Accepting request 263262 from server:proxy:Test
update to 3.4.9, fix for bnc#891268 (CVE-2014-7141, CVE-2014-7142) OBS-URL: https://build.opensuse.org/request/show/263262 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=61
This commit is contained in:
parent
c1113da01b
commit
c3f10526dc
@ -2,10 +2,10 @@
|
||||
<HTML>
|
||||
<HEAD>
|
||||
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
|
||||
<TITLE>Squid 3.4.5 release notes</TITLE>
|
||||
<TITLE>Squid 3.4.7 release notes</TITLE>
|
||||
</HEAD>
|
||||
<BODY>
|
||||
<H1>Squid 3.4.5 release notes</H1>
|
||||
<H1>Squid 3.4.7 release notes</H1>
|
||||
|
||||
<H2>Squid Developers</H2>
|
||||
<HR>
|
||||
@ -57,7 +57,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
|
||||
<HR>
|
||||
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
|
||||
|
||||
<P>The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.</P>
|
||||
<P>The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.</P>
|
||||
<P>This new release is available for download from
|
||||
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
|
||||
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:37338218562a2c85e855b4fa472848ca8f8a0408f3e04d15636acdaace3811ca
|
||||
size 3057715
|
@ -1,20 +0,0 @@
|
||||
File: squid-3.4.6.tar.bz2
|
||||
Date: Wed Jun 25 15:31:30 UTC 2014
|
||||
Size: 3057715
|
||||
MD5 : d3ca4ce0a039bbba8258d6b67d6afaa1
|
||||
SHA1: 0b8850a0bf73d85797e441e589324da8309cd738
|
||||
Key : 0xFF5CF463 <squid3@treenet.co.nz>
|
||||
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
|
||||
keyring = http://www.squid-cache.org/pgp.asc
|
||||
keyserver = subkeys.pgp.net
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQEcBAABAgAGBQJTqx1kAAoJELJo5wb/XPRjsjEIAOCdBy3rvR5fK5JluK2uUjkf
|
||||
+EQbglgl10SoMMxS63mswFI5ZlpyHffPhpuL9RGOSeRxjUV7S9a8I9WuG+1ox6Of
|
||||
P6VXZxnUpZNwSWht7MJL8gIUs8oafYsPPlwP9r67VxQeP8Nz42HwsYOaWhNVi72w
|
||||
TU2axLEnIg89qg9heG7jN1gFBYOSTW4arW3+1Rzefo5sNvLXjbtE1i6woLYp+9E1
|
||||
v/ZXPo/LIW7WoV8/n/kr43PMGExPg40YZXVybdKBtHjybpLzxJSPv61cKqMtzN9C
|
||||
b6RRjLNM8BuVGdi8wdEDJuwCcnIbT8Bsqi6SPYDDfkNRhh+CBp8/mA9Rdgg+QVE=
|
||||
=OMF0
|
||||
-----END PGP SIGNATURE-----
|
3
squid-3.4.9.tar.bz2
Normal file
3
squid-3.4.9.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:42f2ffbfed6679e1e4ba9a29088495c088ff76cc2517d22d5fb792e2b802ce66
|
||||
size 3043750
|
20
squid-3.4.9.tar.bz2.asc
Normal file
20
squid-3.4.9.tar.bz2.asc
Normal file
@ -0,0 +1,20 @@
|
||||
File: squid-3.4.9.tar.bz2
|
||||
Date: Fri Oct 31 10:20:30 UTC 2014
|
||||
Size: 3043750
|
||||
MD5 : bb8ecbee8fa9fa8659b4349a78696fe7
|
||||
SHA1: a356cadc324d91c41119f96a7d1a20330866c1ac
|
||||
Key : 0xFF5CF463 <squid3@treenet.co.nz>
|
||||
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
|
||||
keyring = http://www.squid-cache.org/pgp.asc
|
||||
keyserver = subkeys.pgp.net
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQEcBAABAgAGBQJUU3UxAAoJELJo5wb/XPRjhKUH/0flnkcc6gTQzh7Vh/kusCFk
|
||||
pC/sfpt0mrZeZZQxAYS/wJFIym5jo8PkiKrvC2ZgOHchpVlGC3hLn2ENqbzR6VEv
|
||||
L5V7M1XGJdgC1ynjj+H9ML4PBmV1E/XfakkOgnhY+3of32DrmuCN8CFuB5iGNcdH
|
||||
xHwzXGSeyJkDUjZObourtT2h64Rc12cARz/yXgsq2YKAhf0EM8+rld5Xm40kOWsX
|
||||
Vci/kvw3RkXuhMMwrL9jzxv8z5/nrsDHbHmwXy3mw2k0G9AmzbKx8ykdoABG/MH5
|
||||
awuHT1MNFQp5IBr6LisM++2BILjb3UNiyp3lhDtXCHbTo6RCik7jUvEih57koqI=
|
||||
=BI4b
|
||||
-----END PGP SIGNATURE-----
|
@ -1,66 +0,0 @@
|
||||
diff -rNU 60 ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool ./helpers/external_acl/kerberos_ldap_group/cert_tool
|
||||
--- ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool 2014-06-25 16:41:39.000000000 +0200
|
||||
+++ ./helpers/external_acl/kerberos_ldap_group/cert_tool 2014-08-14 16:40:59.000000000 +0200
|
||||
@@ -1,61 +1,61 @@
|
||||
-#!/bin/ksh
|
||||
+#!/bin/bash
|
||||
#
|
||||
# -----------------------------------------------------------------------------
|
||||
#
|
||||
# Author: Markus Moeller (markus_moeller at compuserve.com)
|
||||
#
|
||||
# Copyright (C) 2007 Markus Moeller. All rights reserved.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
|
||||
#
|
||||
# -----------------------------------------------------------------------------
|
||||
#
|
||||
#
|
||||
# creates the following files:
|
||||
# <server>.cert
|
||||
# secmod.db
|
||||
# key3.db
|
||||
# cert8.db
|
||||
#
|
||||
#
|
||||
if [ -z "$1" ]; then
|
||||
echo "Usage: `basename $0` ldap-server port"
|
||||
exit 0
|
||||
fi
|
||||
if [ -z "$2" ]; then
|
||||
port=636
|
||||
else
|
||||
port=$2
|
||||
fi
|
||||
|
||||
server=$1
|
||||
|
||||
#
|
||||
# Remove old files
|
||||
#
|
||||
rm ${server}_[0-9]*.cert 2>/dev/null
|
||||
#
|
||||
# Get certs and store in .cert file
|
||||
#
|
||||
( openssl s_client -showcerts -connect $server:$port 2>/dev/null <<!
|
||||
QUIT
|
||||
!
|
||||
) | awk 'BEGIN{start=0;ostart=0}{if ( $0 ~ /BEGIN CERTIFICATE/ ) { start=start+1 };
|
||||
if ( start > ostart ) {print $0 >>"'$server'_"start".cert"};
|
||||
if ( $0 ~ /END CERTIFICATE/) { ostart=start } }'
|
||||
|
||||
#
|
||||
# from mozilla-nss-tools
|
||||
# /usr/sfw/bin on Solaris
|
@ -2,7 +2,7 @@ Index: src/Makefile.am
|
||||
===================================================================
|
||||
--- src/Makefile.am.orig
|
||||
+++ src/Makefile.am
|
||||
@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
|
||||
@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci
|
||||
|
||||
# cf_gen builds the configuration files.
|
||||
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
|
||||
@ -15,7 +15,7 @@ Index: src/Makefile.in
|
||||
===================================================================
|
||||
--- src/Makefile.in.orig
|
||||
+++ src/Makefile.in
|
||||
@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci
|
||||
@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci
|
||||
|
||||
# cf_gen builds the configuration files.
|
||||
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
|
||||
|
@ -2,7 +2,7 @@ Index: src/cf.data.pre
|
||||
===================================================================
|
||||
--- src/cf.data.pre.orig
|
||||
+++ src/cf.data.pre
|
||||
@@ -1350,6 +1350,8 @@ http_access deny manager
|
||||
@@ -1361,6 +1361,8 @@ http_access deny manager
|
||||
# Adapt localnet in the ACL section to list your (internal) IP networks
|
||||
# from where browsing should be allowed
|
||||
http_access allow localnet
|
||||
@ -11,7 +11,7 @@ Index: src/cf.data.pre
|
||||
http_access allow localhost
|
||||
|
||||
# And finally deny all other access to this proxy
|
||||
@@ -3361,6 +3363,10 @@ DOC_START
|
||||
@@ -3414,6 +3416,10 @@ DOC_START
|
||||
Instead, if you want Squid to use the entire disk drive,
|
||||
subtract 20% and use that value.
|
||||
|
||||
@ -22,7 +22,7 @@ Index: src/cf.data.pre
|
||||
'L1' is the number of first-level subdirectories which
|
||||
will be created under the 'Directory'. The default is 16.
|
||||
|
||||
@@ -3494,7 +3500,7 @@ DOC_START
|
||||
@@ -3547,7 +3553,7 @@ DOC_START
|
||||
NOCOMMENT_START
|
||||
|
||||
# Uncomment and adjust the following to add a disk cache directory.
|
||||
@ -31,7 +31,7 @@ Index: src/cf.data.pre
|
||||
NOCOMMENT_END
|
||||
DOC_END
|
||||
|
||||
@@ -4147,7 +4153,7 @@ DOC_END
|
||||
@@ -4178,7 +4184,7 @@ DOC_END
|
||||
|
||||
NAME: logfile_rotate
|
||||
TYPE: int
|
||||
|
@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
|
||||
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
|
||||
- " starting up...\n");
|
||||
+ debug("External ACL win32 group helper build starting up...\n");
|
||||
if (use_global)
|
||||
if (use_global) {
|
||||
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
|
||||
if (use_case_insensitive_compare)
|
||||
}
|
||||
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
|
||||
===================================================================
|
||||
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
|
||||
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
|
||||
@@ -272,7 +272,7 @@ main(int argc, char *argv[])
|
||||
@@ -274,7 +274,7 @@ main(int argc, char *argv[])
|
||||
|
||||
process_options(argc, argv);
|
||||
|
||||
@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
|
||||
===================================================================
|
||||
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
|
||||
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
|
||||
@@ -609,7 +609,7 @@ main(int argc, char *argv[])
|
||||
@@ -611,7 +611,7 @@ main(int argc, char *argv[])
|
||||
|
||||
process_options(argc, argv);
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
addFilter("macro-in-comment")
|
||||
addFilter("no-manual-page-for-binary")
|
||||
addFilter("zero-length")
|
||||
addFilter("incorrect-fsf-address")
|
||||
# Temporary solution untill it is moved into factory
|
||||
setBadness('permissions-unauthorized-file', 333)
|
||||
|
@ -1,3 +1,83 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com
|
||||
|
||||
- Changes to 3.4.9 (31 Oct 2014):
|
||||
+ Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
|
||||
+ Bug 4102: sslbump cert contains only a dot character in key usage extension
|
||||
+ Bug 4093: source-maintenance.sh errors and warnings due to wrong
|
||||
tools/options
|
||||
+ Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
|
||||
+ Bug 4024: Bad host/IP ::1 when using IPv4-only environment
|
||||
+ Bug 3803: ident leaks memory on failure
|
||||
+ kerberos_ldap_group/cert_tool: Remove ksh dependency;
|
||||
obsoletes squid-cert_tool_use_bash_not_ksh.patch
|
||||
+ ... and some automated code style updates
|
||||
+ ... and some documentation updates
|
||||
- Changes to 3.4.8 (15 Sep 2014):
|
||||
+ Fix off by one in SNMP subsystem
|
||||
+ pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142;
|
||||
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268
|
||||
obsoletes squid-icmp-DoS.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com
|
||||
|
||||
- Remove dependency on gpg-offline as signature checking is implemented in the
|
||||
source validator.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de
|
||||
|
||||
- fix spec and changes file
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net
|
||||
|
||||
- update logrotate file
|
||||
* postrotate now defaults to 'systemd'
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net
|
||||
|
||||
- fix for icmp pinger DOS bnc#891268
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de
|
||||
|
||||
- some spec cleanup
|
||||
- some systemd/SysVinit fixes
|
||||
- fix sysconfig file for ! suse_version
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net
|
||||
|
||||
- replaced permissions handling using setuid bit with use of
|
||||
linux capabilities (on supported systems)
|
||||
- general cleanup of .spec file and systemd handling
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de
|
||||
|
||||
- Changes to 3.4.7 (28 Aug 2014):
|
||||
* Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
|
||||
* Bug 4080: worker hangs when client identd is not responding
|
||||
* Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
|
||||
* HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
|
||||
* SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
|
||||
* Enable compile-time override for MAXTCPLISTENPORTS
|
||||
* ntlm_sspi_auth: Fix various build errors
|
||||
* negotiate_wrapper: Fix build issues with non-portable vfork()
|
||||
* negotiate_sspi_auth: Portability fixes for MinGW
|
||||
* ext_lm_group_acl: Portability fixes for MinGW
|
||||
* ... and several minor memory leaks
|
||||
- fix for bnc#894636
|
||||
* fix postrotate for systemd
|
||||
- rebase patches
|
||||
* squid-cert_tool_use_bash_not_ksh.patch
|
||||
* squid-compiled_without_RPM_OPT_FLAGS.patch
|
||||
* squid-nobuilddates.patch
|
||||
* squid-config.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de
|
||||
|
||||
|
@ -9,7 +9,7 @@
|
||||
create 640 squid root
|
||||
sharedscripts
|
||||
postrotate
|
||||
/etc/init.d/squid reload
|
||||
/usr/bin/systemctl reload squid.service
|
||||
endscript
|
||||
}
|
||||
|
||||
@ -23,6 +23,6 @@
|
||||
missingok
|
||||
create 640 squid root
|
||||
postrotate
|
||||
/etc/init.d/squid reload
|
||||
/usr/bin/systemctl reload squid.service
|
||||
endscript
|
||||
}
|
||||
|
@ -1,4 +1,5 @@
|
||||
/var/cache/squid/ squid:root 750
|
||||
/var/log/squid/ squid:root 750
|
||||
/usr/sbin/pinger root:squid 4750
|
||||
/usr/sbin/pinger root:squid 750
|
||||
+capabilities cap_net_raw=ep
|
||||
/usr/sbin/basic_pam_auth root:shadow 2750
|
||||
|
@ -1,4 +1,5 @@
|
||||
/var/cache/squid/ squid:root 750
|
||||
/var/log/squid/ squid:root 750
|
||||
/usr/sbin/pinger root:root 755
|
||||
/usr/sbin/pinger root:squid 750
|
||||
+capabilities cap_net_raw=ep
|
||||
/usr/sbin/basic_pam_auth root:root 755
|
||||
|
160
squid.spec
160
squid.spec
@ -24,12 +24,13 @@ Name: squid
|
||||
Summary: A fully featured HTTP/1.0 proxy
|
||||
License: GPL-2.0+
|
||||
Group: Productivity/Networking/Web/Proxy
|
||||
Version: 3.4.6
|
||||
Version: 3.4.9
|
||||
Release: 0
|
||||
%define majorver %(echo %version|sed -re 's/^([0-9]).*/\1/g')
|
||||
%define majminver %(echo %version|sed -re 's/^([0-9]\.[0-9]).*/\1/g')
|
||||
Url: http://www.squid-cache.org/Versions/v3/3.4
|
||||
#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
|
||||
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
|
||||
Source1: %{name}-%{version}.tar.bz2.asc
|
||||
Source0: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2
|
||||
Source1: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2.asc
|
||||
Source2: RELEASENOTES.html
|
||||
Source3: squid.init
|
||||
Source4: squid.sysconfig
|
||||
@ -65,7 +66,7 @@ Patch101: %{name}-nobuilddates.patch
|
||||
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
|
||||
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
|
||||
Patch103: squid-brokenad.patch
|
||||
Patch104: %{name}-cert_tool_use_bash_not_ksh.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if 0%{?suse_version}
|
||||
PreReq: %fillup_prereq
|
||||
@ -88,9 +89,6 @@ BuildRequires: expat
|
||||
BuildRequires: fdupes
|
||||
%endif
|
||||
BuildRequires: gcc-c++
|
||||
%if 0%{?suse_version}
|
||||
BuildRequires: gpg-offline
|
||||
%endif
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: libexpat-devel
|
||||
@ -127,7 +125,7 @@ Provides: %{name}3 = %{version}
|
||||
Obsoletes: %{name}3 < %{version}
|
||||
|
||||
%description
|
||||
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
|
||||
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.
|
||||
|
||||
Squid 3.4 represents a new feature release above 3.3.
|
||||
|
||||
@ -140,15 +138,8 @@ The most important of these new features are:
|
||||
* Transaction Annotations
|
||||
* Multicast DNS
|
||||
|
||||
Most user-facing changes are reflected in squid.conf (see below).
|
||||
|
||||
First STABLE release Date: 08 Dec 2013
|
||||
|
||||
%prep
|
||||
#setup -q -n %{name}-%{version}%{snap}
|
||||
%if 0%{?suse_version}
|
||||
%gpg_verify %{S:1}
|
||||
%endif
|
||||
%setup -q -n %{name}-%{version}
|
||||
cp %{S:10} .
|
||||
# upstream patches after RELEASE
|
||||
@ -160,16 +151,10 @@ chmod a-x CREDITS
|
||||
%patch101
|
||||
%patch102
|
||||
%patch103
|
||||
%patch104
|
||||
|
||||
%build
|
||||
#if 0%{?sles_version} == 1100
|
||||
#export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
||||
#export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
||||
#else
|
||||
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
||||
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
|
||||
#endif
|
||||
export LDFLAGS='-Wl,-z,relro,-z,now -pie'
|
||||
%configure \
|
||||
--disable-strict-error-checking \
|
||||
@ -233,26 +218,33 @@ make SAMBAPREFIX=/usr %{?_smp_mflags}
|
||||
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
|
||||
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
|
||||
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
|
||||
install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
|
||||
chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
|
||||
|
||||
install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
|
||||
install -d %{buildroot}%{_prefix}/sbin
|
||||
|
||||
# make_install
|
||||
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
|
||||
|
||||
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
|
||||
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
|
||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
|
||||
# pinger should be secure "enough" anyway paranoid will strip everything :)
|
||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
|
||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
|
||||
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||
%if 0%{?suse_version}
|
||||
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
||||
%else # lets just assume other are rh based ones...
|
||||
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
||||
|
||||
# install permissions files
|
||||
cp -a %{SOURCE9} %{name}.easy
|
||||
cp -a %{SOURCE9} %{name}.secure
|
||||
cp -a %{SOURCE15} %{name}.paranoid
|
||||
%if !0%{?has_systemd}
|
||||
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.easy
|
||||
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.secure
|
||||
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %{name}.paranoid
|
||||
%endif
|
||||
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
|
||||
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
||||
|
||||
install -D -m 644 %{name}.easy %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
|
||||
# pinger should be secure "enough" anyway paranoid will strip everything :)
|
||||
install -m 644 %{name}.secure %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
|
||||
install -m 644 %{name}.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
|
||||
|
||||
# install logrotate file
|
||||
install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||
|
||||
install -d -m 755 doc/scripts
|
||||
install scripts/*.pl doc/scripts
|
||||
@ -285,7 +277,22 @@ fdupes -q -n -r %{buildroot}%{_prefix}
|
||||
%endif
|
||||
|
||||
%if 0%{?has_systemd}
|
||||
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
|
||||
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
|
||||
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
|
||||
%else # SysVinit
|
||||
# fix postrotate script for SysVinit
|
||||
sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||
%if 0%{?suse_version}
|
||||
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
||||
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
|
||||
%else # lets just assume other are rh based ones...
|
||||
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
|
||||
%endif
|
||||
%endif
|
||||
%if 0%{?suse_version}
|
||||
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
||||
%else
|
||||
install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
|
||||
%endif
|
||||
|
||||
%pre
|
||||
@ -314,11 +321,14 @@ fi
|
||||
|
||||
%post
|
||||
%if 0%{?suse_version} >= 1140
|
||||
%if 0%{?set_permissions:1}
|
||||
%set_permissions %name
|
||||
%else
|
||||
%run_permissions
|
||||
%endif
|
||||
%if 0%{?set_permissions:1}
|
||||
%set_permissions %{_sbindir}/pinger
|
||||
%set_permissions %{_sbindir}/basic_pam_auth
|
||||
%set_permissions %{_localstatedir}/cache/squid/
|
||||
%set_permissions %{_localstatedir}/log/squid/
|
||||
%else
|
||||
%run_permissions
|
||||
%endif
|
||||
%endif
|
||||
# update mode?
|
||||
if [ "$1" -gt "1" ]; then
|
||||
@ -329,50 +339,52 @@ if [ "$1" -gt "1" ]; then
|
||||
# default group changed from nogroup to squid
|
||||
%{_sbindir}/usermod -g %{name} %{name}
|
||||
fi
|
||||
%if 0%{?suse_version}
|
||||
%{fillup_and_insserv -n "squid"}
|
||||
%else
|
||||
/sbin/chkconfig --add squid
|
||||
%endif
|
||||
|
||||
%if 0%{?has_systemd}
|
||||
%service_add_post squid.service
|
||||
%else
|
||||
%if 0%{?suse_version}
|
||||
%{fillup_and_insserv -n "squid"}
|
||||
%else
|
||||
/sbin/chkconfig --add squid
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%preun
|
||||
%if 0%{?suse_version}
|
||||
%stop_on_removal squid
|
||||
%if 0%{?has_systemd}
|
||||
%service_del_preun squid.service
|
||||
%else
|
||||
if [ $1 = 0 ] ; then
|
||||
%if 0%{?suse_version}
|
||||
%stop_on_removal squid
|
||||
%else
|
||||
if [ $1 = 0 ] ; then
|
||||
service squid stop >/dev/null 2>&1
|
||||
rm -f /var/log/squid/*
|
||||
/sbin/chkconfig --del squid
|
||||
fi
|
||||
%endif
|
||||
|
||||
%if 0%{?has_systemd}
|
||||
%service_del_preun squid.service
|
||||
fi
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%postun
|
||||
|
||||
%if 0%{?has_systemd}
|
||||
%service_del_postun squid.service
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version}
|
||||
%restart_on_update squid
|
||||
%insserv_cleanup
|
||||
%verifyscript
|
||||
%verify_permissions -e /usr/sbin/basic_pam_auth
|
||||
%verify_permissions -e /usr/sbin/pinger
|
||||
%verify_permissions -e /var/cache/squid/
|
||||
%verify_permissions -e /var/log/squid/
|
||||
%endif
|
||||
|
||||
%if 0%{?has_systemd}
|
||||
%service_del_postun squid.service
|
||||
%else
|
||||
if [ "$1" -ge "1" ] ; then
|
||||
%if 0%{?suse_version}
|
||||
%restart_on_update squid
|
||||
%insserv_cleanup
|
||||
%else
|
||||
if [ "$1" -ge "1" ] ; then
|
||||
service squid condrestart >/dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%files
|
||||
@ -385,6 +397,8 @@ fi
|
||||
%doc %{_mandir}/man?/*
|
||||
%if 0%{?has_systemd}
|
||||
%{_unitdir}/%{name}.service
|
||||
%else
|
||||
%{_sysconfdir}/init.d/%{name}
|
||||
%endif
|
||||
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
|
||||
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
|
||||
@ -402,7 +416,6 @@ fi
|
||||
%config %{squidconfdir}/%{name}.conf.default
|
||||
%config %{squidconfdir}/%{name}.conf.documented
|
||||
%config %{_sysconfdir}/pam.d/%{name}
|
||||
%config %{_sysconfdir}/init.d/%{name}
|
||||
%config %{_sysconfdir}/permissions.d/%{name}.easy
|
||||
%config %{_sysconfdir}/permissions.d/%{name}.secure
|
||||
%config %{_sysconfdir}/permissions.d/%{name}.paranoid
|
||||
@ -423,7 +436,7 @@ fi
|
||||
%{_sbindir}/basic_ncsa_auth
|
||||
%{_sbindir}/basic_nis_auth
|
||||
%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
|
||||
#%%{_sbindir}/basic_pam_auth
|
||||
#{_sbindir}/basic_pam_auth
|
||||
%{_sbindir}/basic_pop3_auth
|
||||
%{_sbindir}/basic_radius_auth
|
||||
%{_sbindir}/basic_sasl_auth
|
||||
@ -450,15 +463,24 @@ fi
|
||||
%{_sbindir}/negotiate_wrapper_auth
|
||||
%{_sbindir}/ntlm_fake_auth
|
||||
%{_sbindir}/ntlm_smb_lm_auth
|
||||
%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
|
||||
%{_sbindir}/rc%{name}
|
||||
# not working %%caps(cap_net_raw=ep)
|
||||
%if 0%{?has_systemd}
|
||||
%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
|
||||
%else
|
||||
%verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger
|
||||
%endif
|
||||
%{_sbindir}/%{name}
|
||||
%{_sbindir}/ssl_crtd
|
||||
%{_sbindir}/storeid_file_rewrite
|
||||
%{_sbindir}/unlinkd
|
||||
%{_sbindir}/url_fake_rewrite
|
||||
%{_sbindir}/url_fake_rewrite.sh
|
||||
%if 0%{?suse_version}
|
||||
%{_sbindir}/rc%{name}
|
||||
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
||||
%else
|
||||
%{_sysconfdir}/sysconfig/%{name}
|
||||
%endif
|
||||
%dir %{_libdir}/%{name}
|
||||
%{_libdir}/%{name}/cachemgr.cgi
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user