabled digest authentication scheme (#155882) +- all error pages marked as config (#127836) +- patch for 64bit statvfs interface (#153274) +- added httpd config file for cachemgr.cgi (#112725) + +* Mon May 16 2005 Jay Fenlason 7:2.5.STABLE9-7 +- Upgrade the upstream -dns_query patch from -4 to -5 + +* Wed May 11 2005 Jay Fenlason 7:2.5.STABLE9-6 +- More upstream patches, including a fix for + bz#157456 CAN-2005-1519 DNS lookups unreliable on untrusted networks + +* Tue Apr 26 2005 Jay Fenlason 7:2.5.STABLE9-5 +- more upstream patches, including a fix for + CVE-1999-0710 cachemgr malicious use + +* Fri Apr 22 2005 Jay Fenlason 7:2.5.STABLE9-4 +- More upstream 
patches, including the fixed 2GB patch. +- include the -libbind patch, which prevents squid from using the optional + -lbind library, even if it's installed. + +* Tue Mar 15 2005 Jay Fenlason 7:2.5.STABLE9-2 +- New upstream version, with 14 upstream patches. + +* Wed Feb 16 2005 Jay Fenlason 7:2.5.STABLE8-2 +- new upstream version with 4 upstream patches. +- Reorganize spec file to apply upstream patches first + +* Tue Feb 1 2005 Jay Fenlason 7:2.5.STABLE7-4 +- Include two more upstream patches for security vulns: + bz#146783 Correct handling of oversized reply headers + bz#146778 CAN-2005-0211 Buffer overflow in WCCP recvfrom() call + +* Tue Jan 25 2005 Jay Fenlason 7:2.5.STABLE7-3 +- Include more upstream patches, including two for security holes. + +* Tue Jan 18 2005 Jay Fenlason 7:2.5.STABLE7-2 +- Add a triggerin on samba-common to make /var/cache/samba/winbindd_privileged + accessable so that ntlm_auth will work. It needs to be in this rpm, + because the Samba RPM can't assume the squid user exists. + Note that this will only work if the Samba RPM is recent enough to create + that directory at install time instead of at winbindd startup time. + That should be samba-common-3.0.0-15 or later. + This fixes bugzilla #103726 +- Clean up extra whitespace in this spec file. +- Add additional upstream patches. (Now 18 upstream patches). +- patch #112 closes CAN-2005-0096 and CAN-2005-0097, remote DOS security holes. +- patch #113 closes CAN-2005-0094, a remote buffer-overflow DOS security hole. +- patch #114 closes CAN-2005-0095, a remote DOS security hole. +- Remove the -nonbl (replaced by #104) and -close (replaced by #111) patches, since + they're now fixed by upstream patches. + +* Mon Oct 25 2004 Jay Fenlason 7:2.5.STABLE7-1 +- new upstream version, with 3 upstream patches. + Updated the -build and -config patches +- Include patch from Ulrich Drepper to more + intelligently close all file descriptors. 
+ +* Mon Oct 18 2004 Jay Fenlason 7:2.5.STABLE6-3 +- include patch from Ulrich Drepper to stop + problems with O_NONBLOCK. This closes #136049 + +* Tue Oct 12 2004 Jay Fenlason 7:2.5.STABLE6-2 +- Include fix for CAN-2004-0918 + +* Tue Sep 28 2004 Jay Fenlason 7:2.5.STABLE6-1 +- New upstream version, with 32 upstream patches. + This closes #133970, #133931, #131728, #128143, #126726 + +- Change the permissions on /etc/squid/squid.conf to 640. This closes + bugzilla #125007 + +* Mon Jun 28 2004 Jay Fenlason 7:2.5STABLE5-5 +- Merge current upstream patches. +- Fix the -pipe patch to have the correct name of the winbind pipe. + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Mon Apr 5 2004 Jay Fenlason 7:2.5.STABLE5-2 +- Include the first 10 upstream patches +- Add a patch for the correct location of the winbindd pipe. This closes + bugzilla #107561 +- Remove the change to ssl_support.c from squid-2.5.STABLE3-build patch + This closes #117851 +- Include /etc/pam.d/squid . This closes #113404 +- Include a patch to close #111254 (assignment in assert) +- Change squid.init to put output messages in /var/log/squid/squid.out + This closes #104697 +- Only useradd the squid user if it doesn't already exist, and error out + if the useradd fails. This closes #118718. + +* Tue Mar 2 2004 Jay Fenlason 7:2.5.STABLE5-1 +- New upstream version, obsoletes many patches. +- Fix --datadir passed to configure. Configure automatically adds /squid + so we shouldn't. +- Remove the problematic triggerpostun trigger, since is's broken, and FC2 + never shipped with that old version. +- add %%{?_smp_mflags} to make line. + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Mon Feb 23 2004 Tim Waugh +- Use ':' instead of '.' as separator for chown. + +* Fri Feb 20 2004 Jay Fenlason 7:2.5.STABLE4-3 +- Clean up the spec file to work on 64-bit platforms (use %%{_libdir} + instead of /usr/lib, etc) +- Make the release number in the changelog section agree with reality. +- use -fPIE rather than -fpie. 
s390 fails with just -fpie + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Feb 5 2004 Jay Fenlason +- Incorporate many upstream patches +- Include many spec file changes from D.Johnson + +* Tue Sep 23 2003 Jay Fenlason 7:2.5.STABLE4-1 +- New upstream version. +- Fix the Source: line in this spec file to point to the correct URL. +- redo the -location patch to work with the new upstream version. + +* Mon Jun 30 2003 Jay Fenlason 7:2.5.STABLE3-0 +- Spec file change to enable the nul storage module. bugzilla #74654 +- Upgrade to 2.5STABLE3 with current official patches. +- Added --enable-auth="basic,ntlm": closes bugzilla #90145 +- Added --with-winbind-auth-challenge: closes bugzilla #78691 +- Added --enable-useragent-log and --enable-referer-log, closes +- bugzilla #91884 +# - Changed configure line to enable pie +# (Disabled due to broken compilers on ia64 build machines) +#- Patched to increase the maximum number of file descriptors #72896 +#- (disabled for now--needs more testing) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Wed Jan 15 2003 Bill Nottingham 7:2.5.STABLE1-1 +- update to 2.5.STABLE1 + +* Wed Nov 27 2002 Tim Powers 7:2.4.STABLE7-5 +- remove unpackaged files from the buildroot + +* Tue Aug 27 2002 Nalin Dahyabhai 2.4.STABLE7-4 +- rebuild + +* Wed Jul 31 2002 Karsten Hopp +- don't raise an error if the config file is incomplete + set defaults instead (#69322, #70065) + +* Thu Jul 18 2002 Bill Nottingham 2.4.STABLE7-2 +- don't strip binaries + +* Mon Jul 8 2002 Bill Nottingham +- update to 2.4.STABLE7 +- fix restart (#53761) + +* Tue Jun 25 2002 Bill Nottingham +- add various upstream bugfix patches + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Fri Mar 22 2002 Bill Nottingham +- 2.4.STABLE6 +- turn off carp + +* Mon Feb 18 2002 Bill Nottingham +- 2.4.STABLE3 + patches +- turn off HTCP at request of maintainers +- leave SNMP enabled in the 
build, but disabled in the default config + +* Fri Jan 25 2002 Tim Powers +- rebuild against new libssl + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Mon Jan 07 2002 Florian La Roche +- require linuxdoc-tools instead of sgml-tools + +* Tue Sep 25 2001 Bill Nottingham +- update to 2.4.STABLE2 + +* Mon Sep 24 2001 Bill Nottingham +- add patch to fix FTP crash + +* Mon Aug 6 2001 Bill Nottingham +- fix uninstall (#50411) + +* Mon Jul 23 2001 Bill Nottingham +- add some buildprereqs (#49705) + +* Sun Jul 22 2001 Bill Nottingham +- update FAQ + +* Tue Jul 17 2001 Bill Nottingham +- own /etc/squid, /usr/lib/squid + +* Tue Jun 12 2001 Nalin Dahyabhai +- rebuild in new environment +- s/Copyright:/License:/ + +* Tue Apr 24 2001 Bill Nottingham +- update to 2.4.STABLE1 + patches +- enable some more configure options (#24981) +- oops, ship /etc/sysconfig/squid + +* Fri Mar 2 2001 Nalin Dahyabhai +- rebuild in new environment + +* Tue Feb 6 2001 Trond Eivind Glomsrød +- improve i18n +- make the initscript use the standard OK/FAILED + +* Tue Jan 23 2001 Bill Nottingham +- change i18n mechanism + +* Fri Jan 19 2001 Bill Nottingham +- fix path references in QUICKSTART (#15114) +- fix initscript translations (#24086) +- fix shutdown logic (#24234), patch from +- add /etc/sysconfig/squid for daemon options & shutdown timeouts +- three more bugfixes from the Squid people +- update FAQ.sgml +- build and ship auth modules (#23611) + +* Thu Jan 11 2001 Bill Nottingham +- initscripts translations + +* Mon Jan 8 2001 Bill Nottingham +- add patch to use mkstemp (greg@wirex.com) + +* Fri Dec 01 2000 Bill Nottingham +- rebuild because of broken fileutils + +* Sat Nov 11 2000 Bill Nottingham +- fix the acl matching cases (only need the second patch) + +* Tue Nov 7 2000 Bill Nottingham +- add two patches to fix domain ACLs +- add 2 bugfix patches from the squid people + +* Fri Jul 28 2000 Bill Nottingham +- clean up init script; fix condrestart +- update to STABLE4, more bugfixes 
+- update FAQ + +* Tue Jul 18 2000 Nalin Dahyabhai +- fix syntax error in init script +- finish adding condrestart support + +* Fri Jul 14 2000 Bill Nottingham +- move initscript back + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Thu Jul 6 2000 Bill Nottingham +- prereq /etc/init.d +- add bugfix patch +- update FAQ + +* Thu Jun 29 2000 Bill Nottingham +- fix init script + +* Tue Jun 27 2000 Bill Nottingham +- don't prereq new initscripts + +* Mon Jun 26 2000 Bill Nottingham +- initscript munging + +* Sat Jun 10 2000 Bill Nottingham +- rebuild for exciting FHS stuff + +* Wed May 31 2000 Bill Nottingham +- fix init script again (#11699) +- add --enable-delay-pools (#11695) +- update to STABLE3 +- update FAQ + +* Fri Apr 28 2000 Bill Nottingham +- fix init script (#11087) + +* Fri Apr 7 2000 Bill Nottingham +- three more bugfix patches from the squid people +- buildprereq jade, sgmltools + +* Sun Mar 26 2000 Florian La Roche +- make %%pre more portable + +* Thu Mar 16 2000 Bill Nottingham +- bugfix patches +- fix dependency on /usr/local/bin/perl + +* Sat Mar 4 2000 Bill Nottingham +- 2.3.STABLE2 + +* Mon Feb 14 2000 Bill Nottingham +- Yet More Bugfix Patches + +* Tue Feb 8 2000 Bill Nottingham +- add more bugfix patches +- --enable-heap-replacement + +* Mon Jan 31 2000 Cristian Gafton +- rebuild to fix dependencies + +* Fri Jan 28 2000 Bill Nottingham +- grab some bugfix patches + +* Mon Jan 10 2000 Bill Nottingham +- 2.3.STABLE1 (whee, another serial number) + +* Tue Dec 21 1999 Bernhard Rosenkraenzer +- Fix compliance with ftp RFCs + (http://www.wu-ftpd.org/broken-clients.html) +- Work around a bug in some versions of autoconf +- BuildPrereq sgml-tools - we're using sgml2html + +* Mon Oct 18 1999 Bill Nottingham +- add a couple of bugfix patches + +* Wed Oct 13 1999 Bill Nottingham +- update to 2.2.STABLE5. +- update FAQ, fix URLs. 
+
+* Sat Sep 11 1999 Cristian Gafton
+- transform restart in reload and add restart to the init script
+
+* Tue Aug 31 1999 Bill Nottingham
+- add squid user as user 23.
+
+* Mon Aug 16 1999 Bill Nottingham
+- initscript munging
+- fix conflict between logrotate & squid -k (#4562)
+
+* Wed Jul 28 1999 Bill Nottingham
+- put cachemgr.cgi back in /usr/lib/squid
+
+* Wed Jul 14 1999 Bill Nottingham
+- add webdav bugfix patch (#4027)
+
+* Mon Jul 12 1999 Bill Nottingham
+- fix path to config in squid.init (confuses linuxconf)
+
+* Wed Jul 7 1999 Bill Nottingham
+- 2.2.STABLE4
+
+* Wed Jun 9 1999 Dale Lovelace
+- logrotate changes
+- errors from find when /var/spool/squid or
+- /var/log/squid didn't exist
+
+* Thu May 20 1999 Bill Nottingham
+- 2.2.STABLE3
+
+* Thu Apr 22 1999 Bill Nottingham
+- update to 2.2.STABLE.2
+
+* Sun Apr 18 1999 Bill Nottingham
+- update to 2.2.STABLE1
+
+* Thu Apr 15 1999 Bill Nottingham
+- don't need to run groupdel on remove
+- fix useradd
+
+* Mon Apr 12 1999 Bill Nottingham
+- fix effective_user (bug #2124)
+
+* Mon Apr 5 1999 Bill Nottingham
+- strip binaries
+
+* Thu Apr 1 1999 Bill Nottingham
+- duh. adduser does require a user name.
+- add a serial number
+
+* Tue Mar 30 1999 Bill Nottingham
+- add an adduser in %%pre, too
+
+* Thu Mar 25 1999 Bill Nottingham
+- oog. 
chkconfig must be in %%preun, not %%postun + +* Wed Mar 24 1999 Bill Nottingham +- switch to using group squid +- turn off icmp (insecure) +- update to 2.2.DEVEL3 +- build FAQ docs from source + +* Tue Mar 23 1999 Bill Nottingham +- logrotate changes + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 4) + +* Wed Feb 10 1999 Bill Nottingham +- update to 2.2.PRE2 + +* Wed Dec 30 1998 Bill Nottingham +- cache & log dirs shouldn't be world readable +- remove preun script (leave logs & cache @ uninstall) + +* Tue Dec 29 1998 Bill Nottingham +- fix initscript to get cache_dir correct + +* Fri Dec 18 1998 Bill Nottingham +- update to 2.1.PATCH2 +- merge in some changes from RHCN version + +* Sat Oct 10 1998 Cristian Gafton +- strip binaries +- version 1.1.22 + +* Sun May 10 1998 Cristian Gafton +- don't make packages conflict with each other... + +* Sat May 02 1998 Cristian Gafton +- added a proxy auth patch from Alex deVries +- fixed initscripts + +* Thu Apr 09 1998 Cristian Gafton +- rebuilt for Manhattan + +* Fri Mar 20 1998 Cristian Gafton +- upgraded to 1.1.21/1.NOVM.21 + +* Mon Mar 02 1998 Cristian Gafton +- updated the init script to use reconfigure option to restart squid instead + of shutdown/restart (both safer and quicker) + +* Sat Feb 07 1998 Cristian Gafton +- upgraded to 1.1.20 +- added the NOVM package and tryied to reduce the mess in the spec file + +* Wed Jan 7 1998 Cristian Gafton +- first build against glibc +- patched out the use of setresuid(), which is available only on kernels + 2.1.44 and later +