diff --git a/.gitignore b/.gitignore
index aa9cebb..da80573 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/squid-4.4.tar.xz
+SOURCES/squid-4.11.tar.xz
diff --git a/.squid.metadata b/.squid.metadata
index 70ddf1b..94d7ed2 100644
--- a/.squid.metadata
+++ b/.squid.metadata
@@ -1 +1 @@
-0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz
+053277bf5497163ffc9261b9807abda5959bb6fc SOURCES/squid-4.11.tar.xz
diff --git a/SOURCES/squid-3.0.STABLE1-perlpath.patch b/SOURCES/squid-3.0.STABLE1-perlpath.patch
deleted file mode 100644
index 052b8d7..0000000
--- a/SOURCES/squid-3.0.STABLE1-perlpath.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
-index 90ac6a4..8dbed90 100755
---- a/contrib/url-normalizer.pl
-+++ b/contrib/url-normalizer.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -Tw
-+#!/usr/bin/perl -Tw
- #
- # * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
- # *
diff --git a/SOURCES/squid-3.1.0.9-location.patch b/SOURCES/squid-3.1.0.9-location.patch
deleted file mode 100644
index 4abd519..0000000
--- a/SOURCES/squid-3.1.0.9-location.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
---- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200
-+++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200
-@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
- INSTALL in the same directory), you have to configure the squid.conf
- file. This is the list of the values you *need* to change, because no
- sensible defaults could be defined. Do not touch the other variables
--for now. We assume you have installed Squid in the default location:
--/usr/local/squid
-+for now.
-
--Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
-+Uncomment and edit the following lines in /etc/squid/squid.conf:
-
- ==============================================================================
-
-@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
- line TWICE:
-
- To create any disk cache_dir configured:
-- % /usr/local/squid/sbin/squid -z
-+ % /usr/sbin/squid -z
-
- To start squid:
-- % /usr/local/squid/sbin/squid
-+ % /usr/sbin/squid
-
--Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
-+Check in the cache.log (/var/log/squid/cache.log) that
- everything is all right.
-
- Once Squid created all its files (it can take several minutes on some
diff --git a/SOURCES/squid-3.5.9-include-guards.patch b/SOURCES/squid-3.5.9-include-guards.patch
deleted file mode 100644
index e2d4ff9..0000000
--- a/SOURCES/squid-3.5.9-include-guards.patch
+++ /dev/null
@@ -1,95 +0,0 @@ ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. 
- * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. - * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc - diff --git a/SOURCES/squid-4.0.11-config.patch b/SOURCES/squid-4.0.11-config.patch deleted file mode 100644 index a4faae8..0000000 --- a/SOURCES/squid-4.0.11-config.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
---- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200
-+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200
-@@ -4658,7 +4658,7 @@ DOC_END
-
- NAME: logfile_rotate
- TYPE: int
--DEFAULT: 10
-+DEFAULT: 0
- LOC: Config.Log.rotateNumber
- DOC_START
- Specifies the default number of logfile rotations to make when you
-@@ -6444,11 +6444,11 @@ COMMENT_END
-
- NAME: cache_mgr
- TYPE: string
--DEFAULT: webmaster
-+DEFAULT: root
- LOC: Config.adminEmail
- DOC_START
- Email-address of local cache manager who will receive
-- mail if the cache dies. The default is "webmaster".
-+ mail if the cache dies. The default is "root".
- DOC_END
-
- NAME: mail_from
diff --git a/SOURCES/squid-4.0.21-large-acl.patch b/SOURCES/squid-4.0.21-large-acl.patch
deleted file mode 100644
index 8aacf38..0000000
--- a/SOURCES/squid-4.0.21-large-acl.patch
+++ /dev/null
@@ -1,178 +0,0 @@ -diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc -index 01a4c12..b5c1679 100644 ---- a/src/acl/RegexData.cc -+++ b/src/acl/RegexData.cc -@@ -22,6 +22,7 @@ - #include "ConfigParser.h" - #include "Debug.h" - #include "sbuf/List.h" -+#include "sbuf/Algorithms.h" - - ACLRegexData::~ACLRegexData() - { -@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags) - return true; - } - -+static bool -+compileRE(std::list &curlist, const SBufList &RE, int flags) -+{ -+ if (RE.empty()) -+ return curlist.empty(); // XXX: old code did this. It looks wrong. -+ SBuf regexp; -+ static const SBuf openparen("("), closeparen(")"), separator(")|("); -+ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen, -+ closeparen); -+ return compileRE(curlist, regexp.c_str(), flags); -+} -+ - /** Compose and compile one large RE from a set of (small) REs. - * The ultimate goal is to have only one RE per ACL so that match() is - * called only once per ACL. -@@ -137,16 +150,11 @@ static int - compileOptimisedREs(std::list &curlist, const SBufList &sl) - { - std::list newlist; -- int numREs = 0; -+ SBufList accumulatedRE; -+ int numREs = 0, reSize = 0; - int flags = REG_EXTENDED | REG_NOSUB; -- int largeREindex = 0; -- char largeRE[BUFSIZ]; -- *largeRE = 0; - - for (const SBuf & configurationLineWord : sl) { -- int RElen; -- RElen = configurationLineWord.length(); -- - static const SBuf minus_i("-i"); - static const SBuf plus_i("+i"); - if (configurationLineWord == minus_i) { -@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) - debugs(28, 2, "optimisation of -i ... 
-i" ); - } else { - debugs(28, 2, "-i" ); -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - flags |= REG_ICASE; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - } - } else if (configurationLineWord == plus_i) { - if ((flags & REG_ICASE) == 0) { -@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) - debugs(28, 2, "optimisation of +i ... +i"); - } else { - debugs(28, 2, "+i"); -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - flags &= ~REG_ICASE; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - } -- } else if (RElen + largeREindex + 3 < BUFSIZ-1) { -+ } else if (reSize < 1024) { - debugs(28, 2, "adding RE '" << configurationLineWord << "'"); -- if (largeREindex > 0) { -- largeRE[largeREindex] = '|'; -- ++largeREindex; -- } -- largeRE[largeREindex] = '('; -- ++largeREindex; -- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex); -- largeREindex += configurationLineWord.length(); -- largeRE[largeREindex] = ')'; -- ++largeREindex; -- largeRE[largeREindex] = '\0'; -+ accumulatedRE.push_back(configurationLineWord); - ++numREs; -+ reSize += configurationLineWord.length(); - } else { - debugs(28, 2, "buffer full, generating new optimised RE..." 
); -- if (!compileRE(newlist, largeRE, flags)) -+ accumulatedRE.push_back(configurationLineWord); -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - continue; /* do the loop again to add the RE to largeRE */ - } - } - -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - -+ accumulatedRE.clear(); -+ reSize = 0; -+ - /* all was successful, so put the new list at the tail */ - curlist.splice(curlist.end(), newlist); - -diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h -index 21ee889..338e9c0 100644 ---- a/src/sbuf/Algorithms.h -+++ b/src/sbuf/Algorithms.h -@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator) - return rv; - } - -+/** Join container of SBufs and append to supplied target -+ * -+ * append to the target SBuf all elements in the [begin,end) range from -+ * an iterable container, prefixed by prefix, separated by separator and -+ * followed by suffix. 
Prefix and suffix are added also in case of empty -+ * iterable -+ * -+ * \return the modified dest -+ */ -+template -+SBuf& -+JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin, -+ const ContainerIterator &end, const SBuf& separator, -+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) -+{ -+ if (begin == end) { -+ dest.append(prefix).append(suffix); -+ return dest; -+ } -+ -+ // optimization: pre-calculate needed storage -+ const SBuf::size_type totalContainerSize = -+ std::accumulate(begin, end, 0, SBufAddLength(separator)) + -+ dest.length() + prefix.length() + suffix.length(); -+ SBufReservationRequirements req; -+ req.minSpace = totalContainerSize; -+ dest.reserve(req); -+ -+ auto i = begin; -+ dest.append(prefix); -+ dest.append(*i); -+ ++i; -+ for (; i != end; ++i) -+ dest.append(separator).append(*i); -+ dest.append(suffix); -+ return dest; -+} -+ -+ -+/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf -+template -+SBuf -+JoinContainerToSBuf(const ContainerIterator &begin, -+ const ContainerIterator &end, const SBuf& separator, -+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) -+{ -+ SBuf rv; -+ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix); -+} -+ -+ - namespace std { - /// default hash functor to support std::unordered_map - template <> diff --git a/SOURCES/squid-4.11-active-ftp.patch b/SOURCES/squid-4.11-active-ftp.patch new file mode 100644 index 0000000..00a9b56 --- /dev/null +++ b/SOURCES/squid-4.11-active-ftp.patch 
@@ -0,0 +1,127 @@
+diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
+index b665bcf..d287e55 100644
+--- a/src/clients/FtpClient.cc
++++ b/src/clients/FtpClient.cc
+@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
+ bool
+ Ftp::Client::openListenSocket()
+ {
+- return false;
++ debugs(9, 3, HERE);
++ return false;
+ }
+
+ /// creates a data channel Comm close callback
+diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
+index a76a5a0..218d696 100644
+--- a/src/clients/FtpClient.h
++++ b/src/clients/FtpClient.h
+@@ -118,7 +118,7 @@ public:
+ bool sendPort();
+ bool sendPassive();
+ void connectDataChannel();
+- bool openListenSocket();
++ virtual bool openListenSocket();
+ void switchTimeoutToDataChannel();
+
+ CtrlChannel ctrl; ///< FTP control channel state
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index 411bce9..31d3e36 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -87,6 +87,13 @@ struct GatewayFlags {
+ class Gateway;
+ typedef void (StateMethod)(Ftp::Gateway *);
+
++} // namespace FTP
++
++static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
++
++namespace Ftp
++{
++
+ /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
+ /// converts it into one or more FTP commands, and then
+ /// converts one or more FTP responses into the final HTTP response.
+@@ -137,7 +144,11 @@ public:
+
+ /// create a data channel acceptor and start listening.
+ void listenForDataChannel(const Comm::ConnectionPointer &conn);
+-
++ virtual bool openListenSocket() {
++ debugs(9, 3, HERE);
++ ftpOpenListenSocket(this, 0);
++ return Comm::IsConnOpen(data.conn);
++ }
+ int checkAuth(const HttpHeader * req_hdr);
+ void checkUrlpath();
+ void buildTitleUrl();
+@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
+ }
+
+ ftpState->listenForDataChannel(temp);
++ ftpState->data.listenConn = temp;
+ }
+
+ static void
+@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
+ // pull out the internal IP address bytes to send in PORT command...
+ // source them from the listen_conn->local
+
++ struct sockaddr_in addr;
++ socklen_t addrlen = sizeof(addr);
++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++ unsigned char port_high = ntohs(addr.sin_port) >> 8;
++ unsigned char port_low = ntohs(addr.sin_port) & 0xff;
++
+ struct addrinfo *AI = NULL;
+ ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
+ unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
+- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
++ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
+ snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
+ addrptr[0], addrptr[1], addrptr[2], addrptr[3],
+- portptr[0], portptr[1]);
++ port_high, port_low);
+ ftpState->writeCommand(cbuf);
+ ftpState->state = Ftp::Client::SENT_PORT;
+
+@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
+ return;
+ }
+
++
++ unsigned int port;
++ struct sockaddr_storage addr;
++ socklen_t addrlen = sizeof(addr);
++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++ if (addr.ss_family == AF_INET) {
++ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
++ port = ntohs( addr4->sin_port );
++ } else {
++ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
++ port = ntohs( addr6->sin6_port );
++ }
++
+ char buf[MAX_IPSTRLEN];
+
+ /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
+ /* Which can be used by EITHER protocol. */
+- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
++ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
+ ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
+ ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
+- ftpState->data.listenConn->local.port() );
++ port);
+
+ ftpState->writeCommand(cbuf);
+ ftpState->state = Ftp::Client::SENT_EPRT;
+@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
+ ftpSendPORT(ftpState);
+ return;
+ }
+-
++ ftpState->ctrl.message = NULL;
+ ftpRestOrList(ftpState);
+ }
+
diff --git a/SOURCES/squid-4.11-config.patch b/SOURCES/squid-4.11-config.patch
new file mode 100644
index 0000000..9b0e2d8
--- /dev/null
+++ b/SOURCES/squid-4.11-config.patch
@@ -0,0 +1,27 @@
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index 26ef576..30d5509 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -5006,7 +5006,7 @@ DOC_END
+
+ NAME: logfile_rotate
+ TYPE: int
+-DEFAULT: 10
++DEFAULT: 0
+ LOC: Config.Log.rotateNumber
+ DOC_START
+ Specifies the default number of logfile rotations to make when you
+@@ -6857,11 +6857,11 @@ COMMENT_END
+
+ NAME: cache_mgr
+ TYPE: string
+-DEFAULT: webmaster
++DEFAULT: root
+ LOC: Config.adminEmail
+ DOC_START
+ Email-address of local cache manager who will receive
+- mail if the cache dies. The default is "webmaster".
++ mail if the cache dies. The default is "root".
+ DOC_END
+
+ NAME: mail_from
diff --git a/SOURCES/squid-4.11-include-guards.patch b/SOURCES/squid-4.11-include-guards.patch
new file mode 100644
index 0000000..fb96c57
--- /dev/null
+++ b/SOURCES/squid-4.11-include-guards.patch
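Review bot: The two `getsockname()` calls added in the `ftpSendPORT` and `ftpSendEPRT` hunks of squid-4.11-active-ftp.patch ignore the return value, so on failure `addr` is left uninitialised and the port placed in the PORT/EPRT command is derived from indeterminate stack contents. Test the result before using the address, e.g. `if (getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen) != 0) { /* take the function's existing failure path */ return; }`; both function bodies start and end outside the hunks, so the right failure path is not visible here. In `ftpSendEPRT` the `else` branch treats every family other than `AF_INET` as `sockaddr_in6`; an explicit `addr.ss_family == AF_INET6` test would leave `port` unset only on a path that is then rejected. `ftpState->data.listenConn` is also dereferenced with no visible check that the listen socket was actually opened, and the commented-out `portptr` line should be deleted rather than carried in the patch.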
@@ -0,0 +1,41 @@
+diff --git a/compat/os/linux.h b/compat/os/linux.h
+index 0ff05c6..d51389b 100644
+--- a/compat/os/linux.h
++++ b/compat/os/linux.h
+@@ -44,6 +44,36 @@
+ #include
+ #endif
+
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include
++#endif
++
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include
++#endif
++
+ /*
+ * sys/capability.h is only needed in Linux apparently.
+ *
diff --git a/SOURCES/squid-4.11-large-acl.patch b/SOURCES/squid-4.11-large-acl.patch
new file mode 100644
index 0000000..8aacf38
--- /dev/null
+++ b/SOURCES/squid-4.11-large-acl.patch
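Review bot: The inner `@@ -44,6 +44,36 @@` hunk of squid-4.11-include-guards.patch adds the same "Netfilter header madness" comment and `#if HAVE_NETINET_IN_H` / `#include` / `#endif` block twice in a row. The second copy is presumably harmless if the included header carries its own guard, but it looks like a refresh artefact and makes the next rebase of this patch harder to audit; keep one copy, which turns the inner header into `@@ -44,6 +44,21 @@`. The `#include` target is not visible on this page, so confirm it is still `netinet/in.h` as the comment states, and `aways` in the comment should read `always`.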
@@ -0,0 +1,178 @@ +diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc +index 01a4c12..b5c1679 100644 +--- a/src/acl/RegexData.cc ++++ b/src/acl/RegexData.cc +@@ -22,6 +22,7 @@ + #include "ConfigParser.h" + #include "Debug.h" + #include "sbuf/List.h" ++#include "sbuf/Algorithms.h" + + ACLRegexData::~ACLRegexData() + { +@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags) + return true; + } + ++static bool ++compileRE(std::list &curlist, const SBufList &RE, int flags) ++{ ++ if (RE.empty()) ++ return curlist.empty(); // XXX: old code did this. It looks wrong. ++ SBuf regexp; ++ static const SBuf openparen("("), closeparen(")"), separator(")|("); ++ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen, ++ closeparen); ++ return compileRE(curlist, regexp.c_str(), flags); ++} ++ + /** Compose and compile one large RE from a set of (small) REs. + * The ultimate goal is to have only one RE per ACL so that match() is + * called only once per ACL. +@@ -137,16 +150,11 @@ static int + compileOptimisedREs(std::list &curlist, const SBufList &sl) + { + std::list newlist; +- int numREs = 0; ++ SBufList accumulatedRE; ++ int numREs = 0, reSize = 0; + int flags = REG_EXTENDED | REG_NOSUB; +- int largeREindex = 0; +- char largeRE[BUFSIZ]; +- *largeRE = 0; + + for (const SBuf & configurationLineWord : sl) { +- int RElen; +- RElen = configurationLineWord.length(); +- + static const SBuf minus_i("-i"); + static const SBuf plus_i("+i"); + if (configurationLineWord == minus_i) { +@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) + debugs(28, 2, "optimisation of -i ... 
-i" ); + } else { + debugs(28, 2, "-i" ); +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + flags |= REG_ICASE; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + } + } else if (configurationLineWord == plus_i) { + if ((flags & REG_ICASE) == 0) { +@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) + debugs(28, 2, "optimisation of +i ... +i"); + } else { + debugs(28, 2, "+i"); +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + flags &= ~REG_ICASE; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + } +- } else if (RElen + largeREindex + 3 < BUFSIZ-1) { ++ } else if (reSize < 1024) { + debugs(28, 2, "adding RE '" << configurationLineWord << "'"); +- if (largeREindex > 0) { +- largeRE[largeREindex] = '|'; +- ++largeREindex; +- } +- largeRE[largeREindex] = '('; +- ++largeREindex; +- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex); +- largeREindex += configurationLineWord.length(); +- largeRE[largeREindex] = ')'; +- ++largeREindex; +- largeRE[largeREindex] = '\0'; ++ accumulatedRE.push_back(configurationLineWord); + ++numREs; ++ reSize += configurationLineWord.length(); + } else { + debugs(28, 2, "buffer full, generating new optimised RE..." 
); +- if (!compileRE(newlist, largeRE, flags)) ++ accumulatedRE.push_back(configurationLineWord); ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + continue; /* do the loop again to add the RE to largeRE */ + } + } + +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + ++ accumulatedRE.clear(); ++ reSize = 0; ++ + /* all was successful, so put the new list at the tail */ + curlist.splice(curlist.end(), newlist); + +diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h +index 21ee889..338e9c0 100644 +--- a/src/sbuf/Algorithms.h ++++ b/src/sbuf/Algorithms.h +@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator) + return rv; + } + ++/** Join container of SBufs and append to supplied target ++ * ++ * append to the target SBuf all elements in the [begin,end) range from ++ * an iterable container, prefixed by prefix, separated by separator and ++ * followed by suffix. 
Prefix and suffix are added also in case of empty ++ * iterable ++ * ++ * \return the modified dest ++ */ ++template ++SBuf& ++JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin, ++ const ContainerIterator &end, const SBuf& separator, ++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) ++{ ++ if (begin == end) { ++ dest.append(prefix).append(suffix); ++ return dest; ++ } ++ ++ // optimization: pre-calculate needed storage ++ const SBuf::size_type totalContainerSize = ++ std::accumulate(begin, end, 0, SBufAddLength(separator)) + ++ dest.length() + prefix.length() + suffix.length(); ++ SBufReservationRequirements req; ++ req.minSpace = totalContainerSize; ++ dest.reserve(req); ++ ++ auto i = begin; ++ dest.append(prefix); ++ dest.append(*i); ++ ++i; ++ for (; i != end; ++i) ++ dest.append(separator).append(*i); ++ dest.append(suffix); ++ return dest; ++} ++ ++ ++/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf ++template ++SBuf ++JoinContainerToSBuf(const ContainerIterator &begin, ++ const ContainerIterator &end, const SBuf& separator, ++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) ++{ ++ SBuf rv; ++ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix); ++} ++ ++ + namespace std { + /// default hash functor to support std::unordered_map + template <> diff --git a/SOURCES/squid-4.11-location.patch b/SOURCES/squid-4.11-location.patch new file mode 100644 index 0000000..e33e9a0 --- /dev/null +++ b/SOURCES/squid-4.11-location.patch 
@@ -0,0 +1,33 @@
+diff --git a/QUICKSTART b/QUICKSTART
+index e5299b4..a243437 100644
+--- a/QUICKSTART
++++ b/QUICKSTART
+@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
+ INSTALL in the same directory), you have to configure the squid.conf
+ file. This is the list of the values you *need* to change, because no
+ sensible defaults could be defined. Do not touch the other variables
+-for now. We assume you have installed Squid in the default location:
+-/usr/local/squid
++for now.
+
+-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
++Uncomment and edit the following lines in /etc/squid/squid.conf:
+
+ ==============================================================================
+
+@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
+ line TWICE:
+
+ To create any disk cache_dir configured:
+- % /usr/local/squid/sbin/squid -z
++ % /usr/sbin/squid -z
+
+ To start squid:
+- % /usr/local/squid/sbin/squid
++ % /usr/sbin/squid
+
+-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
++Check in the cache.log (/var/log/squid/cache.log) that
+ everything is all right.
+
+ Once Squid created all its files (it can take several minutes on some
diff --git a/SOURCES/squid-4.11-perlpath.patch b/SOURCES/squid-4.11-perlpath.patch
new file mode 100644
index 0000000..18c74a6
--- /dev/null
+++ b/SOURCES/squid-4.11-perlpath.patch
@@ -0,0 +1,10 @@
+diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
+index 90ac6a4..8dbed90 100755
+--- a/contrib/url-normalizer.pl
++++ b/contrib/url-normalizer.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -Tw
++#!/usr/bin/perl -Tw
+ #
+ # * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+ # *
diff --git a/SOURCES/squid-4.11-systemd.patch b/SOURCES/squid-4.11-systemd.patch
new file mode 100644
index 0000000..a461881
--- /dev/null
+++ b/SOURCES/squid-4.11-systemd.patch
@@ -0,0 +1,39 @@
+diff --git a/configure b/configure
+index 17b2ebf..9530f6b 100755
+--- a/configure
++++ b/configure
+@@ -33915,6 +33915,7 @@ done
+ fi
+ if test "x$SYSTEMD_LIBS" != "x" ; then
+ CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+
+ $as_echo "#define USE_SYSTEMD 1" >>confdefs.h
+
+diff --git a/src/Debug.h b/src/Debug.h
+index 6eecd01..ddd9e38 100644
+--- a/src/Debug.h
++++ b/src/Debug.h
+@@ -99,6 +99,10 @@ public:
+
+ /// configures the active debugging context to write syslog ALERT
+ static void ForceAlert();
++
++ /// prefixes each grouped debugs() line after the first one in the group
++ static std::ostream& Extra(std::ostream &os) { return os << "\n "; }
++
+ private:
+ static Context *Current; ///< deepest active context; nil outside debugs()
+ };
+diff --git a/configure.ac b/configure.ac
+index d3c5da8..806302c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then
+ fi
+ if test "x$SYSTEMD_LIBS" != "x" ; then
+ CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+ AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
+ else
+ with_systemd=no
diff --git a/SOURCES/squid-4.11.tar.xz.asc b/SOURCES/squid-4.11.tar.xz.asc
new file mode 100644
index 0000000..79a79ee
--- /dev/null
+++ b/SOURCES/squid-4.11.tar.xz.asc
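Review bot: In the `configure.ac` and `configure` hunks of squid-4.11-systemd.patch, `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` puts library arguments into `LDFLAGS`, which normally lands ahead of the object files on the link line; if the build links with `--as-needed`, a library named there can be dropped before anything references it. Library arguments belong in `LIBS`, e.g. `LIBS="$SYSTEMD_LIBS $LIBS"`, or in the affected target's link-add variable. `configure` is generated output, so its hunk is better produced by regenerating from the patched `configure.ac` than by editing both by hand. The `Debug::Extra` helper added to `src/Debug.h` has no visible connection to systemd linking and would be easier to track in its own patch, with a comment naming the patch that depends on it.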
@@ -0,0 +1,25 @@
+File: squid-4.11.tar.xz
+Date: Sun Apr 19 12:56:37 UTC 2020
+Size: 2447700
+MD5 : 10f34e852153a9996aa4614670e2bda1
+SHA1: 053277bf5497163ffc9261b9807abda5959bb6fc
+Key : CD6DBF8EF3B17D3E
+ B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl6cSpEACgkQzW2/jvOx
+fT6YbA/6A+IbIbNBJUW45oj23Io9Tw/CzAcTeLHR+McKwV77qMbR+L+kQ+fUdM5F
+rHAmd8bVVlyHc4WanVfWItEmzBzHA/ifTNvVpefSGGEbDb80RF66k7ACiZUokg1b
+kkPwc/SjDhe2wvketIaBiVVd7pylrlCdVvazcF8gE9MWDOIlJND5mnHXidXvwkbJ
+T2//8JZVEmcmN9pdFGNAUVckFm+AnwWXcRM1SQPYDGSVUtjVlqido8snLTA1mZwl
+rIpjppujMV54OOWlj+Gqa3MZkpNzIaMCAfphzUFlsQY+/sRUYAOv1wmxw2WclxlK
+WlWM+fw8OsYNDMwkOScKZZWceoAkq6UsUHzCAdJIdLqV/R6mZ9nfuZ6BHIr0+2dP
+bDf9MU4KXbwEuXiRD/KPziUxxOZwSPivbm3wy9DqTTZfO9V+Iq6FVHX+ahxJ0XbM
+JWRYA3GW+DRLjorfsWxU5r4UJsrnBfhItPUAfGPjPjEGZ/pn8r9G6MGenNGPLMKy
+wP1rMlOhrZPwerzokzAvKx8G0WWkfN+IPv2JK3rDot6RiJIOuvnZZd4RIuVNTGbh
+liO7M24JlWX3WD2wHBzxQag46+plb3VvrrVChwIQnZ2Qzpf50w0Bife/wtNBGpK0
+k/Xi/nocO796YS8GZBnmhS1lEGEwp/YpJBFWmIjTWMUMEOcswVA=
+=PKl0
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/squid-4.4.0-CVE-2019-12527.patch b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
deleted file mode 100644
index ea950f5..0000000
--- a/SOURCES/squid-4.4.0-CVE-2019-12527.patch
+++ /dev/null
@@ -1,139 +0,0 @@ -commit 7f73e9c5d17664b882ed32590e6af310c247f320 -Author: Amos Jeffries -Date: 2019-06-19 05:58:36 +0000 - - Update HttpHeader::getAuth to SBuf (#416) - - Replace the fixed-size buffer for decoding base64 tokens with an - SBuf to avoid decoder issues on large inputs. - - Update callers to SBuf API operations for more efficient memory - management. - -diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc -index 1e2b650..284a057 100644 ---- a/src/HttpHeader.cc -+++ b/src/HttpHeader.cc -@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const - return cr; - } - --const char * --HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const -+SBuf -+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const - { - const char *field; - int l; - assert(auth_scheme); - field = getStr(id); - -+ static const SBuf nil; - if (!field) /* no authorization field */ -- return NULL; -+ return nil; - - l = strlen(auth_scheme); - - if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */ -- return NULL; -+ return nil; - - field += l; - - if (!xisspace(*field)) /* wrong scheme */ -- return NULL; -+ return nil; - - /* skip white space */ - for (; field && xisspace(*field); ++field); - - if (!*field) /* no authorization cookie */ -- return NULL; -+ return nil; - -- static char decodedAuthToken[8192]; -+ const auto fieldLen = strlen(field); -+ SBuf result; -+ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen)); - struct base64_decode_ctx ctx; - base64_decode_init(&ctx); - size_t decodedLen = 0; -- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) || -+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) || - !base64_decode_final(&ctx)) { -- return NULL; -+ return nil; - } -- decodedAuthToken[decodedLen] = '\0'; -- return decodedAuthToken; -+ result.rawAppendFinish(decodedAuthToken, decodedLen); -+ return result; - } - - 
ETag -diff --git a/src/HttpHeader.h b/src/HttpHeader.h -index a26b127..3b262be 100644 ---- a/src/HttpHeader.h -+++ b/src/HttpHeader.h -@@ -134,7 +134,7 @@ public: - HttpHdrRange *getRange() const; - HttpHdrSc *getSc() const; - HttpHdrContRange *getContRange() const; -- const char *getAuth(Http::HdrType id, const char *auth_scheme) const; -+ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const; - ETag getETag(Http::HdrType id) const; - TimeOrTag getTimeOrTag(Http::HdrType id) const; - int hasListMember(Http::HdrType id, const char *member, const char separator) const; -diff --git a/src/cache_manager.cc b/src/cache_manager.cc -index da22f7a..2fae767 100644 ---- a/src/cache_manager.cc -+++ b/src/cache_manager.cc -@@ -27,6 +27,7 @@ - #include "mgr/FunAction.h" - #include "mgr/QueryParams.h" - #include "protos.h" -+#include "sbuf/StringConvert.h" - #include "SquidConfig.h" - #include "SquidTime.h" - #include "Store.h" -@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m - // TODO: use the authentication system decode to retrieve these details properly. 
- - /* base 64 _decoded_ user:passwd pair */ -- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic"); -+ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); - -- if (!basic_cookie) -+ if (basic_cookie.isEmpty()) - return; - -- const char *passwd_del; -- if (!(passwd_del = strchr(basic_cookie, ':'))) { -+ const auto colonPos = basic_cookie.find(':'); -+ if (colonPos == SBuf::npos) { - debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'"); - return; - } - - /* found user:password pair, reset old values */ -- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie); -- params.password = passwd_del + 1; -+ params.userName = SBufToString(basic_cookie.substr(0, colonPos)); -+ params.password = SBufToString(basic_cookie.substr(colonPos+1)); - - /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */ - debugs(16, 9, "CacheManager::ParseHeaders: got user: '" << -diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc -index b958b14..7ca5d24 100644 ---- a/src/clients/FtpGateway.cc -+++ b/src/clients/FtpGateway.cc -@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr) - - #if HAVE_AUTH_MODULE_BASIC - /* Check HTTP Authorization: headers (better than defaults, but less than URL) */ -- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic")); -+ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); - if (!auth.isEmpty()) { - flags.authenticated = 1; - loginParser(auth, false); diff --git a/SOURCES/squid-4.4.0-CVE-2019-13345.patch b/SOURCES/squid-4.4.0-CVE-2019-13345.patch deleted file mode 100644 index 9a5754e..0000000 --- a/SOURCES/squid-4.4.0-CVE-2019-13345.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc -index 0c745c2..8a67eba 100644 ---- a/tools/cachemgr.cc -+++ b/tools/cachemgr.cc -@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name) - - printf("Manager name:\n", user_name); -+ printf("size=\"30\" VALUE=\"%s\">\n", rfc1738_escape(user_name)); - - printf("Password:hostname, - req->port, -- safe_str(req->user_name), -+ rfc1738_escape(safe_str(req->user_name)), - action, - safe_str(req->pub_auth)); - return url; -@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req) - const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s", - req->hostname, - (int) now, -- req->user_name ? req->user_name : "", -- req->passwd); -+ rfc1738_escape(safe_str(req->user_name)), -+ rfc1738_escape(req->passwd)); - debug("cmgr: pre-encoded for pub: %s\n", buf); - - const int encodedLen = base64_encode_len(bufLen); -@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req) - char *buf; - const char *host_name; - const char *time_str; -- const char *user_name; -- const char *passwd; - - debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth)); - safe_free(req->passwd); -@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req) - - debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now); - -+ char *user_name; - if ((user_name = strtok(NULL, "|")) == NULL) { - xfree(buf); - return; - } -+ rfc1738_unescape(user_name); - - debug("cmgr: decoded uname: '%s'\n", user_name); - -+ char *passwd; - if ((passwd = strtok(NULL, "|")) == NULL) { - xfree(buf); - return; - } -+ rfc1738_unescape(passwd); - - debug("cmgr: decoded passwd: '%s'\n", passwd); - diff --git a/SOURCES/squid-4.4.0-active-ftp.patch b/SOURCES/squid-4.4.0-active-ftp.patch deleted file mode 100644 index 64988fe..0000000 --- a/SOURCES/squid-4.4.0-active-ftp.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc -index 777210c..4c80511 100644 ---- a/src/clients/FtpClient.cc -+++ b/src/clients/FtpClient.cc -@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel() - bool - Ftp::Client::openListenSocket() - { -- return false; -+ debugs(9, 3, HERE); -+ return false; - } - - /// creates a data channel Comm close callback -diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h -index 465fdb7..75dbd3b 100644 ---- a/src/clients/FtpClient.h -+++ b/src/clients/FtpClient.h -@@ -118,7 +118,7 @@ public: - bool sendPort(); - bool sendPassive(); - void connectDataChannel(); -- bool openListenSocket(); -+ virtual bool openListenSocket(); - void switchTimeoutToDataChannel(); - - CtrlChannel ctrl; ///< FTP control channel state -diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc -index a13cdda..b958b14 100644 ---- a/src/clients/FtpGateway.cc -+++ b/src/clients/FtpGateway.cc -@@ -87,6 +87,13 @@ struct GatewayFlags { - class Gateway; - typedef void (StateMethod)(Ftp::Gateway *); - -+} // namespace FTP -+ -+static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback); -+ -+namespace Ftp -+{ -+ - /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI, - /// converts it into one or more FTP commands, and then - /// converts one or more FTP responses into the final HTTP response. -@@ -137,7 +144,11 @@ public: - - /// create a data channel acceptor and start listening. 
- void listenForDataChannel(const Comm::ConnectionPointer &conn); -- -+ virtual bool openListenSocket() { -+ debugs(9, 3, HERE); -+ ftpOpenListenSocket(this, 0); -+ return Comm::IsConnOpen(data.conn); -+ } - int checkAuth(const HttpHeader * req_hdr); - void checkUrlpath(); - void buildTitleUrl(); -@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback) - } - - ftpState->listenForDataChannel(temp); -+ ftpState->data.listenConn = temp; - } - - static void -@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState) - // pull out the internal IP address bytes to send in PORT command... - // source them from the listen_conn->local - -+ struct sockaddr_in addr; -+ socklen_t addrlen = sizeof(addr); -+ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); -+ unsigned char port_high = ntohs(addr.sin_port) >> 8; -+ unsigned char port_low = ntohs(addr.sin_port) & 0xff; -+ - struct addrinfo *AI = NULL; - ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET); - unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr; -- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; -+ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; - snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n", - addrptr[0], addrptr[1], addrptr[2], addrptr[3], -- portptr[0], portptr[1]); -+ port_high, port_low); - ftpState->writeCommand(cbuf); - ftpState->state = Ftp::Client::SENT_PORT; - -@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState) - return; - } - -+ -+ unsigned int port; -+ struct sockaddr_storage addr; -+ socklen_t addrlen = sizeof(addr); -+ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); -+ if (addr.ss_family == AF_INET) { -+ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr; -+ port = ntohs( addr4->sin_port ); -+ } else { -+ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) 
&addr; -+ port = ntohs( addr6->sin6_port ); -+ } -+ - char buf[MAX_IPSTRLEN]; - - /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */ - /* Which can be used by EITHER protocol. */ -- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n", -+ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n", - ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ), - ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN), -- ftpState->data.listenConn->local.port() ); -+ port); - - ftpState->writeCommand(cbuf); - ftpState->state = Ftp::Client::SENT_EPRT; -@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState) - ftpSendPORT(ftpState); - return; - } -- -+ ftpState->ctrl.message = NULL; - ftpRestOrList(ftpState); - } - diff --git a/SOURCES/squid-4.4.0-lower-cachepeer.patch b/SOURCES/squid-4.4.0-lower-cachepeer.patch deleted file mode 100644 index 42bc2aa..0000000 --- a/SOURCES/squid-4.4.0-lower-cachepeer.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/cache_cf.cc b/src/cache_cf.cc -index 9165ef99c..32a3df322 100644 ---- a/src/cache_cf.cc -+++ b/src/cache_cf.cc -@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head) - - CachePeer *p = new CachePeer; - p->host = xstrdup(host_str); -+ Tolower(p->host); - p->name = xstrdup(host_str); - p->type = parseNeighborType(token); - diff --git a/SOURCES/squid-4.4.0-man-pages.patch b/SOURCES/squid-4.4.0-man-pages.patch deleted file mode 100644 index 974795d..0000000 --- a/SOURCES/squid-4.4.0-man-pages.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 -index 3053180..1d295fb 100644 ---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 -+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 -@@ -135,7 +135,7 @@ - .if n .ad l - .nh - .SH "NAME" --url_lfs_rewrite -+\& url_lfs_rewrite \- a URL-rewriter based on local file existence - .SH "SYNOPSIS" - .IX Header "SYNOPSIS" - .Vb 1 -diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in -index a7168e0..da7055c 100755 ---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in -+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in -@@ -8,7 +8,7 @@ use Pod::Usage; - - =head1 NAME - --B -+B - a URL-rewriter based on local file existence - - =head1 SYNOPSIS - diff --git a/SOURCES/squid-4.4.tar.xz.asc b/SOURCES/squid-4.4.tar.xz.asc deleted file mode 100644 index a0f8623..0000000 --- a/SOURCES/squid-4.4.tar.xz.asc +++ /dev/null 
@@ -1,25 +0,0 @@ -File: squid-4.4.tar.xz -Date: Sat Oct 27 21:20:24 UTC 2018 -Size: 2436468 -MD5 : 892504ca9700e1f139a53f84098613bd -SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa -Key : CD6DBF8EF3B17D3E - B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E - keyring = http://www.squid-cache.org/pgp.asc - keyserver = pool.sks-keyservers.net ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx -fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo -9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1 -J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t -fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3 -UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD -Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST -1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX -KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y -VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1 -eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN -eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME= -=1eSQ ------END PGP SIGNATURE----- diff --git a/SOURCES/squid.service b/SOURCES/squid.service index f49d7db..6978032 100644 --- a/SOURCES/squid.service +++ b/SOURCES/squid.service @@ -4,14 +4,15 @@ Documentation=man:squid(8) After=network.target network-online.target nss-lookup.target [Service] -Type=forking +Type=notify LimitNOFILE=16384 +PIDFile=/run/squid.pid EnvironmentFile=/etc/sysconfig/squid ExecStartPre=/usr/libexec/squid/cache_swap.sh -ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF -ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF -ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF -TimeoutSec=0 +ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} +ExecReload=/usr/bin/kill -HUP $MAINPID +KillMode=mixed +NotifyAccess=all [Install] WantedBy=multi-user.target 
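Review bot: `NotifyAccess=all` in the new `[Service]` section of `squid.service` accepts status notifications from every process in the unit's control group, which would include any helper processes Squid starts, not only the daemon itself. If the readiness message really is sent by a worker rather than the main PID, record that next to the setting, for example `# NotifyAccess=all: READY=1 comes from a worker process, not $MAINPID`; if it is not, `NotifyAccess=main` is the narrower choice. Dropping `TimeoutSec=0` and `ExecStop=` also means the default start and stop timeouts now apply, and with `KillMode=mixed` every remaining process receives SIGKILL once the stop timeout expires. It is worth confirming that `cache_swap.sh` and a normal shutdown finish within those limits on large caches.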
diff --git a/SPECS/squid.spec b/SPECS/squid.spec index 81f9470..e1d36a2 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 4.4 -Release: 8%{?dist} +Version: 4.11 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -26,23 +26,17 @@ Source98: perl-requires-squid.sh # Local patches # Applying upstream patches first makes it less likely that local patches # will break upstream ones. -Patch201: squid-4.0.11-config.patch -Patch202: squid-3.1.0.9-location.patch -Patch203: squid-3.0.STABLE1-perlpath.patch -Patch204: squid-3.5.9-include-guards.patch -Patch205: squid-4.0.21-large-acl.patch +Patch201: squid-4.11-config.patch +Patch202: squid-4.11-location.patch +Patch203: squid-4.11-perlpath.patch +Patch204: squid-4.11-include-guards.patch +Patch205: squid-4.11-large-acl.patch # https://bugzilla.redhat.com/show_bug.cgi?id=980511 -Patch206: squid-4.4.0-active-ftp.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1612524 -Patch207: squid-4.4.0-man-pages.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1691741 -Patch208: squid-4.4.0-lower-cachepeer.patch +Patch206: squid-4.11-active-ftp.patch +# https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30 +Patch207: squid-4.11-systemd.patch # Security fixes -# https://bugzilla.redhat.com/show_bug.cgi?id=1729436 -Patch500: squid-4.4.0-CVE-2019-13345.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1738485 -Patch501: squid-4.4.0-CVE-2019-12527.patch Requires: bash >= 2.0 Requires(pre): shadow-utils @@ -72,6 +66,8 @@ BuildRequires: perl-generators # For test suite BuildRequires: pkgconfig(cppunit) BuildRequires: autoconf +# systemd notify +BuildRequires: systemd-devel %description Squid is a high-performance proxy caching server for Web clients, 
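Review bot: Patch500 and Patch501 (CVE-2019-13345 and CVE-2019-12527) are removed from the patch list in `squid.spec`, leaving an empty `# Security fixes` heading and no record that the 4.11 tarball already contains those fixes. Once that is confirmed against the upstream release notes, a comment under the heading such as `# CVE-2019-13345, CVE-2019-12527: included in the 4.11 tarball, patches dropped` would keep the audit trail for anyone checking the package against those advisories. The same question applies to the dropped `man-pages` and `lower-cachepeer` patches, since the commit does not say whether upstream carries equivalent changes. The `Tolower(p->host)` call from the latter is a behaviour change that would silently disappear if upstream does not.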
@@ -96,14 +92,10 @@ lookup program (dnsserver), a program for retrieving FTP data %patch201 -p1 -b .config %patch202 -p1 -b .location %patch203 -p1 -b .perlpath -%patch204 -p0 -b .include-guards +%patch204 -p1 -b .include-guards %patch205 -p1 -b .large_acl %patch206 -p1 -b .active-ftp -%patch207 -p1 -b .man-pages -%patch208 -p1 -b .lower-cachepeer - -%patch500 -p1 -b .CVE-2019-13345 -%patch501 -p1 -b .CVE-2019-12527 +%patch207 -p1 -b .systemd # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation 
@@ -320,6 +312,47 @@ fi %changelog +* Thu May 07 2020 Lubos Uhliarik - 7:4.11-1 +- new version 4.11 +- libsystemd integration +- Resolves: #1829467 - squid:4 rebase +- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in + addStackElement allows for a heap buffer overflow and a crash +- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation + in request allows for proxy manipulation +- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction + in url_regex may lead to security bypass +- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host + parameter to cachemgr.cgi which could result in squid behaving in unsecure way +- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation + issues in HTTP Request processing +- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid + acting as reverse-proxy +- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure + issue in FTP Gateway +- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting + issue in HTTP message processing +- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure + issue in HTTP Digest Authentication +- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery + issue in HTTP Request processing +- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation + in URI processor +- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI + processor +- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN + processing +- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization + header causes DoS + +* Tue Apr 28 2020 Lubos Uhliarik - 7:4.4-9 +- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header + Proxy-Authentication leads to memory corruption +- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon + 
Digest Authentication nonce replay could lead to remote code execution +- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in + ESIExpression::Evaluate allows for stack buffer overflow + * Fri Aug 23 2019 Lubos Uhliarik - 7:4.4-8 - Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow in HttpHeader::getAuth