diff --git a/squid-3.5.20.tar.xz b/squid-3.5.20.tar.xz deleted file mode 100644 index f38e2c8..0000000 --- a/squid-3.5.20.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:37db73bd33ddd3503fe375bc3f2b47d9fb7309042e439ad3651f21d5dcf2d395 -size 2319780 diff --git a/squid-3.5.20.tar.xz.asc b/squid-3.5.20.tar.xz.asc deleted file mode 100644 index d5020ed..0000000 --- a/squid-3.5.20.tar.xz.asc +++ /dev/null @@ -1,20 +0,0 @@ -File: squid-3.5.20.tar.xz -Date: Fri Jul 1 13:49:42 UTC 2016 -Size: 2319780 -MD5 : 48fb18679a30606de98882528beab3a7 -SHA1: 2bb6d3568e7167c9b99fea092a97287d0e430863 -Key : 0xFF5CF463 - fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463 - keyring = http://www.squid-cache.org/pgp.asc - keyserver = subkeys.pgp.net ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQEcBAABAgAGBQJXdnW5AAoJELJo5wb/XPRjqzsH+wXT0yt47aqoGWI8D1YpRaW5 -KPYvJdos0zPfgIPFWXxngH+ZpJcSPD21QuiEPS8BqISxm+/+By+0QIljITnHWFOV -/wo1nwL/IMissmD+9bksyBede+BsZdz1PSwl9V1MzvuGL4vwOC0UZD9RT9RYvMwj -Exfw80v/01bAVpV8U3tsBodk4Rz3AWIHhH2Tf9O2EZ/pIAtEHtDbkdLk81rSwNED -tL6yV/n+BoWgAPg/+YPVGRK/h5nD4tBkTD6YBCnxp5PJmybhvAjLr/J96PtPpHdC -or7Vx1lVpKvkXwZjn936+v4pqv19lsvKs5zLtGKBG2wMmoSIo2bf/bGhhT5kBDc= -=znHp ------END PGP SIGNATURE----- diff --git a/squid-3.5.22.tar.xz b/squid-3.5.22.tar.xz new file mode 100644 index 0000000..f86ff17 --- /dev/null +++ b/squid-3.5.22.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1ce95b469257abeb2ed8a1c0417812301c1ef5a4cc40ca504167daa470ad9358 +size 2324164 diff --git a/squid-3.5.22.tar.xz.asc b/squid-3.5.22.tar.xz.asc new file mode 100644 index 0000000..28e8770 --- /dev/null +++ b/squid-3.5.22.tar.xz.asc @@ -0,0 +1,19 @@ +File: squid-3.5.22.tar.xz +Date: Sun Oct 9 23:43:33 UTC 2016 +Size: 2324164 +MD5 : afb82d2748c06c95815c171463b4aa14 +SHA1: 73e9199dd9d2a7f107f78d03454830713a4a571d +Key : 0xFF5CF463 + + keyring = http://www.squid-cache.org/pgp.asc + keyserver = subkeys.pgp.net +-----BEGIN PGP SIGNATURE----- + +iQEcBAABCAAGBQJX+tbSAAoJELJo5wb/XPRjl2gH/ReWuyxU88issJB6RDkqpg1z +ULCFIGXOZieUB1Ec+kh6gkothXfFSmec4U/3nx42N2e1cFlQby9lRY27e7T47na7 +rA8ZiXc8gXNrE06GCtFXIR9AvRQrySAJMES6wJT4LigkfbS3wZt3PvUw+RUgGCcz +RC14yLwFgzaAR7d9RVgZWBIOXlz4NUvdlb/ri+kiHc2mfT09ikm9NX+t5wJ64MfI +S/U2tFJLDeqG0B4Sx/lnl35h7f2mk+c9DPfmTDkZSE1dJScE34GtEpehJQwZcxA9 +EHgPwIP4BFIReywnCwhDMY17JDkC58gXyOBNjSd6v0PzyvXbSQLAYYJu1MKzKi8= +=JCC/ +-----END PGP SIGNATURE----- diff --git a/squid-brokenad.patch b/squid-brokenad.patch index 632df33..29d4a16 100644 --- a/squid-brokenad.patch +++ b/squid-brokenad.patch @@ -18,7 +18,7 @@ Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc - debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); - found = 1; + if (margs->brokenad == 1) { -+ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){ ++ if (strncmp(principal_name,"HTTP/",strlen("HTTP/")) != 0){ + debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name); + } else { + debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name); @@ -66,7 +66,7 @@ Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc fprintf(stderr, "-l ldap url\n"); fprintf(stderr, "-b ldap bind path\n"); fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n"); -+ fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n"); ++ fprintf(stderr, "-x force use of HTTP/ principal on MS AD 2008\n"); fprintf(stderr, "-a allow SSL without cert verification\n"); fprintf(stderr, "-m maximal depth for recursive searches\n"); fprintf(stderr, "-h help\n"); diff --git a/squid.changes b/squid.changes index 6d85991..fed4aba 100644 --- a/squid.changes +++ b/squid.changes @@ -1,3 +1,70 @@ +------------------------------------------------------------------- +Wed Oct 12 14:51:59 UTC 2016 - adam.majer@suse.de + +- Update Squid to 3.5.22 + * HTTP: MUST ignore a [revalidation] response with an older Date + header. + * Optimized/simplified buffering: Appending nothing is always + possible. + * Avoid segfaults when debugging section 4 at level 9. + * fix #4302 pt2: IPFilter v5 transparent interception + * Bug #4471: revalidation doesn't work when expired cached + object lacks Last-Modified. + * Bug #2833: Collapse internal revalidation requests + (SMP-unaware caches) + * Bug #3819: "fd >= 0" assertion in file_write() during + reconfiguration + * Do not leak url_rewrite_extras and store_id_extras on + reconfigure/shutdown. + * Fix potential ICAP null pointer dereference after rev.14082 + * Fix logged request size (%http::>st) and other size-related + %codes. + +------------------------------------------------------------------- +Tue Sep 13 15:32:34 UTC 2016 - adam.majer@suse.de + +- Merge changes from SLE12 SP2 so we have identical packages + +------------------------------------------------------------------- +Mon Sep 12 09:57:30 UTC 2016 - adam.majer@suse.de + +- Update Squid to 3.5.21 + * fix assertion failure in xcalloc when using many cache_dir + Squid is documented as supporting up to 64 cache directories, + but would crash with a memory allocation error if more than + a few were actually configured. + * fix authentication credentials IP TTL updated incorrectly + This bug caused error in max_user_ip ACL accounting to allow + clients to shift IP address more times than configured. + Fix may have an effect on IPv6 clients using "proviacy adressing" + to rotate IPs. + * fix mal-formed Cache-Control:stale-if-error header + This bug shows up as incorrect stale-if-error values being + relayed by Squid breaking the use of this feature in the + recipients. Squid now relays the header values correctly. + * fix Proxy-Authenticate problem using ICAP server + With this change Squid now treats the ICAP REQMOD adaptation + point as a part of itself with regards to proxy authentication. + The Proxy-Authentication header received from the client is + delivered as part of the HTTP request headers in expectation + that the ICAP service may authenticate and/or + produce 407 response itself. + * fix HTTP: MUST always revalidate Cache-Control:no-cache responses + This bug shows up as Squid not revalidating some responses until + they became stale according to refresh_pattern heuristic rules + (specifically the minimum caching age). Squid now revalidates + these objects on every request. + * fix HTTP: do not allow Proxy-Connection to override Connection + * fix SSL CN wildcard must only match a single domain fragment + This bug shows up as incorrect matching (or non-matching) of the + ss::server_name ACL against TLS certificate values. Squid now + treats the certificate CN fields according to X.509 domain + matching requirements instead of HTTP domain matching + requirements. +- squid-brokenad.patch + * propertly capitalize option name + * make the conditional if() not a riddle + ------------------------------------------------------------------- Mon Jul 18 08:05:42 UTC 2016 - adam.majer@suse.de diff --git a/squid.spec b/squid.spec index f04adad..5d4e775 100644 --- a/squid.spec +++ b/squid.spec @@ -20,7 +20,7 @@ %define squidconfdir %{_sysconfdir}/squid Name: squid -Version: 3.5.20 +Version: 3.5.22 Release: 0 Summary: A fully featured HTTP/1.0 proxy License: GPL-2.0+ @@ -28,7 +28,6 @@ Group: Productivity/Networking/Web/Proxy Url: http://www.squid-cache.org/Versions/v3/3.5 Source0: http://www.squid-cache.org/Versions/v3/3.5/%{name}-%{version}.tar.xz Source1: http://www.squid-cache.org/Versions/v3/3.5/%{name}-%{version}.tar.xz.asc - Source3: squid.init Source4: squid.sysconfig Source5: pam.squid @@ -50,6 +49,10 @@ Patch103: squid-brokenad.patch Patch104: squid-old-kerberos.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build +# BuildRequires: autoconf +# BuildRequires: automake +# If you want to run unit tests, these also need mounted /dev/shm and /proc +# BuildRequires: cppunit-devel BuildRequires: db-devel # needed by bootstrap.sh BuildRequires: cyrus-sasl-devel @@ -131,7 +134,7 @@ The most important of these new features are: %setup -q cp %{SOURCE10} . # upstream patches after RELEASE -# + ##### other patches %patch100 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"` @@ -140,6 +143,7 @@ chmod a-x CREDITS %patch104 %build +# autoreconf -fi export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export LDFLAGS="-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie"