Compare commits
6 Commits
imports/c8
...
c8-stream-
Author | SHA1 | Date | |
---|---|---|---|
1a43b6ea59 | |||
|
06eaaacb31 | ||
|
b5d3c5c00b | ||
|
9beaf3832c | ||
|
7599e828ff | ||
|
297f15c9e2 |
24
SOURCES/squid-4.15-CVE-2023-46724.patch
Normal file
24
SOURCES/squid-4.15-CVE-2023-46724.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
|
||||
index 20b9bf1..81ebb18 100644
|
||||
--- a/src/anyp/Uri.cc
|
||||
+++ b/src/anyp/Uri.cc
|
||||
@@ -173,6 +173,10 @@ urlInitialize(void)
|
||||
assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
|
||||
assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
|
||||
|
||||
+ assert(0 != matchDomainName("foo.com", ""));
|
||||
+ assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
|
||||
+ assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
|
||||
+
|
||||
/* more cases? */
|
||||
}
|
||||
|
||||
@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
|
||||
return -1;
|
||||
|
||||
dl = strlen(d);
|
||||
+ if (dl == 0)
|
||||
+ return 1;
|
||||
|
||||
/*
|
||||
* Start at the ends of the two strings and work towards the
|
1673
SOURCES/squid-4.15-CVE-2023-46728.patch
Normal file
1673
SOURCES/squid-4.15-CVE-2023-46728.patch
Normal file
File diff suppressed because it is too large
Load Diff
1281
SOURCES/squid-4.15-CVE-2023-46846.patch
Normal file
1281
SOURCES/squid-4.15-CVE-2023-46846.patch
Normal file
File diff suppressed because it is too large
Load Diff
23
SOURCES/squid-4.15-CVE-2023-46847.patch
Normal file
23
SOURCES/squid-4.15-CVE-2023-46847.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
|
||||
index 6a9736f..0a883fa 100644
|
||||
--- a/src/auth/digest/Config.cc
|
||||
+++ b/src/auth/digest/Config.cc
|
||||
@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
|
||||
break;
|
||||
|
||||
case DIGEST_NC:
|
||||
- if (value.size() != 8) {
|
||||
+ if (value.size() == 8) {
|
||||
+ // for historical reasons, the nc value MUST be exactly 8 bytes
|
||||
+ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
|
||||
+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
||||
+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
||||
+ } else {
|
||||
debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
|
||||
+ digest_request->nc[0] = 0;
|
||||
}
|
||||
- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
||||
- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
||||
break;
|
||||
|
||||
case DIGEST_CNONCE:
|
30
SOURCES/squid-4.15-CVE-2023-49285.patch
Normal file
30
SOURCES/squid-4.15-CVE-2023-49285.patch
Normal file
@ -0,0 +1,30 @@
|
||||
commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
|
||||
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
||||
Date: Wed Oct 25 19:41:45 2023 +0000
|
||||
|
||||
RFC 1123: Fix date parsing (#1538)
|
||||
|
||||
The bug was discovered and detailed by Joshua Rogers at
|
||||
https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
|
||||
where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
|
||||
Handling".
|
||||
|
||||
diff --git a/lib/rfc1123.c b/lib/rfc1123.c
|
||||
index e5bf9a4d7..cb484cc00 100644
|
||||
--- a/lib/rfc1123.c
|
||||
+++ b/lib/rfc1123.c
|
||||
@@ -50,7 +50,13 @@ make_month(const char *s)
|
||||
char month[3];
|
||||
|
||||
month[0] = xtoupper(*s);
|
||||
+ if (!month[0])
|
||||
+ return -1; // protects *(s + 1) below
|
||||
+
|
||||
month[1] = xtolower(*(s + 1));
|
||||
+ if (!month[1])
|
||||
+ return -1; // protects *(s + 2) below
|
||||
+
|
||||
month[2] = xtolower(*(s + 2));
|
||||
|
||||
for (i = 0; i < 12; i++)
|
||||
|
62
SOURCES/squid-4.15-CVE-2023-49286.patch
Normal file
62
SOURCES/squid-4.15-CVE-2023-49286.patch
Normal file
@ -0,0 +1,62 @@
|
||||
diff --git a/src/ipc.cc b/src/ipc.cc
|
||||
index 42e11e6..a68e623 100644
|
||||
--- a/src/ipc.cc
|
||||
+++ b/src/ipc.cc
|
||||
@@ -19,6 +19,11 @@
|
||||
#include "SquidConfig.h"
|
||||
#include "SquidIpc.h"
|
||||
#include "tools.h"
|
||||
+#include <cstdlib>
|
||||
+
|
||||
+#if HAVE_UNISTD_H
|
||||
+#include <unistd.h>
|
||||
+#endif
|
||||
|
||||
static const char *hello_string = "hi there\n";
|
||||
#ifndef HELLO_BUF_SZ
|
||||
@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||
}
|
||||
|
||||
PutEnvironment();
|
||||
+
|
||||
+ // A dup(2) wrapper that reports and exits the process on errors. The
|
||||
+ // exiting logic is only suitable for this child process context.
|
||||
+ const auto dupOrExit = [prog,name](const int oldFd) {
|
||||
+ const auto newFd = dup(oldFd);
|
||||
+ if (newFd < 0) {
|
||||
+ const auto savedErrno = errno;
|
||||
+ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
|
||||
+ Debug::Extra << "helper (CHILD) PID: " << getpid() <<
|
||||
+ Debug::Extra << "helper program name: " << prog <<
|
||||
+ Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
|
||||
+ _exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ return newFd;
|
||||
+ };
|
||||
+
|
||||
/*
|
||||
* This double-dup stuff avoids problems when one of
|
||||
* crfd, cwfd, or debug_log are in the rage 0-2.
|
||||
@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||
|
||||
do {
|
||||
/* First make sure 0-2 is occupied by something. Gets cleaned up later */
|
||||
- x = dup(crfd);
|
||||
- assert(x > -1);
|
||||
- } while (x < 3 && x > -1);
|
||||
+ x = dupOrExit(crfd);
|
||||
+ } while (x < 3);
|
||||
|
||||
close(x);
|
||||
|
||||
- t1 = dup(crfd);
|
||||
+ t1 = dupOrExit(crfd);
|
||||
|
||||
- t2 = dup(cwfd);
|
||||
+ t2 = dupOrExit(cwfd);
|
||||
|
||||
- t3 = dup(fileno(debug_log));
|
||||
+ t3 = dupOrExit(fileno(debug_log));
|
||||
|
||||
assert(t1 > 2 && t2 > 2 && t3 > 2);
|
||||
|
50
SOURCES/squid-4.15-CVE-2023-50269.patch
Normal file
50
SOURCES/squid-4.15-CVE-2023-50269.patch
Normal file
@ -0,0 +1,50 @@
|
||||
diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
|
||||
index fe2edf6..47aa935 100644
|
||||
--- a/src/ClientRequestContext.h
|
||||
+++ b/src/ClientRequestContext.h
|
||||
@@ -81,6 +81,10 @@ public:
|
||||
#endif
|
||||
ErrorState *error; ///< saved error page for centralized/delayed processing
|
||||
bool readNextRequest; ///< whether Squid should read after error handling
|
||||
+
|
||||
+#if FOLLOW_X_FORWARDED_FOR
|
||||
+ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
|
||||
+#endif
|
||||
};
|
||||
|
||||
#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
|
||||
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
|
||||
index 1c6ff62..b758f6f 100644
|
||||
--- a/src/client_side_request.cc
|
||||
+++ b/src/client_side_request.cc
|
||||
@@ -78,6 +78,11 @@
|
||||
static const char *const crlf = "\r\n";
|
||||
|
||||
#if FOLLOW_X_FORWARDED_FOR
|
||||
+
|
||||
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
|
||||
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
|
||||
+#endif
|
||||
+
|
||||
static void clientFollowXForwardedForCheck(allow_t answer, void *data);
|
||||
#endif /* FOLLOW_X_FORWARDED_FOR */
|
||||
|
||||
@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
|
||||
/* override the default src_addr tested if we have to go deeper than one level into XFF */
|
||||
Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
|
||||
}
|
||||
- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
||||
- return;
|
||||
+ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
|
||||
+ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
||||
+ return;
|
||||
+ }
|
||||
+ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
|
||||
+ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
|
||||
+ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
|
||||
+ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
|
||||
+ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
|
||||
+ // fall through to resume clientAccessCheck() processing
|
||||
}
|
||||
}
|
||||
|
4352
SOURCES/squid-4.15-CVE-2023-5824.patch
Normal file
4352
SOURCES/squid-4.15-CVE-2023-5824.patch
Normal file
File diff suppressed because it is too large
Load Diff
193
SOURCES/squid-4.15-CVE-2024-25111.patch
Normal file
193
SOURCES/squid-4.15-CVE-2024-25111.patch
Normal file
@ -0,0 +1,193 @@
|
||||
diff --git a/src/http.cc b/src/http.cc
|
||||
index b006300..023e411 100644
|
||||
--- a/src/http.cc
|
||||
+++ b/src/http.cc
|
||||
@@ -52,6 +52,7 @@
|
||||
#include "rfc1738.h"
|
||||
#include "SquidConfig.h"
|
||||
#include "SquidTime.h"
|
||||
+#include "SquidMath.h"
|
||||
#include "StatCounters.h"
|
||||
#include "Store.h"
|
||||
#include "StrList.h"
|
||||
@@ -1150,18 +1151,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
|
||||
* Plus, it breaks our lame *HalfClosed() detection
|
||||
*/
|
||||
|
||||
- Must(maybeMakeSpaceAvailable(true));
|
||||
- CommIoCbParams rd(this); // will be expanded with ReadNow results
|
||||
- rd.conn = io.conn;
|
||||
- rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
|
||||
+ size_t moreDataPermission = 0;
|
||||
+ if ((!canBufferMoreReplyBytes(&moreDataPermission) || !moreDataPermission)) {
|
||||
+ abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission);
|
||||
+ // TODO: Move this logic inside maybeMakeSpaceAvailable():
|
||||
+ const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
|
||||
|
||||
- if (rd.size <= 0) {
|
||||
+ if (readSizeWanted <= 0) {
|
||||
assert(entry->mem_obj);
|
||||
AsyncCall::Pointer nilCall;
|
||||
entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
|
||||
return;
|
||||
}
|
||||
|
||||
+ CommIoCbParams rd(this); // will be expanded with ReadNow results
|
||||
+ rd.conn = io.conn;
|
||||
+ rd.size = readSizeWanted;
|
||||
switch (Comm::ReadNow(rd, inBuf)) {
|
||||
case Comm::INPROGRESS:
|
||||
if (inBuf.isEmpty())
|
||||
@@ -1520,8 +1529,11 @@ HttpStateData::maybeReadVirginBody()
|
||||
if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
|
||||
return;
|
||||
|
||||
- if (!maybeMakeSpaceAvailable(false))
|
||||
+ size_t moreDataPermission = 0;
|
||||
+ if ((!canBufferMoreReplyBytes(&moreDataPermission)) || !moreDataPermission) {
|
||||
+ abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
|
||||
return;
|
||||
+ }
|
||||
|
||||
// XXX: get rid of the do_next_read flag
|
||||
// check for the proper reasons preventing read(2)
|
||||
@@ -1539,40 +1551,79 @@ HttpStateData::maybeReadVirginBody()
|
||||
Comm::Read(serverConnection, call);
|
||||
}
|
||||
|
||||
+/// Desired inBuf capacity based on various capacity preferences/limits:
|
||||
+/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
|
||||
+/// * a smaller buffer may result in inefficient tiny network reads;
|
||||
+/// * a bigger buffer may waste memory;
|
||||
+/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
|
||||
+size_t
|
||||
+HttpStateData::calcReadBufferCapacityLimit() const
|
||||
+{
|
||||
+ if (!flags.headers_parsed)
|
||||
+ return Config.maxReplyHeaderSize;
|
||||
+
|
||||
+ // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
|
||||
+ // Config.readAheadGap like this creates huge read buffers for large
|
||||
+ // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
|
||||
+ // primary read buffer capacity factor.
|
||||
+ //
|
||||
+ // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
|
||||
+ // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
|
||||
+ const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).second ? NaturalSum<size_t>(Config.readAheadGap).first : SBuf::maxSize;
|
||||
+
|
||||
+ // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
|
||||
+ // (when explicit configurationPreferences are set too low).
|
||||
+
|
||||
+ return std::min<size_t>(configurationPreferences, SBuf::maxSize);
|
||||
+}
|
||||
+
|
||||
+/// The maximum number of virgin reply bytes we may buffer before we violate
|
||||
+/// the currently configured response buffering limits.
|
||||
+/// \retval std::nullopt means that no more virgin response bytes can be read
|
||||
+/// \retval 0 means that more virgin response bytes may be read later
|
||||
+/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
|
||||
bool
|
||||
-HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
|
||||
+HttpStateData::canBufferMoreReplyBytes(size_t *maxReadSize) const
|
||||
{
|
||||
- // how much we are allowed to buffer
|
||||
- const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
|
||||
-
|
||||
- if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
|
||||
- // when buffer is at or over limit already
|
||||
- debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
||||
- debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
|
||||
- // Process next response from buffer
|
||||
- processReply();
|
||||
- return false;
|
||||
+#if USE_ADAPTATION
|
||||
+ // If we do not check this now, we may say the final "no" prematurely below
|
||||
+ // because inBuf.length() will decrease as adaptation drains buffered bytes.
|
||||
+ if (responseBodyBuffer) {
|
||||
+ debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
|
||||
+ *maxReadSize = 0; // yes, we may be able to buffer more (but later)
|
||||
+ return true;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ const auto maxCapacity = calcReadBufferCapacityLimit();
|
||||
+ if (inBuf.length() >= maxCapacity) {
|
||||
+ debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
|
||||
+ return false; // no, configuration prohibits buffering more
|
||||
}
|
||||
|
||||
+ *maxReadSize = (maxCapacity - inBuf.length()); // positive
|
||||
+ debugs(11, 7, "yes, may read up to " << *maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
|
||||
+ return true; // yes, can read up to this many bytes (subject to other constraints)
|
||||
+}
|
||||
+
|
||||
+/// prepare read buffer for reading
|
||||
+/// \return the maximum number of bytes the caller should attempt to read
|
||||
+/// \retval 0 means that the caller should delay reading
|
||||
+size_t
|
||||
+HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
|
||||
+{
|
||||
// how much we want to read
|
||||
- const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
|
||||
+ const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
|
||||
|
||||
- if (!read_size) {
|
||||
+ if (read_size < 2) {
|
||||
debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
- // just report whether we could grow or not, do not actually do it
|
||||
- if (doGrow)
|
||||
- return (read_size >= 2);
|
||||
-
|
||||
// we may need to grow the buffer
|
||||
inBuf.reserveSpace(read_size);
|
||||
- debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
|
||||
- " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
|
||||
- ") from " << serverConnection);
|
||||
-
|
||||
- return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
|
||||
+ debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
||||
+ return read_size;
|
||||
}
|
||||
|
||||
/// called after writing the very last request byte (body, last-chunk, etc)
|
||||
diff --git a/src/http.h b/src/http.h
|
||||
index 8965b77..007d2e6 100644
|
||||
--- a/src/http.h
|
||||
+++ b/src/http.h
|
||||
@@ -15,6 +15,8 @@
|
||||
#include "http/StateFlags.h"
|
||||
#include "sbuf/SBuf.h"
|
||||
|
||||
+#include <optional>
|
||||
+
|
||||
class FwdState;
|
||||
class HttpHeader;
|
||||
|
||||
@@ -107,16 +109,9 @@ private:
|
||||
|
||||
void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
|
||||
|
||||
- /**
|
||||
- * determine if read buffer can have space made available
|
||||
- * for a read.
|
||||
- *
|
||||
- * \param grow whether to actually expand the buffer
|
||||
- *
|
||||
- * \return whether the buffer can be grown to provide space
|
||||
- * regardless of whether the grow actually happened.
|
||||
- */
|
||||
- bool maybeMakeSpaceAvailable(bool grow);
|
||||
+ size_t calcReadBufferCapacityLimit() const;
|
||||
+ bool canBufferMoreReplyBytes(size_t *maxReadSize) const;
|
||||
+ size_t maybeMakeSpaceAvailable(size_t maxReadSize);
|
||||
|
||||
// consuming request body
|
||||
virtual void handleMoreRequestBodyAvailable();
|
105
SOURCES/squid-4.15-CVE-2024-25617.patch
Normal file
105
SOURCES/squid-4.15-CVE-2024-25617.patch
Normal file
@ -0,0 +1,105 @@
|
||||
diff --git a/src/SquidString.h b/src/SquidString.h
|
||||
index a791885..b9aef38 100644
|
||||
--- a/src/SquidString.h
|
||||
+++ b/src/SquidString.h
|
||||
@@ -114,7 +114,16 @@ private:
|
||||
|
||||
size_type len_; /* current length */
|
||||
|
||||
- static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
|
||||
+ /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
|
||||
+ /// (a) we do not know where those buffers are (or whether they still exist)
|
||||
+ /// (b) too many String users unknowingly exceeded that limit and asserted.
|
||||
+ /// We are now using a larger limit to reduce the number of (b) cases,
|
||||
+ /// especially cases where "compact" lists of items grow 50% in size when we
|
||||
+ /// convert them to canonical form. The new limit is selected to withstand
|
||||
+ /// concatenation and ~50% expansion of two HTTP headers limited by default
|
||||
+ /// request_header_max_size and reply_header_max_size settings.
|
||||
+ static const size_type SizeMax_ = 3*64*1024 - 1;
|
||||
+
|
||||
/// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
|
||||
static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
|
||||
|
||||
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
|
||||
index a9c1b7e..46f07bb 100644
|
||||
--- a/src/cache_cf.cc
|
||||
+++ b/src/cache_cf.cc
|
||||
@@ -935,6 +935,18 @@ configDoConfigure(void)
|
||||
(uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
|
||||
}
|
||||
|
||||
+ // Warn about the dangers of exceeding String limits when manipulating HTTP
|
||||
+ // headers. Technically, we do not concatenate _requests_, so we could relax
|
||||
+ // their check, but we keep the two checks the same for simplicity sake.
|
||||
+ const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
|
||||
+ // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
|
||||
+ if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
|
||||
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
|
||||
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
|
||||
+ if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
|
||||
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
|
||||
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
|
||||
+
|
||||
/*
|
||||
* Disable client side request pipelining if client_persistent_connections OFF.
|
||||
* Waste of resources queueing any pipelined requests when the first will close the connection.
|
||||
diff --git a/src/cf.data.pre b/src/cf.data.pre
|
||||
index bc2ddcd..d55b870 100644
|
||||
--- a/src/cf.data.pre
|
||||
+++ b/src/cf.data.pre
|
||||
@@ -6196,11 +6196,14 @@ TYPE: b_size_t
|
||||
DEFAULT: 64 KB
|
||||
LOC: Config.maxRequestHeaderSize
|
||||
DOC_START
|
||||
- This specifies the maximum size for HTTP headers in a request.
|
||||
- Request headers are usually relatively small (about 512 bytes).
|
||||
- Placing a limit on the request header size will catch certain
|
||||
- bugs (for example with persistent connections) and possibly
|
||||
- buffer-overflow or denial-of-service attacks.
|
||||
+ This directives limits the header size of a received HTTP request
|
||||
+ (including request-line). Increasing this limit beyond its 64 KB default
|
||||
+ exposes certain old Squid code to various denial-of-service attacks. This
|
||||
+ limit also applies to received FTP commands.
|
||||
+
|
||||
+ This limit has no direct affect on Squid memory consumption.
|
||||
+
|
||||
+ Squid does not check this limit when sending requests.
|
||||
DOC_END
|
||||
|
||||
NAME: reply_header_max_size
|
||||
@@ -6209,11 +6212,14 @@ TYPE: b_size_t
|
||||
DEFAULT: 64 KB
|
||||
LOC: Config.maxReplyHeaderSize
|
||||
DOC_START
|
||||
- This specifies the maximum size for HTTP headers in a reply.
|
||||
- Reply headers are usually relatively small (about 512 bytes).
|
||||
- Placing a limit on the reply header size will catch certain
|
||||
- bugs (for example with persistent connections) and possibly
|
||||
- buffer-overflow or denial-of-service attacks.
|
||||
+ This directives limits the header size of a received HTTP response
|
||||
+ (including status-line). Increasing this limit beyond its 64 KB default
|
||||
+ exposes certain old Squid code to various denial-of-service attacks. This
|
||||
+ limit also applies to FTP command responses.
|
||||
+
|
||||
+ Squid also checks this limit when loading hit responses from disk cache.
|
||||
+
|
||||
+ Squid does not check this limit when sending responses.
|
||||
DOC_END
|
||||
|
||||
NAME: request_body_max_size
|
||||
diff --git a/src/http.cc b/src/http.cc
|
||||
index 877172d..b006300 100644
|
||||
--- a/src/http.cc
|
||||
+++ b/src/http.cc
|
||||
@@ -1820,8 +1820,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
|
||||
|
||||
String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
|
||||
|
||||
- // if we cannot double strFwd size, then it grew past 50% of the limit
|
||||
- if (!strFwd.canGrowBy(strFwd.size())) {
|
||||
+ // Detect unreasonably long header values. And paranoidly check String
|
||||
+ // limits: a String ought to accommodate two reasonable-length values.
|
||||
+ if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
|
||||
// There is probably a forwarding loop with Via detection disabled.
|
||||
// If we do nothing, String will assert on overflow soon.
|
||||
// TODO: Terminate all transactions with huge XFF?
|
163
SOURCES/squid-4.15-halfclosed.patch
Normal file
163
SOURCES/squid-4.15-halfclosed.patch
Normal file
@ -0,0 +1,163 @@
|
||||
diff --git a/src/client_side.cc b/src/client_side.cc
|
||||
index f57f3f7..ab393e4 100644
|
||||
--- a/src/client_side.cc
|
||||
+++ b/src/client_side.cc
|
||||
@@ -906,7 +906,7 @@ ConnStateData::kick()
|
||||
* We are done with the response, and we are either still receiving request
|
||||
* body (early response!) or have already stopped receiving anything.
|
||||
*
|
||||
- * If we are still receiving, then clientParseRequest() below will fail.
|
||||
+ * If we are still receiving, then parseRequests() below will fail.
|
||||
* (XXX: but then we will call readNextRequest() which may succeed and
|
||||
* execute a smuggled request as we are not done with the current request).
|
||||
*
|
||||
@@ -926,28 +926,12 @@ ConnStateData::kick()
|
||||
* Attempt to parse a request from the request buffer.
|
||||
* If we've been fed a pipelined request it may already
|
||||
* be in our read buffer.
|
||||
- *
|
||||
- \par
|
||||
- * This needs to fall through - if we're unlucky and parse the _last_ request
|
||||
- * from our read buffer we may never re-register for another client read.
|
||||
*/
|
||||
|
||||
- if (clientParseRequests()) {
|
||||
- debugs(33, 3, clientConnection << ": parsed next request from buffer");
|
||||
- }
|
||||
+ parseRequests();
|
||||
|
||||
- /** \par
|
||||
- * Either we need to kick-start another read or, if we have
|
||||
- * a half-closed connection, kill it after the last request.
|
||||
- * This saves waiting for half-closed connections to finished being
|
||||
- * half-closed _AND_ then, sometimes, spending "Timeout" time in
|
||||
- * the keepalive "Waiting for next request" state.
|
||||
- */
|
||||
- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) {
|
||||
- debugs(33, 3, "half-closed client with no pending requests, closing");
|
||||
- clientConnection->close();
|
||||
+ if (!isOpen())
|
||||
return;
|
||||
- }
|
||||
|
||||
/** \par
|
||||
* At this point we either have a parsed request (which we've
|
||||
@@ -2058,16 +2042,11 @@ ConnStateData::receivedFirstByte()
|
||||
commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);
|
||||
}
|
||||
|
||||
-/**
|
||||
- * Attempt to parse one or more requests from the input buffer.
|
||||
- * Returns true after completing parsing of at least one request [header]. That
|
||||
- * includes cases where parsing ended with an error (e.g., a huge request).
|
||||
- */
|
||||
-bool
|
||||
-ConnStateData::clientParseRequests()
|
||||
+/// Attempt to parse one or more requests from the input buffer.
|
||||
+/// May close the connection.
|
||||
+void
|
||||
+ConnStateData::parseRequests()
|
||||
{
|
||||
- bool parsed_req = false;
|
||||
-
|
||||
debugs(33, 5, HERE << clientConnection << ": attempting to parse");
|
||||
|
||||
// Loop while we have read bytes that are not needed for producing the body
|
||||
@@ -2116,8 +2095,6 @@ ConnStateData::clientParseRequests()
|
||||
|
||||
processParsedRequest(context);
|
||||
|
||||
- parsed_req = true; // XXX: do we really need to parse everything right NOW ?
|
||||
-
|
||||
if (context->mayUseConnection()) {
|
||||
debugs(33, 3, HERE << "Not parsing new requests, as this request may need the connection");
|
||||
break;
|
||||
@@ -2130,8 +2107,19 @@ ConnStateData::clientParseRequests()
|
||||
}
|
||||
}
|
||||
|
||||
- /* XXX where to 'finish' the parsing pass? */
|
||||
- return parsed_req;
|
||||
+ debugs(33, 7, "buffered leftovers: " << inBuf.length());
|
||||
+
|
||||
+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
|
||||
+ if (pipeline.empty()) {
|
||||
+ // we processed what we could parse, and no more data is coming
|
||||
+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
|
||||
+ clientConnection->close();
|
||||
+ } else {
|
||||
+ // we parsed what we could, and no more data is coming
|
||||
+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
|
||||
+ flags.readMore = false; // may already be false
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
void
|
||||
@@ -2148,23 +2136,7 @@ ConnStateData::afterClientRead()
|
||||
if (pipeline.empty())
|
||||
fd_note(clientConnection->fd, "Reading next request");
|
||||
|
||||
- if (!clientParseRequests()) {
|
||||
- if (!isOpen())
|
||||
- return;
|
||||
- /*
|
||||
- * If the client here is half closed and we failed
|
||||
- * to parse a request, close the connection.
|
||||
- * The above check with connFinishedWithConn() only
|
||||
- * succeeds _if_ the buffer is empty which it won't
|
||||
- * be if we have an incomplete request.
|
||||
- * XXX: This duplicates ConnStateData::kick
|
||||
- */
|
||||
- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
|
||||
- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
|
||||
- clientConnection->close();
|
||||
- return;
|
||||
- }
|
||||
- }
|
||||
+ parseRequests();
|
||||
|
||||
if (!isOpen())
|
||||
return;
|
||||
@@ -3945,7 +3917,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
|
||||
startPinnedConnectionMonitoring();
|
||||
|
||||
if (pipeline.empty())
|
||||
- kick(); // in case clientParseRequests() was blocked by a busy pic.connection
|
||||
+ kick(); // in case parseRequests() was blocked by a busy pic.connection
|
||||
}
|
||||
|
||||
/// Forward future client requests using the given server connection.
|
||||
diff --git a/src/client_side.h b/src/client_side.h
|
||||
index 9fe8463..dfb4d8e 100644
|
||||
--- a/src/client_side.h
|
||||
+++ b/src/client_side.h
|
||||
@@ -85,7 +85,6 @@ public:
|
||||
virtual void doneWithControlMsg();
|
||||
|
||||
/// Traffic parsing
|
||||
- bool clientParseRequests();
|
||||
void readNextRequest();
|
||||
|
||||
/// try to make progress on a transaction or read more I/O
|
||||
@@ -373,6 +372,7 @@ private:
|
||||
virtual bool connFinishedWithConn(int size);
|
||||
virtual void checkLogging();
|
||||
|
||||
+ void parseRequests();
|
||||
void clientAfterReadingRequests();
|
||||
bool concurrentRequestQueueFilled() const;
|
||||
|
||||
diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
|
||||
index d7efb0f..655ed83 100644
|
||||
--- a/src/tests/stub_client_side.cc
|
||||
+++ b/src/tests/stub_client_side.cc
|
||||
@@ -14,7 +14,7 @@
|
||||
#include "tests/STUB.h"
|
||||
|
||||
#include "client_side.h"
|
||||
-bool ConnStateData::clientParseRequests() STUB_RETVAL(false)
|
||||
+void ConnStateData::parseRequests() STUB
|
||||
void ConnStateData::readNextRequest() STUB
|
||||
bool ConnStateData::isOpen() const STUB_RETVAL(false)
|
||||
void ConnStateData::kick() STUB
|
156
SOURCES/squid-4.15-ip-bind-address-no-port.patch
Normal file
156
SOURCES/squid-4.15-ip-bind-address-no-port.patch
Normal file
@ -0,0 +1,156 @@
|
||||
commit c08948c8b831a2ba73c676b48aa11ba1b58cc542
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Thu Dec 8 11:03:08 2022 +0100
|
||||
|
||||
Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
|
||||
|
||||
diff --git a/src/comm.cc b/src/comm.cc
|
||||
index 0d5f34d..6811b54 100644
|
||||
--- a/src/comm.cc
|
||||
+++ b/src/comm.cc
|
||||
@@ -58,6 +58,7 @@
|
||||
*/
|
||||
|
||||
static IOCB commHalfClosedReader;
|
||||
+static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
|
||||
static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
|
||||
static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
|
||||
|
||||
@@ -75,6 +76,7 @@ static EVH commHalfClosedCheck;
|
||||
static void commPlanHalfClosedCheck();
|
||||
|
||||
static Comm::Flag commBind(int s, struct addrinfo &);
|
||||
+static void commSetBindAddressNoPort(int);
|
||||
static void commSetReuseAddr(int);
|
||||
static void commSetNoLinger(int);
|
||||
#ifdef TCP_NODELAY
|
||||
@@ -201,6 +203,22 @@ comm_local_port(int fd)
|
||||
return F->local_addr.port();
|
||||
}
|
||||
|
||||
+/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
|
||||
+/// reuse by outgoing TCP connections that must bind(2) to a source IP address
|
||||
+static void
|
||||
+commSetBindAddressNoPort(const int fd)
|
||||
+{
|
||||
+#if defined(IP_BIND_ADDRESS_NO_PORT)
|
||||
+ int flag = 1;
|
||||
+ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
|
||||
+ const auto savedErrno = errno;
|
||||
+ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
|
||||
+ }
|
||||
+#else
|
||||
+ (void)fd;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
static Comm::Flag
|
||||
commBind(int s, struct addrinfo &inaddr)
|
||||
{
|
||||
@@ -227,6 +245,10 @@ comm_open(int sock_type,
|
||||
int flags,
|
||||
const char *note)
|
||||
{
|
||||
+ // assume zero-port callers do not need to know the assigned port right away
|
||||
+ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
|
||||
+ flags |= COMM_DOBIND_PORT_LATER;
|
||||
+
|
||||
return comm_openex(sock_type, proto, addr, flags, note);
|
||||
}
|
||||
|
||||
@@ -328,7 +350,7 @@ comm_set_transparent(int fd)
|
||||
* Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE
|
||||
* is OR of flags specified in defines.h:COMM_*
|
||||
*/
|
||||
-int
|
||||
+static int
|
||||
comm_openex(int sock_type,
|
||||
int proto,
|
||||
Ip::Address &addr,
|
||||
@@ -476,6 +498,9 @@ comm_apply_flags(int new_socket,
|
||||
if ( addr.isNoAddr() )
|
||||
debugs(5,0,"CRITICAL: Squid is attempting to bind() port " << addr << "!!");
|
||||
|
||||
+ if ((flags & COMM_DOBIND_PORT_LATER))
|
||||
+ commSetBindAddressNoPort(new_socket);
|
||||
+
|
||||
if (commBind(new_socket, *AI) != Comm::OK) {
|
||||
comm_close(new_socket);
|
||||
return -1;
|
||||
diff --git a/src/comm.h b/src/comm.h
|
||||
index c963e1c..9ff201d 100644
|
||||
--- a/src/comm.h
|
||||
+++ b/src/comm.h
|
||||
@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
|
||||
|
||||
/**
|
||||
* Open a port specially bound for listening or sending through a specific port.
|
||||
- * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
|
||||
* Please use for all listening sockets and bind() outbound sockets.
|
||||
*
|
||||
* It will open a socket bound for:
|
||||
@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
|
||||
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note);
|
||||
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note);
|
||||
|
||||
-int comm_openex(int, int, Ip::Address &, int, const char *);
|
||||
unsigned short comm_local_port(int fd);
|
||||
|
||||
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
|
||||
diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
|
||||
index 25a30e4..2082214 100644
|
||||
--- a/src/comm/ConnOpener.cc
|
||||
+++ b/src/comm/ConnOpener.cc
|
||||
@@ -263,7 +263,7 @@ Comm::ConnOpener::createFd()
|
||||
if (callback_ == NULL || callback_->canceled())
|
||||
return false;
|
||||
|
||||
- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
|
||||
+ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
|
||||
if (temporaryFd_ < 0) {
|
||||
sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
|
||||
return false;
|
||||
diff --git a/src/comm/Connection.h b/src/comm/Connection.h
|
||||
index 4f2f23a..1e32c22 100644
|
||||
--- a/src/comm/Connection.h
|
||||
+++ b/src/comm/Connection.h
|
||||
@@ -47,6 +47,8 @@ namespace Comm
|
||||
#define COMM_DOBIND 0x08 // requires a bind()
|
||||
#define COMM_TRANSPARENT 0x10 // arrived via TPROXY
|
||||
#define COMM_INTERCEPTION 0x20 // arrived via NAT
|
||||
+/// Internal Comm optimization: Keep the source port unassigned until connect(2)
|
||||
+#define COMM_DOBIND_PORT_LATER 0x100
|
||||
|
||||
/**
|
||||
* Store data about the physical and logical attributes of a connection.
|
||||
diff --git a/src/ipc.cc b/src/ipc.cc
|
||||
index e1d48fc..e92a27f 100644
|
||||
--- a/src/ipc.cc
|
||||
+++ b/src/ipc.cc
|
||||
@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||
} else void(0)
|
||||
|
||||
if (type == IPC_TCP_SOCKET) {
|
||||
- crfd = cwfd = comm_open(SOCK_STREAM,
|
||||
+ crfd = cwfd = comm_open_listener(SOCK_STREAM,
|
||||
0,
|
||||
local_addr,
|
||||
COMM_NOCLOEXEC,
|
||||
name);
|
||||
- prfd = pwfd = comm_open(SOCK_STREAM,
|
||||
+ prfd = pwfd = comm_open_listener(SOCK_STREAM,
|
||||
0, /* protocol */
|
||||
local_addr,
|
||||
0, /* blocking */
|
||||
diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
|
||||
index 58f85e4..5381ab2 100644
|
||||
--- a/src/tests/stub_comm.cc
|
||||
+++ b/src/tests/stub_comm.cc
|
||||
@@ -46,7 +46,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
|
||||
void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
|
||||
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
|
||||
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
|
||||
-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
|
||||
unsigned short comm_local_port(int fd) STUB_RETVAL(0)
|
||||
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1)
|
||||
void commCallCloseHandlers(int fd) STUB
|
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 4.15
|
||||
Release: 3%{?dist}.2
|
||||
Release: 10%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -22,6 +22,8 @@ Source98: perl-requires-squid.sh
|
||||
# Upstream patches
|
||||
|
||||
# Backported patches
|
||||
Patch101: squid-4.15-ip-bind-address-no-port.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2072988
|
||||
|
||||
# Local patches
|
||||
# Applying upstream patches first makes it less likely that local patches
|
||||
@ -36,6 +38,8 @@ Patch206: squid-4.11-active-ftp.patch
|
||||
Patch208: squid-4.11-convert-ipv4.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2006121
|
||||
Patch209: squid-4.15-ftp-filename-extraction.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2076717
|
||||
Patch210: squid-4.15-halfclosed.patch
|
||||
|
||||
# Security fixes
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
|
||||
@ -44,6 +48,28 @@ Patch300: squid-4.15-CVE-2021-28116.patch
|
||||
Patch301: squid-4.15-CVE-2021-46784.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
|
||||
Patch302: squid-4.15-CVE-2022-41318.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2245910
|
||||
# +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270
|
||||
Patch303: squid-4.15-CVE-2023-46846.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2245916
|
||||
Patch304: squid-4.15-CVE-2023-46847.patch
|
||||
# https://issues.redhat.com/browse/RHEL-14792
|
||||
Patch305: squid-4.15-CVE-2023-5824.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2248521
|
||||
Patch306: squid-4.15-CVE-2023-46728.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2247567
|
||||
Patch307: squid-4.15-CVE-2023-46724.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2252926
|
||||
Patch308: squid-4.15-CVE-2023-49285.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2252923
|
||||
Patch309: squid-4.15-CVE-2023-49286.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2254663
|
||||
Patch310: squid-4.15-CVE-2023-50269.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2264309
|
||||
Patch311: squid-4.15-CVE-2024-25617.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2268366
|
||||
Patch312: squid-4.15-CVE-2024-25111.patch
|
||||
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
@ -94,6 +120,7 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
# Upstream patches
|
||||
|
||||
# Backported patches
|
||||
%patch101 -p1 -b .ip-bind-address-no-port
|
||||
|
||||
# Local patches
|
||||
%patch201 -p1 -b .config
|
||||
@ -104,11 +131,23 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
%patch206 -p1 -b .active-ftp
|
||||
%patch208 -p1 -b .convert-ipv4
|
||||
%patch209 -p1 -b .ftp-fn-extraction
|
||||
%patch210 -p1 -b .halfclosed
|
||||
|
||||
# Security patches
|
||||
%patch300 -p1 -b .CVE-2021-28116
|
||||
%patch301 -p1 -b .CVE-2021-46784
|
||||
%patch302 -p1 -b .CVE-2022-41318
|
||||
%patch303 -p1 -b .CVE-2023-46846
|
||||
%patch304 -p1 -b .CVE-2023-46847
|
||||
%patch305 -p1 -b .CVE-2023-5824
|
||||
%patch306 -p1 -b .CVE-2023-46728
|
||||
%patch307 -p1 -b .CVE-2023-46724
|
||||
%patch308 -p1 -b .CVE-2023-49285
|
||||
%patch309 -p1 -b .CVE-2023-49286
|
||||
%patch310 -p1 -b .CVE-2023-50269
|
||||
%patch311 -p1 -b .CVE-2024-25617
|
||||
%patch312 -p1 -b .CVE-2024-25111
|
||||
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
@ -325,12 +364,46 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3.2
|
||||
- Resolves: #2130258 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
|
||||
* Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10
|
||||
- Resolves: RHEL-28529 - squid:4/squid: Denial of Service in HTTP Chunked
|
||||
Decoding (CVE-2024-25111)
|
||||
- Resolves: RHEL-26088 - squid:4/squid: denial of service in HTTP header
|
||||
parser (CVE-2024-25617)
|
||||
|
||||
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
|
||||
- Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request
|
||||
parsing (CVE-2023-50269)
|
||||
|
||||
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
|
||||
- Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
|
||||
processing feature (CVE-2023-49285)
|
||||
- Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return
|
||||
Value In Helper Process management (CVE-2023-49286)
|
||||
- Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate
|
||||
validation (CVE-2023-46724)
|
||||
- Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher
|
||||
protocol code (CVE-2023-46728)
|
||||
- Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists
|
||||
- Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching
|
||||
(CVE-2023-5824)
|
||||
- Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest
|
||||
Authentication (CVE-2023-46847)
|
||||
- Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1
|
||||
and ICAP (CVE-2023-46846)
|
||||
|
||||
* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
|
||||
- Resolves: #2076717 - Crash with half_closed_client on
|
||||
|
||||
* Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
|
||||
- Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
|
||||
flag to sockets created for outgoing connections in the squid source code.
|
||||
|
||||
* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-5
|
||||
- Resolves: #2130260 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
|
||||
authentication
|
||||
|
||||
* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3.1
|
||||
- Resolves: #2100782 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
|
||||
* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-4
|
||||
- Resolves: #2100783 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
|
||||
server responses
|
||||
|
||||
* Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3
|
||||
|
Loading…
Reference in New Issue
Block a user