From patchwork Sun Nov 4 18:09:52 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 1980 Return-Path: Received: from mail01.ipfire.org (mail01.ipfire.org [IPv6:2001:470:7183:25::1]) by web02.i.ipfire.org (Postfix) with ESMTP id 2695B60603 for ; Sun, 4 Nov 2018 08:10:04 +0100 (CET) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 5099E204C74E; Sun, 4 Nov 2018 07:10:03 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1541315403; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references:list-id: list-unsubscribe:list-subscribe:list-post; bh=1zppD419UWay0n65uPDhxU6Ba58bPe3wL492ZyDcwJY=; b=AH2hNsT3HX2wS4sHVwdqYCSJFLTwdVmBzjyqDGq3dUxXdeOLCchqvotE99IeH8OwfinhVg ckgWeZL8ZNF6zmzINj4rdayETSxGQVC7lpnCr8yC5uBbc14X/xbjOZREHWDRS/hJOSdn2d lr24wGiKILSfa3xb/grVwGv6LYYedw39LTdr910nW24U13i4QsmZ0zchFCcwICoCdcoLSH mtHWYqReUQOHOtxss/Y09iFMVpGZnknO/dbcNhjfo1Mmig+8y3/QEVzPUI/+hWss+YgMNb ttB21ZIm87QejXyFmqe+h0Jo0auENQi3exiKKDy/PmRLKjkhAPJisJquKPeE9A== Received: from Devel.localdomain (p5B0A157F.dip0.t-ipconnect.de [91.10.21.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id F253D21A13CE for ; Sun, 4 Nov 2018 07:09:57 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1541315398; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=1zppD419UWay0n65uPDhxU6Ba58bPe3wL492ZyDcwJY=; b=CeZJ/fozSpWGIsTV/AYU2IMj7TsmH+rUPe7NswtUm1HKmJCdVM2G//KmJYCPUsyZyy3lyU T0nWJnUuFxcLdJQaES7PF3BDSIJj4VfYvPplVzNTqsU/ML/R0Jl6Gxk8xT7ThF7OjpCm47 O3N8nVTIFgdXq9rhczHg7bzA5oR0SwcwDvERZ1Dn94+OiY3DCEycVUhkKSuuUDe/WHYURA W6SyPRemEV7VXYj6y6mw+oCdu64wl27kTzfSVYdBoOBn4EgCBriBsS3i7PTQZOefn+Pohu AYMnBdWIrY9tqbJ5hDv52dUxv507NlU3kLf9LsPuwOCBbjgOdvJcXBC9Tj5Lbw== From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] squid: Update to 4.4 (stable) Date: Sun, 4 Nov 2018 08:09:52 +0100 Message-Id: <20181104070952.7220-1-matthias.fischer@ipfire.org> X-Mailer: git-send-email 2.18.0 Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=mfischer smtp.mailfrom=matthias.fischer@ipfire.org X-Spamd-Result: default: False [-0.16 / 11.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_SPAM(1.94)[0.647,0]; RCPT_COUNT_ONE(0.00)[1]; DKIM_SIGNED(0.00)[]; MID_CONTAINS_FROM(1.00)[]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:3320, ipnet:91.0.0.0/10, country:DE]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Spam-Status: No, score=-0.16 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" For details see: http://www.squid-cache.org/Versions/v4/changesets/ In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4 "The features have been set and large code changes are reserved for later versions." I've tested almost all 4.x-versions and patch series before with good results. Right now, 4.4 is running here with no seen problems together with 'squidclamav', 'squidguard' and 'privoxy'. I too would declare this version stable. Best, Matthias Signed-off-by: Matthias Fischer --- lfs/squid | 12 ++-- ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 ------------------- ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------ ... squid-4.4-fix-max-file-descriptors.patch} | 4 +- 4 files changed, 8 insertions(+), 102 deletions(-) delete mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch delete mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-4.4-fix-max-file-descriptors.patch} (92%) diff --git a/lfs/squid b/lfs/squid index 11b84d719..e5e799111 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 3.5.28 +VER = 4.4 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5 +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd install : $(TARGET) @@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-zph-qos \ --with-dl \ --with-filedescriptors=$$(( 16384 * 64 )) \ - --with-large-files + --with-large-files \ + --without-gnutls \ + --without-netfilter-conntrack cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch deleted file mode 100644 index fadb1d48c..000000000 --- a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch +++ /dev/null @@ -1,72 +0,0 @@ -commit f1657a9decc820f748fa3aff68168d3145258031 -Author: Christos Tsantilas -Date: 2018-10-17 15:14:07 +0000 - - Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) - - %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all - ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template. - - Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet). - - Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. - - TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional. - - This is a Measurement Factory project. - -diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc -index b5030e3..314e998 100644 ---- a/src/ssl/ErrorDetail.cc -+++ b/src/ssl/ErrorDetail.cc -@@ -8,6 +8,8 @@ - - #include "squid.h" - #include "errorpage.h" -+#include "fatal.h" -+#include "html_quote.h" - #include "ssl/ErrorDetail.h" - - #include -@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const - { - if (broken_cert.get()) { - static char tmpBuffer[256]; // A temporary buffer -- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) -- return tmpBuffer; -+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { -+ // quote to avoid possible html code injection through -+ // certificate subject -+ return html_quote(tmpBuffer); -+ } - } - return "[Not available]"; - } -@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const - static String tmpStr; ///< A temporary string buffer - tmpStr.clean(); - Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); -- if (tmpStr.size()) -- return tmpStr.termedBuf(); -+ if (tmpStr.size()) { -+ // quote to avoid possible html code injection through -+ // certificate subject -+ return html_quote(tmpStr.termedBuf()); -+ } - } - return "[Not available]"; - } -@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const - { - if (broken_cert.get()) { - static char tmpBuffer[256]; // A temporary buffer -- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) -- return tmpBuffer; -+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { -+ // quote to avoid possible html code injection through -+ // certificate issuer subject -+ return html_quote(tmpBuffer); -+ } - } - return "[Not available]"; - } diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch deleted file mode 100644 index 2ae034c20..000000000 --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) -Author: flozilla -Date: 2018-10-24 14:12:01 +0200 - - Fix memory leak when parsing SNMP packet (#313) - - SNMP queries denied by snmp_access rules and queries with certain - unsupported SNMPv2 commands were leaking a few hundred bytes each. Such - queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log. - -diff --git a/src/snmp_core.cc b/src/snmp_core.cc -index c4d21c1..16c2993 100644 ---- a/src/snmp_core.cc -+++ b/src/snmp_core.cc -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq) - snmpConstructReponse(rq); - } else { - debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); -+ snmp_free_pdu(PDU); - } - xfree(Community); - diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch index a46390c1e..8d1a4e03a 100644 --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3149,6 +3149,9 @@ +@@ -3156,6 +3156,9 @@ ;; esac @@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 directive AC_ARG_WITH(maxfd,, -@@ -3179,8 +3182,6 @@ +@@ -3186,8 +3189,6 @@ esac ])