From patchwork Sun Aug 23 12:42:58 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 3396
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] squid: Update to 4.13
Date: Sun, 23 Aug 2020 14:42:58 +0200
Message-Id: <20200823124258.3114-1-matthias.fischer@ipfire.org>

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

and

http://lists.squid-cache.org/pipermail/squid-users/2020-August/022566.html

Fixes (excerpt):

"* SQUID-2020:8 HTTP(S) Request Splitting (CVE-2020-15811)

This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.

* SQUID-2020:9 Denial of Service processing Cache Digest Response
(CVE pending allocation)

This problem allows a trusted peer to deliver to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.

* SQUID-2020:10 HTTP(S) Request Smuggling (CVE-2020-15810)

This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.

* Bug 5051: Some collapsed revalidation responses never expire

* SSL-Bump: Support parsing GREASEd (and future) TLS handshakes

* Honor on_unsupported_protocol for intercepted https_port"

Signed-off-by: Matthias Fischer
--- lfs/squid | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/squid b/lfs/squid index ebd25e42e..3a53315d7 100644 --- a/lfs/squid +++ b/lfs/squid 
@@ -24,7 +24,7 @@ include Config -VER = 4.12 +VER = 4.13 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ad7a4a8a0031cae3435717a759173829 +$(DL_FILE)_MD5 = 492e54afc15821141ff1d1d9903854d6 install : $(TARGET)
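Review bot: the second hunk, at `$(DL_FILE)_MD5 = 492e54afc15821141ff1d1d9903854d6`, leaves MD5 as the only integrity check on the tarball fetched from `$(DL_FROM)`. MD5 is not collision resistant, and this update is being pulled in for its security fixes, so please confirm the 4.13 tarball against the checksum or signature published upstream and say in the commit message how the new value was obtained. If the lfs build accepts a stronger digest for `$(DL_FILE)`, pin that as well.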