From 1f7d2548ca94e3fba7656faac73d01996428c4eaa8f9b02dcd199b7f6c4af5b0 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Mon, 15 Jul 2019 15:22:32 +0000
Subject: [PATCH 1/4] - Update to squid 4.8: + Ignore ECONNABORTED in accept(2) + RFC 7230 forbids generation of userinfo subcomponent of https URL + cachemgr.cgi: unallocated memory access resulting in a potential denial of service. (bsc#1141442, CVE-2019-12854) + terminating c-strings beyond BASE64_DECODE_LENGTH + Replace uudecode with libnettle base64 decoder fixing a denial of service vulnerability (bsc#1141329, CVE-2019-12529) + fix to_localhost does not include :: + Fix GCC-9 build issues + Fix Digest auth parameter parsing preventing a potential denial of service (bsc#1141332, CVE-2019-12525) + Update HttpHeader::getAuth to SBuf which prevents a potential heap overflowing allowing a possible remote code execution attack when processing HTTP Authentication credentials (bsc#1141330, CVE-2019-12527) + Add the NO_TLSv1_3 option to available tls-options values + Fix handling of tiny invalid responses + Fix Memory leak when http_reply_access uses external_acl + Fix Multiple XSS issues in cachemgr.cgi (bsc#1140738, CVE-2019-13345)
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=188
---
 squid-4.7.tar.xz | 3 ---
 squid-4.7.tar.xz.asc | 25 -------------------------
 squid-4.8.tar.xz | 3 +++
 squid-4.8.tar.xz.asc | 25 +++++++++++++++++++++++++
 squid.changes | 25 +++++++++++++++++++++++++
 squid.spec | 2 +-
 6 files changed, 54 insertions(+), 29 deletions(-)
 delete mode 100644 squid-4.7.tar.xz
 delete mode 100644 squid-4.7.tar.xz.asc
 create mode 100644 squid-4.8.tar.xz
 create mode 100644 squid-4.8.tar.xz.asc
diff --git a/squid-4.7.tar.xz b/squid-4.7.tar.xz
deleted file mode 100644
index cba5bac..0000000
--- a/squid-4.7.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a29cf65f77ab70a8b1cf47e6fe1d2975ec9d04d2446d54669a5afd2aee5e354e
-size 2440884 
diff --git a/squid-4.7.tar.xz.asc b/squid-4.7.tar.xz.asc
deleted file mode 100644
index a4eda62..0000000
--- a/squid-4.7.tar.xz.asc
+++ /dev/null
@@ -1,25 +0,0 @@
-File: squid-4.7.tar.xz
-Date: Tue May 7 07:29:53 UTC 2019
-Size: 2440884
-MD5 : ec7be696032b962eac9ba5726940a3aa
-SHA1: 018ec694e5d11124ceae86d391ea157994ac6624
-Key : CD6DBF8EF3B17D3E
- B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
- keyring = http://www.squid-cache.org/pgp.asc
- keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlzRM/oACgkQzW2/jvOx
-fT5q0hAAvmwR3eKNjp5XG2s1DTYixIo1fO2YUnWsq7vlTGoBuYqXA0UGZAW5F9Up
-i2BxbnJkbR0Qm4I7F3XqdUuQH12DKRJvrbAuN57ch5yNNu3PgKlGUsk6gSfhrJcp
-U0S9/n9rj6cezwsypaZbN1SMET2q0kv7S6NMKyB5dqOsa88QhyyJIdAlB2GMCpGt
-0chyK61I6ksJjtLXm2OaZxrxuLGgXz4eoi3vs2aftUT8dGhS4OAaO9l6nkQ2M+PG
-/eoh9l3btGPfKgobnr9gyrNexUXDzvNZmdl2wbp+lw3xyIrynFlrtS6u7Cv3UC6o
-G3RxjoJd1+VJS3Rgt4HVUl7oEuvVVsizCV0YpWcLBfQb6hI6GNfzDaT9AQs5ck3a
-2RvedpYTrsEizu/kHZqH04uDcXgxsxhIPVZSFY2rZ63hXX4RX2oVm+PxfX6nBmUt
-euxusYLIk0wh7BKq81WvwjcvQW0nXKCDV/qvb6Xpk31wGoERrCtTalHFAizI8aiS
-QEf+K+PRL4uxo4FD5MUbVZuhMITPdru7Mp4cqrcxCxmgHGBbYSaWVL/Rg3kIca7Y
-UBtqbDD5CcfbpEcq8hJKUQAVH8sihNIV6PN9tqGV60tQFmUdKY/bOdkH/NliKxcz
-V/NX3CUMeXs4MtLW87ebv4OYG2yMYuaju6RL/8cOSIlTd7Qu+wU=
-=btfi
------END PGP SIGNATURE-----
diff --git a/squid-4.8.tar.xz b/squid-4.8.tar.xz
new file mode 100644
index 0000000..ebbd7a2
--- /dev/null
+++ b/squid-4.8.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:78cdb324d93341d36d09d5f791060f6e8aaa5ff3179f7c949cd910d023a86210
+size 2440888
diff --git a/squid-4.8.tar.xz.asc b/squid-4.8.tar.xz.asc
new file mode 100644
index 0000000..cd638da
--- /dev/null
+++ b/squid-4.8.tar.xz.asc 
@@ -0,0 +1,25 @@
+File: squid-4.8.tar.xz
+Date: Tue Jul 9 19:30:13 UTC 2019
+Size: 2440888
+MD5 : 08e018f2d8db4911ee90591284fa1ca5
+SHA1: 4ff1390eee3ec20cefa5565cbb56e1a89a12bfc1
+Key : CD6DBF8EF3B17D3E
+ B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl0k60wACgkQzW2/jvOx
+fT7tAg/7BB9XyX4Sxi6sdyAwSPJ7vu3sd8ENE2mYdnLlozd3n57g2EDJoDWNGMOV
+eym6Xe5TCDyadXKDVHni4LrFm80RgILMRvkkY9RIIRBTac+SEpDPZq/XL5xzxL1K
+mRxJ2Mg9dC/1Cja4xAT/NihinJ2g/vqPY/fC+35kHd1q+U3DeQlmRhMN+IoP6kOk
+ZFYfl2DkHRZFRVF/yjxy2f2ktSuZOoUcnnAI2IWzgZS5iNR4F5ozNXKNUaAhcROy
+Md6/VCnoLvYDVlXgJUBUsn0Qt/Kgl/3h/CUdGVUnG2Lt5+Gh3LZBlCNZ/P/6lBSD
+9/hXLPkY4OTKrxkf0LdwNrGH9XZX5FoKAUDvF+qUvEqwFJdgzklyXSAoEQRfFtK2
+KRAjuxR1h/JquiA7lfYchmHaS13FktkpGMAJWrQZFjRRnDcVqjEotGkcpgaIjVfG
+/Bw9LLjRf4glYvgd8+wDZBpBGU2mLXOu0/0IfU3gN4nRXnxvum0xPRPRQhmZWzjk
+svpUA1W4r7Uy1zog96Gry0NNh5bik+MU7OI/0uJPxSk4DhRFg+HcQ0GHb3eF0yBY
+nTv8Ks3CMMsoa9tCzFfqmxKQMHBA0feBSzjOgN5nqibr7BRp9NiJPtj3sOS6oCDK
+jBSV1ArI6nyaU26hfelNp375CPHObAFLlBA31+saV55hyr2Ydx4=
+=ee2E
+-----END PGP SIGNATURE-----
diff --git a/squid.changes b/squid.changes
index 01a5f73..f54ac86 100644
--- a/squid.changes
+++ b/squid.changes 
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Mon Jul 15 14:58:13 UTC 2019 - Adam Majer
+
+- Update to squid 4.8:
+ + Ignore ECONNABORTED in accept(2)
+ + RFC 7230 forbids generation of userinfo subcomponent of https URL
+ + cachemgr.cgi: unallocated memory access resulting in a potential
+ denial of service. (bsc#1141442, CVE-2019-12854)
+ + terminating c-strings beyond BASE64_DECODE_LENGTH
+ + Replace uudecode with libnettle base64 decoder fixing a denial
+ of service vulnerability (bsc#1141329, CVE-2019-12529)
+ + fix to_localhost does not include ::
+ + Fix GCC-9 build issues
+ + Fix Digest auth parameter parsing preventing a potential
+ denial of service (bsc#1141332, CVE-2019-12525)
+ + Update HttpHeader::getAuth to SBuf which prevents a potential
+ heap overflowing allowing a possible remote code execution
+ attack when processing HTTP Authentication credentials
+ (bsc#1141330, CVE-2019-12527)
+ + Add the NO_TLSv1_3 option to available tls-options values
+ + Fix handling of tiny invalid responses
+ + Fix Memory leak when http_reply_access uses external_acl
+ + Fix Multiple XSS issues in cachemgr.cgi
+ (bsc#1140738, CVE-2019-13345)
+
 -------------------------------------------------------------------
 Wed May 8 10:41:22 UTC 2019 - Adam Majer
diff --git a/squid.spec b/squid.spec
index b5f446a..f0e2164 100644
--- a/squid.spec
+++ b/squid.spec
@@ -19,7 +19,7 @@
 %define squidlibdir %{_libdir}/squid
 %define squidconfdir %{_sysconfdir}/squid
 Name: squid
-Version: 4.7
+Version: 4.8
 Release: 0
 Summary: Caching and forwarding HTTP web proxy
 License: GPL-2.0-or-later
From 49783ccec7b8c173a2348c92d5f951ae810a58beff2cfcefc26c7a4409812f36 Mon Sep 17 00:00:00 2001 
From: Adam Majer
Date: Tue, 16 Jul 2019 07:57:43 +0000
Subject: [PATCH 2/4] - disable LTO to as a workaround to tests failing
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=189
---
 squid.changes | 1 +
 squid.spec | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/squid.changes b/squid.changes
index f54ac86..6782d06 100644
--- a/squid.changes
+++ b/squid.changes
@@ -22,6 +22,7 @@ Mon Jul 15 14:58:13 UTC 2019 - Adam Majer
 + Fix Memory leak when http_reply_access uses external_acl
 + Fix Multiple XSS issues in cachemgr.cgi
 (bsc#1140738, CVE-2019-13345)
+- disable LTO to as a workaround to tests failing
 -------------------------------------------------------------------
 Wed May 8 10:41:22 UTC 2019 - Adam Majer
diff --git a/squid.spec b/squid.spec
index f0e2164..da83e6b 100644
--- a/squid.spec
+++ b/squid.spec
@@ -89,10 +89,13 @@ perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
 %patch1 -p1
 %build
+%define _lto_cflags %{nil}
 autoreconf -fi
 cd libltdl; autoreconf -fi; cd ..
 export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
 export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
+#export CFLAGS="-O2 -fPIE -fPIC -DOPENSSL_LOAD_CONF"
+#export CXXFLAGS="-O2 -fPIE -fPIC -DOPENSSL_LOAD_CONF"
 export LDFLAGS="-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie"
 %configure \
 --disable-strict-error-checking \
From fef008683e2d65a85e8c00982edb9e83e45d2c54cbc32597cd4a84ec35208236 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Tue, 16 Jul 2019 07:58:08 +0000
Subject: [PATCH 3/4] OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=190
---
 squid.spec | 2 --
 1 file changed, 2 deletions(-)
diff --git a/squid.spec b/squid.spec
index da83e6b..284823d 100644
--- a/squid.spec
+++ b/squid.spec 
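Review bot: `%define _lto_cflags %{nil}` at the top of `%build` switches LTO off for the whole package without saying why, so a later maintainer cannot tell from the spec whether the workaround is still needed; the only explanation is the commit title. Put the reason next to the knob, e.g. `# LTO disabled: the test suite fails when built with LTO; re-enable once the failing tests are fixed`, and ideally name the failing test(s) or a bug reference. Because rpm expands `%define` in spec order, the override only affects `%{optflags}` expansions that follow it; the two `export CFLAGS`/`CXXFLAGS` lines here do, but the define would read more naturally beside the other `%define`s near the top of the spec. The two commented-out `#export CFLAGS="-O2 …"` lines are debugging residue that drops `%{optflags}` (and with it the distribution hardening flags) if ever uncommented; the next patch in this series removes them again.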
@@ -94,8 +94,6 @@ autoreconf -fi
 cd libltdl; autoreconf -fi; cd ..
 export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
 export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#export CFLAGS="-O2 -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#export CXXFLAGS="-O2 -fPIE -fPIC -DOPENSSL_LOAD_CONF"
 export LDFLAGS="-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie"
 %configure \
 --disable-strict-error-checking \
From 1b4a15b12713bdd41e1b64b8877fbef3251a787a26c1d2ac7a373d944fcb4f8a Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Tue, 16 Jul 2019 15:33:12 +0000
Subject: [PATCH 4/4] - use unbundled version of libnettle
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=191
---
 squid.changes | 3 ++-
 squid.spec | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/squid.changes b/squid.changes
index 6782d06..49dfd45 100644
--- a/squid.changes
+++ b/squid.changes
@@ -22,7 +22,8 @@ Mon Jul 15 14:58:13 UTC 2019 - Adam Majer
 + Fix Memory leak when http_reply_access uses external_acl
 + Fix Multiple XSS issues in cachemgr.cgi
 (bsc#1140738, CVE-2019-13345)
-- disable LTO to as a workaround to tests failing
+- use unbundled version of libnettle
+- disable LTO as a workaround to tests failing
 -------------------------------------------------------------------
 Wed May 8 10:41:22 UTC 2019 - Adam Majer
diff --git a/squid.spec b/squid.spec
index 284823d..694f164 100644
--- a/squid.spec
+++ b/squid.spec
@@ -60,6 +60,7 @@ BuildRequires: pkgconfig(kdb)
 BuildRequires: pkgconfig(krb5)
 BuildRequires: pkgconfig(libsasl2)
 BuildRequires: pkgconfig(libxml-2.0)
+BuildRequires: pkgconfig(nettle)
 Requires: logrotate
 Requires(pre): permissions
 Requires(pre): shadow
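Review bot: `BuildRequires: pkgconfig(nettle)` only makes the system library available in the build root; nothing in this hunk tells squid's configure to use it, so if detection fails the build would presumably fall back to the base64 decoder shipped inside the 4.8 tarball and the "unbundled" claim in the commit title is not enforced. If squid's configure exposes a nettle switch (`--with-nettle` in recent 4.x — confirm for 4.8), pass it explicitly in the `%configure` block so the build aborts instead of silently bundling, and check the detection result in the build log. This is worth the extra line because the changes entry ties the nettle decoder to a fixed CVE (CVE-2019-12529): a copy compiled from the tarball would not be covered by the distribution's nettle security updates. The `%configure` block this affects is outside the hunk.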