squid: Update to 4.4 (stable)
Commit Message
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/squid | 12 ++--
...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 -------------------
...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------
... squid-4.4-fix-max-file-descriptors.patch} | 4 +-
4 files changed, 8 insertions(+), 102 deletions(-)
delete mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
delete mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-4.4-fix-max-file-descriptors.patch} (92%)
Comments
Hey,
this is a fairly small looking patch but bringing a lot of changes with it.
Looks great what the squid devs have done.
However, one of my first thoughts was: Does this require no changes to the
configuration/CGI? Can you confirm?
Best,
-Michael
On Sun, 2018-11-04 at 08:09 +0100, Matthias Fischer wrote:
> For details see:
> http://www.squid-cache.org/Versions/v4/changesets/
>
> In July 2018, 'squid 4' was "released for production use", see:
> https://wiki.squid-cache.org/Squid-4
>
> "The features have been set and large code changes are reserved for later
> versions."
>
> I've tested almost all 4.x-versions and patch series before with good results.
> Right now, 4.4 is running here with no seen problems together with
> 'squidclamav', 'squidguard' and 'privoxy'.
>
> I too would declare this version stable.
>
> Best,
> Matthias
>
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> lfs/squid | 12 ++--
> ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 -------------------
> ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------
> ... squid-4.4-fix-max-file-descriptors.patch} | 4 +-
> 4 files changed, 8 insertions(+), 102 deletions(-)
> delete mode 100644
> src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_
> FAIL_306.patch
> delete mode 100644
> src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-
> 4.4-fix-max-file-descriptors.patch} (92%)
>
> diff --git a/lfs/squid b/lfs/squid
> index 11b84d719..e5e799111 100644
> --- a/lfs/squid
> +++ b/lfs/squid
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 3.5.28
> +VER = 4.4
>
> THISAPP = squid-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5
> +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
>
> install : $(TARGET)
>
> @@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
> - cd $(DIR_APP) && patch -Np1 -i
> $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECU
> RE_CONNECT_FAIL_306.patch
> - cd $(DIR_APP) && patch -Np1 -i
> $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.p
> atch
> - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-
> 3.5.28-fix-max-file-descriptors.patch
> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-
> fix-max-file-descriptors.patch
>
> cd $(DIR_APP) && autoreconf -vfi
> cd $(DIR_APP)/libltdl && autoreconf -vfi
> @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> --enable-zph-qos \
> --with-dl \
> --with-filedescriptors=$$(( 16384 * 64 )) \
> - --with-large-files
> + --with-large-files \
> + --without-gnutls \
> + --without-netfilter-conntrack
>
> cd $(DIR_APP) && make $(MAKETUNING)
> cd $(DIR_APP) && make install
> diff --git
> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
> T_FAIL_306.patch
> b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
> T_FAIL_306.patch
> deleted file mode 100644
> index fadb1d48c..000000000
> ---
> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
> T_FAIL_306.patch
> +++ /dev/null
> @@ -1,72 +0,0 @@
> -commit f1657a9decc820f748fa3aff68168d3145258031
> -Author: Christos Tsantilas <christos@chtsanti.net>
> -Date: 2018-10-17 15:14:07 +0000
> -
> - Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
> -
> - %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped
> when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL
> template. This bug affects all
> - ERR_SECURE_CONNECT_FAIL page templates containing %D, including the
> default template.
> -
> - Other error pages are not vulnerable because Squid does not populate %D
> with certificate details in other contexts (yet).
> -
> - Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
> -
> - TODO: If those certificate details become needed for ACL checks or other
> non-HTML purposes, make their HTML-escaping conditional.
> -
> - This is a Measurement Factory project.
> -
> -diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
> -index b5030e3..314e998 100644
> ---- a/src/ssl/ErrorDetail.cc
> -+++ b/src/ssl/ErrorDetail.cc
> -@@ -8,6 +8,8 @@
> -
> - #include "squid.h"
> - #include "errorpage.h"
> -+#include "fatal.h"
> -+#include "html_quote.h"
> - #include "ssl/ErrorDetail.h"
> -
> - #include <climits>
> -@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const
> - {
> - if (broken_cert.get()) {
> - static char tmpBuffer[256]; // A temporary buffer
> -- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer)))
> -- return tmpBuffer;
> -+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer))) {
> -+ // quote to avoid possible html code injection through
> -+ // certificate subject
> -+ return html_quote(tmpBuffer);
> -+ }
> - }
> - return "[Not available]";
> - }
> -@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
> - static String tmpStr; ///< A temporary string buffer
> - tmpStr.clean();
> - Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
> -- if (tmpStr.size())
> -- return tmpStr.termedBuf();
> -+ if (tmpStr.size()) {
> -+ // quote to avoid possible html code injection through
> -+ // certificate subject
> -+ return html_quote(tmpStr.termedBuf());
> -+ }
> - }
> - return "[Not available]";
> - }
> -@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
> - {
> - if (broken_cert.get()) {
> - static char tmpBuffer[256]; // A temporary buffer
> -- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer)))
> -- return tmpBuffer;
> -+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer))) {
> -+ // quote to avoid possible html code injection through
> -+ // certificate issuer subject
> -+ return html_quote(tmpBuffer);
> -+ }
> - }
> - return "[Not available]";
> - }
> diff --git
> a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> deleted file mode 100644
> index 2ae034c20..000000000
> --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
> -Author: flozilla <fishyflow@gmail.com>
> -Date: 2018-10-24 14:12:01 +0200
> -
> - Fix memory leak when parsing SNMP packet (#313)
> -
> - SNMP queries denied by snmp_access rules and queries with certain
> - unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
> - queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
> -
> -diff --git a/src/snmp_core.cc b/src/snmp_core.cc
> -index c4d21c1..16c2993 100644
> ---- a/src/snmp_core.cc
> -+++ b/src/snmp_core.cc
> -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
> - snmpConstructReponse(rq);
> - } else {
> - debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from
> : " << rq->from);
> -+ snmp_free_pdu(PDU);
> - }
> - xfree(Community);
> -
> diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
> b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
> similarity index 92%
> rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
> rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
> index a46390c1e..8d1a4e03a 100644
> --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
> +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
> @@ -1,6 +1,6 @@
> --- configure.ac.~ Wed Apr 20 14:26:07 2016
> +++ configure.ac Fri Apr 22 17:20:46 2016
> -@@ -3149,6 +3149,9 @@
> +@@ -3156,6 +3156,9 @@
> ;;
> esac
>
> @@ -10,7 +10,7 @@
> dnl --with-maxfd present for compatibility with Squid-2.
> dnl undocumented in ./configure --help to encourage using the Squid-3
> directive
> AC_ARG_WITH(maxfd,,
> -@@ -3179,8 +3182,6 @@
> +@@ -3186,8 +3189,6 @@
> esac
> ])
>
On 09.11.2018 16:22, Michael Tremer wrote:
> Hey,
Hi,
> this is a fairly small looking patch but bringing a lot of changes with it.
> Looks great what the squid devs have done.
>
> However, one of my first thoughts was: Does this require no changes to the
> configuration/CGI? Can you confirm?
Confirmed. I never needed any GUI changes.
Best,
Matthias
> Best,
> -Michael
>
> On Sun, 2018-11-04 at 08:09 +0100, Matthias Fischer wrote:
>> For details see:
>> http://www.squid-cache.org/Versions/v4/changesets/
>>
>> In July 2018, 'squid 4' was "released for production use", see:
>> https://wiki.squid-cache.org/Squid-4
>>
>> "The features have been set and large code changes are reserved for later
>> versions."
>>
>> I've tested almost all 4.x-versions and patch series before with good results.
>> Right now, 4.4 is running here with no seen problems together with
>> 'squidclamav', 'squidguard' and 'privoxy'.
>>
>> I too would declare this version stable.
>>
>> Best,
>> Matthias
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>> lfs/squid | 12 ++--
>> ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 -------------------
>> ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------
>> ... squid-4.4-fix-max-file-descriptors.patch} | 4 +-
>> 4 files changed, 8 insertions(+), 102 deletions(-)
>> delete mode 100644
>> src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_
>> FAIL_306.patch
>> delete mode 100644
>> src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-
>> 4.4-fix-max-file-descriptors.patch} (92%)
>>
>> diff --git a/lfs/squid b/lfs/squid
>> index 11b84d719..e5e799111 100644
>> --- a/lfs/squid
>> +++ b/lfs/squid
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER = 3.5.28
>> +VER = 4.4
>>
>> THISAPP = squid-$(VER)
>> DL_FILE = $(THISAPP).tar.xz
>> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5
>> +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
>>
>> install : $(TARGET)
>>
>> @@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) :
>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
>> - cd $(DIR_APP) && patch -Np1 -i
>> $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECU
>> RE_CONNECT_FAIL_306.patch
>> - cd $(DIR_APP) && patch -Np1 -i
>> $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.p
>> atch
>> - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-
>> 3.5.28-fix-max-file-descriptors.patch
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-
>> fix-max-file-descriptors.patch
>>
>> cd $(DIR_APP) && autoreconf -vfi
>> cd $(DIR_APP)/libltdl && autoreconf -vfi
>> @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> --enable-zph-qos \
>> --with-dl \
>> --with-filedescriptors=$$(( 16384 * 64 )) \
>> - --with-large-files
>> + --with-large-files \
>> + --without-gnutls \
>> + --without-netfilter-conntrack
>>
>> cd $(DIR_APP) && make $(MAKETUNING)
>> cd $(DIR_APP) && make install
>> diff --git
>> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
>> T_FAIL_306.patch
>> b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
>> T_FAIL_306.patch
>> deleted file mode 100644
>> index fadb1d48c..000000000
>> ---
>> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
>> T_FAIL_306.patch
>> +++ /dev/null
>> @@ -1,72 +0,0 @@
>> -commit f1657a9decc820f748fa3aff68168d3145258031
>> -Author: Christos Tsantilas <christos@chtsanti.net>
>> -Date: 2018-10-17 15:14:07 +0000
>> -
>> - Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
>> -
>> - %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped
>> when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL
>> template. This bug affects all
>> - ERR_SECURE_CONNECT_FAIL page templates containing %D, including the
>> default template.
>> -
>> - Other error pages are not vulnerable because Squid does not populate %D
>> with certificate details in other contexts (yet).
>> -
>> - Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
>> -
>> - TODO: If those certificate details become needed for ACL checks or other
>> non-HTML purposes, make their HTML-escaping conditional.
>> -
>> - This is a Measurement Factory project.
>> -
>> -diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
>> -index b5030e3..314e998 100644
>> ---- a/src/ssl/ErrorDetail.cc
>> -+++ b/src/ssl/ErrorDetail.cc
>> -@@ -8,6 +8,8 @@
>> -
>> - #include "squid.h"
>> - #include "errorpage.h"
>> -+#include "fatal.h"
>> -+#include "html_quote.h"
>> - #include "ssl/ErrorDetail.h"
>> -
>> - #include <climits>
>> -@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const
>> - {
>> - if (broken_cert.get()) {
>> - static char tmpBuffer[256]; // A temporary buffer
>> -- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer)))
>> -- return tmpBuffer;
>> -+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer))) {
>> -+ // quote to avoid possible html code injection through
>> -+ // certificate subject
>> -+ return html_quote(tmpBuffer);
>> -+ }
>> - }
>> - return "[Not available]";
>> - }
>> -@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
>> - static String tmpStr; ///< A temporary string buffer
>> - tmpStr.clean();
>> - Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
>> -- if (tmpStr.size())
>> -- return tmpStr.termedBuf();
>> -+ if (tmpStr.size()) {
>> -+ // quote to avoid possible html code injection through
>> -+ // certificate subject
>> -+ return html_quote(tmpStr.termedBuf());
>> -+ }
>> - }
>> - return "[Not available]";
>> - }
>> -@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
>> - {
>> - if (broken_cert.get()) {
>> - static char tmpBuffer[256]; // A temporary buffer
>> -- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer)))
>> -- return tmpBuffer;
>> -+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer))) {
>> -+ // quote to avoid possible html code injection through
>> -+ // certificate issuer subject
>> -+ return html_quote(tmpBuffer);
>> -+ }
>> - }
>> - return "[Not available]";
>> - }
>> diff --git
>> a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> deleted file mode 100644
>> index 2ae034c20..000000000
>> --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> +++ /dev/null
>> @@ -1,22 +0,0 @@
>> -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
>> -Author: flozilla <fishyflow@gmail.com>
>> -Date: 2018-10-24 14:12:01 +0200
>> -
>> - Fix memory leak when parsing SNMP packet (#313)
>> -
>> - SNMP queries denied by snmp_access rules and queries with certain
>> - unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
>> - queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
>> -
>> -diff --git a/src/snmp_core.cc b/src/snmp_core.cc
>> -index c4d21c1..16c2993 100644
>> ---- a/src/snmp_core.cc
>> -+++ b/src/snmp_core.cc
>> -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
>> - snmpConstructReponse(rq);
>> - } else {
>> - debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from
>> : " << rq->from);
>> -+ snmp_free_pdu(PDU);
>> - }
>> - xfree(Community);
>> -
>> diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
>> b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
>> similarity index 92%
>> rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
>> rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
>> index a46390c1e..8d1a4e03a 100644
>> --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
>> +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
>> @@ -1,6 +1,6 @@
>> --- configure.ac.~ Wed Apr 20 14:26:07 2016
>> +++ configure.ac Fri Apr 22 17:20:46 2016
>> -@@ -3149,6 +3149,9 @@
>> +@@ -3156,6 +3156,9 @@
>> ;;
>> esac
>>
>> @@ -10,7 +10,7 @@
>> dnl --with-maxfd present for compatibility with Squid-2.
>> dnl undocumented in ./configure --help to encourage using the Squid-3
>> directive
>> AC_ARG_WITH(maxfd,,
>> -@@ -3179,8 +3182,6 @@
>> +@@ -3186,8 +3189,6 @@
>> esac
>> ])
>>
>
>
@@ -24,7 +24,7 @@
include Config
-VER = 3.5.28
+VER = 4.4
THISAPP = squid-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5
+$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
install : $(TARGET)
@@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
- cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
cd $(DIR_APP)/libltdl && autoreconf -vfi
@@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--enable-zph-qos \
--with-dl \
--with-filedescriptors=$$(( 16384 * 64 )) \
- --with-large-files
+ --with-large-files \
+ --without-gnutls \
+ --without-netfilter-conntrack
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
deleted file mode 100644
@@ -1,72 +0,0 @@
-commit f1657a9decc820f748fa3aff68168d3145258031
-Author: Christos Tsantilas <christos@chtsanti.net>
-Date: 2018-10-17 15:14:07 +0000
-
- Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
-
- %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
- ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.
-
- Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).
-
- Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
-
- TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.
-
- This is a Measurement Factory project.
-
-diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
-index b5030e3..314e998 100644
---- a/src/ssl/ErrorDetail.cc
-+++ b/src/ssl/ErrorDetail.cc
-@@ -8,6 +8,8 @@
-
- #include "squid.h"
- #include "errorpage.h"
-+#include "fatal.h"
-+#include "html_quote.h"
- #include "ssl/ErrorDetail.h"
-
- #include <climits>
-@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const
- {
- if (broken_cert.get()) {
- static char tmpBuffer[256]; // A temporary buffer
-- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
-- return tmpBuffer;
-+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
-+ // quote to avoid possible html code injection through
-+ // certificate subject
-+ return html_quote(tmpBuffer);
-+ }
- }
- return "[Not available]";
- }
-@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
- static String tmpStr; ///< A temporary string buffer
- tmpStr.clean();
- Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
-- if (tmpStr.size())
-- return tmpStr.termedBuf();
-+ if (tmpStr.size()) {
-+ // quote to avoid possible html code injection through
-+ // certificate subject
-+ return html_quote(tmpStr.termedBuf());
-+ }
- }
- return "[Not available]";
- }
-@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
- {
- if (broken_cert.get()) {
- static char tmpBuffer[256]; // A temporary buffer
-- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
-- return tmpBuffer;
-+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
-+ // quote to avoid possible html code injection through
-+ // certificate issuer subject
-+ return html_quote(tmpBuffer);
-+ }
- }
- return "[Not available]";
- }
deleted file mode 100644
@@ -1,22 +0,0 @@
-commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
-Author: flozilla <fishyflow@gmail.com>
-Date: 2018-10-24 14:12:01 +0200
-
- Fix memory leak when parsing SNMP packet (#313)
-
- SNMP queries denied by snmp_access rules and queries with certain
- unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
- queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
-
-diff --git a/src/snmp_core.cc b/src/snmp_core.cc
-index c4d21c1..16c2993 100644
---- a/src/snmp_core.cc
-+++ b/src/snmp_core.cc
-@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
- snmpConstructReponse(rq);
- } else {
- debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
-+ snmp_free_pdu(PDU);
- }
- xfree(Community);
-
similarity index 92%
rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
@@ -1,6 +1,6 @@
--- configure.ac.~ Wed Apr 20 14:26:07 2016
+++ configure.ac Fri Apr 22 17:20:46 2016
-@@ -3149,6 +3149,9 @@
+@@ -3156,6 +3156,9 @@
;;
esac
@@ -10,7 +10,7 @@
dnl --with-maxfd present for compatibility with Squid-2.
dnl undocumented in ./configure --help to encourage using the Squid-3 directive
AC_ARG_WITH(maxfd,,
-@@ -3179,8 +3182,6 @@
+@@ -3186,8 +3189,6 @@
esac
])