diff --git a/SOURCES/squid-3.3-12677.patch b/SOURCES/squid-3.3-12677.patch
new file mode 100644
index 0000000..5707e42
--- /dev/null
+++ b/SOURCES/squid-3.3-12677.patch
@@ -0,0 +1,200 @@
+------------------------------------------------------------
+revno: 12677
+revision-id: squid3@treenet.co.nz-20140309023519-t6wmqou7m816tgnl
+parent: squid3@treenet.co.nz-20140309021524-wtxyrfoagz95ezwp
+author: Alex Rousskov <rousskov@measurement-factory.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.3
+timestamp: Sat 2014-03-08 19:35:19 -0700
+message:
+ Avoid assertions on Range requests that trigger Squid-generated errors.
+
+ Added HttpRequest::ignoreRange() to encapsulate range ignoring logic.
+ Currently the new method only contains the code common among all callers. More
+ work is needed to check whether further caller homogenization is possible.
+
+ Documented that ClientSocketContext::getNextRangeOffset() may sometimes be
+ called before it is ready to do its job.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20140309023519-t6wmqou7m816tgnl
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
+# testament_sha1: 0e0335663a55b0dca989893fb98f81d8d9604572
+# timestamp: 2014-03-09 02:37:50 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
+# base_revision_id: squid3@treenet.co.nz-20140309021524-\
+# wtxyrfoagz95ezwp
+#
+# Begin patch
+=== modified file 'src/HttpRequest.cc'
+--- src/HttpRequest.cc 2013-09-11 01:03:45 +0000
++++ src/HttpRequest.cc 2014-03-09 02:35:19 +0000
+@@ -658,6 +658,20 @@
+ return rangeOffsetLimit;
+ }
+
++void
++HttpRequest::ignoreRange(const char *reason)
++{
++ if (range) {
++ debugs(73, 3, static_cast<void*>(range) << " for " << reason);
++ delete range;
++ range = NULL;
++ }
++ // Some callers also reset isRanged but it may not be safe for all callers:
++ // isRanged is used to determine whether a weak ETag comparison is allowed,
++ // and that check should not ignore the Range header if it was present.
++ // TODO: Some callers also delete HDR_RANGE, HDR_REQUEST_RANGE. Should we?
++}
++
+ bool
+ HttpRequest::canHandle1xx() const
+ {
+
+=== modified file 'src/HttpRequest.h'
+--- src/HttpRequest.h 2013-07-26 12:21:20 +0000
++++ src/HttpRequest.h 2014-03-09 02:35:19 +0000
+@@ -246,6 +246,8 @@
+ */
+ CbcPointer<ConnStateData> clientConnectionManager;
+
++ /// forgets about the cached Range header (for a reason)
++ void ignoreRange(const char *reason);
+ int64_t getRangeOffsetLimit(); /* the result of this function gets cached in rangeOffsetLimit */
+
+ private:
+
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc 2013-09-29 17:28:00 +0000
++++ src/client_side.cc 2014-03-09 02:35:19 +0000
+@@ -1281,9 +1281,7 @@
+ * offset data, but we won't be requesting it.
+ * So, we can either re-request, or generate an error
+ */
+- debugs(33, 3, "clientBuildRangeHeader: will not do ranges: " << range_err << ".");
+- delete http->request->range;
+- http->request->range = NULL;
++ http->request->ignoreRange(range_err);
+ } else {
+ /* XXX: TODO: Review, this unconditional set may be wrong. - TODO: review. */
+ httpStatusLineSet(&rep->sline, rep->sline.version,
+@@ -1662,9 +1660,16 @@
+ int64_t
+ ClientSocketContext::getNextRangeOffset() const
+ {
++ debugs (33, 5, "range: " << http->request->range <<
++ "; http offset " << http->out.offset <<
++ "; reply " << reply);
++
++ // XXX: This method is called from many places, including pullData() which
++ // may be called before prepareReply() [on some Squid-generated errors].
++ // Hence, we may not even know yet whether we should honor/do ranges.
++
+ if (http->request->range) {
+ /* offset in range specs does not count the prefix of an http msg */
+- debugs (33, 5, "ClientSocketContext::getNextRangeOffset: http offset " << http->out.offset);
+ /* check: reply was parsed and range iterator was initialized */
+ assert(http->range_iter.valid);
+ /* filter out data according to range specs */
+@@ -1701,7 +1706,7 @@
+ void
+ ClientSocketContext::pullData()
+ {
+- debugs(33, 5, HERE << clientConnection << " attempting to pull upstream data");
++ debugs(33, 5, reply << " written " << http->out.size << " into " << clientConnection);
+
+ /* More data will be coming from the stream. */
+ StoreIOBuffer readBuffer;
+@@ -2492,7 +2497,7 @@
+ clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
+ assert(repContext);
+ debugs(33, 5, "Responding with delated error for " << http->uri);
+- repContext->setReplyToStoreEntry(sslServerBump->entry);
++ repContext->setReplyToStoreEntry(sslServerBump->entry, "delayed SslBump error");
+
+ // save the original request for logging purposes
+ if (!context->http->al->request)
+
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc 2013-12-15 05:23:23 +0000
++++ src/client_side_reply.cc 2014-03-09 02:35:19 +0000
+@@ -134,13 +134,18 @@
+
+ http->al->http.code = errstate->httpStatus;
+
++ if (http->request)
++ http->request->ignoreRange("responding with a Squid-generated error");
++
+ createStoreEntry(method, RequestFlags());
+ assert(errstate->callback_data == NULL);
+ errorAppendEntry(http->storeEntry(), errstate);
+ /* Now the caller reads to get this */
+ }
+
+-void clientReplyContext::setReplyToStoreEntry(StoreEntry *entry)
++// Assumes that the entry contains an error response without Content-Range.
++// To use with regular entries, make HTTP Range header removal conditional.
++void clientReplyContext::setReplyToStoreEntry(StoreEntry *entry, const char *reason)
+ {
+ entry->lock(); // removeClientStoreReference() unlocks
+ sc = storeClientListAdd(entry, this);
+@@ -149,6 +154,8 @@
+ #endif
+ reqofs = 0;
+ reqsize = 0;
++ if (http->request)
++ http->request->ignoreRange(reason);
+ flags.storelogiccomplete = 1;
+ http->storeEntry(entry);
+ }
+
+=== modified file 'src/client_side_reply.h'
+--- src/client_side_reply.h 2012-09-10 12:49:35 +0000
++++ src/client_side_reply.h 2014-03-09 02:35:19 +0000
+@@ -73,7 +73,7 @@
+ int storeOKTransferDone() const;
+ int storeNotOKTransferDone() const;
+ /// replaces current response store entry with the given one
+- void setReplyToStoreEntry(StoreEntry *e);
++ void setReplyToStoreEntry(StoreEntry *e, const char *reason);
+ /// builds error using clientBuildError() and calls setReplyToError() below
+ void setReplyToError(err_type, http_status, const HttpRequestMethod&, char const *, Ip::Address &, HttpRequest *, const char *,
+ #if USE_AUTH
+
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc 2014-03-09 02:10:07 +0000
++++ src/client_side_request.cc 2014-03-09 02:35:19 +0000
+@@ -1131,8 +1131,7 @@
+ else {
+ req_hdr->delById(HDR_RANGE);
+ req_hdr->delById(HDR_REQUEST_RANGE);
+- delete request->range;
+- request->range = NULL;
++ request->ignoreRange("neither HEAD nor GET");
+ }
+
+ if (req_hdr->has(HDR_AUTHORIZATION))
+@@ -1664,7 +1663,7 @@
+ clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data;
+ clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
+ assert (repContext);
+- repContext->setReplyToStoreEntry(e);
++ repContext->setReplyToStoreEntry(e, "immediate SslBump error");
+ errorAppendEntry(e, calloutContext->error);
+ calloutContext->error = NULL;
+ if (calloutContext->readNextRequest)
+
+=== modified file 'src/http.cc'
+--- src/http.cc 2013-11-21 21:54:29 +0000
++++ src/http.cc 2014-03-09 02:35:19 +0000
+@@ -1736,8 +1736,7 @@
+ /* don't cache the result */
+ request->flags.cachable = 0;
+ /* pretend it's not a range request */
+- delete request->range;
+- request->range = NULL;
++ request->ignoreRange("want to request the whole object");
+ request->flags.isRanged=false;
+ }
+
+
diff --git a/SOURCES/squid-3.3.8-active-ftp-2.patch b/SOURCES/squid-3.3.8-active-ftp-2.patch
new file mode 100644
index 0000000..268c7f6
--- /dev/null
+++ b/SOURCES/squid-3.3.8-active-ftp-2.patch
@@ -0,0 +1,65 @@
+--- ./src/ftp.cc 2013-07-13 15:22:32.000000000 +0200
++++ ./src/ftp.cc 2013-12-21 15:39:23.015056228 +0100
+@@ -2816,6 +2816,7 @@
+ }
+
+ ftpState->listenForDataChannel(temp, ftpState->entry->url());
++ ftpState->data.listenConn = temp;
+ }
+
+ /// \ingroup ServerProtocolFTPInternal
+@@ -2851,14 +2852,19 @@
+
+ // pull out the internal IP address bytes to send in PORT command...
+ // source them from the listen_conn->local
+-
++ struct sockaddr_in addr;
++ socklen_t addrlen = sizeof(addr);
++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++ unsigned char port_high = ntohs(addr.sin_port) >> 8;
++ unsigned char port_low = ntohs(addr.sin_port) & 0xff;
++
+ struct addrinfo *AI = NULL;
+ ftpState->data.listenConn->local.GetAddrInfo(AI, AF_INET);
+ unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
+- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
++ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
+ snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
+ addrptr[0], addrptr[1], addrptr[2], addrptr[3],
+- portptr[0], portptr[1]);
++ port_high, port_low);
+ ftpState->writeCommand(cbuf);
+ ftpState->state = SENT_PORT;
+
+@@ -2907,15 +2913,25 @@
+ ftpFail(ftpState);
+ return;
+ }
+-
+- char buf[MAX_IPSTRLEN];
+-
++ unsigned int port;
++ struct sockaddr_storage addr;
++ socklen_t addrlen = sizeof(addr);
++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++ if (addr.ss_family == AF_INET) {
++ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
++ port = ntohs( addr4->sin_port );
++ } else {
++ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
++ port = ntohs( addr6->sin6_port );
++ }
++
++ char buf[MAX_IPSTRLEN];
+ /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
+ /* Which can be used by EITHER protocol. */
+- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
++ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
+ ( ftpState->data.listenConn->local.IsIPv6() ? 2 : 1 ),
+ ftpState->data.listenConn->local.NtoA(buf,MAX_IPSTRLEN),
+- ftpState->data.listenConn->local.GetPort() );
++ port);
+
+ ftpState->writeCommand(cbuf);
+ ftpState->state = SENT_EPRT;
+
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index d480c09..aaf19e2 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
Name: squid
Version: 3.3.8
-Release: 2%{?dist}
+Release: 11%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -39,6 +39,11 @@ Patch204: squid-3.2.0.9-fpic.patch
Patch205: squid-3.1.9-ltdl.patch
Patch206: squid-3.3.4-empty-pod2man.patch
Patch207: active-ftp.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=980511
+Patch208: squid-3.3.8-active-ftp-2.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1074873
+# http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
+Patch209: squid-3.3-12677.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: bash >= 2.0
@@ -56,8 +61,6 @@ BuildRequires: pam-devel
BuildRequires: openssl-devel
# squid_kerb_aut requires Kerberos development libs
BuildRequires: krb5-devel
-# squid_session_auth requires DB4
-BuildRequires: db4-devel
# ESI support requires Expat & libxml2
BuildRequires: expat-devel libxml2-devel
# TPROXY requires libcap, and also increases security somewhat
@@ -68,6 +71,8 @@ BuildRequires: libecap-devel
BuildRequires: libtool libtool-ltdl-devel
# For test suite
BuildRequires: cppunit-devel
+# DB helper requires
+BuildRequires: perl-podlators libdb-devel
%description
Squid is a high-performance proxy caching server for Web clients,
@@ -108,6 +113,8 @@ The squid-sysvinit contains SysV initscritps support.
%patch205 -p1 -b .ltdl
%patch206 -p1 -b .empty-pod2man
%patch207 -p1 -b .active-ftp
+%patch208 -p1 -b .active-ftp-2
+%patch209 -p0
%build
%ifarch sparcv9 sparc64 s390 s390x
@@ -136,14 +143,14 @@ LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now"
--enable-auth-ntlm="smb_lm,fake" \
--enable-auth-digest="file,LDAP,eDirectory" \
--enable-auth-negotiate="kerberos" \
- --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
+ --enable-external-acl-helpers="file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group" \
--enable-cache-digests \
--enable-cachemgr-hostname=localhost \
--enable-delay-pools \
--enable-epoll \
--enable-icap-client \
--enable-ident-lookups \
- %ifnarch ppc64 ia64 x86_64 s390x
+ %ifnarch ppc64 ia64 x86_64 s390x aarch64
--with-large-files \
%endif
--enable-linux-netfilter \
@@ -312,6 +319,34 @@ fi
/sbin/chkconfig --add squid >/dev/null 2>&1 || :
%changelog
+* Mon Mar 17 2014 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-11
+- Resolves: #1074873 - CVE-2014-0128 squid: denial of service when using
+ SSL-Bump
+
+* Wed Mar 05 2014 Pavel Šimerda <psimerda@redhat.com>' - 7:3.3.8-10
+- Resolves: #1072973 - don't depend on libdb4
+
+* Tue Feb 11 2014 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-9
+- revert: Resolves: #1038160 - avoid running squid's own supervisor process
+
+* Tue Feb 11 2014 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-8
+- Resolves: #1063248 - missing helpers
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 7:3.3.8-7
+- Mass rebuild 2014-01-24
+
+* Thu Jan 02 2014 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-6
+- Resolves: #980511 - squid doesn't work with active FTP
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 7:3.3.8-5
+- Mass rebuild 2013-12-27
+
+* Tue Dec 10 2013 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-4
+- Resolves: #1038160 - avoid running squid's own supervisor process
+
+* Thu Nov 21 2013 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-3
+- Resolves: #1028588 - fix build on aarch64
+
* Tue Aug 27 2013 Michal Luscon <mluscon@redhat.com> - 7:3.3.8-2
- Fixed: source code url