Accepting request 263262 from server:proxy:Test

update to 3.4.9, fix for bnc#891268 (CVE-2014-7141, CVE-2014-7142) OBS-URL: https://build.opensuse.org/request/show/263262 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=61
2014-11-27 20:53:15 +00:00 · 2014-11-27 20:53:15 +00:00 · c3f10526dc
commit c3f10526dc
parent c1113da01b
15 changed files with 217 additions and 179 deletions
--- a/RELEASENOTES.html
+++ b/RELEASENOTES.html
@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 3.4.5 release notes</TITLE>
+ <TITLE>Squid 3.4.7 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.4.5 release notes</H1>
+<H1>Squid 3.4.7 release notes</H1>

 <H2>Squid Developers</H2>
 <HR>
@ -57,7 +57,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>

-<P>The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
 <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
--- a/squid-3.4.6.tar.bz2
+++ b/squid-3.4.6.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:37338218562a2c85e855b4fa472848ca8f8a0408f3e04d15636acdaace3811ca
-size 3057715
--- a/squid-3.4.6.tar.bz2.asc
+++ b/squid-3.4.6.tar.bz2.asc
@ -1,20 +0,0 @@
-File: squid-3.4.6.tar.bz2
-Date: Wed Jun 25 15:31:30 UTC 2014
-Size: 3057715
-MD5 : d3ca4ce0a039bbba8258d6b67d6afaa1
-SHA1: 0b8850a0bf73d85797e441e589324da8309cd738
-Key : 0xFF5CF463 <squid3@treenet.co.nz>
-      fingerprint = EA31 CC5E 9488 E516 8D2D  CC5E B268 E706 FF5C F463
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJTqx1kAAoJELJo5wb/XPRjsjEIAOCdBy3rvR5fK5JluK2uUjkf
-+EQbglgl10SoMMxS63mswFI5ZlpyHffPhpuL9RGOSeRxjUV7S9a8I9WuG+1ox6Of
-P6VXZxnUpZNwSWht7MJL8gIUs8oafYsPPlwP9r67VxQeP8Nz42HwsYOaWhNVi72w
-TU2axLEnIg89qg9heG7jN1gFBYOSTW4arW3+1Rzefo5sNvLXjbtE1i6woLYp+9E1
-v/ZXPo/LIW7WoV8/n/kr43PMGExPg40YZXVybdKBtHjybpLzxJSPv61cKqMtzN9C
-b6RRjLNM8BuVGdi8wdEDJuwCcnIbT8Bsqi6SPYDDfkNRhh+CBp8/mA9Rdgg+QVE=
-=OMF0
-----END PGP SIGNATURE-----
--- a/squid-3.4.9.tar.bz2
+++ b/squid-3.4.9.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42f2ffbfed6679e1e4ba9a29088495c088ff76cc2517d22d5fb792e2b802ce66
+size 3043750
--- a/squid-3.4.9.tar.bz2.asc
+++ b/squid-3.4.9.tar.bz2.asc
@ -0,0 +1,20 @@
+File: squid-3.4.9.tar.bz2
+Date: Fri Oct 31 10:20:30 UTC 2014
+Size: 3043750
+MD5 : bb8ecbee8fa9fa8659b4349a78696fe7
+SHA1: a356cadc324d91c41119f96a7d1a20330866c1ac
+Key : 0xFF5CF463 <squid3@treenet.co.nz>
+      fingerprint = EA31 CC5E 9488 E516 8D2D  CC5E B268 E706 FF5C F463
+      keyring = http://www.squid-cache.org/pgp.asc
+      keyserver = subkeys.pgp.net
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJUU3UxAAoJELJo5wb/XPRjhKUH/0flnkcc6gTQzh7Vh/kusCFk
+pC/sfpt0mrZeZZQxAYS/wJFIym5jo8PkiKrvC2ZgOHchpVlGC3hLn2ENqbzR6VEv
+L5V7M1XGJdgC1ynjj+H9ML4PBmV1E/XfakkOgnhY+3of32DrmuCN8CFuB5iGNcdH
+xHwzXGSeyJkDUjZObourtT2h64Rc12cARz/yXgsq2YKAhf0EM8+rld5Xm40kOWsX
+Vci/kvw3RkXuhMMwrL9jzxv8z5/nrsDHbHmwXy3mw2k0G9AmzbKx8ykdoABG/MH5
+awuHT1MNFQp5IBr6LisM++2BILjb3UNiyp3lhDtXCHbTo6RCik7jUvEih57koqI=
+=BI4b
+-----END PGP SIGNATURE-----
--- a/squid-cert_tool_use_bash_not_ksh.patch
+++ b/squid-cert_tool_use_bash_not_ksh.patch
@ -1,66 +0,0 @@
-diff -rNU 60 ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool ./helpers/external_acl/kerberos_ldap_group/cert_tool
--- ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool	2014-06-25 16:41:39.000000000 +0200
-+++ ./helpers/external_acl/kerberos_ldap_group/cert_tool	2014-08-14 16:40:59.000000000 +0200
-@@ -1,61 +1,61 @@
-#!/bin/ksh
-+#!/bin/bash
- #
- #  -----------------------------------------------------------------------------
- # 
- #  Author: Markus Moeller (markus_moeller at compuserve.com)
- # 
- #  Copyright (C) 2007 Markus Moeller. All rights reserved.
- # 
- #    This program is free software; you can redistribute it and/or modify
- #    it under the terms of the GNU General Public License as published by
- #    the Free Software Foundation; either version 2 of the License, or
- #    (at your option) any later version.
- # 
- #    This program is distributed in the hope that it will be useful,
- #    but WITHOUT ANY WARRANTY; without even the implied warranty of
- #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- #    GNU General Public License for more details.
- # 
- #    You should have received a copy of the GNU General Public License
- #    along with this program; if not, write to the Free Software
- #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
- # 
- #  -----------------------------------------------------------------------------
- #
- #
- # creates the following files: 
- # <server>.cert
- # secmod.db
- # key3.db
- # cert8.db
- # 
- #
- if [ -z "$1" ]; then 
-   echo "Usage: `basename $0` ldap-server port"
-   exit 0
- fi
- if [ -z "$2" ]; then
-   port=636
- else
-   port=$2
- fi
- 
- server=$1
- 
- #
- # Remove old files
- #
- rm  ${server}_[0-9]*.cert 2>/dev/null
- #
- # Get certs and store in .cert file
- #
- ( openssl s_client -showcerts -connect $server:$port 2>/dev/null <<!
- QUIT
- !
- ) | awk 'BEGIN{start=0;ostart=0}{if ( $0 ~ /BEGIN CERTIFICATE/ ) { start=start+1 };
-       if  ( start > ostart ) {print $0 >>"'$server'_"start".cert"};
-       if ( $0 ~ /END CERTIFICATE/) { ostart=start } }' 
- 
- #
- # from mozilla-nss-tools
- # /usr/sfw/bin on Solaris
--- a/squid-compiled_without_RPM_OPT_FLAGS.patch
+++ b/squid-compiled_without_RPM_OPT_FLAGS.patch
@ -2,7 +2,7 @@ Index: src/Makefile.am
 ===================================================================
 --- src/Makefile.am.orig
 +++ src/Makefile.am
-@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
+@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci
 
 # cf_gen builds the configuration files.
 cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
@ -15,7 +15,7 @@ Index: src/Makefile.in
 ===================================================================
 --- src/Makefile.in.orig
 +++ src/Makefile.in
-@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci
+@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci
 
 # cf_gen builds the configuration files.
 cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
--- a/squid-config.patch
+++ b/squid-config.patch
@ -2,7 +2,7 @@ Index: src/cf.data.pre
 ===================================================================
 --- src/cf.data.pre.orig
 +++ src/cf.data.pre
-@@ -1350,6 +1350,8 @@ http_access deny manager
+@@ -1361,6 +1361,8 @@ http_access deny manager
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 http_access allow localnet
@ -11,7 +11,7 @@ Index: src/cf.data.pre
 http_access allow localhost
 
 # And finally deny all other access to this proxy
-@@ -3361,6 +3363,10 @@ DOC_START
+@@ -3414,6 +3416,10 @@ DOC_START
 	Instead, if you want Squid to use the entire disk drive,
 	subtract 20% and use that value.
 
@ -22,7 +22,7 @@ Index: src/cf.data.pre
 	'L1' is the number of first-level subdirectories which
 	will be created under the 'Directory'.  The default is 16.
 
-@@ -3494,7 +3500,7 @@ DOC_START
+@@ -3547,7 +3553,7 @@ DOC_START
 NOCOMMENT_START
 
 # Uncomment and adjust the following to add a disk cache directory.
@ -31,7 +31,7 @@ Index: src/cf.data.pre
 NOCOMMENT_END
 DOC_END
 
-@@ -4147,7 +4153,7 @@ DOC_END
+@@ -4178,7 +4184,7 @@ DOC_END
 
 NAME: logfile_rotate
 TYPE: int
--- a/squid-nobuilddates.patch
+++ b/squid-nobuilddates.patch
@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
 -    debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
 -          " starting up...\n");
 +    debug("External ACL win32 group helper build starting up...\n");
-     if (use_global)
+     if (use_global) {
         debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
-     if (use_case_insensitive_compare)
+     }
 Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
 ===================================================================
 --- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
 +++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
-@@ -272,7 +272,7 @@ main(int argc, char *argv[])
+@@ -274,7 +274,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
 ===================================================================
 --- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
 +++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
-@@ -609,7 +609,7 @@ main(int argc, char *argv[])
+@@ -611,7 +611,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
--- a/2
+++ b/2
@ -1,5 +1,5 @@
-addFilter("macro-in-comment")
 addFilter("no-manual-page-for-binary")
 addFilter("zero-length")
+addFilter("incorrect-fsf-address")
 # Temporary solution untill it is moved into factory
 setBadness('permissions-unauthorized-file', 333)
--- a/squid.changes
+++ b/squid.changes
@ -1,3 +1,83 @@
+-------------------------------------------------------------------
+Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com
+
+- Changes to 3.4.9 (31 Oct 2014):
+  + Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
+  + Bug 4102: sslbump cert contains only a dot character in key usage extension
+  + Bug 4093: source-maintenance.sh errors and warnings due to wrong
+    tools/options
+  + Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
+  + Bug 4024: Bad host/IP ::1 when using IPv4-only environment
+  + Bug 3803: ident leaks memory on failure
+  + kerberos_ldap_group/cert_tool: Remove ksh dependency;
+    obsoletes squid-cert_tool_use_bash_not_ksh.patch
+  + ... and some automated code style updates
+  + ... and some documentation updates
+- Changes to 3.4.8 (15 Sep 2014):
+  + Fix off by one in SNMP subsystem
+  + pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142;
+    http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268
+    obsoletes squid-icmp-DoS.patch
+
+-------------------------------------------------------------------
+Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com
+
+- Remove dependency on gpg-offline as signature checking is implemented in the
+  source validator.
+
+-------------------------------------------------------------------
+Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de
+
+- fix spec and changes file
+
+-------------------------------------------------------------------
+Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net
+
+- update logrotate file
+  * postrotate now defaults to 'systemd'
+
+-------------------------------------------------------------------
+Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net
+
+- fix for icmp pinger DOS bnc#891268 
+
+-------------------------------------------------------------------
+Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de
+
+- some spec cleanup
+- some systemd/SysVinit fixes
+- fix sysconfig file for ! suse_version
+
+-------------------------------------------------------------------
+Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net
+
+- replaced permissions handling using setuid bit with use of
+  linux capabilities (on supported systems)
+- general cleanup of .spec file and systemd handling
+
+-------------------------------------------------------------------
+Fri Sep  5 15:04:47 UTC 2014 - chris@computersalat.de
+
+- Changes to 3.4.7 (28 Aug 2014):
+  * Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
+  * Bug 4080: worker hangs when client identd is not responding
+  * Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
+  * HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
+  * SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
+  * Enable compile-time override for MAXTCPLISTENPORTS
+  * ntlm_sspi_auth: Fix various build errors
+  * negotiate_wrapper: Fix build issues with non-portable vfork()
+  * negotiate_sspi_auth: Portability fixes for MinGW
+  * ext_lm_group_acl: Portability fixes for MinGW
+  * ... and several minor memory leaks
+- fix for bnc#894636
+  * fix postrotate for systemd
+- rebase patches
+  * squid-cert_tool_use_bash_not_ksh.patch
+  * squid-compiled_without_RPM_OPT_FLAGS.patch
+  * squid-nobuilddates.patch
+  * squid-config.patch
+
 -------------------------------------------------------------------
 Thu Sep  4 16:02:45 UTC 2014 - chris@computersalat.de

--- a/squid.logrotate
+++ b/squid.logrotate
@ -9,7 +9,7 @@
    create 640 squid root
    sharedscripts
    postrotate
-     /etc/init.d/squid reload
+     /usr/bin/systemctl reload squid.service
    endscript
 }

@ -23,6 +23,6 @@
    missingok
    create 640 squid root
    postrotate
-     /etc/init.d/squid reload
+     /usr/bin/systemctl reload squid.service
    endscript
 }
--- a/squid.permissions.easy
+++ b/squid.permissions.easy
@ -1,4 +1,5 @@
 /var/cache/squid/		squid:root	750
 /var/log/squid/			squid:root	750
-/usr/sbin/pinger		root:squid	4750
+/usr/sbin/pinger		root:squid	750
+ +capabilities cap_net_raw=ep
 /usr/sbin/basic_pam_auth	root:shadow	2750
--- a/squid.permissions.paranoid
+++ b/squid.permissions.paranoid
@ -1,4 +1,5 @@
 /var/cache/squid/		squid:root	750
 /var/log/squid/			squid:root	750
-/usr/sbin/pinger		root:root	755
+/usr/sbin/pinger		root:squid	750
+ +capabilities cap_net_raw=ep
 /usr/sbin/basic_pam_auth	root:root	755
--- a/squid.spec
+++ b/squid.spec
@ -24,12 +24,13 @@ Name:           squid
 Summary:        A fully featured HTTP/1.0 proxy
 License:        GPL-2.0+
 Group:          Productivity/Networking/Web/Proxy
-Version:        3.4.6
+Version:        3.4.9
 Release:        0
+%define majorver   %(echo %version|sed -re 's/^([0-9]).*/\1/g')
+%define majminver  %(echo %version|sed -re 's/^([0-9]\.[0-9]).*/\1/g')
 Url:            http://www.squid-cache.org/Versions/v3/3.4
-#Source0:        http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
-Source0:        http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
-Source1:        %{name}-%{version}.tar.bz2.asc
+Source0:        http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2
+Source1:        http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2.asc
 Source2:        RELEASENOTES.html
 Source3:        squid.init
 Source4:        squid.sysconfig
@ -65,7 +66,7 @@ Patch101:       %{name}-nobuilddates.patch
 Patch102:       %{name}-compiled_without_RPM_OPT_FLAGS.patch
 # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
 Patch103:       squid-brokenad.patch
-Patch104:       %{name}-cert_tool_use_bash_not_ksh.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version}
 PreReq:         %fillup_prereq
@ -88,9 +89,6 @@ BuildRequires:  expat
 BuildRequires:  fdupes
 %endif
 BuildRequires:  gcc-c++
-%if 0%{?suse_version}
-BuildRequires:  gpg-offline
-%endif
 BuildRequires:  krb5-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libexpat-devel
@ -127,7 +125,7 @@ Provides:       %{name}3 = %{version}
 Obsoletes:      %{name}3 < %{version}

 %description
-Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
+Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance. 

 Squid 3.4 represents a new feature release above 3.3.

@ -140,15 +138,8 @@ The most important of these new features are:
  * Transaction Annotations
  * Multicast DNS 

-Most user-facing changes are reflected in squid.conf (see below).
-
-  First STABLE release Date: 08 Dec 2013
-
 %prep
 #setup -q -n %{name}-%{version}%{snap}
-%if 0%{?suse_version}
-%gpg_verify %{S:1}
-%endif
 %setup -q -n %{name}-%{version}
 cp %{S:10} .
 # upstream patches after RELEASE
@ -160,16 +151,10 @@ chmod a-x CREDITS
 %patch101
 %patch102
 %patch103
-%patch104

 %build
-#if 0%{?sles_version} == 1100
-#export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#else
 export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
 export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#endif
 export LDFLAGS='-Wl,-z,relro,-z,now -pie'
 %configure \
 	--disable-strict-error-checking \
@ -233,26 +218,33 @@ make SAMBAPREFIX=/usr %{?_smp_mflags}
 %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
 %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
  -g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
-install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
-chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
+
+install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
 install -d %{buildroot}%{_prefix}/sbin
+
+# make_install
 make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
+
 mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
 ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
-install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
-install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
-# pinger should be secure "enough" anyway paranoid will strip everything :)
-install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
-install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
-install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
-%if 0%{?suse_version}
-install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
-%else # lets just assume other are rh based ones...
-install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
+
+# install permissions files
+cp -a %{SOURCE9} %{name}.easy
+cp -a %{SOURCE9} %{name}.secure
+cp -a %{SOURCE15} %{name}.paranoid
+%if !0%{?has_systemd}
+sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.easy
+sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.secure
+sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %{name}.paranoid
 %endif
-ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
-install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+
+install -D -m 644 %{name}.easy %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
+# pinger should be secure "enough" anyway paranoid will strip everything :)
+install -m 644 %{name}.secure %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
+install -m 644 %{name}.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
+
+# install logrotate file
+install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}

 install -d -m 755 doc/scripts
 install scripts/*.pl doc/scripts
@ -285,7 +277,22 @@ fdupes -q -n -r %{buildroot}%{_prefix}
 %endif

 %if 0%{?has_systemd}
-install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
+  install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
+  ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+%else # SysVinit
+  # fix postrotate script for SysVinit
+  sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+ %if 0%{?suse_version}
+  install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
+  ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
+ %else # lets just assume other are rh based ones...
+  install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
+ %endif
+%endif
+%if 0%{?suse_version}
+ install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+%else
+ install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
 %endif

 %pre
@ -314,11 +321,14 @@ fi

 %post
 %if 0%{?suse_version} >= 1140
-%if 0%{?set_permissions:1}
-    %set_permissions %name
-%else
-    %run_permissions
-%endif
+ %if 0%{?set_permissions:1}
+%set_permissions %{_sbindir}/pinger
+%set_permissions %{_sbindir}/basic_pam_auth
+%set_permissions %{_localstatedir}/cache/squid/
+%set_permissions %{_localstatedir}/log/squid/
+ %else
+%run_permissions
+ %endif
 %endif
 # update mode?
 if [ "$1" -gt "1" ]; then
@ -329,50 +339,52 @@ if [ "$1" -gt "1" ]; then
  # default group changed from nogroup to squid
  %{_sbindir}/usermod -g %{name} %{name}
 fi
-%if 0%{?suse_version}
-%{fillup_and_insserv -n "squid"}
-%else
-/sbin/chkconfig --add squid
-%endif

 %if 0%{?has_systemd}
 %service_add_post squid.service
+%else
+ %if 0%{?suse_version}
+%{fillup_and_insserv -n "squid"}
+ %else
+   /sbin/chkconfig --add squid
+ %endif
 %endif

 %preun
-%if 0%{?suse_version}
-%stop_on_removal squid
-%else
-if [ $1 = 0 ] ; then
-        service squid stop >/dev/null 2>&1
-        rm -f /var/log/squid/*
-        /sbin/chkconfig --del squid
-fi
-%endif
-
 %if 0%{?has_systemd}
 %service_del_preun squid.service
+%else
+ %if 0%{?suse_version}
+%stop_on_removal squid
+ %else
+   if [ $1 = 0 ] ; then
+     service squid stop >/dev/null 2>&1
+     rm -f /var/log/squid/*
+     /sbin/chkconfig --del squid
+   fi
+ %endif
 %endif

 %postun
-
-%if 0%{?has_systemd}
-%service_del_postun squid.service
-%endif
-
 %if 0%{?suse_version}
-%restart_on_update squid
-%insserv_cleanup
 %verifyscript
 %verify_permissions -e /usr/sbin/basic_pam_auth
 %verify_permissions -e /usr/sbin/pinger
 %verify_permissions -e /var/cache/squid/
 %verify_permissions -e /var/log/squid/
+%endif

+%if 0%{?has_systemd}
+%service_del_postun squid.service
 %else
-if [ "$1" -ge "1" ] ; then
-        service squid condrestart >/dev/null 2>&1
-fi
+ %if 0%{?suse_version}
+%restart_on_update squid
+%insserv_cleanup
+ %else
+   if [ "$1" -ge "1" ] ; then
+     service squid condrestart >/dev/null 2>&1
+   fi
+ %endif
 %endif

 %files
@ -385,6 +397,8 @@ fi
 %doc %{_mandir}/man?/*
 %if 0%{?has_systemd}
 %{_unitdir}/%{name}.service
+%else
+%{_sysconfdir}/init.d/%{name}
 %endif
 %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
 %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
@ -402,7 +416,6 @@ fi
 %config %{squidconfdir}/%{name}.conf.default
 %config %{squidconfdir}/%{name}.conf.documented
 %config %{_sysconfdir}/pam.d/%{name}
-%config %{_sysconfdir}/init.d/%{name}
 %config %{_sysconfdir}/permissions.d/%{name}.easy
 %config %{_sysconfdir}/permissions.d/%{name}.secure
 %config %{_sysconfdir}/permissions.d/%{name}.paranoid
@ -423,7 +436,7 @@ fi
 %{_sbindir}/basic_ncsa_auth
 %{_sbindir}/basic_nis_auth
 %verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
-#%%{_sbindir}/basic_pam_auth
+#{_sbindir}/basic_pam_auth
 %{_sbindir}/basic_pop3_auth
 %{_sbindir}/basic_radius_auth
 %{_sbindir}/basic_sasl_auth
@ -450,15 +463,24 @@ fi
 %{_sbindir}/negotiate_wrapper_auth
 %{_sbindir}/ntlm_fake_auth
 %{_sbindir}/ntlm_smb_lm_auth
-%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
-%{_sbindir}/rc%{name}
+# not working %%caps(cap_net_raw=ep)
+%if 0%{?has_systemd}
+%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
+%else
+%verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger
+%endif
 %{_sbindir}/%{name}
 %{_sbindir}/ssl_crtd
 %{_sbindir}/storeid_file_rewrite
 %{_sbindir}/unlinkd
 %{_sbindir}/url_fake_rewrite
 %{_sbindir}/url_fake_rewrite.sh
+%if 0%{?suse_version}
+%{_sbindir}/rc%{name}
 %{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+%else
+%{_sysconfdir}/sysconfig/%{name}
+%endif
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/cachemgr.cgi