diff --git a/SOURCES/squid-4.15-dns-obey-ttl-set-to-zero.patch b/SOURCES/squid-4.15-dns-obey-ttl-set-to-zero.patch new file mode 100644 index 0000000..442e88e --- /dev/null +++ b/SOURCES/squid-4.15-dns-obey-ttl-set-to-zero.patch @@ -0,0 +1,61 @@ +diff --git a/src/ipcache.cc b/src/ipcache.cc +index ea32021..6012f1f 100644 +--- a/src/ipcache.cc ++++ b/src/ipcache.cc +@@ -103,6 +103,7 @@ public: + } flags; + + int age() const; ///< time passed since request_time or -1 if unknown ++ void updateTtl(const unsigned int rrTtl); + }; + + /// \ingroup IPCacheInternal +@@ -338,7 +339,6 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e + int k; + int j = 0; + int na = 0; +- int ttl = 0; + const char *name = (const char *)i->hash.key; + int cname_found = 0; + +@@ -436,8 +436,8 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e + debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] ); + ++j; + } +- if (ttl == 0 || (int) answers[k].ttl < ttl) +- ttl = answers[k].ttl; ++ ++ i->updateTtl(answers[k].ttl); + } + + assert(j == na); +@@ -447,17 +447,21 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e + else + i->addrs.count = 255; + +- if (ttl > Config.positiveDnsTtl) +- ttl = Config.positiveDnsTtl; +- +- if (ttl < Config.negativeDnsTtl) +- ttl = Config.negativeDnsTtl; +- +- i->expires = squid_curtime + ttl; +- + i->flags.negcached = false; + } + ++void ++ipcache_entry::updateTtl(const unsigned int rrTtl) ++{ ++ const time_t ttl = std::min(std::max( ++ Config.negativeDnsTtl, // smallest value allowed ++ static_cast(rrTtl)), ++ Config.positiveDnsTtl); // largest value allowed ++ const time_t rrExpires = squid_curtime + ttl; ++ if (rrExpires < expires) ++ expires = rrExpires; ++} ++ + /// \ingroup IPCacheInternal + static void + ipcacheHandleReply(void *data, const rfc1035_rr * answers, int na, const char *error_message) diff --git a/SPECS/squid.spec b/SPECS/squid.spec index 8d93173..6b54bc0 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.15 -Release: 10%{?dist}.3 +Release: 10%{?dist}.5 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,6 +40,8 @@ Patch208: squid-4.11-convert-ipv4.patch Patch209: squid-4.15-ftp-filename-extraction.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2076717 Patch210: squid-4.15-halfclosed.patch +# https://issues.redhat.com/browse/RHEL-66120 +Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch # Security fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1941506 @@ -106,7 +108,7 @@ BuildRequires: systemd-devel %description Squid is a high-performance proxy caching server for Web clients, -supporting FTP, gopher, and HTTP data objects. Unlike traditional +supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking @@ -134,6 +136,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch208 -p1 -b .convert-ipv4 %patch209 -p1 -b .ftp-fn-extraction %patch210 -p1 -b .halfclosed +%patch211 -p1 -b .dns-obey-ttl-set-to-zero # Security patches %patch300 -p1 -b .CVE-2021-28116 @@ -367,6 +370,12 @@ fi %changelog +* Fri Nov 22 2024 Luboš Uhliarik - 7:4.15-10.5 +- Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0 + +* Mon Nov 18 2024 Luboš Uhliarik - 7:4.15-10.4 +- Resolves: RHEL-67870 - Remove gopher mention from spec file + * Wed Nov 13 2024 Luboš Uhliarik - 7:4.15-10.3 - Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to a Denial of Service attack against Cache Manager error responses