Merge branch 'factory' into PED-14462

Since version 6, some previously deprecated features have been removed:
 * Edge Side Includes (ESI)
 * access to the cache manager using the cache_object:// scheme - use http instead
 * the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
 * the cachemgr.cgi tool
 * the purge tool - use the http PURGE method instead
 * Ident protocol support
 * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
  - Quit NTLM authenticate() on missing NTLM authorization header
  - Fix Auth::User::absorb() IP list transfer logic
  - Fix type mismatch in new/delete of addrinfo::ai_addr
  - Fix libntlmauth string parsing on big-endian machines
  - ... and some code cleanups
  - ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
  - Bug 3390: Proxy auth data visible to scripts
  - Bug 5504: Document that Squid discards invalid rewrite-url
  - Bug 5407: Support at least 1000 groups per Kerberos user
  - Fix parsing of malformed quoted squid.conf strings
  - Fix off-by-one in helper args count assertion
  - Fix UDP log module opening and closing code
  - Fix BodyPipe debugging in handleChunkedRequestBody()
  - Fix debugging of Eui48::lookup() problems
  - Fix memory leak when parsing deprecated %rG logformat code
  - Fix SQUID_YESNO 'syntax error near unexpected token'
  - DNS: fix RRPack memcpy
  - DNS: Do not leak RR data upon RR data unpacking errors
  - FTP: Avoid null dereferences when handling ftp_port traffic

OBS-URL: https://build.opensuse.org/request/show/1316100
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=124

.gitattributes

@@ -1,4 +1,4 @@
-## Default LFS
+*.changes merge=merge-changes
 *.7z filter=lfs diff=lfs merge=lfs -text
 *.bsp filter=lfs diff=lfs merge=lfs -text
 *.bz2 filter=lfs diff=lfs merge=lfs -text
@@ -12,6 +12,7 @@
 *.pdf filter=lfs diff=lfs merge=lfs -text
 *.png filter=lfs diff=lfs merge=lfs -text
 *.rpm filter=lfs diff=lfs merge=lfs -text
+*.tar filter=lfs diff=lfs merge=lfs -text
 *.tbz filter=lfs diff=lfs merge=lfs -text
 *.tbz2 filter=lfs diff=lfs merge=lfs -text
 *.tgz filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -1 +1,4 @@
-.osc
+*.obscpio
+*.osc
+_build.*
+.pbuild

CVE-2024-33427.patch

@@ -1,13 +0,0 @@
-Index: squid-6.9/src/ConfigParser.cc
-===================================================================
---- squid-6.9.orig/src/ConfigParser.cc
-+++ squid-6.9/src/ConfigParser.cc
-@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
-     *d = '\0';
- 
-     // We are expecting a separator after quoted string, space or one of "()#"
--    if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
-+    if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
-         errorStr = "Expecting space after the end of quoted token";
-         errorPos = token;
-     }

CVE-2025-59362.patch

@@ -1,49 +0,0 @@
-From 34d90168f4a6905b254c4158b2e0cb79e4e7c05b Mon Sep 17 00:00:00 2001
-From: Alex Rousskov <rousskov@measurement-factory.com>
-Date: Fri, 29 Aug 2025 10:08:59 -0400
-Subject: [PATCH] Support ASN.1 encoding of long SNMP OIDs
-
----
- lib/snmplib/asn1.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
-index 81f2051fbe7..2852c26b220 100644
---- a/lib/snmplib/asn1.c
-+++ b/lib/snmplib/asn1.c
-@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
-      * lastbyte ::= 0 7bitvalue
-      */
-     u_char buf[MAX_OID_LEN];
-+    u_char *bufEnd = buf + sizeof(buf);
-     u_char *bp = buf;
-     oid *op = objid;
-     int asnlength;
-@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
-     while (objidlength-- > 0) {
-         subid = *op++;
-         if (subid < 127) {  /* off by one? */
-+            if (bp >= bufEnd) {
-+                snmp_set_api_error(SNMPERR_ASN_ENCODE);
-+                return (NULL);
-+            }
-             *bp++ = subid;
-         } else {
-             mask = 0x7F;    /* handle subid == 0 case */
-@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
-                 /* fix a mask that got truncated above */
-                 if (mask == 0x1E00000)
-                     mask = 0xFE00000;
-+                if (bp >= bufEnd) {
-+                    snmp_set_api_error(SNMPERR_ASN_ENCODE);
-+                    return (NULL);
-+                }
-                 *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
-             }
-+            if (bp >= bufEnd) {
-+                snmp_set_api_error(SNMPERR_ASN_ENCODE);
-+                return (NULL);
-+            }
-             *bp++ = (u_char) (subid & mask);
-         }
-     }

CVE-2025-62168.patch

@@ -1,200 +0,0 @@
-ported from
-
-commit e7e9073a2435cc93b913553d147b497fda77c1ab
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   Sat Oct 11 16:33:02 2025 +1300
-
-    Bug 3390: Proxy auth data visible to scripts (#2249)
-    
-    Original changes to redact credentials from error page %R code
-    expansion output was incomplete. It missed the parse failure
-    case where ErrorState::request_hdrs raw buffer contained
-    sensitive information.
-    
-    Also missed was the %W case where full request message headers
-    were generated in a mailto link. This case is especially
-    problematic as it may be delivered over insecure SMTP even if
-    the error was secured with HTTPS.
-    
-    After this change:
-    * The HttpRequest message packing code for error pages is de-duplicated
-      and elides authentication headers for both %R and %W code outputs.
-    * The %R code output includes the CRLF request message terminator.
-    * The email_err_data directive causing advanced details to be added to
-      %W mailto links is disabled by default.
-    
-    Also redact credentials from generated TRACE responses.
-    
-    ---------
-    
-    Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
-
-Index: squid-6.12/src/HttpRequest.cc
-===================================================================
---- squid-6.12.orig/src/HttpRequest.cc
-+++ squid-6.12/src/HttpRequest.cc
-@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
- 
- /* packs request-line and headers, appends <crlf> terminator */
- void
--HttpRequest::pack(Packable * p) const
-+HttpRequest::pack(Packable * p, const bool maskSensitiveInfo) const
- {
-     assert(p);
-     /* pack request-line */
-@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
-                SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
-                http_ver.major, http_ver.minor);
-     /* headers */
--    header.packInto(p);
--    /* trailer */
-+    header.packInto(p, maskSensitiveInfo);
-+    /* indicate the end of the header section */
-     p->append("\r\n", 2);
- }
- 
-Index: squid-6.12/src/HttpRequest.h
-===================================================================
---- squid-6.12.orig/src/HttpRequest.h
-+++ squid-6.12/src/HttpRequest.h
-@@ -206,7 +206,7 @@ public:
- 
-     void swapOut(StoreEntry * e);
- 
--    void pack(Packable * p) const;
-+    void pack(Packable * p, bool maskSensitiveInfo = false) const;
- 
-     static void httpRequestPack(void *obj, Packable *p);
- 
-Index: squid-6.12/src/cf.data.pre
-===================================================================
---- squid-6.12.orig/src/cf.data.pre
-+++ squid-6.12/src/cf.data.pre
-@@ -8931,12 +8931,18 @@ NAME: email_err_data
- COMMENT: on|off
- TYPE: onoff
- LOC: Config.onoff.emailErrData
--DEFAULT: on
-+DEFAULT: off
- DOC_START
- 	If enabled, information about the occurred error will be
- 	included in the mailto links of the ERR pages (if %W is set)
- 	so that the email body contains the data.
- 	Syntax is <A HREF="mailto:%w%W">%w</A>
-+
-+	SECURITY WARNING:
-+		Request headers and other included facts may contain
-+		sensitive information about transaction history, the
-+		Squid instance, and its environment which would be
-+		unavailable to error recipients otherwise.
- DOC_END
- 
- NAME: deny_info
-Index: squid-6.12/src/client_side_reply.cc
-===================================================================
---- squid-6.12.orig/src/client_side_reply.cc
-+++ squid-6.12/src/client_side_reply.cc
-@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(C
- void
- clientReplyContext::setReplyToError(
-     err_type err, Http::StatusCode status, char const *uri,
--    const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
-+    const ConnStateData *conn, HttpRequest *failedrequest, const char *,
- #if USE_AUTH
-     Auth::UserRequest::Pointer auth_user_request
- #else
-@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
- {
-     auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
- 
--    if (unparsedrequest)
--        errstate->request_hdrs = xstrdup(unparsedrequest);
--
- #if USE_AUTH
-     errstate->auth_user_request = auth_user_request;
- #endif
-@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
-     triggerInitialStoreRead();
-     http->storeEntry()->releaseRequest();
-     http->storeEntry()->buffer();
-+    MemBuf content;
-+    content.init();
-+    http->request->pack(&content, true /* hide authorization data */);
-     const HttpReplyPointer rep(new HttpReply);
--    rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
-+    rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
-+    rep->body.set(SBuf(content.buf, content.size));
-     http->storeEntry()->replaceHttpReply(rep);
--    http->request->swapOut(http->storeEntry());
--    http->storeEntry()->complete();
-+    http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
- }
- 
- #define SENDING_BODY 0
-Index: squid-6.12/src/errorpage.cc
-===================================================================
---- squid-6.12.orig/src/errorpage.cc
-+++ squid-6.12/src/errorpage.cc
-@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
- {
-     safe_free(redirect_url);
-     safe_free(url);
--    safe_free(request_hdrs);
-     wordlistDestroy(&ftp.server_msg);
-     safe_free(ftp.request);
-     safe_free(ftp.reply);
-@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb)
-                     SQUIDSBUFPRINT(request->url.path()),
-                     AnyP::ProtocolType_str[request->http_ver.protocol],
-                     request->http_ver.major, request->http_ver.minor);
--        request->header.packInto(&str);
-+        request->header.packInto(&str, true);
-     }
- 
-     str.append("\r\n", 2);
-@@ -1111,17 +1110,9 @@ ErrorState::compileLegacyCode(Build &bui
-             } else
-                 p = "[no request]";
-             break;
--        }
--        if (request) {
--            mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
--                       SQUIDSBUFPRINT(request->method.image()),
--                       SQUIDSBUFPRINT(request->url.path()),
--                       AnyP::ProtocolType_str[request->http_ver.protocol],
--                       request->http_ver.major, request->http_ver.minor);
--            request->header.packInto(&mb, true); //hide authorization data
--        } else if (request_hdrs) {
--            p = request_hdrs;
--        } else {
-+        } else if (request) {
-+            request->pack(&mb, true /* hide authorization data */);
-+		} else {
-             p = "[no request]";
-         }
-         break;
-Index: squid-6.12/src/errorpage.h
-===================================================================
---- squid-6.12.orig/src/errorpage.h
-+++ squid-6.12/src/errorpage.h
-@@ -194,7 +194,6 @@ public:
-         MemBuf *listing = nullptr;
-     } ftp;
- 
--    char *request_hdrs = nullptr;
-     char *err_msg = nullptr; /* Preformatted error message from the cache */
- 
-     AccessLogEntryPointer ale; ///< transaction details (or nil)
-Index: squid-6.12/src/tests/stub_HttpRequest.cc
-===================================================================
---- squid-6.12.orig/src/tests/stub_HttpRequest.cc
-+++ squid-6.12/src/tests/stub_HttpRequest.cc
-@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const Ht
- bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
- int HttpRequest::prefixLen() const STUB_RETVAL(0)
- void HttpRequest::swapOut(StoreEntry *) STUB
--void HttpRequest::pack(Packable *) const STUB
-+void HttpRequest::pack(Packable *, bool) const STUB
- void HttpRequest::httpRequestPack(void *, Packable *) STUB
- HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
- HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)

harden_squid.service.patch

@@ -3,7 +3,7 @@ Index: squid-6.2/tools/systemd/squid.service
 --- squid-6.2.orig/tools/systemd/squid.service
 +++ squid-6.2/tools/systemd/squid.service
 @@ -11,6 +11,18 @@ Documentation=man:squid(8)
- After=network.target network-online.target nss-lookup.target
+ After=local-fs.target network.target network-online.target nss-lookup.target
  
  [Service]
 +# added automatically, for details please see

squid-6.12.tar.xz.asc

@@ -1,17 +0,0 @@
-File: squid-6.12.tar.xz
-Date: Fri Oct 11 08:30:43 PM UTC 2024
-Size: 2548220
-MD5 : 26a264b234e22e012ea531d4f5d43ed1
-SHA1: 2885015423b66f0b87e2e3ed0dfd17f3f124d7e6
-Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
-            29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865
-sub   cv25519 2021-05-15 [E]
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZwmLBQAKCRAo+FAp/vbo
-ZYYJAP9pMd7sF4qmLLMlHIu48KMKqGhJdkEEpZJbOvmXS4lpBQD/QzCU3cng78NN
-orwehX0iYHf0lWvY8IjBV/9YEPi9iww=
-=yaaw
------END PGP SIGNATURE-----

squid-7.4.tar.xz.asc

@@ -0,0 +1,18 @@
+File     : squid-7.4.tar.xz
+Date     : Tue, 20 Jan 2026 21:45:55 +0000
+Size     : 2441824
+MD5      : 6744b320a37ff162861b2cc0c04f4528
+SHA1     : 0594cf35b85bd2b830c5bc6bb1b5352e60525703
+SHA256   : e31976edd755c295bd5842a349c9c7dad16a683d066337cc09033c1302b4fed4
+Key      : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
+Fingerprint:       29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865
+sub   cv25519 2021-05-15 [E]
+Keyring  : http://www.squid-cache.org/pgp.asc
+Keyserver: keyserver.ubuntu.com
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaW/4TwAKCRAo+FAp/vbo
+ZexsAQDX7iY7sOuslBuqIPQwkFvGssqKOx8ZqVSkQBmj/f/srAEAwJi3W62+HGSC
+T+QcND/nbDZ6eofX/1lKSe5luBeE1AA=
+=Jdg5
+-----END PGP SIGNATURE-----

squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch

@@ -1,99 +0,0 @@
-From c565067bf2ddf3ce88ed27d71d1d8816ee03047e Mon Sep 17 00:00:00 2001
-From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
-Date: Sat, 30 Nov 2024 03:04:33 +0000
-Subject: [PATCH] Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit
- crash (#1952)
-
-Squid may crash when the SquidConfig global is auto-destructed after
-main() ends. Since SquidConfig global is used by cleanup code, we should
-keep its fields alive, essentially emulating "No New Globals" policy
-effects. This surgical fix will be followed up with more changes to
-address general OpenSSL cleanup problems exposed by this bug.
-
-This bug fix facilitates backporting by using FuturePeerContext shim.
-
-tabraham@suse.com: backport of commit c565067bf2ddf3ce88ed27d71d1d8816ee03047e
----
- src/SquidConfig.h                  |  2 +-
- src/cache_cf.cc                    | 10 ++++++----
- src/security/BlindPeerConnector.cc |  2 +-
- src/ssl/PeekingPeerConnector.cc    |  2 +-
- 4 files changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/src/SquidConfig.h b/src/SquidConfig.h
-index 7cb949b38..84210a5bb 100644
---- a/src/SquidConfig.h
-+++ b/src/SquidConfig.h
-@@ -511,7 +511,7 @@ public:
-     external_acl *externalAclHelperList;
- 
-     struct {
--        Security::ContextPointer sslContext;
-+        Security::ContextPointer *sslContext_;
- #if USE_OPENSSL
-         char *foreignIntermediateCertsPath;
-         acl_access *cert_error;
-diff --git a/src/cache_cf.cc b/src/cache_cf.cc
-index cc1cbc556..4d323f12f 100644
---- a/src/cache_cf.cc
-+++ b/src/cache_cf.cc
-@@ -963,8 +963,9 @@ configDoConfigure(void)
- 
-     if (Security::ProxyOutgoingConfig.encryptTransport) {
-         debugs(3, 2, "initializing https:// proxy context");
--        Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createClientContext(false);
--        if (!Config.ssl_client.sslContext) {
-+	const auto rawSslContext = Security::ProxyOutgoingConfig.createClientContext(false);
-+	Config.ssl_client.sslContext_ = rawSslContext ? new Security::ContextPointer(rawSslContext) : nullptr;
-+        if (!Config.ssl_client.sslContext_) {
- #if USE_OPENSSL
-             fatal("ERROR: Could not initialize https:// proxy context");
- #else
-@@ -972,7 +973,7 @@ configDoConfigure(void)
- #endif
-         }
- #if USE_OPENSSL
--        Ssl::useSquidUntrusted(Config.ssl_client.sslContext.get());
-+        Ssl::useSquidUntrusted(Config.ssl_client.sslContext_->get());
- #endif
-     }
- 
-@@ -3929,7 +3930,8 @@ configFreeMemory(void)
- {
-     free_all();
-     Dns::ResolveClientAddressesAsap = false;
--    Config.ssl_client.sslContext.reset();
-+    delete Config.ssl_client.sslContext_;
-+    Config.ssl_client.sslContext_ = nullptr;
- #if USE_OPENSSL
-     Ssl::unloadSquidUntrusted();
- #endif
-diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc
-index 7372df960..2f442edbc 100644
---- a/src/security/BlindPeerConnector.cc
-+++ b/src/security/BlindPeerConnector.cc
-@@ -27,7 +27,7 @@ Security::BlindPeerConnector::getTlsContext()
-     if (peer && peer->secure.encryptTransport)
-         return peer->sslContext;
- 
--    return ::Config.ssl_client.sslContext;
-+    return *Config.ssl_client.sslContext_;
- }
- 
- bool
-diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
-index 6098b5ae9..b57b62a98 100644
---- a/src/ssl/PeekingPeerConnector.cc
-+++ b/src/ssl/PeekingPeerConnector.cc
-@@ -145,7 +145,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess() const
- Security::ContextPointer
- Ssl::PeekingPeerConnector::getTlsContext()
- {
--    return ::Config.ssl_client.sslContext;
-+    return *Config.ssl_client.sslContext_;
- }
- 
- bool
--- 
-2.51.0
-

squid.changes

@@ -1,18 +1,126 @@
 -------------------------------------------------------------------
-Fri Feb 13 16:27:15 UTC 2026 - Adam Majer <adam.majer@suse.de>
+Wed Mar  4 15:29:26 UTC 2026 - Adam Majer <adam.majer@suse.de>
 
-- squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch:
-  fix workign with crypto module (bsc#1250223)
+- Update to 7.4
+  - Do not create world-readable directories
+  - digest_edirectory_auth: Fix LDAPS memory leaks
+  - snmplib: Improve handling of zero-length ASN OCTET STRINGs
+  - Debug tls_read_method()/tls_write_method() errors
+  - ICMP: Harden echo paths, fix overflows, UB, and leaks
+  - Set SSL_OP_LEGACY_SERVER_CONNECT when peeking at servers
+  - security_file_certgen: Fix OPENSSL_malloc()/free(3) mismatch
+  - Detect FreeBSD ports Heimdal package
+  - Remove SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H macro
+  - Remove SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H macro
+  - ext_kerberos_ldap_group_acl: Do not prohibit all LDFLAGS
+  - negotiate_sspi_auth: Respond with ERR when FormatMessage() fails
+  - ... and some code cleanups
+  - ... and some CI improvements
 
 -------------------------------------------------------------------
-Thu Nov  6 15:07:07 UTC 2025 - Adam Majer <adam.majer@suse.de>
+Thu Nov  6 18:56:27 UTC 2025 - Adam Majer <adam.majer@suse.de>
 
-- CVE-2025-62168.patch: Proxy auth data visible to scripts (bsc#1252281, CVE-2025-62168)
+Since version 6, some previously deprecated features have been removed:
+ * Edge Side Includes (ESI)
+ * access to the cache manager using the cache_object:// scheme - use http instead
+ * the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
+ * the cachemgr.cgi tool
+ * the purge tool - use the http PURGE method instead
+ * Ident protocol support
+ * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
+
+- Update to 7.3 (bsc#1250627, CVE-2025-59362, bsc#1250223)
+  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
+  - Quit NTLM authenticate() on missing NTLM authorization header
+  - Fix Auth::User::absorb() IP list transfer logic
+  - Fix type mismatch in new/delete of addrinfo::ai_addr
+  - Fix libntlmauth string parsing on big-endian machines
+  - ... and some code cleanups
+  - ... and some CI improvements
+
+- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
+  - Bug 3390: Proxy auth data visible to scripts
+  - Bug 5504: Document that Squid discards invalid rewrite-url
+  - Bug 5407: Support at least 1000 groups per Kerberos user
+  - Fix parsing of malformed quoted squid.conf strings
+  - Fix off-by-one in helper args count assertion
+  - Fix UDP log module opening and closing code
+  - Fix BodyPipe debugging in handleChunkedRequestBody()
+  - Fix debugging of Eui48::lookup() problems
+  - Fix memory leak when parsing deprecated %rG logformat code
+  - Fix SQUID_YESNO 'syntax error near unexpected token'
+  - DNS: fix RRPack memcpy
+  - DNS: Do not leak RR data upon RR data unpacking errors
+  - FTP: Avoid null dereferences when handling ftp_port traffic
+  - FTP: fix response parsing and error handling memory leaks
+  - HTCP: Check for too-small packed and too-large unpacked fields
+  - HTTP: fix purging of entries by relative [Content-]Location URLs
+  - SNMP: Improve parsing of malformed ASN.1 object identifiers
+  - SNMP: Check for objid memory allocation failures
+  - SNMP: Fix ASN.1 encoding of long OIDs
+  - SNMP: Do not assert when debugging requests with long OIDs
+  - SNMP: Match Var allocation/deallocation methods
+  - digest_edirectory_auth: null-terminate NMAS values array
+  - digest_edirectory_auth: safely return password
+  - ext_ad_group_acl: Fix domain lookup error handling
+  - ext_edirectory_userip_acl: Redact password from stdout
+  - ext_file_userip_acl: harden lookups and memory handling
+  - ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
+  - ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
+  - ext_ldap_group_acl: avoid infinite loop on login containing '%s'
+  - negotiate_kerberos_auth: Properly align NDR data
+  - negotiate_sspi_auth: Do not exit on the first request
+  - ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
+  - text_backend: avoid memory leaks when reload/clearing
+  - Reduce UDS/segment name clashes across same-service instances
+  - Reject eui64 ACL addresses with trailing garbage
+  - Validate raw-IPv4 when parsing hostnames
+  - Avoid memory leaks when logging to MS Windows syslog
+  - Flip configure --enable-arch-native default
+  - Support no-digest X509 certificate keys like ML-DSA/EdDSA
+  - Do not allow client_ip_max_connections+1 connections
+  - Remove bundled smblib and librfcnb
+  - Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
+  - Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
+  - ... and several code cleanups
+  - ... and some documentation improvements
+
+- CVE-2024-33427.patch: upstreamed, removing
 
 -------------------------------------------------------------------
-Thu Oct  2 15:53:06 UTC 2025 - Adam Majer <adam.majer@suse.de>
+Thu Oct 23 13:33:41 UTC 2025 - Joel Baltazor <obs@mtlfab.com>
 
-- CVE-2025-59362.patch: Squid cache buffer overflow (bsc#1250627, CVE-2025-59362)
+- Updated harden_squid.service.patch to include new startup sequence
+  local-fs.target
+
+- Update to 6.14
+ - Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
+ - Bug 5489: Fix "make check" linking on Solaris
+ - Fix SNMP cacheNumObjCount -- number of cached objects
+ - Do not duplicate received Surrogate-Capability in sent requests
+ - Fix Mem::Segment::open() stub to fix build without shm_open()
+ - ... and CI and documentation updates
+ 
+- changes since squid-6.13
+ - Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
+ - Bug 5405: Large uploads fill request buffer and die
+ - Bug 5093: List http_port params that https_port/ftp_port lack
+ - Bug 5311: clarify configuration byte units
+ - Bug 5091: document that changes to workers require restart
+ - Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
+ - Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
+ - Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
+ - Clarify --enable-ecap failure on missing shared library support
+ - Fix syntax error in configure.ac
+ - Remove GNU'ism in release notes Makefile
+ - Annotate PoolMalloc memory in valgrind builds
+ - Fix systemd startup sequence to require active Local Filesystem
+ - Display Linux variant at ./configure time
+ - Refactor peerRefreshDNS() to clarify its (void*)1 logic
+ - Portability: remove explicit check for libdl
+ - ext_time_quota_acl: remove -l option
+ - ... and some documentation updates
+ - ... and some CI updates
 
 -------------------------------------------------------------------
 Mon Dec  9 13:01:22 UTC 2024 - Adam Majer <adam.majer@suse.de>

squid.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package squid
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,14 +24,14 @@
 %define         squidhelperdir %{_sbindir}
 %endif
 Name:           squid
-Version:        6.12
+Version:        7.4
 Release:        0
 Summary:        Caching and forwarding HTTP web proxy
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Web/Proxy
 URL:            http://www.squid-cache.org
-Source0:        http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
-Source1:        http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
+Source0:        https://github.com/squid-cache/squid/releases/download/SQUID_7_4/squid-7.4.tar.xz
+Source1:        https://github.com/squid-cache/squid/releases/download/SQUID_7_4/squid-7.4.tar.xz.asc
 Source5:        pam.squid
 Source6:        unsquid.pl
 Source7:        %{name}.logrotate
@@ -48,10 +48,6 @@ Source17:       tmpfilesdir.squid.conf
 Patch1:         missing_installs.patch
 Patch2:         old_nettle_compat.patch
 Patch3:         harden_squid.service.patch
-Patch4:         CVE-2024-33427.patch
-Patch5:         CVE-2025-59362.patch
-Patch6:         CVE-2025-62168.patch
-Patch7:         squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  expat
 BuildRequires:  fdupes
@@ -108,10 +104,6 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
-%patch -P 4 -p1
-%patch -P 5 -p1
-%patch -P 6 -p1
-%patch -P 7 -p1
 
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
@@ -158,11 +150,11 @@ export CXX=g++-11
 	--enable-underscores \
 	--enable-auth \
 %if 0%{?suse_version} < 1599
-	--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
+	--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
 %else
-        --enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
+        --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
 %endif
-	--enable-auth-ntlm="SMB_LM,fake" \
+	--enable-auth-ntlm="fake" \
 	--enable-auth-negotiate \
 	--enable-auth-digest \
 	--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group,time_quota \
@@ -176,8 +168,8 @@ export CXX=g++-11
 	--enable-security-cert-validators
 #make -O SAMBAPREFIX=%{_prefix} %{?_smp_mflags}
 mkdir src/icmp/tests
-mkdir tools/squidclient/tests
-mkdir tools/sysvinit/tests tools/tests
+#mkdir tools/squidclient/tests
+#mkdir tools/sysvinit/tests tools/tests
 make %{?_smp_mflags}
 %if 0%{?suse_version} >= 1500
 %sysusers_generate_pre %{SOURCE12} squid
@@ -205,18 +197,6 @@ install -Dpm 644 %{SOURCE7} \
 
 install -d -m 755 doc/scripts
 install scripts/*.pl doc/scripts
-cat > doc/scripts/cachemgr.readme <<-EOT
-%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
-	cachemgr.cgi will now be found in %{squidhelperdir}
-%else
-	cachemgr.cgi will now be found in %{_libdir}/%{name}
-%endif
-EOT
-
-%if 0%{?suse_version} <= 1500 && 0%{?sle_version} < 150300
-install -dpm 755 %{buildroot}/%{_libdir}/%{name}
-mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
-%endif
 
 install -dpm 755 doc/contrib
 install %{SOURCE6} doc/contrib
@@ -355,7 +335,6 @@ fi
 %if 0%{?suse_version} >= 1500
 %{_sysusersdir}/squid-user.conf
 %endif
-%config(noreplace) %{squidconfdir}/cachemgr.conf
 %config(noreplace) %{squidconfdir}/errorpage.css
 %if 0%{?suse_version} > 1500
 %{_distconfdir}/logrotate.d/%{name}
@@ -364,7 +343,6 @@ fi
 %endif
 %config(noreplace) %{squidconfdir}/mime.conf
 %config(noreplace) %{squidconfdir}/%{name}.conf
-%config %{squidconfdir}/cachemgr.conf.default
 %config %{squidconfdir}/errorpage.css.default
 %config %{squidconfdir}/%{name}.conf.default
 %config %{squidconfdir}/%{name}.conf.documented
@@ -381,8 +359,6 @@ fi
 %{_datadir}/%{name}/mime.conf
 %{_datadir}/%{name}/mime.conf.default
 %{_datadir}/snmp/mibs/SQUID-MIB.txt
-%{_bindir}/purge
-%{_bindir}/squidclient
 %{squidhelperdir}/basic_db_auth
 %{squidhelperdir}/basic_fake_auth
 %{squidhelperdir}/basic_getpwnam_auth
@@ -398,7 +374,6 @@ fi
 %{squidhelperdir}/basic_sasl_auth
 %{squidhelperdir}/basic_smb_auth
 %{squidhelperdir}/basic_smb_auth.sh
-%{squidhelperdir}/basic_smb_lm_auth
 %{squidhelperdir}/cert_tool
 %{squidhelperdir}/digest_file_auth
 %{squidhelperdir}/digest_ldap_auth
@@ -417,7 +392,6 @@ fi
 %{squidhelperdir}/negotiate_kerberos_auth_test
 %{squidhelperdir}/negotiate_wrapper_auth
 %{squidhelperdir}/ntlm_fake_auth
-%{squidhelperdir}/ntlm_smb_lm_auth
 %{squidhelperdir}/pinger
 %{squidhelperdir}/security_fake_certverify
 %{squidhelperdir}/security_file_certgen
@@ -431,10 +405,8 @@ fi
 %{_sbindir}/rcsquid
 %if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
 %dir %{squidhelperdir}
-%{squidhelperdir}/cachemgr.cgi
 %else
 %dir %{_libdir}/%{name}
-%{_libdir}/%{name}/cachemgr.cgi
 %endif
 
 %changelog