import UBI squid-5.5-14.el9
This commit is contained in:
parent
6cc520776e
commit
be91175c1f
113
SOURCES/squid-5.5-ipv6-crash.patch
Normal file
113
SOURCES/squid-5.5-ipv6-crash.patch
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
From a0a9e6dc69d0c7b9ba237702b4c5020abc7ad1f8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alex Rousskov <rousskov@measurement-factory.com>
|
||||||
|
Date: Sat, 4 Nov 2023 00:30:42 +0000
|
||||||
|
Subject: [PATCH] Bug 5154: Do not open IPv6 sockets when IPv6 is disabled
|
||||||
|
(#1567)
|
||||||
|
|
||||||
|
... but allow basic IPv6 manipulations like getSockAddr().
|
||||||
|
|
||||||
|
Address.cc:663 getAddrInfo() assertion failed: false
|
||||||
|
|
||||||
|
Squids receives IPv6 addresses from traffic, configuration, or
|
||||||
|
hard-coded constants even when ./configured with --disable-ipv6 or when
|
||||||
|
IPv6 support was automatically disabled at startup after failing IPv6
|
||||||
|
tests. To handle IPv6 correctly, such Squids must support basic IPv6
|
||||||
|
operations like recognizing an IPv6 address in a request-target or
|
||||||
|
reporting an unsolicited IPv6 DNS record. At least for now, such Squids
|
||||||
|
must also correctly parse configuration-related IPv6 addresses.
|
||||||
|
|
||||||
|
All those activities rely on various low-level operations like filling
|
||||||
|
addrinfo structure with IP address information. Since 2012 commit
|
||||||
|
c5fbbc7, Ip::Address::getAddrInfo() was failing for IPv6 addresses when
|
||||||
|
Ip::EnableIpv6 was falsy. That change correctly recognized[^1] the need
|
||||||
|
for such Squids to handle IPv6, but to support basic operations, we need
|
||||||
|
to reject IPv6 addresses at a higher level and without asserting.
|
||||||
|
|
||||||
|
That high-level rejection work is ongoing, but initial attempts have
|
||||||
|
exposed difficult problems that will take time to address. For now, we
|
||||||
|
just avoid the assertion while protecting IPv6-disabled Squid from
|
||||||
|
listening on or opening connections to IPv6 addresses. Since Squid
|
||||||
|
already expects (and usually correctly handles) socket opening failures,
|
||||||
|
disabling those operations is better than failing in low-level IP
|
||||||
|
manipulation code.
|
||||||
|
|
||||||
|
The overall IPv6 posture of IPv6-disabled Squids that lack http_access
|
||||||
|
or other rules to deny IPv6 requests will change: This fix exposes more
|
||||||
|
of IPv6-disabled Squid code to IPv6 addresses. It is possible that such
|
||||||
|
exposure will make some IPv6 resources inside Squid (e.g., a previously
|
||||||
|
cached HTTP response) accessible to external requests. Squids will not
|
||||||
|
open or accept IPv6 connections but may forward requests with raw IPv6
|
||||||
|
targets to IPv4 cache_peers. Whether these and similar behavior changes
|
||||||
|
are going to be permanent is open for debate, but even if they are
|
||||||
|
temporary, they are arguably better than the corresponding assertions.
|
||||||
|
|
||||||
|
These changes do not effect IPv6-enabled Squids.
|
||||||
|
|
||||||
|
The assertion in IPv6-disabled Squid was reported by Joshua Rogers at
|
||||||
|
https://megamansec.github.io/Squid-Security-Audit/ipv6-assert.html where
|
||||||
|
it was filed as "Assertion on IPv6 Host Requests with --disable-ipv6".
|
||||||
|
|
||||||
|
[^1]: https://bugs.squid-cache.org/show_bug.cgi?id=3593#c1
|
||||||
|
---
|
||||||
|
src/comm.cc | 6 ++++++
|
||||||
|
src/ip/Address.cc | 2 +-
|
||||||
|
src/ip/Intercept.cc | 8 ++++++++
|
||||||
|
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/comm.cc b/src/comm.cc
|
||||||
|
index 4659955b011..271ba04d4da 100644
|
||||||
|
--- a/src/comm.cc
|
||||||
|
+++ b/src/comm.cc
|
||||||
|
@@ -344,6 +344,12 @@ comm_openex(int sock_type,
|
||||||
|
/* Create socket for accepting new connections. */
|
||||||
|
++ statCounter.syscalls.sock.sockets;
|
||||||
|
|
||||||
|
+ if (!Ip::EnableIpv6 && addr.isIPv6()) {
|
||||||
|
+ debugs(50, 2, "refusing to open an IPv6 socket when IPv6 support is disabled: " << addr);
|
||||||
|
+ errno = ENOTSUP;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Setup the socket addrinfo details for use */
|
||||||
|
addr.getAddrInfo(AI);
|
||||||
|
AI->ai_socktype = sock_type;
|
||||||
|
diff --git a/src/ip/Address.cc b/src/ip/Address.cc
|
||||||
|
index b6f810bfc25..ae6db37da5e 100644
|
||||||
|
--- a/src/ip/Address.cc
|
||||||
|
+++ b/src/ip/Address.cc
|
||||||
|
@@ -623,7 +623,7 @@ Ip::Address::getAddrInfo(struct addrinfo *&dst, int force) const
|
||||||
|
&& dst->ai_protocol == 0)
|
||||||
|
dst->ai_protocol = IPPROTO_UDP;
|
||||||
|
|
||||||
|
- if (force == AF_INET6 || (force == AF_UNSPEC && Ip::EnableIpv6 && isIPv6()) ) {
|
||||||
|
+ if (force == AF_INET6 || (force == AF_UNSPEC && isIPv6()) ) {
|
||||||
|
dst->ai_addr = (struct sockaddr*)new sockaddr_in6;
|
||||||
|
|
||||||
|
memset(dst->ai_addr,0,sizeof(struct sockaddr_in6));
|
||||||
|
diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
|
||||||
|
index 1a5e2d15af1..a8522efaac0 100644
|
||||||
|
--- a/src/ip/Intercept.cc
|
||||||
|
+++ b/src/ip/Intercept.cc
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include "comm/Connection.h"
|
||||||
|
#include "fde.h"
|
||||||
|
#include "ip/Intercept.h"
|
||||||
|
+#include "ip/tools.h"
|
||||||
|
#include "src/tools.h"
|
||||||
|
|
||||||
|
#include <cerrno>
|
||||||
|
@@ -430,6 +431,13 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test)
|
||||||
|
|
||||||
|
debugs(3, 3, "Detect TPROXY support on port " << test);
|
||||||
|
|
||||||
|
+ if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
|
||||||
|
+ debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
|
||||||
|
+ if (doneSuid)
|
||||||
|
+ leave_suid();
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
int tos = 1;
|
||||||
|
int tmp_sock = -1;
|
||||||
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: squid
|
Name: squid
|
||||||
Version: 5.5
|
Version: 5.5
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
Summary: The Squid proxy caching server
|
Summary: The Squid proxy caching server
|
||||||
Epoch: 7
|
Epoch: 7
|
||||||
# See CREDITS for breakdown of non GPLv2+ code
|
# See CREDITS for breakdown of non GPLv2+ code
|
||||||
@ -46,6 +46,8 @@ Patch207: squid-5.0.6-active-ftp.patch
|
|||||||
Patch208: squid-5.1-test-store-cppsuite.patch
|
Patch208: squid-5.1-test-store-cppsuite.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2231827
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2231827
|
||||||
Patch209: squid-5.5-halfclosed.patch
|
Patch209: squid-5.5-halfclosed.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-30352
|
||||||
|
Patch210: squid-5.5-ipv6-crash.patch
|
||||||
|
|
||||||
# Security patches
|
# Security patches
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
|
||||||
@ -79,7 +81,6 @@ Patch514: squid-5.5-CVE-2024-37894.patch
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2260051
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2260051
|
||||||
Patch515: squid-5.5-CVE-2024-23638.patch
|
Patch515: squid-5.5-CVE-2024-23638.patch
|
||||||
|
|
||||||
|
|
||||||
# cache_swap.sh
|
# cache_swap.sh
|
||||||
Requires: bash gawk
|
Requires: bash gawk
|
||||||
# for httpd conf file - cachemgr script alias
|
# for httpd conf file - cachemgr script alias
|
||||||
@ -153,6 +154,7 @@ lookup program (dnsserver), a program for retrieving FTP data
|
|||||||
%patch207 -p1 -b .active-ftp
|
%patch207 -p1 -b .active-ftp
|
||||||
%patch208 -p1 -b .test-store-cpp
|
%patch208 -p1 -b .test-store-cpp
|
||||||
%patch209 -p1 -b .halfclosed
|
%patch209 -p1 -b .halfclosed
|
||||||
|
%patch210 -p1 -b .ipv6-crash
|
||||||
|
|
||||||
%patch501 -p1 -b .CVE-2021-46784
|
%patch501 -p1 -b .CVE-2021-46784
|
||||||
%patch502 -p1 -b .CVE-2022-41318
|
%patch502 -p1 -b .CVE-2022-41318
|
||||||
@ -396,12 +398,16 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
|
* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-14
|
||||||
- Resolves: RHEL-45056 - squid: Out-of-bounds write error may lead to Denial of
|
- Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of
|
||||||
Service (CVE-2024-37894)
|
Service (CVE-2024-37894)
|
||||||
- Resolves: RHEL-45643 - squid: vulnerable to a Denial of Service attack against
|
- Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against
|
||||||
Cache Manager error responses (CVE-2024-23638)
|
Cache Manager error responses (CVE-2024-23638)
|
||||||
|
|
||||||
|
* Thu May 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
|
||||||
|
- Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled
|
||||||
|
at kernel level but it is asked to connect to an ipv6 address by a client
|
||||||
|
|
||||||
* Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-12
|
* Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-12
|
||||||
- Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked
|
- Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked
|
||||||
Decoding (CVE-2024-25111)
|
Decoding (CVE-2024-25111)
|
||||||
|
Loading…
Reference in New Issue
Block a user