Accepting request 263262 from server:proxy:Test
update to 3.4.9, fix for bnc#891268 (CVE-2014-7141, CVE-2014-7142) OBS-URL: https://build.opensuse.org/request/show/263262 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=61
This commit is contained in:
parent
c1113da01b
commit
c3f10526dc
@ -2,10 +2,10 @@
|
|||||||
<HTML>
|
<HTML>
|
||||||
<HEAD>
|
<HEAD>
|
||||||
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
|
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
|
||||||
<TITLE>Squid 3.4.5 release notes</TITLE>
|
<TITLE>Squid 3.4.7 release notes</TITLE>
|
||||||
</HEAD>
|
</HEAD>
|
||||||
<BODY>
|
<BODY>
|
||||||
<H1>Squid 3.4.5 release notes</H1>
|
<H1>Squid 3.4.7 release notes</H1>
|
||||||
|
|
||||||
<H2>Squid Developers</H2>
|
<H2>Squid Developers</H2>
|
||||||
<HR>
|
<HR>
|
||||||
@ -57,7 +57,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
|
|||||||
<HR>
|
<HR>
|
||||||
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
|
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
|
||||||
|
|
||||||
<P>The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.</P>
|
<P>The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.</P>
|
||||||
<P>This new release is available for download from
|
<P>This new release is available for download from
|
||||||
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
|
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
|
||||||
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
|
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:37338218562a2c85e855b4fa472848ca8f8a0408f3e04d15636acdaace3811ca
|
|
||||||
size 3057715
|
|
@ -1,20 +0,0 @@
|
|||||||
File: squid-3.4.6.tar.bz2
|
|
||||||
Date: Wed Jun 25 15:31:30 UTC 2014
|
|
||||||
Size: 3057715
|
|
||||||
MD5 : d3ca4ce0a039bbba8258d6b67d6afaa1
|
|
||||||
SHA1: 0b8850a0bf73d85797e441e589324da8309cd738
|
|
||||||
Key : 0xFF5CF463 <squid3@treenet.co.nz>
|
|
||||||
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
|
|
||||||
keyring = http://www.squid-cache.org/pgp.asc
|
|
||||||
keyserver = subkeys.pgp.net
|
|
||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iQEcBAABAgAGBQJTqx1kAAoJELJo5wb/XPRjsjEIAOCdBy3rvR5fK5JluK2uUjkf
|
|
||||||
+EQbglgl10SoMMxS63mswFI5ZlpyHffPhpuL9RGOSeRxjUV7S9a8I9WuG+1ox6Of
|
|
||||||
P6VXZxnUpZNwSWht7MJL8gIUs8oafYsPPlwP9r67VxQeP8Nz42HwsYOaWhNVi72w
|
|
||||||
TU2axLEnIg89qg9heG7jN1gFBYOSTW4arW3+1Rzefo5sNvLXjbtE1i6woLYp+9E1
|
|
||||||
v/ZXPo/LIW7WoV8/n/kr43PMGExPg40YZXVybdKBtHjybpLzxJSPv61cKqMtzN9C
|
|
||||||
b6RRjLNM8BuVGdi8wdEDJuwCcnIbT8Bsqi6SPYDDfkNRhh+CBp8/mA9Rdgg+QVE=
|
|
||||||
=OMF0
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
squid-3.4.9.tar.bz2
Normal file
3
squid-3.4.9.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:42f2ffbfed6679e1e4ba9a29088495c088ff76cc2517d22d5fb792e2b802ce66
|
||||||
|
size 3043750
|
20
squid-3.4.9.tar.bz2.asc
Normal file
20
squid-3.4.9.tar.bz2.asc
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
File: squid-3.4.9.tar.bz2
|
||||||
|
Date: Fri Oct 31 10:20:30 UTC 2014
|
||||||
|
Size: 3043750
|
||||||
|
MD5 : bb8ecbee8fa9fa8659b4349a78696fe7
|
||||||
|
SHA1: a356cadc324d91c41119f96a7d1a20330866c1ac
|
||||||
|
Key : 0xFF5CF463 <squid3@treenet.co.nz>
|
||||||
|
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
|
||||||
|
keyring = http://www.squid-cache.org/pgp.asc
|
||||||
|
keyserver = subkeys.pgp.net
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
Version: GnuPG v1
|
||||||
|
|
||||||
|
iQEcBAABAgAGBQJUU3UxAAoJELJo5wb/XPRjhKUH/0flnkcc6gTQzh7Vh/kusCFk
|
||||||
|
pC/sfpt0mrZeZZQxAYS/wJFIym5jo8PkiKrvC2ZgOHchpVlGC3hLn2ENqbzR6VEv
|
||||||
|
L5V7M1XGJdgC1ynjj+H9ML4PBmV1E/XfakkOgnhY+3of32DrmuCN8CFuB5iGNcdH
|
||||||
|
xHwzXGSeyJkDUjZObourtT2h64Rc12cARz/yXgsq2YKAhf0EM8+rld5Xm40kOWsX
|
||||||
|
Vci/kvw3RkXuhMMwrL9jzxv8z5/nrsDHbHmwXy3mw2k0G9AmzbKx8ykdoABG/MH5
|
||||||
|
awuHT1MNFQp5IBr6LisM++2BILjb3UNiyp3lhDtXCHbTo6RCik7jUvEih57koqI=
|
||||||
|
=BI4b
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,66 +0,0 @@
|
|||||||
diff -rNU 60 ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool ./helpers/external_acl/kerberos_ldap_group/cert_tool
|
|
||||||
--- ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool 2014-06-25 16:41:39.000000000 +0200
|
|
||||||
+++ ./helpers/external_acl/kerberos_ldap_group/cert_tool 2014-08-14 16:40:59.000000000 +0200
|
|
||||||
@@ -1,61 +1,61 @@
|
|
||||||
-#!/bin/ksh
|
|
||||||
+#!/bin/bash
|
|
||||||
#
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Author: Markus Moeller (markus_moeller at compuserve.com)
|
|
||||||
#
|
|
||||||
# Copyright (C) 2007 Markus Moeller. All rights reserved.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation; either version 2 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
|
|
||||||
#
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# creates the following files:
|
|
||||||
# <server>.cert
|
|
||||||
# secmod.db
|
|
||||||
# key3.db
|
|
||||||
# cert8.db
|
|
||||||
#
|
|
||||||
#
|
|
||||||
if [ -z "$1" ]; then
|
|
||||||
echo "Usage: `basename $0` ldap-server port"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
if [ -z "$2" ]; then
|
|
||||||
port=636
|
|
||||||
else
|
|
||||||
port=$2
|
|
||||||
fi
|
|
||||||
|
|
||||||
server=$1
|
|
||||||
|
|
||||||
#
|
|
||||||
# Remove old files
|
|
||||||
#
|
|
||||||
rm ${server}_[0-9]*.cert 2>/dev/null
|
|
||||||
#
|
|
||||||
# Get certs and store in .cert file
|
|
||||||
#
|
|
||||||
( openssl s_client -showcerts -connect $server:$port 2>/dev/null <<!
|
|
||||||
QUIT
|
|
||||||
!
|
|
||||||
) | awk 'BEGIN{start=0;ostart=0}{if ( $0 ~ /BEGIN CERTIFICATE/ ) { start=start+1 };
|
|
||||||
if ( start > ostart ) {print $0 >>"'$server'_"start".cert"};
|
|
||||||
if ( $0 ~ /END CERTIFICATE/) { ostart=start } }'
|
|
||||||
|
|
||||||
#
|
|
||||||
# from mozilla-nss-tools
|
|
||||||
# /usr/sfw/bin on Solaris
|
|
@ -2,7 +2,7 @@ Index: src/Makefile.am
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- src/Makefile.am.orig
|
--- src/Makefile.am.orig
|
||||||
+++ src/Makefile.am
|
+++ src/Makefile.am
|
||||||
@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
|
@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci
|
||||||
|
|
||||||
# cf_gen builds the configuration files.
|
# cf_gen builds the configuration files.
|
||||||
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
|
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
|
||||||
@ -15,7 +15,7 @@ Index: src/Makefile.in
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- src/Makefile.in.orig
|
--- src/Makefile.in.orig
|
||||||
+++ src/Makefile.in
|
+++ src/Makefile.in
|
||||||
@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci
|
@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci
|
||||||
|
|
||||||
# cf_gen builds the configuration files.
|
# cf_gen builds the configuration files.
|
||||||
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
|
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
|
||||||
|
@ -2,7 +2,7 @@ Index: src/cf.data.pre
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- src/cf.data.pre.orig
|
--- src/cf.data.pre.orig
|
||||||
+++ src/cf.data.pre
|
+++ src/cf.data.pre
|
||||||
@@ -1350,6 +1350,8 @@ http_access deny manager
|
@@ -1361,6 +1361,8 @@ http_access deny manager
|
||||||
# Adapt localnet in the ACL section to list your (internal) IP networks
|
# Adapt localnet in the ACL section to list your (internal) IP networks
|
||||||
# from where browsing should be allowed
|
# from where browsing should be allowed
|
||||||
http_access allow localnet
|
http_access allow localnet
|
||||||
@ -11,7 +11,7 @@ Index: src/cf.data.pre
|
|||||||
http_access allow localhost
|
http_access allow localhost
|
||||||
|
|
||||||
# And finally deny all other access to this proxy
|
# And finally deny all other access to this proxy
|
||||||
@@ -3361,6 +3363,10 @@ DOC_START
|
@@ -3414,6 +3416,10 @@ DOC_START
|
||||||
Instead, if you want Squid to use the entire disk drive,
|
Instead, if you want Squid to use the entire disk drive,
|
||||||
subtract 20% and use that value.
|
subtract 20% and use that value.
|
||||||
|
|
||||||
@ -22,7 +22,7 @@ Index: src/cf.data.pre
|
|||||||
'L1' is the number of first-level subdirectories which
|
'L1' is the number of first-level subdirectories which
|
||||||
will be created under the 'Directory'. The default is 16.
|
will be created under the 'Directory'. The default is 16.
|
||||||
|
|
||||||
@@ -3494,7 +3500,7 @@ DOC_START
|
@@ -3547,7 +3553,7 @@ DOC_START
|
||||||
NOCOMMENT_START
|
NOCOMMENT_START
|
||||||
|
|
||||||
# Uncomment and adjust the following to add a disk cache directory.
|
# Uncomment and adjust the following to add a disk cache directory.
|
||||||
@ -31,7 +31,7 @@ Index: src/cf.data.pre
|
|||||||
NOCOMMENT_END
|
NOCOMMENT_END
|
||||||
DOC_END
|
DOC_END
|
||||||
|
|
||||||
@@ -4147,7 +4153,7 @@ DOC_END
|
@@ -4178,7 +4184,7 @@ DOC_END
|
||||||
|
|
||||||
NAME: logfile_rotate
|
NAME: logfile_rotate
|
||||||
TYPE: int
|
TYPE: int
|
||||||
|
@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
|
|||||||
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
|
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
|
||||||
- " starting up...\n");
|
- " starting up...\n");
|
||||||
+ debug("External ACL win32 group helper build starting up...\n");
|
+ debug("External ACL win32 group helper build starting up...\n");
|
||||||
if (use_global)
|
if (use_global) {
|
||||||
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
|
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
|
||||||
if (use_case_insensitive_compare)
|
}
|
||||||
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
|
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
|
||||||
===================================================================
|
===================================================================
|
||||||
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
|
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
|
||||||
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
|
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
|
||||||
@@ -272,7 +272,7 @@ main(int argc, char *argv[])
|
@@ -274,7 +274,7 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
process_options(argc, argv);
|
process_options(argc, argv);
|
||||||
|
|
||||||
@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
|
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
|
||||||
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
|
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
|
||||||
@@ -609,7 +609,7 @@ main(int argc, char *argv[])
|
@@ -611,7 +611,7 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
process_options(argc, argv);
|
process_options(argc, argv);
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
addFilter("macro-in-comment")
|
|
||||||
addFilter("no-manual-page-for-binary")
|
addFilter("no-manual-page-for-binary")
|
||||||
addFilter("zero-length")
|
addFilter("zero-length")
|
||||||
|
addFilter("incorrect-fsf-address")
|
||||||
# Temporary solution untill it is moved into factory
|
# Temporary solution untill it is moved into factory
|
||||||
setBadness('permissions-unauthorized-file', 333)
|
setBadness('permissions-unauthorized-file', 333)
|
||||||
|
@ -1,3 +1,83 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com
|
||||||
|
|
||||||
|
- Changes to 3.4.9 (31 Oct 2014):
|
||||||
|
+ Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
|
||||||
|
+ Bug 4102: sslbump cert contains only a dot character in key usage extension
|
||||||
|
+ Bug 4093: source-maintenance.sh errors and warnings due to wrong
|
||||||
|
tools/options
|
||||||
|
+ Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
|
||||||
|
+ Bug 4024: Bad host/IP ::1 when using IPv4-only environment
|
||||||
|
+ Bug 3803: ident leaks memory on failure
|
||||||
|
+ kerberos_ldap_group/cert_tool: Remove ksh dependency;
|
||||||
|
obsoletes squid-cert_tool_use_bash_not_ksh.patch
|
||||||
|
+ ... and some automated code style updates
|
||||||
|
+ ... and some documentation updates
|
||||||
|
- Changes to 3.4.8 (15 Sep 2014):
|
||||||
|
+ Fix off by one in SNMP subsystem
|
||||||
|
+ pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142;
|
||||||
|
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268
|
||||||
|
obsoletes squid-icmp-DoS.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com
|
||||||
|
|
||||||
|
- Remove dependency on gpg-offline as signature checking is implemented in the
|
||||||
|
source validator.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de
|
||||||
|
|
||||||
|
- fix spec and changes file
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net
|
||||||
|
|
||||||
|
- update logrotate file
|
||||||
|
* postrotate now defaults to 'systemd'
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net
|
||||||
|
|
||||||
|
- fix for icmp pinger DOS bnc#891268
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de
|
||||||
|
|
||||||
|
- some spec cleanup
|
||||||
|
- some systemd/SysVinit fixes
|
||||||
|
- fix sysconfig file for ! suse_version
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net
|
||||||
|
|
||||||
|
- replaced permissions handling using setuid bit with use of
|
||||||
|
linux capabilities (on supported systems)
|
||||||
|
- general cleanup of .spec file and systemd handling
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de
|
||||||
|
|
||||||
|
- Changes to 3.4.7 (28 Aug 2014):
|
||||||
|
* Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
|
||||||
|
* Bug 4080: worker hangs when client identd is not responding
|
||||||
|
* Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
|
||||||
|
* HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
|
||||||
|
* SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
|
||||||
|
* Enable compile-time override for MAXTCPLISTENPORTS
|
||||||
|
* ntlm_sspi_auth: Fix various build errors
|
||||||
|
* negotiate_wrapper: Fix build issues with non-portable vfork()
|
||||||
|
* negotiate_sspi_auth: Portability fixes for MinGW
|
||||||
|
* ext_lm_group_acl: Portability fixes for MinGW
|
||||||
|
* ... and several minor memory leaks
|
||||||
|
- fix for bnc#894636
|
||||||
|
* fix postrotate for systemd
|
||||||
|
- rebase patches
|
||||||
|
* squid-cert_tool_use_bash_not_ksh.patch
|
||||||
|
* squid-compiled_without_RPM_OPT_FLAGS.patch
|
||||||
|
* squid-nobuilddates.patch
|
||||||
|
* squid-config.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de
|
Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
create 640 squid root
|
create 640 squid root
|
||||||
sharedscripts
|
sharedscripts
|
||||||
postrotate
|
postrotate
|
||||||
/etc/init.d/squid reload
|
/usr/bin/systemctl reload squid.service
|
||||||
endscript
|
endscript
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -23,6 +23,6 @@
|
|||||||
missingok
|
missingok
|
||||||
create 640 squid root
|
create 640 squid root
|
||||||
postrotate
|
postrotate
|
||||||
/etc/init.d/squid reload
|
/usr/bin/systemctl reload squid.service
|
||||||
endscript
|
endscript
|
||||||
}
|
}
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
/var/cache/squid/ squid:root 750
|
/var/cache/squid/ squid:root 750
|
||||||
/var/log/squid/ squid:root 750
|
/var/log/squid/ squid:root 750
|
||||||
/usr/sbin/pinger root:squid 4750
|
/usr/sbin/pinger root:squid 750
|
||||||
|
+capabilities cap_net_raw=ep
|
||||||
/usr/sbin/basic_pam_auth root:shadow 2750
|
/usr/sbin/basic_pam_auth root:shadow 2750
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
/var/cache/squid/ squid:root 750
|
/var/cache/squid/ squid:root 750
|
||||||
/var/log/squid/ squid:root 750
|
/var/log/squid/ squid:root 750
|
||||||
/usr/sbin/pinger root:root 755
|
/usr/sbin/pinger root:squid 750
|
||||||
|
+capabilities cap_net_raw=ep
|
||||||
/usr/sbin/basic_pam_auth root:root 755
|
/usr/sbin/basic_pam_auth root:root 755
|
||||||
|
160
squid.spec
160
squid.spec
@ -24,12 +24,13 @@ Name: squid
|
|||||||
Summary: A fully featured HTTP/1.0 proxy
|
Summary: A fully featured HTTP/1.0 proxy
|
||||||
License: GPL-2.0+
|
License: GPL-2.0+
|
||||||
Group: Productivity/Networking/Web/Proxy
|
Group: Productivity/Networking/Web/Proxy
|
||||||
Version: 3.4.6
|
Version: 3.4.9
|
||||||
Release: 0
|
Release: 0
|
||||||
|
%define majorver %(echo %version|sed -re 's/^([0-9]).*/\1/g')
|
||||||
|
%define majminver %(echo %version|sed -re 's/^([0-9]\.[0-9]).*/\1/g')
|
||||||
Url: http://www.squid-cache.org/Versions/v3/3.4
|
Url: http://www.squid-cache.org/Versions/v3/3.4
|
||||||
#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
|
Source0: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2
|
||||||
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
|
Source1: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2.asc
|
||||||
Source1: %{name}-%{version}.tar.bz2.asc
|
|
||||||
Source2: RELEASENOTES.html
|
Source2: RELEASENOTES.html
|
||||||
Source3: squid.init
|
Source3: squid.init
|
||||||
Source4: squid.sysconfig
|
Source4: squid.sysconfig
|
||||||
@ -65,7 +66,7 @@ Patch101: %{name}-nobuilddates.patch
|
|||||||
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
|
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
|
||||||
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
|
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
|
||||||
Patch103: squid-brokenad.patch
|
Patch103: squid-brokenad.patch
|
||||||
Patch104: %{name}-cert_tool_use_bash_not_ksh.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
%if 0%{?suse_version}
|
%if 0%{?suse_version}
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -88,9 +89,6 @@ BuildRequires: expat
|
|||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
%if 0%{?suse_version}
|
|
||||||
BuildRequires: gpg-offline
|
|
||||||
%endif
|
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
BuildRequires: libcap-devel
|
BuildRequires: libcap-devel
|
||||||
BuildRequires: libexpat-devel
|
BuildRequires: libexpat-devel
|
||||||
@ -127,7 +125,7 @@ Provides: %{name}3 = %{version}
|
|||||||
Obsoletes: %{name}3 < %{version}
|
Obsoletes: %{name}3 < %{version}
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
|
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.
|
||||||
|
|
||||||
Squid 3.4 represents a new feature release above 3.3.
|
Squid 3.4 represents a new feature release above 3.3.
|
||||||
|
|
||||||
@ -140,15 +138,8 @@ The most important of these new features are:
|
|||||||
* Transaction Annotations
|
* Transaction Annotations
|
||||||
* Multicast DNS
|
* Multicast DNS
|
||||||
|
|
||||||
Most user-facing changes are reflected in squid.conf (see below).
|
|
||||||
|
|
||||||
First STABLE release Date: 08 Dec 2013
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
#setup -q -n %{name}-%{version}%{snap}
|
#setup -q -n %{name}-%{version}%{snap}
|
||||||
%if 0%{?suse_version}
|
|
||||||
%gpg_verify %{S:1}
|
|
||||||
%endif
|
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
cp %{S:10} .
|
cp %{S:10} .
|
||||||
# upstream patches after RELEASE
|
# upstream patches after RELEASE
|
||||||
@ -160,16 +151,10 @@ chmod a-x CREDITS
|
|||||||
%patch101
|
%patch101
|
||||||
%patch102
|
%patch102
|
||||||
%patch103
|
%patch103
|
||||||
%patch104
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
#if 0%{?sles_version} == 1100
|
|
||||||
#export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
|
||||||
#export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
|
||||||
#else
|
|
||||||
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
||||||
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
||||||
#endif
|
|
||||||
export LDFLAGS='-Wl,-z,relro,-z,now -pie'
|
export LDFLAGS='-Wl,-z,relro,-z,now -pie'
|
||||||
%configure \
|
%configure \
|
||||||
--disable-strict-error-checking \
|
--disable-strict-error-checking \
|
||||||
@ -233,26 +218,33 @@ make SAMBAPREFIX=/usr %{?_smp_mflags}
|
|||||||
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
|
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
|
||||||
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
|
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
|
||||||
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
|
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
|
||||||
install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
|
|
||||||
chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
|
install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
|
||||||
install -d %{buildroot}%{_prefix}/sbin
|
install -d %{buildroot}%{_prefix}/sbin
|
||||||
|
|
||||||
|
# make_install
|
||||||
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
|
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
|
||||||
|
|
||||||
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
|
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
|
||||||
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
|
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
|
||||||
install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
|
|
||||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
|
# install permissions files
|
||||||
# pinger should be secure "enough" anyway paranoid will strip everything :)
|
cp -a %{SOURCE9} %{name}.easy
|
||||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
|
cp -a %{SOURCE9} %{name}.secure
|
||||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
|
cp -a %{SOURCE15} %{name}.paranoid
|
||||||
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
|
%if !0%{?has_systemd}
|
||||||
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.easy
|
||||||
%if 0%{?suse_version}
|
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.secure
|
||||||
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %{name}.paranoid
|
||||||
%else # lets just assume other are rh based ones...
|
|
||||||
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
|
||||||
%endif
|
%endif
|
||||||
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
|
|
||||||
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
install -D -m 644 %{name}.easy %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
|
||||||
|
# pinger should be secure "enough" anyway paranoid will strip everything :)
|
||||||
|
install -m 644 %{name}.secure %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
|
||||||
|
install -m 644 %{name}.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
|
||||||
|
|
||||||
|
# install logrotate file
|
||||||
|
install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||||
|
|
||||||
install -d -m 755 doc/scripts
|
install -d -m 755 doc/scripts
|
||||||
install scripts/*.pl doc/scripts
|
install scripts/*.pl doc/scripts
|
||||||
@ -285,7 +277,22 @@ fdupes -q -n -r %{buildroot}%{_prefix}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?has_systemd}
|
%if 0%{?has_systemd}
|
||||||
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
|
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
|
||||||
|
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
|
||||||
|
%else # SysVinit
|
||||||
|
# fix postrotate script for SysVinit
|
||||||
|
sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
||||||
|
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
|
||||||
|
%else # lets just assume other are rh based ones...
|
||||||
|
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
||||||
|
%else
|
||||||
|
install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
@ -314,11 +321,14 @@ fi
|
|||||||
|
|
||||||
%post
|
%post
|
||||||
%if 0%{?suse_version} >= 1140
|
%if 0%{?suse_version} >= 1140
|
||||||
%if 0%{?set_permissions:1}
|
%if 0%{?set_permissions:1}
|
||||||
%set_permissions %name
|
%set_permissions %{_sbindir}/pinger
|
||||||
%else
|
%set_permissions %{_sbindir}/basic_pam_auth
|
||||||
%run_permissions
|
%set_permissions %{_localstatedir}/cache/squid/
|
||||||
%endif
|
%set_permissions %{_localstatedir}/log/squid/
|
||||||
|
%else
|
||||||
|
%run_permissions
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
# update mode?
|
# update mode?
|
||||||
if [ "$1" -gt "1" ]; then
|
if [ "$1" -gt "1" ]; then
|
||||||
@ -329,50 +339,52 @@ if [ "$1" -gt "1" ]; then
|
|||||||
# default group changed from nogroup to squid
|
# default group changed from nogroup to squid
|
||||||
%{_sbindir}/usermod -g %{name} %{name}
|
%{_sbindir}/usermod -g %{name} %{name}
|
||||||
fi
|
fi
|
||||||
%if 0%{?suse_version}
|
|
||||||
%{fillup_and_insserv -n "squid"}
|
|
||||||
%else
|
|
||||||
/sbin/chkconfig --add squid
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{?has_systemd}
|
%if 0%{?has_systemd}
|
||||||
%service_add_post squid.service
|
%service_add_post squid.service
|
||||||
|
%else
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
%{fillup_and_insserv -n "squid"}
|
||||||
|
%else
|
||||||
|
/sbin/chkconfig --add squid
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%if 0%{?suse_version}
|
%if 0%{?has_systemd}
|
||||||
%stop_on_removal squid
|
%service_del_preun squid.service
|
||||||
%else
|
%else
|
||||||
if [ $1 = 0 ] ; then
|
%if 0%{?suse_version}
|
||||||
|
%stop_on_removal squid
|
||||||
|
%else
|
||||||
|
if [ $1 = 0 ] ; then
|
||||||
service squid stop >/dev/null 2>&1
|
service squid stop >/dev/null 2>&1
|
||||||
rm -f /var/log/squid/*
|
rm -f /var/log/squid/*
|
||||||
/sbin/chkconfig --del squid
|
/sbin/chkconfig --del squid
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?has_systemd}
|
|
||||||
%service_del_preun squid.service
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
|
|
||||||
%if 0%{?has_systemd}
|
|
||||||
%service_del_postun squid.service
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{?suse_version}
|
%if 0%{?suse_version}
|
||||||
%restart_on_update squid
|
|
||||||
%insserv_cleanup
|
|
||||||
%verifyscript
|
%verifyscript
|
||||||
%verify_permissions -e /usr/sbin/basic_pam_auth
|
%verify_permissions -e /usr/sbin/basic_pam_auth
|
||||||
%verify_permissions -e /usr/sbin/pinger
|
%verify_permissions -e /usr/sbin/pinger
|
||||||
%verify_permissions -e /var/cache/squid/
|
%verify_permissions -e /var/cache/squid/
|
||||||
%verify_permissions -e /var/log/squid/
|
%verify_permissions -e /var/log/squid/
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?has_systemd}
|
||||||
|
%service_del_postun squid.service
|
||||||
%else
|
%else
|
||||||
if [ "$1" -ge "1" ] ; then
|
%if 0%{?suse_version}
|
||||||
|
%restart_on_update squid
|
||||||
|
%insserv_cleanup
|
||||||
|
%else
|
||||||
|
if [ "$1" -ge "1" ] ; then
|
||||||
service squid condrestart >/dev/null 2>&1
|
service squid condrestart >/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files
|
%files
|
||||||
@ -385,6 +397,8 @@ fi
|
|||||||
%doc %{_mandir}/man?/*
|
%doc %{_mandir}/man?/*
|
||||||
%if 0%{?has_systemd}
|
%if 0%{?has_systemd}
|
||||||
%{_unitdir}/%{name}.service
|
%{_unitdir}/%{name}.service
|
||||||
|
%else
|
||||||
|
%{_sysconfdir}/init.d/%{name}
|
||||||
%endif
|
%endif
|
||||||
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
|
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
|
||||||
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
|
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
|
||||||
@ -402,7 +416,6 @@ fi
|
|||||||
%config %{squidconfdir}/%{name}.conf.default
|
%config %{squidconfdir}/%{name}.conf.default
|
||||||
%config %{squidconfdir}/%{name}.conf.documented
|
%config %{squidconfdir}/%{name}.conf.documented
|
||||||
%config %{_sysconfdir}/pam.d/%{name}
|
%config %{_sysconfdir}/pam.d/%{name}
|
||||||
%config %{_sysconfdir}/init.d/%{name}
|
|
||||||
%config %{_sysconfdir}/permissions.d/%{name}.easy
|
%config %{_sysconfdir}/permissions.d/%{name}.easy
|
||||||
%config %{_sysconfdir}/permissions.d/%{name}.secure
|
%config %{_sysconfdir}/permissions.d/%{name}.secure
|
||||||
%config %{_sysconfdir}/permissions.d/%{name}.paranoid
|
%config %{_sysconfdir}/permissions.d/%{name}.paranoid
|
||||||
@ -423,7 +436,7 @@ fi
|
|||||||
%{_sbindir}/basic_ncsa_auth
|
%{_sbindir}/basic_ncsa_auth
|
||||||
%{_sbindir}/basic_nis_auth
|
%{_sbindir}/basic_nis_auth
|
||||||
%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
|
%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
|
||||||
#%%{_sbindir}/basic_pam_auth
|
#{_sbindir}/basic_pam_auth
|
||||||
%{_sbindir}/basic_pop3_auth
|
%{_sbindir}/basic_pop3_auth
|
||||||
%{_sbindir}/basic_radius_auth
|
%{_sbindir}/basic_radius_auth
|
||||||
%{_sbindir}/basic_sasl_auth
|
%{_sbindir}/basic_sasl_auth
|
||||||
@ -450,15 +463,24 @@ fi
|
|||||||
%{_sbindir}/negotiate_wrapper_auth
|
%{_sbindir}/negotiate_wrapper_auth
|
||||||
%{_sbindir}/ntlm_fake_auth
|
%{_sbindir}/ntlm_fake_auth
|
||||||
%{_sbindir}/ntlm_smb_lm_auth
|
%{_sbindir}/ntlm_smb_lm_auth
|
||||||
%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
|
# not working %%caps(cap_net_raw=ep)
|
||||||
%{_sbindir}/rc%{name}
|
%if 0%{?has_systemd}
|
||||||
|
%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
|
||||||
|
%else
|
||||||
|
%verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger
|
||||||
|
%endif
|
||||||
%{_sbindir}/%{name}
|
%{_sbindir}/%{name}
|
||||||
%{_sbindir}/ssl_crtd
|
%{_sbindir}/ssl_crtd
|
||||||
%{_sbindir}/storeid_file_rewrite
|
%{_sbindir}/storeid_file_rewrite
|
||||||
%{_sbindir}/unlinkd
|
%{_sbindir}/unlinkd
|
||||||
%{_sbindir}/url_fake_rewrite
|
%{_sbindir}/url_fake_rewrite
|
||||||
%{_sbindir}/url_fake_rewrite.sh
|
%{_sbindir}/url_fake_rewrite.sh
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
%{_sbindir}/rc%{name}
|
||||||
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
||||||
|
%else
|
||||||
|
%{_sysconfdir}/sysconfig/%{name}
|
||||||
|
%endif
|
||||||
%dir %{_libdir}/%{name}
|
%dir %{_libdir}/%{name}
|
||||||
%{_libdir}/%{name}/cachemgr.cgi
|
%{_libdir}/%{name}/cachemgr.cgi
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user