From 83753ab199ec64ea94bcb009e9bc289290e5f51bbca7b9ff78a3b039edfad731 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Tue, 28 May 2024 08:50:04 +0000
Subject: [PATCH 1/2] - update to 6.9 - Regression Bug 5349: basic_nis_auth build error: unterminated #ifndef - Bug 5069: Keep listening after getsockname() error - Bug 5360: FwdState::noteDestinationsEnd() assertion "err" - Reduce stale errno usage - Plug memory leak in handling cache manager requests - Fix error: template-id not allowed for constructor in C++20 - Improve release packaging automation - header_fixups.patch: upstreamed, removed - 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: upstreamed, removed OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=296
---
...6d8db5e8f40829374d26334d0bb5272c1afd.patch | 29 -------------------
header_fixups.patch | 14 ---------
squid-6.8.tar.xz | 3 --
squid-6.8.tar.xz.asc | 17 -----------
squid-6.9.tar.xz | 3 ++
squid-6.9.tar.xz.asc | 17 +++++++++++
squid.changes | 15 ++++++++++
squid.spec | 6 +---
8 files changed, 36 insertions(+), 68 deletions(-)
delete mode 100644 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch
delete mode 100644 header_fixups.patch
delete mode 100644 squid-6.8.tar.xz
delete mode 100644 squid-6.8.tar.xz.asc
create mode 100644 squid-6.9.tar.xz
create mode 100644 squid-6.9.tar.xz.asc
diff --git a/9be86d8db5e8f40829374d26334d0bb5272c1afd.patch b/9be86d8db5e8f40829374d26334d0bb5272c1afd.patch
deleted file mode 100644
index 514cd56..0000000
--- a/9be86d8db5e8f40829374d26334d0bb5272c1afd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-commit 9be86d8db5e8f40829374d26334d0bb5272c1afd
-Author: Alex Rousskov
-Date: Fri Mar 1 22:20:20 2024 +0000
-
- Bug 5069: Keep listening after getsockname() error (#1713)
-
- ERROR: Stopped accepting connections:
- error: getsockname() failed to locate local-IP on ...
-
- In many cases, these failures are intermittent client-triggered errors
- (e.g., client shut down the accepted socket); Squid will successfully
- accept other connections and, hence, should keep listening for them.
-
-diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
-index dcc52fbaa..aa082df4b 100644
---- a/src/comm/TcpAcceptor.cc
-+++ b/src/comm/TcpAcceptor.cc
-@@ -381,7 +381,10 @@ Comm::TcpAcceptor::acceptInto(Comm::ConnectionPointer &details)
- if (getsockname(sock, gai->ai_addr, &gai->ai_addrlen) != 0) {
- int xerrno = errno;
- Ip::Address::FreeAddr(gai);
-- throw TextException(ToSBuf("getsockname() failed to locate local-IP on ", details, ": ", xstrerr(xerrno)), Here());
-+ debugs(50, DBG_IMPORTANT, "ERROR: Closing accepted TCP connection after failing to obtain its local IP address" <<
-+ Debug::Extra << "accepted connection: " << details <<
-+ Debug::Extra << "getsockname(2) error: " << xstrerr(xerrno));
-+ return false;
- }
- details->local = *gai;
- Ip::Address::FreeAddr(gai);
diff --git a/header_fixups.patch b/header_fixups.patch
deleted file mode 100644
index 68d30a5..0000000
--- a/header_fixups.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: squid-6.8/src/auth/basic/NIS/nis_support.h
-===================================================================
---- squid-6.8.orig/src/auth/basic/NIS/nis_support.h
-+++ squid-6.8/src/auth/basic/NIS/nis_support.h
-@@ -8,9 +8,6 @@
- #ifndef SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
- #define SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
-
--#ifndef SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
--#define SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
---
- extern char * get_nis_password(char *user, char *nisdomain, char *nismap);
-
- #endif /* SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H */
diff --git a/squid-6.8.tar.xz b/squid-6.8.tar.xz
deleted file mode 100644
index 87bf51e..0000000
--- a/squid-6.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:11cc5650b51809d99483ccfae24744a2e51cd16199f5ff0c917e84fce695870f
-size 2547796
diff --git a/squid-6.8.tar.xz.asc b/squid-6.8.tar.xz.asc
deleted file mode 100644
index fa5f521..0000000
--- a/squid-6.8.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
-File: squid-6.8.tar.xz
-Date: Mon Mar 4 06:17:24 AM UTC 2024
-Size: 2547796
-MD5 : d84b0d0ee2b9c1bdb782cb5117a72913
-SHA1: f9092ab57ec1f49720a02589a452e3498c183867
-Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865
- 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
-sub cv25519 2021-05-15 [E]
- keyring = http://www.squid-cache.org/pgp.asc
- keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZeVnkQAKCRAo+FAp/vbo
-Zc5eAP96D2jk2kcOdMEo1GVpDXwEjZkavTPmYC6k9oKNwDjJ+QD+LH4um4EPsglW
-NedPryEIN/FCWwB5NLriVPwtVe0r7Aw=
-=/X4C
------END PGP SIGNATURE-----
diff --git a/squid-6.9.tar.xz b/squid-6.9.tar.xz
new file mode 100644
index 0000000..2c527ab
--- /dev/null
+++ b/squid-6.9.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ad72d46e1cb556e9561214f0fb181adb87c7c47927ef69bc8acd68a03f61882
+size 2557992
diff --git a/squid-6.9.tar.xz.asc b/squid-6.9.tar.xz.asc
new file mode 100644
index 0000000..2c1eb4a
--- /dev/null
+++ b/squid-6.9.tar.xz.asc
@@ -0,0 +1,17 @@
+File: squid-6.9.tar.xz
+Date: Mon Apr 8 06:31:46 AM UTC 2024
+Size: 2557992
+MD5 : 4888e9dc75c0daa0ed526b34c055cb67
+SHA1: 5e73b30116ce7111589cc2b1c9bfe3c17efa2e75
+Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865
+ 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
+sub cv25519 2021-05-15 [E]
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZhOPagAKCRAo+FAp/vbo
+ZcUMAP431ZvxTspTtnGMKRksGqYPkQn8t9e3LF21KIKKMgfSQAEA7lUbYqXSX4Av
+0kdzaQZt83DNc/doQYeEU+S7Xtz1BA8=
+=rcZg
+-----END PGP SIGNATURE-----
diff --git a/squid.changes b/squid.changes
index 5cda8ab..f94dd78 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue May 28 08:39:49 UTC 2024 - Adam Majer
+
+- update to 6.9
+ - Regression Bug 5349: basic_nis_auth build error: unterminated #ifndef
+ - Bug 5069: Keep listening after getsockname() error
+ - Bug 5360: FwdState::noteDestinationsEnd() assertion "err"
+ - Reduce stale errno usage
+ - Plug memory leak in handling cache manager requests
+ - Fix error: template-id not allowed for constructor in C++20
+ - Improve release packaging automation
+
+- header_fixups.patch: upstreamed, removed
+- 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: upstreamed, removed
+
 -------------------------------------------------------------------
 Wed Mar 6 12:02:14 UTC 2024 - Adam Majer
diff --git a/squid.spec b/squid.spec
index aeca282..3b232d8 100644
--- a/squid.spec
+++ b/squid.spec
@@ -24,7 +24,7 @@
 %define squidhelperdir %{_sbindir}
 %endif
 Name: squid
-Version: 6.8
+Version: 6.9
 Release: 0
 Summary: Caching and forwarding HTTP web proxy
 License: GPL-2.0-or-later
@@ -51,8 +51,6 @@ Source17: tmpfilesdir.squid.conf
 Patch1: missing_installs.patch
 Patch2: old_nettle_compat.patch
 Patch3: harden_squid.service.patch
-Patch4: header_fixups.patch
-Patch5: 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch
 BuildRequires: cppunit-devel
 BuildRequires: expat
 BuildRequires: fdupes
@@ -109,8 +107,6 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
-%patch -P4 -p1
-%patch -P5 -p1
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
From eb70b5ef0f61de630c699524db096815fdd721f47f05802985c46d689e065d08 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Tue, 28 May 2024 08:55:47 +0000
Subject: [PATCH 2/2] - CVE-2024-33427.patch: fixes possible buffer overread leading to denial of service (bsc#1225417, CVE-2024-33427) OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=297
---
CVE-2024-33427.patch | 13 +++++++++++++
squid.changes | 2 ++
squid.spec | 2 ++
3 files changed, 17 insertions(+)
create mode 100644 CVE-2024-33427.patch
diff --git a/CVE-2024-33427.patch b/CVE-2024-33427.patch
new file mode 100644
index 0000000..b5ee2a2
--- /dev/null
+++ b/CVE-2024-33427.patch
@@ -0,0 +1,13 @@
+Index: squid-6.9/src/ConfigParser.cc
+===================================================================
+--- squid-6.9.orig/src/ConfigParser.cc
++++ squid-6.9/src/ConfigParser.cc
+@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
+ *d = '\0';
+
+ // We are expecting a separator after quoted string, space or one of "()#"
+- if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
++ if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
+ errorStr = "Expecting space after the end of quoted token";
+ errorPos = token;
+ }
diff --git a/squid.changes b/squid.changes
index f94dd78..37b8f6f 100644
--- a/squid.changes
+++ b/squid.changes
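Review bot: The reordered test in `ConfigParser::UnQuote` is only safe if `errorStr` is already set on every path where `s` may be sitting on the terminating NUL, and nothing in the 13-line CVE-2024-33427.patch states that invariant; the code that sets `errorStr` lies outside the nested hunk, so this cannot be confirmed from here. A comment directly above the condition would stop a later edit from moving `!errorStr` back behind the `*(s + 1)` reads, for example `// Check errorStr first: after an earlier error s may be at the terminator, so s + 1 must not be read`. The new patch file also has no provenance header; a leading line such as `# Upstream: <upstream commit or PR reference>`, next to the bsc#1225417 and CVE-2024-33427 identifiers already used in squid.changes, would tell a maintainer when the patch can be dropped on the next version update.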
@@ -12,6 +12,8 @@ Tue May 28 08:39:49 UTC 2024 - Adam Majer
 - header_fixups.patch: upstreamed, removed
 - 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: upstreamed, removed
+- CVE-2024-33427.patch: fixes possible buffer overread leading to
+ denial of service (bsc#1225417, CVE-2024-33427)
 -------------------------------------------------------------------
 Wed Mar 6 12:02:14 UTC 2024 - Adam Majer
diff --git a/squid.spec b/squid.spec
index 3b232d8..96a6cdd 100644
--- a/squid.spec
+++ b/squid.spec
@@ -51,6 +51,7 @@ Source17: tmpfilesdir.squid.conf
 Patch1: missing_installs.patch
 Patch2: old_nettle_compat.patch
 Patch3: harden_squid.service.patch
+Patch4: CVE-2024-33427.patch
 BuildRequires: cppunit-devel
 BuildRequires: expat
 BuildRequires: fdupes
@@ -107,6 +108,7 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
+%patch -P 4 -p1
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`