import UBI squid-5.5-14.el9

This commit is contained in:
eabdullin 2024-11-12 10:32:09 +00:00
parent 6cc520776e
commit be91175c1f
2 changed files with 124 additions and 5 deletions

View File

@ -0,0 +1,113 @@
From a0a9e6dc69d0c7b9ba237702b4c5020abc7ad1f8 Mon Sep 17 00:00:00 2001
From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Sat, 4 Nov 2023 00:30:42 +0000
Subject: [PATCH] Bug 5154: Do not open IPv6 sockets when IPv6 is disabled
(#1567)
... but allow basic IPv6 manipulations like getSockAddr().
Address.cc:663 getAddrInfo() assertion failed: false
Squids receives IPv6 addresses from traffic, configuration, or
hard-coded constants even when ./configured with --disable-ipv6 or when
IPv6 support was automatically disabled at startup after failing IPv6
tests. To handle IPv6 correctly, such Squids must support basic IPv6
operations like recognizing an IPv6 address in a request-target or
reporting an unsolicited IPv6 DNS record. At least for now, such Squids
must also correctly parse configuration-related IPv6 addresses.
All those activities rely on various low-level operations like filling
addrinfo structure with IP address information. Since 2012 commit
c5fbbc7, Ip::Address::getAddrInfo() was failing for IPv6 addresses when
Ip::EnableIpv6 was falsy. That change correctly recognized[^1] the need
for such Squids to handle IPv6, but to support basic operations, we need
to reject IPv6 addresses at a higher level and without asserting.
That high-level rejection work is ongoing, but initial attempts have
exposed difficult problems that will take time to address. For now, we
just avoid the assertion while protecting IPv6-disabled Squid from
listening on or opening connections to IPv6 addresses. Since Squid
already expects (and usually correctly handles) socket opening failures,
disabling those operations is better than failing in low-level IP
manipulation code.
The overall IPv6 posture of IPv6-disabled Squids that lack http_access
or other rules to deny IPv6 requests will change: This fix exposes more
of IPv6-disabled Squid code to IPv6 addresses. It is possible that such
exposure will make some IPv6 resources inside Squid (e.g., a previously
cached HTTP response) accessible to external requests. Squids will not
open or accept IPv6 connections but may forward requests with raw IPv6
targets to IPv4 cache_peers. Whether these and similar behavior changes
are going to be permanent is open for debate, but even if they are
temporary, they are arguably better than the corresponding assertions.
These changes do not effect IPv6-enabled Squids.
The assertion in IPv6-disabled Squid was reported by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/ipv6-assert.html where
it was filed as "Assertion on IPv6 Host Requests with --disable-ipv6".
[^1]: https://bugs.squid-cache.org/show_bug.cgi?id=3593#c1
---
src/comm.cc | 6 ++++++
src/ip/Address.cc | 2 +-
src/ip/Intercept.cc | 8 ++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/comm.cc b/src/comm.cc
index 4659955b011..271ba04d4da 100644
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -344,6 +344,12 @@ comm_openex(int sock_type,
/* Create socket for accepting new connections. */
++ statCounter.syscalls.sock.sockets;
+ if (!Ip::EnableIpv6 && addr.isIPv6()) {
+ debugs(50, 2, "refusing to open an IPv6 socket when IPv6 support is disabled: " << addr);
+ errno = ENOTSUP;
+ return -1;
+ }
+
/* Setup the socket addrinfo details for use */
addr.getAddrInfo(AI);
AI->ai_socktype = sock_type;
diff --git a/src/ip/Address.cc b/src/ip/Address.cc
index b6f810bfc25..ae6db37da5e 100644
--- a/src/ip/Address.cc
+++ b/src/ip/Address.cc
@@ -623,7 +623,7 @@ Ip::Address::getAddrInfo(struct addrinfo *&dst, int force) const
&& dst->ai_protocol == 0)
dst->ai_protocol = IPPROTO_UDP;
- if (force == AF_INET6 || (force == AF_UNSPEC && Ip::EnableIpv6 && isIPv6()) ) {
+ if (force == AF_INET6 || (force == AF_UNSPEC && isIPv6()) ) {
dst->ai_addr = (struct sockaddr*)new sockaddr_in6;
memset(dst->ai_addr,0,sizeof(struct sockaddr_in6));
diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
index 1a5e2d15af1..a8522efaac0 100644
--- a/src/ip/Intercept.cc
+++ b/src/ip/Intercept.cc
@@ -15,6 +15,7 @@
#include "comm/Connection.h"
#include "fde.h"
#include "ip/Intercept.h"
+#include "ip/tools.h"
#include "src/tools.h"
#include <cerrno>
@@ -430,6 +431,13 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test)
debugs(3, 3, "Detect TPROXY support on port " << test);
+ if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
+ debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
+ if (doneSuid)
+ leave_suid();
+ return false;
+ }
+
int tos = 1;
int tmp_sock = -1;

View File

@ -2,7 +2,7 @@
Name: squid Name: squid
Version: 5.5 Version: 5.5
Release: 13%{?dist} Release: 14%{?dist}
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code # See CREDITS for breakdown of non GPLv2+ code
@ -46,6 +46,8 @@ Patch207: squid-5.0.6-active-ftp.patch
Patch208: squid-5.1-test-store-cppsuite.patch Patch208: squid-5.1-test-store-cppsuite.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2231827 # https://bugzilla.redhat.com/show_bug.cgi?id=2231827
Patch209: squid-5.5-halfclosed.patch Patch209: squid-5.5-halfclosed.patch
# https://issues.redhat.com/browse/RHEL-30352
Patch210: squid-5.5-ipv6-crash.patch
# Security patches # Security patches
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721 # https://bugzilla.redhat.com/show_bug.cgi?id=2100721
@ -79,7 +81,6 @@ Patch514: squid-5.5-CVE-2024-37894.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2260051 # https://bugzilla.redhat.com/show_bug.cgi?id=2260051
Patch515: squid-5.5-CVE-2024-23638.patch Patch515: squid-5.5-CVE-2024-23638.patch
# cache_swap.sh # cache_swap.sh
Requires: bash gawk Requires: bash gawk
# for httpd conf file - cachemgr script alias # for httpd conf file - cachemgr script alias
@ -153,6 +154,7 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch207 -p1 -b .active-ftp %patch207 -p1 -b .active-ftp
%patch208 -p1 -b .test-store-cpp %patch208 -p1 -b .test-store-cpp
%patch209 -p1 -b .halfclosed %patch209 -p1 -b .halfclosed
%patch210 -p1 -b .ipv6-crash
%patch501 -p1 -b .CVE-2021-46784 %patch501 -p1 -b .CVE-2021-46784
%patch502 -p1 -b .CVE-2022-41318 %patch502 -p1 -b .CVE-2022-41318
@ -396,12 +398,16 @@ fi
%changelog %changelog
* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13 * Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-14
- Resolves: RHEL-45056 - squid: Out-of-bounds write error may lead to Denial of - Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of
Service (CVE-2024-37894) Service (CVE-2024-37894)
- Resolves: RHEL-45643 - squid: vulnerable to a Denial of Service attack against - Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against
Cache Manager error responses (CVE-2024-23638) Cache Manager error responses (CVE-2024-23638)
* Thu May 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
- Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled
at kernel level but it is asked to connect to an ipv6 address by a client
* Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-12 * Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-12
- Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked - Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked
Decoding (CVE-2024-25111) Decoding (CVE-2024-25111)