diff --git a/SOURCES/squid-4.4.0-CVE-2019-13345.patch b/SOURCES/squid-4.4.0-CVE-2019-13345.patch
new file mode 100644
index 0000000..9a5754e
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-13345.patch
@@ -0,0 +1,64 @@
+diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc
+index 0c745c2..8a67eba 100644
+--- a/tools/cachemgr.cc
++++ b/tools/cachemgr.cc
+@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name)
+
+ printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
+
+- printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
++ printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
+
+ printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
+
+@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const char *action)
+ script_name,
+ req->hostname,
+ req->port,
+- safe_str(req->user_name),
++ rfc1738_escape(safe_str(req->user_name)),
+ action,
+ safe_str(req->pub_auth));
+ return url;
+@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
+ const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
+ req->hostname,
+ (int) now,
+- req->user_name ? req->user_name : "",
+- req->passwd);
++ rfc1738_escape(safe_str(req->user_name)),
++ rfc1738_escape(req->passwd));
+ debug("cmgr: pre-encoded for pub: %s\n", buf);
+
+ const int encodedLen = base64_encode_len(bufLen);
+@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req)
+ char *buf;
+ const char *host_name;
+ const char *time_str;
+- const char *user_name;
+- const char *passwd;
+
+ debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
+ safe_free(req->passwd);
+@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
+
+ debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
+
++ char *user_name;
+ if ((user_name = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
+ return;
+ }
++ rfc1738_unescape(user_name);
+
+ debug("cmgr: decoded uname: '%s'\n", user_name);
+
++ char *passwd;
+ if ((passwd = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
+ return;
+ }
++ rfc1738_unescape(passwd);
+
+ debug("cmgr: decoded passwd: '%s'\n", passwd);
+
diff --git a/SOURCES/squid-4.4.0-lower-cachepeer.patch b/SOURCES/squid-4.4.0-lower-cachepeer.patch
new file mode 100644
index 0000000..42bc2aa
--- /dev/null
+++ b/SOURCES/squid-4.4.0-lower-cachepeer.patch
@@ -0,0 +1,12 @@
+diff --git a/src/cache_cf.cc b/src/cache_cf.cc
+index 9165ef99c..32a3df322 100644
+--- a/src/cache_cf.cc
++++ b/src/cache_cf.cc
+@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head)
+
+ CachePeer *p = new CachePeer;
+ p->host = xstrdup(host_str);
++ Tolower(p->host);
+ p->name = xstrdup(host_str);
+ p->type = parseNeighborType(token);
+
diff --git a/SOURCES/squid.service b/SOURCES/squid.service
index da1c0ea..f49d7db 100644
--- a/SOURCES/squid.service
+++ b/SOURCES/squid.service
@@ -1,6 +1,7 @@
[Unit]
Description=Squid caching proxy
-After=network.target nss-lookup.target
+Documentation=man:squid(8)
+After=network.target network-online.target nss-lookup.target
[Service]
Type=forking
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index f2aeafc..81f9470 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -2,7 +2,7 @@
Name: squid
Version: 4.4
-Release: 5%{?dist}
+Release: 8%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -35,10 +35,14 @@ Patch205: squid-4.0.21-large-acl.patch
Patch206: squid-4.4.0-active-ftp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1612524
Patch207: squid-4.4.0-man-pages.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1691741
+Patch208: squid-4.4.0-lower-cachepeer.patch
-# security fixes
-# https://bugzilla.redhat.com/show_bug.cgi?id=1744672
-Patch500: squid-4.4.0-CVE-2019-12527.patch
+# Security fixes
+# https://bugzilla.redhat.com/show_bug.cgi?id=1729436
+Patch500: squid-4.4.0-CVE-2019-13345.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1738485
+Patch501: squid-4.4.0-CVE-2019-12527.patch
Requires: bash >= 2.0
Requires(pre): shadow-utils
@@ -96,24 +100,23 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch205 -p1 -b .large_acl
%patch206 -p1 -b .active-ftp
%patch207 -p1 -b .man-pages
+%patch208 -p1 -b .lower-cachepeer
-%patch500 -p1 -b .CVE-2019-12527
+%patch500 -p1 -b .CVE-2019-13345
+%patch501 -p1 -b .CVE-2019-12527
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
+# Patch in the vendor documentation and used different location for documentation
+sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in
%build
# cppunit-config patch changes configure.ac
autoconf
-# libtool fails somewhat on -fpie. PIC also works for -pie
-CXXFLAGS="$RPM_OPT_FLAGS -fPIC"
-CFLAGS="$RPM_OPT_FLAGS -fPIC"
-LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel"
-
# NIS helper has been removed because of the following bug
# https://bugzilla.redhat.com/show_bug.cgi?id=1531540
%configure \
- --exec_prefix=%{_prefix} \
--libexecdir=%{_libdir}/squid \
- --localstatedir=%{_localstatedir} \
--datadir=%{_datadir}/squid \
--sysconfdir=%{_sysconfdir}/squid \
--with-logdir='%{_localstatedir}/log/squid' \
@@ -153,20 +156,17 @@ LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel"
--with-openssl \
--with-pthreads \
--disable-arch-native \
- --with-pic \
- --disable-security-cert-validators
+ --disable-security-cert-validators \
+ --with-swapdir=%{_localstatedir}/spool/squid
-make \
- DEFAULT_SWAP_DIR=%{_localstatedir}/spool/squid \
- %{?_smp_mflags}
+%make_build
%check
make check
%install
-make \
- DESTDIR=$RPM_BUILD_ROOT \
- install
+%make_install
+
echo "
#
# This is %{_sysconfdir}/httpd/conf.d/squid.conf
@@ -283,6 +283,25 @@ done
exit 0
+%pretrans -p <lua>
+-- Due to a bug #447156
+paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"}
+for key,path in ipairs(paths)
+do
+ st = posix.stat(path)
+ if st and st.type == "directory" then
+ status = os.rename(path, path .. ".rpmmoved")
+ if not status then
+ suffix = 0
+ while not status do
+ suffix = suffix + 1
+ status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
+ end
+ os.rename(path, path .. ".rpmmoved")
+ end
+ end
+end
+
%post
%systemd_post squid.service
@@ -301,10 +320,23 @@ fi
%changelog
-* Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-5
-- Resolves: #1744672 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
+* Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8
+- Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
in HttpHeader::getAuth
+* Wed Jul 31 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-7
+- Resolves: #1729436 - CVE-2019-13345 squid: XSS via user_name or auth parameter
+ in cachemgr.cgi
+
+* Fri Jun 21 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-6
+- Resolves: #1679526 - Missing detailed configuration file
+- Resolves: #1703117 - RHEL 7 to 8 fails with squid installed because dirs
+ changed to symlinks
+- Resolves: #1691741 - Squid cache_peer DNS lookup failed when not all lower
+ case
+- Resolves: #1683527 - "Reloading" message on a fresh reboot after enabling
+ squid
+
* Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-4
- Resolves: #1612524 - Man page scan results for squid