diff --git a/SOURCES/squid-3.3.8-fd-leaks.patch b/SOURCES/squid-3.3.8-fd-leaks.patch
new file mode 100644
index 0000000..dc28954
--- /dev/null
+++ b/SOURCES/squid-3.3.8-fd-leaks.patch
@@ -0,0 +1,92 @@ +diff -Naurp squid-3.3.8.orig/src/ipc/TypedMsgHdr.cc squid-3.3.8/src/ipc/TypedMsgHdr.cc +--- squid-3.3.8.orig/src/ipc/TypedMsgHdr.cc 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/ipc/TypedMsgHdr.cc 2015-04-20 14:28:32.971000390 +0200 +@@ -167,10 +167,20 @@ Ipc::TypedMsgHdr::putRaw(const void *raw + } + } + ++bool ++Ipc::TypedMsgHdr::hasFd() const ++{ ++ struct cmsghdr *cmsg = CMSG_FIRSTHDR(this); ++ return cmsg && ++ cmsg->cmsg_level == SOL_SOCKET && ++ cmsg->cmsg_type == SCM_RIGHTS; ++} ++ + void + Ipc::TypedMsgHdr::putFd(int fd) + { + Must(fd >= 0); ++ Must(!hasFd()); + allocControl(); + + const int fdCount = 1; +@@ -183,12 +193,15 @@ Ipc::TypedMsgHdr::putFd(int fd) + int *fdStore = reinterpret_cast(CMSG_DATA(cmsg)); + memcpy(fdStore, &fd, fdCount * sizeof(int)); + msg_controllen = cmsg->cmsg_len; ++ ++ Must(hasFd()); + } + + int + Ipc::TypedMsgHdr::getFd() const + { + Must(msg_control && msg_controllen); ++ Must(hasFd()); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(this); + Must(cmsg->cmsg_level == SOL_SOCKET); +diff -Naurp squid-3.3.8.orig/src/ipc/TypedMsgHdr.h squid-3.3.8/src/ipc/TypedMsgHdr.h +--- squid-3.3.8.orig/src/ipc/TypedMsgHdr.h 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/ipc/TypedMsgHdr.h 2015-04-20 14:12:57.509303004 +0200 +@@ -59,8 +59,8 @@ public: + + /* access to a "file" descriptor that can be passed between processes */ + void putFd(int aFd); ///< stores descriptor +- int getFd() const; ///< returns descriptor +- ++ int getFd() const; ///< returns stored descriptor ++ bool hasFd() const; ///< whether the message has a descriptor stored + /* raw, type-independent access for I/O */ + void prepForReading(); ///< reset and provide all buffers + char *raw() { return reinterpret_cast(this); } +diff -Naurp squid-3.3.8.orig/src/snmp/Inquirer.cc squid-3.3.8/src/snmp/Inquirer.cc +--- squid-3.3.8.orig/src/snmp/Inquirer.cc 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/snmp/Inquirer.cc 2015-04-20 
14:15:12.324970907 +0200 +@@ -28,6 +28,10 @@ Snmp::Inquirer::Inquirer(const Request& + closer = asyncCall(49, 5, "Snmp::Inquirer::noteCommClosed", + CommCbMemFunT(this, &Inquirer::noteCommClosed)); + comm_add_close_handler(conn->fd, closer); ++ ++ // forget client FD to avoid sending it to strands that may forget to close ++ if (Request *snmpRequest = dynamic_cast(request.getRaw())) ++ snmpRequest->fd = -1; + } + + /// closes our copy of the client connection socket +diff -Naurp squid-3.3.8.orig/src/snmp/Request.cc squid-3.3.8/src/snmp/Request.cc +--- squid-3.3.8.orig/src/snmp/Request.cc 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/snmp/Request.cc 2015-04-20 14:21:16.676074181 +0200 +@@ -33,7 +33,8 @@ Snmp::Request::Request(const Ipc::TypedM + session.unpack(msg); + msg.getPod(address); + +- fd = msg.getFd(); ++ // Requests from strands have FDs. Requests from Coordinator do not. ++ fd = msg.hasFd() ? msg.getFd() : -1; + } + + void +@@ -46,7 +47,9 @@ Snmp::Request::pack(Ipc::TypedMsgHdr& ms + session.pack(msg); + msg.putPod(address); + +- msg.putFd(fd); ++ // Requests sent to Coordinator have FDs. Requests sent to strands do not. ++ if (fd >= 0) ++ msg.putFd(fd); + } + + Ipc::Request::Pointer diff --git a/SOURCES/squid-3.3.8-incorrect-cert.patch b/SOURCES/squid-3.3.8-incorrect-cert.patch new file mode 100644 index 0000000..76dfc9f --- /dev/null +++ b/SOURCES/squid-3.3.8-incorrect-cert.patch 
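Review bot: `hasFd()` accepts any leading SCM_RIGHTS header without checking its length, so a control message whose `cmsg_len` is shorter than `CMSG_LEN(sizeof(int))` still satisfies the new `Must(hasFd())` and `getFd()` then reads the descriptor from `CMSG_DATA(cmsg)` beyond the received control data, unless the part of `getFd()` outside the hunk already checks `cmsg_len`. Make the predicate complete: `return cmsg && cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS && cmsg->cmsg_len >= CMSG_LEN(sizeof(int));`. The reset `snmpRequest->fd = -1` in `Snmp::Inquirer` is only leak-free because `comm_add_close_handler(conn->fd, closer)` on the preceding line has already taken responsibility for closing that descriptor; a comment stating that ordering dependency would keep a later refactor from swapping the two. The listing shows `reinterpret_cast(CMSG_DATA(cmsg))` and `dynamic_cast(request.getRaw())` without template arguments, which looks like `<int*>`/`<Request*>` lost in page extraction rather than in the patch.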
@@ -0,0 +1,17 @@ +--- a/src/ssl/support.cc ++++ b/src/ssl/support.cc +@@ -208,7 +208,13 @@ static int check_domain( void *check_data, ASN1_STRING *cn_data) + if (cn_data->length > (int)sizeof(cn) - 1) { + return 1; //if does not fit our buffer just ignore + } +- memcpy(cn, cn_data->data, cn_data->length); ++ char *s = reinterpret_cast(cn_data->data); ++ char *d = cn; ++ for (int i = 0; i < cn_data->length; ++i, ++d, ++s){ ++ if (*s == '\0') ++ return 1; // always a domain mismatch. contains 0x00 ++ *d = *s; ++ } + cn[cn_data->length] = '\0'; + debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); + return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn); diff --git a/SOURCES/squid-3.3.8-incorrect-ssl.patch b/SOURCES/squid-3.3.8-incorrect-ssl.patch new file mode 100644 index 0000000..0fe4463 --- /dev/null +++ b/SOURCES/squid-3.3.8-incorrect-ssl.patch 
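Review bot: The new NUL check is correct but the comment `// always a domain mismatch. contains 0x00` does not say what it defends against, so a later "simplification" back to a plain `memcpy` would silently reintroduce the bug. Suggest `// reject embedded NUL: the copy becomes a C string, so "good.example\0evil.example" would otherwise match good.example` (this is the CVE-2015-3455 fix the changelog attributes to this patch). The byte loop can stay a single `memcpy` with the check in front: `if (memchr(cn_data->data, '\0', cn_data->length)) return 1;`. Both the too-long case and the NUL case `return 1`, so the caller presumably sees "skipped" and "mismatch" alike; if that is intentional, say so in the comment. `check_domain` begins outside the hunk.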
@@ -0,0 +1,39 @@ +diff -Naurp squid-3.3.8.orig/src/client_side.cc squid-3.3.8/src/client_side.cc +--- squid-3.3.8.orig/src/client_side.cc 2015-03-26 12:46:28.000000000 +0100 ++++ squid-3.3.8/src/client_side.cc 2015-03-26 11:11:17.000000000 +0100 +@@ -3859,8 +3859,18 @@ ConnStateData::getSslContextDone(SSL_CTX + // Try to add generated ssl context to storage. + if (port->generateHostCertificates && isNew) { + +- if (signAlgorithm == Ssl::algSignTrusted) ++ if (signAlgorithm == Ssl::algSignTrusted) { ++ // Add signing certificate to the certificates chain ++ X509 *cert = port->signingCert.get(); ++ if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) { ++ // increase the certificate lock ++ CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509); ++ } else { ++ const int ssl_error = ERR_get_error(); ++ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL)); ++ } + Ssl::addChainToSslContext(sslContext, port->certsToChain.get()); ++ } + //else it is self-signed or untrusted do not attrach any certificate + + Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s)); +diff -Naurp squid-3.3.8.orig/src/ssl/support.cc squid-3.3.8/src/ssl/support.cc +--- squid-3.3.8.orig/src/ssl/support.cc 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/ssl/support.cc 2015-03-26 12:44:15.104570937 +0100 +@@ -1488,11 +1488,7 @@ static X509 * readSslX509CertificatesCha + if (X509_check_issued(certificate, certificate) == X509_V_OK) + debugs(83, 5, "Certificate is self-signed, will not be chained"); + else { +- if (sk_X509_push(chain, certificate)) +- CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509); +- else +- debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain"); +- // and add to the chain any certificate loaded from the file ++ // and add to the chain any other certificate exist in the file + while (X509 *ca = 
PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) { + if (!sk_X509_push(chain, ca)) + debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain"); diff --git a/SOURCES/squid-3.3.8-le-looping.patch b/SOURCES/squid-3.3.8-le-looping.patch new file mode 100644 index 0000000..c7eeb96 --- /dev/null +++ b/SOURCES/squid-3.3.8-le-looping.patch @@ -0,0 +1,12 @@ +=== modified file 'lib/base64.c' +--- lib/base64.c 2015-01-13 09:13:49 +0000 ++++ lib/base64.c 2015-09-21 11:43:00 +0000 +@@ -149,7 +149,7 @@ + int char_count = 0; + int out_cnt = 0; + +- if (!data || !*data || !result || result_size < 1 || data_size < 1) ++ if (!data || !result || result_size < 1 || data_size < 1) + return 0; + + if (!base64_initialized) diff --git a/SOURCES/squid-3.3.8-segfault-reboot.patch b/SOURCES/squid-3.3.8-segfault-reboot.patch new file mode 100644 index 0000000..8ca47bf --- /dev/null +++ b/SOURCES/squid-3.3.8-segfault-reboot.patch @@ -0,0 +1,11 @@ +--- a/src/comm.cc ++++ b/src/comm.cc +@@ -2001,7 +2001,7 @@ DeferredReadManager::popHead(CbDataListContainer &deferredReads) + // amount of time. We must re-validate that it is active and usable. + + // If the connection has been closed already. Cancel this read. +- if (!Comm::IsConnOpen(read.theRead.conn)) { ++ if (!fd_table || !Comm::IsConnOpen(read.theRead.conn)) { + if (read.closer != NULL) { + read.closer->cancel("Connection closed before."); + read.closer = NULL; diff --git a/SOURCES/squid-3.3.8-vary-headers.patch b/SOURCES/squid-3.3.8-vary-headers.patch new file mode 100644 index 0000000..fdada52 --- /dev/null +++ b/SOURCES/squid-3.3.8-vary-headers.patch 
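Review bot: `// increase the certificate lock` misdescribes the `CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509)` that follows a successful `SSL_CTX_add_extra_chain_cert()`: that call takes ownership of the X509 without taking a reference, so the increment is what keeps `port->signingCert`'s own reference valid after the context frees its chain. Replace it with `// SSL_CTX_add_extra_chain_cert() takes ownership without up-ref'ing; add a reference so port->signingCert is not freed with the context`. Touching `cert->references` directly only compiles against OpenSSL < 1.1.0 (`X509_up_ref()` is the portable form), which is worth a note since this is a distro backport. If `port->signingCert` can be unset while `signAlgorithm == Ssl::algSignTrusted`, `cert` is NULL here and is handed to OpenSSL unchecked; `getSslContextDone` starts outside the hunk, so confirm that invariant there. The support.cc hunk correctly stops pushing the signing certificate into the file-derived chain now that it is added per context.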
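Review bot: Removing `!*data` from the guard is the right fix for a length-delimited decoder, but nothing left in the code says why a leading 0x00 byte must be accepted, so the check is easy to put back. Add `/* input is delimited by data_size, not NUL-terminated: a leading 0x00 byte is valid data */` above the `if`. The decode loop that has to honour `data_size` rather than scan for a terminator is outside the hunk; the fix is only complete if it does.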
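Review bot: The added `!fd_table ||` guard fixes only this caller; if the shutdown crash is `Comm::IsConnOpen()` (or the `Comm::Connection` it inspects) dereferencing the freed `fd_table`, every other late caller of `IsConnOpen()` is still exposed, and the null check belongs inside `IsConnOpen()` or the deferred reads should be drained before `fd_table` is released. At least record the situation here: `// fd_table is already released during shutdown; treat every deferred read as closed then`. `DeferredReadManager::popHead` continues outside the hunk, so the cancel path after this point is not reviewed.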
@@ -0,0 +1,63 @@ +diff -Naurp squid-3.3.8.orig/src/client_side_reply.cc squid-3.3.8/src/client_side_reply.cc +--- squid-3.3.8.orig/src/client_side_reply.cc 2015-04-22 13:38:31.000000000 +0200 ++++ squid-3.3.8/src/client_side_reply.cc 2015-04-22 13:42:29.332950760 +0200 +@@ -506,6 +506,7 @@ clientReplyContext::cacheHit(StoreIOBuff + + if (strcmp(e->mem_obj->url, urlCanonical(r)) != 0) { + debugs(33, DBG_IMPORTANT, "clientProcessHit: URL mismatch, '" << e->mem_obj->url << "' != '" << urlCanonical(r) << "'"); ++ http->logType = LOG_TCP_MISS; // we lack a more precise LOG_*_MISS code + processMiss(); + return; + } +@@ -537,6 +538,7 @@ clientReplyContext::cacheHit(StoreIOBuff + case VARY_CANCEL: + /* varyEvaluateMatch found a object loop. Process as miss */ + debugs(88, DBG_IMPORTANT, "clientProcessHit: Vary object loop!"); ++ http->logType = LOG_TCP_MISS; // we lack a more precise LOG_*_MISS code + processMiss(); + return; + } +diff -Naurp squid-3.3.8.orig/src/MemStore.cc squid-3.3.8/src/MemStore.cc +--- squid-3.3.8.orig/src/MemStore.cc 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/MemStore.cc 2015-04-22 13:25:35.879901955 +0200 +@@ -310,6 +310,12 @@ MemStore::considerKeeping(StoreEntry &e) + return; + } + ++ if (e.mem_obj->vary_headers) { ++ // XXX: We must store/load SerialisedMetaData to cache Vary in RAM ++ debugs(20, 5, "Vary not yet supported: " << e.mem_obj->vary_headers); ++ return; ++ } ++ + keep(e); // may still fail + } + +diff -Naurp squid-3.3.8.orig/src/store.cc squid-3.3.8/src/store.cc +--- squid-3.3.8.orig/src/store.cc 2013-07-13 15:25:14.000000000 +0200 ++++ squid-3.3.8/src/store.cc 2015-04-22 13:43:44.675657018 +0200 +@@ -761,7 +761,7 @@ StoreEntry::setPublicKey() + StoreEntry *pe = storeCreateEntry(mem_obj->url, mem_obj->log_url, request->flags, request->method); + /* We are allowed to do this typecast */ + HttpReply *rep = new HttpReply; +- rep->setHeaders(HTTP_OK, "Internal marker object", "x-squid-internal/vary", -1, -1, squid_curtime + 
100000); ++ rep->setHeaders(HTTP_OK, "Internal marker object", "x-squid-internal/vary", 0, -1, squid_curtime + 100000); + vary = mem_obj->getReply()->header.getList(HDR_VARY); + + if (vary.size()) { +@@ -780,12 +780,13 @@ StoreEntry::setPublicKey() + } + + #endif +- pe->replaceHttpReply(rep); +- ++ pe->replaceHttpReply(rep, false); // no write until key is public + pe->timestampsSet(); + + pe->makePublic(); + ++ pe->startWriting(); // after makePublic() ++ + pe->complete(); + + pe->unlock(); diff --git a/SOURCES/squid.xml b/SOURCES/squid.xml new file mode 100644 index 0000000..781e11c --- /dev/null +++ b/SOURCES/squid.xml @@ -0,0 +1,6 @@ + + + Squid + Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. + + diff --git a/SPECS/squid.spec b/SPECS/squid.spec index cad4b2d..0b16931 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -4,7 +4,7 @@ Name: squid Version: 3.3.8 -Release: 12%{?dist} +Release: 26%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -20,6 +20,7 @@ Source5: squid.pam Source6: squid.nm Source7: squid.service Source8: cache_swap.sh +Source9: squid.xml Source98: perl-requires-squid.sh ## Source99: filter-requires-squid.sh @@ -27,7 +28,7 @@ Source98: perl-requires-squid.sh #Patch001: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11480.patch # Backported patches -#Patch101: squid-3.2-mem_node.patch +# Patch211: squid-3.3.8-incorrect-ssl.patch # Local patches # Applying upstream patches first makes it less likely that local patches 
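Review bot: The store.cc comments `// no write until key is public` and `// after makePublic()` state the new ordering of `replaceHttpReply(rep, false)`, `makePublic()` and `startWriting()` but not the reason, which is the part a later maintainer needs; presumably starting the write while the marker entry still carries its private key would persist it under a key the Vary lookup by public key never finds. Suggest `// start writing only after makePublic(): written under the private key, the marker is never found by the public-key Vary lookup (TODO confirm against store internals)`. The content length change from `-1` to `0` on the marker reply is also unexplained; `// marker object has no body` would do. In MemStore the new `e.mem_obj->vary_headers` test dereferences `mem_obj`, which is safe only if the lines above the hunk already reject a null `mem_obj` — outside view.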
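Review bot: The new `# Patch211: squid-3.3.8-incorrect-ssl.patch` under `# Backported patches` contradicts the active `Patch211:` definition and `%patch211` application later in the same spec, and the 3.3.8-26 changelog entry says a patch was removed for #1186768 without naming it, so a reader cannot tell which patch was pulled. Replace the commented line with a note that names it, e.g. `# Digest nonce replay fix for #1186768 dropped in 3.3.8-26 (no tests, patch incorrect); issue remains open`. Since the 3.3.8-20 entry records that security issue as "Resolves", the spec should make it visible that the built package no longer carries that fix.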
@@ -45,6 +46,12 @@ Patch208: squid-3.3.8-active-ftp-2.patch # http://www.squid-cache.org/Advisories/SQUID-2014_1.txt Patch209: squid-3.3-12677.patch Patch210: squid-3.3.13-dos.patch +Patch211: squid-3.3.8-incorrect-ssl.patch +Patch212: squid-3.3.8-fd-leaks.patch +Patch213: squid-3.3.8-vary-headers.patch +Patch214: squid-3.3.8-incorrect-cert.patch +Patch215: squid-3.3.8-segfault-reboot.patch +Patch216: squid-3.3.8-le-looping.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: bash >= 2.0 @@ -101,7 +108,7 @@ The squid-sysvinit contains SysV initscritps support. %setup -q # Upstream patches -#patch001 -p0 +#%patch001 -p1 -b # Backported patches #patch101 -p1 -b .mem_node @@ -117,6 +124,12 @@ The squid-sysvinit contains SysV initscritps support. %patch208 -p1 -b .active-ftp-2 %patch209 -p0 %patch210 -p0 +%patch211 -p1 -b .incorrect-ssl +%patch212 -p1 -b .fd-leaks +%patch213 -p1 -b .vary-headers +%patch214 -p1 -b .incorrect-cert +%patch215 -p1 -b .segfault-reboot +%patch216 -p0 -b .le-looping %build %ifarch sparcv9 sparc64 s390 s390x @@ -132,7 +145,7 @@ LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now" --disable-strict-error-checking \ --exec_prefix=/usr \ --libexecdir=%{_libdir}/squid \ - --localstatedir=/var \ + --localstatedir=%{_var} \ --datadir=%{_datadir}/squid \ --sysconfdir=%{_sysconfdir}/squid \ --with-logdir='$(localstatedir)/log/squid' \ @@ -206,6 +219,8 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT%{_unitdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid +mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services + install -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/squid install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid 
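Review bot: `mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services` prepares a directory that the following hunk populates with `%{SOURCE9}`, yet no `%files` entry for `%{_prefix}/lib/firewalld/services/squid.xml` and no `Requires: firewalld-filesystem` (the package that owns that directory) appear anywhere in this diff. Without the former the build fails on an unpackaged file; without the latter the directory is orphaned on systems without firewalld. Both may sit in hunks outside this view; if they do not, add them next to the `Source9:` line and in `%files`.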
@@ -214,12 +229,22 @@ install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_unitdir} install -m 755 %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/squid install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid -mkdir -p $RPM_BUILD_ROOT/var/log/squid -mkdir -p $RPM_BUILD_ROOT/var/spool/squid +install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services +mkdir -p $RPM_BUILD_ROOT%{_var}/log/squid +mkdir -p $RPM_BUILD_ROOT%{_var}/spool/squid +mkdir -p $RPM_BUILD_ROOT%{_var}/run/squid chmod 644 contrib/url-normalizer.pl contrib/rredir.* contrib/user-agents.pl iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp mv -f ChangeLog.tmp ChangeLog +# install /usr/lib/tmpfiles.d/squid.conf +mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} +cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf </dev/null 2>&1 || : %changelog +* Wed Oct 14 2015 Luboš Uhliarik - 7:3.3.8-26 +- Related: #1186768 - removing patch, because of missing tests and + incorrent patch + +* Tue Oct 13 2015 Luboš Uhliarik - 7:3.3.8-25 +- Related: #1102842 - squid rpm package misses /var/run/squid needed for + smp mode. Squid needs write access to /var/run/squid. + +* Fri Oct 09 2015 Luboš Uhliarik - 7:3.3.8-24 +- Related: #1102842 - squid rpm package misses /var/run/squid needed for + smp mode. Creation of /var/run/squid was also needed to be in SPEC file. + +* Tue Oct 06 2015 Luboš Uhliarik - 7:3.3.8-23 +- Related: #1102842 - squid rpm package misses /var/run/squid needed for + smp mode. Creation of this directory was moved to tmpfiles.d conf file. + +* Fri Oct 02 2015 Luboš Uhliarik - 7:3.3.8-22 +- Related: #1102842 - squid rpm package misses /var/run/squid needed for + smp mode. Creation of this directory was moved to service file. 
+ +* Tue Sep 22 2015 Luboš Uhliarik - 7:3.3.8-21 +- Resolves: #1263338 - squid with digest auth on big endian systems + start looping + +* Mon Aug 10 2015 Luboš Uhliarik - 7:3.3.8-20 +- Resolves: #1186768 - security issue: Nonce replay vulnerability + in Digest authentication + +* Tue Jul 14 2015 Luboš Uhliarik - 7:3.3.8-19 +- Resolves: #1225640 - squid crashes by segfault when it reboots + +* Thu Jun 25 2015 Luboš Uhliarik - 7:3.3.8-18 +- Resolves: #1102842 - squid rpm package misses /var/run/squid needed for + smp mode + +* Wed Jun 24 2015 Luboš Uhliarik - 7:3.3.8-17 +- Resolves: #1233265 - CVE-2015-3455 squid: incorrect X509 server + certificate validation + +* Fri Jun 19 2015 Luboš Uhliarik - 7:3.3.8-16 +- Resolves: #1080042 - Supply a firewalld service file with squid + +* Wed Jun 17 2015 Luboš Uhliarik - 7:3.3.8-15 +- Resolves: #1161600 - Squid does not serve cached responses + with Vary headers + +* Wed Jun 17 2015 Luboš Uhliarik - 7:3.3.8-14 +- Resolves: #1198778 - Filedescriptor leaks on snmp + +* Wed Jun 17 2015 Luboš Uhliarik - 7:3.3.8-13 +- Resolves: #1204375 - squid sends incorrect ssl chain breaking newer gnutls + using applications + * Fri Aug 29 2014 Michal Luscon - 7:3.3.8-12 -- Resolves: #1134933 - CVE-2014-3609 assertion failure in header processing +- Resolves: #1134934 - CVE-2014-3609 assertion failure in header processing * Mon Mar 17 2014 Pavel Šimerda - 7:3.3.8-11 - Resolves: #1074873 - CVE-2014-0128 squid: denial of service when using