diff --git a/squid-3.5.10.tar.xz b/squid-3.5.10.tar.xz
deleted file mode 100644
index b51be76..0000000
--- a/squid-3.5.10.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:736e69fbddd6e985d2f85c995526f0a2bc4294c46dfb6737c0ccf09274a458b3
-size 2297452
diff --git a/squid-3.5.10.tar.xz.asc b/squid-3.5.10.tar.xz.asc
deleted file mode 100644
index d885b4a..0000000
--- a/squid-3.5.10.tar.xz.asc
+++ /dev/null
@@ -1,20 +0,0 @@
-File: squid-3.5.10.tar.xz
-Date: Thu Oct 1 15:37:56 UTC 2015
-Size: 2297452
-MD5 : 5ddc53bd6ff78234691a7ebbcbc6aa38
-SHA1: 804bbf5ef6ccdc277dacde83e086fad30d02da60
-Key : 0xFF5CF463
- fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
- keyring = http://www.squid-cache.org/pgp.asc
- keyserver = subkeys.pgp.net
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJWDVnkAAoJELJo5wb/XPRjC/MIAMUTJEgzajbcbpCJubfxL8+y
-gxV/SjysESmgjjgC7LdtEsz6X156zxPXNYbNC05NKZ0qLrMN0cHy1+LG1uIWie2c
-vFL0KmFllIRY9wiV2m4Y3uoEYvGFEWYviaW8edRJstZAEBe2ntSSvD+982rRwRgw
-mHDnjIUL9MnJGnjqVq+O3jq1M/lxmAYoiiJrDQM/Jkd6yvs73o4spRp5AVg6+Vfq
-sL3qP/Xz2IaLmHTgHmjhwOQsa7y5THAkUhBzv9Q+BSbo2Qb/6orQnvBcDuhCFs7j
-DRnm602Axmqa4zTOQjfkg9ag6WXB+8AIeKFnJuX+Ynw9LVRVTq2DCJqyNVhZbNw=
-=LrXD
------END PGP SIGNATURE-----
diff --git a/squid-4.0.1.tar.xz b/squid-4.0.1.tar.xz
new file mode 100644
index 0000000..c601d36
--- /dev/null
+++ b/squid-4.0.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:170ef2db8a8d9416c27389d03ec0bed565b500e9c579ef17ed3308e338984cef
+size 2337656
diff --git a/squid-4.0.1.tar.xz.asc b/squid-4.0.1.tar.xz.asc
new file mode 100644
index 0000000..0a8fa43
--- /dev/null
+++ b/squid-4.0.1.tar.xz.asc
@@ -0,0 +1,20 @@
+File: squid-4.0.1.tar.xz
+Date: Wed Oct 14 07:12:20 UTC 2015
+Size: 2337656
+MD5 : 95c2e01bd5ff09185fe9c4afa0ce746a
+SHA1: da5c117c4431b2a9fb743466078c4d7e1be8a1f4
+Key : 0xFF5CF463
+ fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = subkeys.pgp.net
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJWHgUWAAoJELJo5wb/XPRjY8gH/RZNaVmDq64CpxtZDOCfyk3+
+ye0ae20GuwJ3Ms19el+KwkRWin4SHs0ESNcrpRXjV+B+ponPQW/yAeqC+3TFqVTq
+cDw+IWX52cN4zg9v5BEHvkWYSu7Fa/BjNdxweaR9D7tLYv0r/I1kNFuqK0eqecRi
+MKilw8gfbq6V+fdGJqAc+Le87ZUkqx0B9YWsYkn5W0HWLLnT+WzAyrXULTbTCAAI
+AMpTlAOz091pXI6gJRTBuKLMzXS5OL05BJn+3jq0J7BABXEsy9Ja7OLUPzBe24gL
+4MtvVi5b6oFfFcXz4Plxf5/F9mBKT7AKbJTUYijLQ/FkQzdxx4BbUIfCNa9II+g=
+=uXim
+-----END PGP SIGNATURE-----
diff --git a/squid-brokenad.patch b/squid-brokenad.patch
index 632df33..0db4b6a 100644
--- a/squid-brokenad.patch
+++ b/squid-brokenad.patch
@@ -2,7 +2,7 @@ Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc =================================================================== --- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig +++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc -@@ -81,7 +81,7 @@ k5_error(const char* msg, krb5_error_cod +@@ -80,7 +80,7 @@ k5_error(const char* msg, krb5_error_cod * create Kerberos memory cache */ int
@@ -10,59 +10,59 @@ Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc +krb5_create_cache(struct main_args *margs, char *domain) { - krb5_keytab keytab = 0; -@@ -178,8 +178,17 @@ krb5_create_cache(char *domain) - if (code) { - k5_error("Error while unparsing principal name",code); - } else { -- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); -- found = 1; -+ if (margs->brokenad == 1) { -+ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){ -+ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name); + krb5_keytab keytab = NULL; +@@ -288,8 +288,17 @@ krb5_create_cache(char *domain) + if (code) { + k5_error("Error while unparsing principal name",code); + } else { +- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); +- found = 1; ++ if (margs->brokenad == 1) { ++ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){ ++ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name); ++ } else { ++ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name); ++ found = 1; ++ } + } else { -+ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name); ++ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); + found = 1; + } -+ } else { -+ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); -+ found = 1; -+ } + } } - } #if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY ) Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc =================================================================== --- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig +++ 
helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc -@@ -61,6 +61,7 @@ init_args(struct main_args *margs) - margs->rc_allow = 0; +@@ -66,6 +66,7 @@ init_args(struct main_args *margs) margs->AD = 0; margs->mdepth = 5; + margs->nokerberos = 0; + margs->brokenad = 0; margs->ddomain = NULL; margs->groups = NULL; margs->ndoms = NULL; -@@ -179,7 +180,7 @@ main(int argc, char *const argv[]) +@@ -189,7 +190,7 @@ main(int argc, char *const argv[]) init_args(&margs); -- while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) { -+ while (-1 != (opt = getopt(argc, argv, "diasxg:D:N:S:u:U:t:T:p:l:b:m:h"))) { +- while (-1 != (opt = getopt(argc, argv, "diasng:D:N:S:u:U:t:T:p:l:b:m:h"))) { ++ while (-1 != (opt = getopt(argc, argv, "diasnxg:D:N:S:u:U:t:T:p:l:b:m:h"))) { switch (opt) { case 'd': debug_enabled = 1; -@@ -231,6 +232,9 @@ main(int argc, char *const argv[]) - case 'S': - margs.llist = xstrdup(optarg); +@@ -206,6 +207,9 @@ main(int argc, char *const argv[]) + case 'n': + margs.nokerberos = 1; break; + case 'x': + margs.brokenad = 1; + break; - case 'h': - fprintf(stderr, "Usage: \n"); - fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n"); -@@ -247,6 +251,7 @@ main(int argc, char *const argv[]) + case 'g': + margs.glist = xstrdup(optarg); + break; +@@ -261,6 +265,7 @@ main(int argc, char *const argv[]) fprintf(stderr, "-l ldap url\n"); fprintf(stderr, "-b ldap bind path\n"); fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n"); 
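Review bot: The test `if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){` in the brokenad branch of krb5_create_cache parses as `(!strncmp(...)) == 0`, so it is true when the principal does not start with HTTP/. That agrees with the two debug messages, but the double negation is easy to misread and is the pattern GCC and Clang report under -Wlogical-not-parentheses. Write it as `if (strncmp(principal_name, "HTTP/", strlen("HTTP/")) != 0) {`. Because this branch decides which keytab principal the helper uses when -x is given, a one-line comment such as `/* -x: only accept keytab entries whose principal starts with HTTP/ */` above it would help the next reader. The body of krb5_create_cache starts and ends outside the hunk, so what happens when no entry sets `found` cannot be checked from here.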
@@ -74,18 +74,18 @@ Index: helpers/external_acl/kerberos_ldap_group/support.h =================================================================== --- helpers/external_acl/kerberos_ldap_group/support.h.orig +++ helpers/external_acl/kerberos_ldap_group/support.h -@@ -105,6 +105,7 @@ struct main_args { - int rc_allow; +@@ -106,6 +106,7 @@ struct main_args { int AD; int mdepth; + int nokerberos; + int brokenad; char *ddomain; struct gdstruct *groups; struct ndstruct *ndoms; -@@ -164,7 +165,7 @@ int create_nd(struct main_args *margs); - int create_ls(struct main_args *margs); - - #ifdef HAVE_KRB5 +@@ -181,7 +182,7 @@ struct kstruct { + char* mem_ccache[MAX_DOMAINS]; + int ncache; + }; -int krb5_create_cache(char *domain); +int krb5_create_cache(struct main_args *margs, char *domain); void krb5_cleanup(void); @@ -95,12 +95,12 @@ Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc =================================================================== --- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig +++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc -@@ -898,7 +898,7 @@ get_memberof(struct main_args *margs, ch - debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); - - #if HAVE_KRB5 -- kc = krb5_create_cache(domain); -+ kc = krb5_create_cache(margs,domain); - if (kc) { - error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); - } +@@ -902,7 +902,7 @@ get_memberof(struct main_args *margs, ch + kc = 1; + debug((char *) "%s| %s: DEBUG: Kerberos is disabled. Use username/password with ldap url instead\n", LogTime(), PROGRAM); + } else { +- kc = krb5_create_cache(domain); ++ kc = krb5_create_cache(margs,domain); + if (kc) { + error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); + } diff --git a/squid-config.patch b/squid-config.patch index 2975cdc..098ccdc 100644 --- a/squid-config.patch +++ b/squid-config.patch 
@@ -2,7 +2,7 @@ Index: src/cf.data.pre =================================================================== --- src/cf.data.pre.orig +++ src/cf.data.pre -@@ -1460,6 +1460,8 @@ http_access deny manager +@@ -1498,6 +1498,8 @@ http_access deny manager # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet @@ -11,7 +11,7 @@ Index: src/cf.data.pre http_access allow localhost # And finally deny all other access to this proxy -@@ -3692,6 +3694,10 @@ DOC_START +@@ -3645,6 +3647,10 @@ DOC_START Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value. @@ -22,7 +22,7 @@ Index: src/cf.data.pre 'L1' is the number of first-level subdirectories which will be created under the 'Directory'. The default is 16. -@@ -3810,7 +3816,7 @@ DOC_START +@@ -3763,7 +3769,7 @@ DOC_START NOCOMMENT_START # Uncomment and adjust the following to add a disk cache directory. @@ -31,7 +31,7 @@ Index: src/cf.data.pre NOCOMMENT_END DOC_END -@@ -4507,7 +4513,7 @@ DOC_END +@@ -4477,7 +4483,7 @@ DOC_END NAME: logfile_rotate TYPE: int @@ -39,4 +39,4 @@ Index: src/cf.data.pre +DEFAULT: 0 LOC: Config.Log.rotateNumber DOC_START - Specifies the number of logfile rotations to make when you + Specifies the default number of logfile rotations to make when you diff --git a/squid.changes b/squid.changes index ef9eca9..2a1c130 100644 --- a/squid.changes +++ b/squid.changes 
@@ -1,3 +1,68 @@
+-------------------------------------------------------------------
+Sat Dec 5 00:36:04 UTC 2015 - boris@steki.net
+
+- fixes for boo#956989
+ - updated pretrans scriptlet so it handles only rpm link vs folders issue
+ - pre scriptlet updated to not change configuration file without real need
+ for configuration updates
+
+
+-------------------------------------------------------------------
+Tue Oct 27 17:12:19 UTC 2015 - chris@computersalat.de
+
+- update to 4.0.1
+ * Bug 4329: GCC 5.2 no known conversion for argument
+ * Bug 4292: negotiate_wrapper: Unreleased Resources
+ * Bug 4269: ignore-must-revalidate broken
+ * Bug 4190: assertion 'hash_remove_link' from Auth::User::cacheCleanup
+ * Bug 3920: Splay::remove() reference counting inconsistent
+ * Bug 3069: CONNECT method bytes sent logging
+ * Bug 2741 partial: libsecurity API for GnuTLS support
+ * Bug 1961 partial: redesign of URL handling
+ * Fix crash when parsing invalid squid.conf
+ * Fix eCAP: Return 'unknown body size' for bodies with unknown body sizes
+ * Remove unused OS detection: Sun, SysV, Ultrix, BSDi
+ * Remove cache_peer_domain directive
+ * RFC 6176 compliance: Remove SSLv2 support
+ * HTTP/1.1: Remove refresh_pattern ignore-auth and ignore-must-revalidate
+ * Remove GCC 2.x and 3.x detection and support
+ * C++11 compiler support is now mandatory
+ * Enable flexible transport protocol
+ * Enable long (--foo) command line parameters on squid binary
+ * Add per-rule refresh_pattern matching statistics
+ * Replace sslversion=N with tls-min-version=1.N
+ * Replace sslproxy_* directives with tls_outgoing_options
+ * Replace GNU atomics and related hacks with C++11 std::atomic
+ * Replace external_acl_type format %macros with logformat codes
+ * Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
+ * Support Secure ICAP services
+ * Support rotate=N option on access_log
+ * Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol)
+ * Support
lifetime timeout for persistent connections (pconn_lifetime)
+ * Support timeout for URL-rewrite helper lookups (url_rewrite_timeout)
+ * Support logging fast things (nanosecond log resolution)
+ * Support ICAP/eCAP adaptation for 100-continue responses
+ * Support configurable helper queue size, with consistent defaults
+ and better overflow handling.
+ * Support named service PID file by default (pid_filename)
+ * url_lfs_rewrite: Add URL-rewriter based on local file existence
+ * negotiate_kerberos_auth: output group= kv-pair
+ * helper-mux: add man(8) page
+ * purge: convert README to man(1) page
+ * basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth
+ * basic_sspi_auth: fix MinGW compile errors
+ * negotiate_sspi_auth: fix various build errors
+ * Crypto-NG: libnettle Base64 algorithm support
+ * Parser-NG: HTTP Parser structural redesign
+ * libltdl: copyright updated to LGPL version 2.1
+ * ... and several performance optimizations
+ * ... and many documentation changes
+ * ... and much code cleanup and polishing
+- fix dependency (C++11)
+ * gcc >= 4.7
+- rebase squid-config.patch
+- rebase and fix squid-brokenad.patch
+
 -------------------------------------------------------------------
 Thu Oct 15 14:57:13 UTC 2015 - jkeil@suse.de
diff --git a/squid.spec b/squid.spec
index c596b53..7743269 100644
--- a/squid.spec
+++ b/squid.spec
@@ -20,14 +20,14 @@ %define squidconfdir %{_sysconfdir}/squid Name: squid -Version: 3.5.10 +Version: 4.0.1 Release: 0 Summary: A fully featured HTTP/1.0 proxy License: GPL-2.0+ Group: Productivity/Networking/Web/Proxy -Url: http://www.squid-cache.org/Versions/v3/3.5 -Source0: http://www.squid-cache.org/Versions/v3/3.5/%{name}-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v3/3.5/%{name}-%{version}.tar.xz.asc +Url: http://www.squid-cache.org/Versions/v4 +Source0: http://www.squid-cache.org/Versions/v4/%{name}-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v4/%{name}-%{version}.tar.xz.asc Source3: squid.init Source4: squid.sysconfig @@ -57,7 +57,7 @@ BuildRequires: ed BuildRequires: expat # BuildRequires: fdupes -BuildRequires: gcc-c++ +BuildRequires: gcc-c++ >= 4.7 BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libexpat-devel 
@@ -106,26 +106,20 @@ Requires(pre): %insserv_prereq Requires: logrotate Provides: http_proxy -# due to package rename -# Wed Aug 15 17:40:30 UTC 2012 -Provides: %{name}3 = %{version} -Obsoletes: %{name}3 < %{version} - %description -Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance. +Squis is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance. -Squid 3.5 represents a new feature release above 3.4. +Squid 4 represents a new feature release above 3.5. The most important of these new features are: - * Support libecap v1.0 - * Authentication helper query extensions - * Support named services - * Upgraded squidclient tool - * Helper support for concurrency channels - * Native FTP Relay - * Receive PROXY protocol, Versions 1 & 2 - * Basic authentication MSNT helper changes + Configurable helper queue size + Helper concurrency channels changes + SSL support removal + MSNT-multi-domain helper removal + Secure ICAP + Elliptic Curve Diffie-Hellman (ECDH) + Improved SMP support %prep %setup -q 
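Review bot: The first added line of %description misspells the package name as `Squis`; it should begin `Squid is a fully-featured HTTP/1.0 proxy`. The new feature list also says `SSL support removal`, while the squid.changes entry in this same commit records `RFC 6176 compliance: Remove SSLv2 support`. If only SSLv2 is dropped, the line should read `SSLv2 support removal`, otherwise administrators will take it to mean that TLS support as a whole is gone. The hunk also drops `Provides: %{name}3` and `Obsoletes: %{name}3` without a changelog line; if any supported system can still carry the old squid3 package, that removal presumably breaks its upgrade path and deserves a mention.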
@@ -306,29 +300,34 @@ fi %service_add_pre %{name}.service %endif -%pretrans -# Directory to symlink is not working in RPM so workaround it -# Occurs when updating from 3.4 to 3.5 -error_dir="%{_datadir}/%{name}/errors" -for i in zh-cn zh-tw; do - if [ -d "$error_dir/$i" ]; then - rm -rf "$error_dir/$i" || true - fi -done -# emulate_httpd_log is gone with 3.5 -if [ -e etc/%{name}/%{name}.conf ]; then - sed -i '/emulate_httpd_log/d' /etc/%{name}/%{name}.conf -fi - # update mode? if [ "$1" -gt "1" ]; then if [ -e %{_sysconfdir}/%{name}.conf -a ! -L %{_sysconfdir}/%{name}.conf -a ! -e %{_sysconfdir}/%{name}/%{name}.conf ]; then echo "moving %{_sysconfdir}/%{name}.conf to %{_sysconfdir}/%{name}/%{name}.conf" - mv /%{_sysconfdir}/%{name}.conf /%{_sysconfdir}/%{name}/%{name}.conf + mv %{_sysconfdir}/%{name}.conf %{_sysconfdir}/%{name}/%{name}.conf fi - # default group changed from nogroup to squid - %{_sbindir}/usermod -g %{name} %{name} fi +# emulate_httpd_log is gone with 3.5 +if [ -e %{_sysconfdir}/%{name}/%{name}.conf ]; then + if [ $(grep -c emulate_httpd_log %{_sysconfdir}/%{name}/%{name}.conf) -gt 0 ];then + sed -i '/emulate_httpd_log/d' %{_sysconfdir}/%{name}/%{name}.conf + fi +fi + +%pretrans -p +-- Directory to symlink is not working in RPM so workaround it +-- Occurs when updating from 3.4 to 3.5 +error_dir="%{_datadir}/%{name}/errors/" +bad_ones={"zh-cn","zh-tw"} +print("cleaning up old directories") +for i,f in pairs(bad_ones) do + pstat = posix.stat(error_dir..f) + if pstat and pstat.type == "directory" then + print ("moving away "..error_dir..f.." to "..error_dir..f .. ".rpmmoved") + --posix.rmdir(error_dir..f) + os.rename(error_dir..f, error_dir..f .. ".rpmmoved") + end +end %post %if 0%{?suse_version} >= 1140 
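Review bot: The `os.rename(error_dir..f, error_dir..f .. ".rpmmoved")` call in the new Lua %pretrans ignores its result. When the rename fails, for example because a non-empty `.rpmmoved` directory is left over from an earlier upgrade, the old directory stays in place and the transaction meets the same directory-versus-symlink conflict with no message explaining why. Capture the result with `local ok, err = os.rename(src, src .. ".rpmmoved")` and report it with `if not ok then print("cannot move "..src..": "..tostring(err)) end`. `error_dir`, `bad_ones` and `pstat` are assigned as globals and should be declared `local`. In the %pre part the `[ $(grep -c emulate_httpd_log FILE) -gt 0 ]` test reads more simply as `grep -q emulate_httpd_log FILE`.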
@@ -436,7 +435,7 @@ fi %{_sbindir}/digest_edirectory_auth ## will get removed in 3.6 series # http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#toc2.8 -%{_sbindir}/basic_msnt_multi_domain_auth +#%%{_sbindir}/basic_msnt_multi_domain_auth ## %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth @@ -466,7 +465,7 @@ fi %{_sbindir}/ext_session_acl %{_sbindir}/ext_unix_group_acl %{_sbindir}/ext_wbinfo_group_acl -%{_sbindir}/helper-mux.pl +%{_sbindir}/helper-mux %{_sbindir}/log_db_daemon %{_sbindir}/log_file_daemon %{_sbindir}/negotiate_kerberos_auth @@ -486,6 +485,7 @@ fi %{_sbindir}/unlinkd %{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite.sh +%{_sbindir}/url_lfs_rewrite %if 0%{?suse_version} %{_sbindir}/rc%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name}