From d53179c2b0ca837abe11802a4e8154206c38e1135da0e65119bf352e907f3f89 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Tue, 19 Jun 2018 07:13:53 +0000 Subject: [PATCH] Accepting request 617514 from home:adamm:branches:server:proxy - New upstream version 4.0.25: + Fixed regression: querying private entries for HTCP/ICP + Fixed regression: deny_info %R macro not being expanded + Fixed regression: proxy_auth ACL -i/+i flags not working + Fixed regression: filter chain certificates for validity when loading + Fixed regression: Transient reader locking broken in 4.0.24 + Fixed NegotiateSsl crash on aborting transaction + Fixed IPC shared memory leaks when disker queue overflows + Update negotiate_kerberos_auth helper protocol to v3.4 + Fixed: purge tool does not obey --sysconfdir= build option + Add timestamps to (most) FATAL messages - a3f6783.patch: upstreamed, obsolete. OBS-URL: https://build.opensuse.org/request/show/617514 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=159 --- a3f6783.patch | 87 ----------------------------------------- squid-4.0.24.tar.xz | 3 -- squid-4.0.24.tar.xz.asc | 25 ------------ squid-4.0.25.tar.xz | 3 ++ squid-4.0.25.tar.xz.asc | 25 ++++++++++++ squid.changes | 17 ++++++++ squid.spec | 4 +- 7 files changed, 46 insertions(+), 118 deletions(-) delete mode 100644 a3f6783.patch delete mode 100644 squid-4.0.24.tar.xz delete mode 100644 squid-4.0.24.tar.xz.asc create mode 100644 squid-4.0.25.tar.xz create mode 100644 squid-4.0.25.tar.xz.asc diff --git a/a3f6783.patch b/a3f6783.patch deleted file mode 100644 index d3a09b0..0000000 --- a/a3f6783.patch +++ /dev/null 
@@ -1,87 +0,0 @@
-commit a3f6783b1cfe4b8067312fa65828fcd925757c38
-Author: Amos Jeffries
-Date: Tue Jun 5 06:11:29 2018 +0000
-
- Bug 4831: filter chain certificates for validity when loading (#187)
-
- 51e09c08a5e6c582e7d93af99a8f2cfcb14ea9e6 adding
- GnuTLS support required splitting the way
- certificate chains were loaded. This resulted in the
- leaf certificate being added twice at the prefix of a
- chain in the serverHello.
-
- It turns out that some recipients validate strictly that the
- chain delivered by a serverHello does not contain extra
- certificates and reject the handshake if they do.
-
- This patch implements the XXX about filtering certificates
- for chain sequence order and self-sign properties, added
- in the initial PR. Resolving the bug 4831 regression and also
- reporting failures at startup/reconfigure for admins.
-
- Also, add debug display of certificate names for simpler
- detection and administrative fix when loaded files fail
- these tests.
-
-diff --git a/src/security/KeyData.cc b/src/security/KeyData.cc
-index 23d123954..052c64ffd 100644
---- a/src/security/KeyData.cc
-+++ b/src/security/KeyData.cc
-@@ -86,8 +86,6 @@ void
- Security::KeyData::loadX509ChainFromFile()
- {
- #if USE_OPENSSL
-- // XXX: This BIO loads the public cert as first chain cert,
-- // so the code appending chains sends it twice in handshakes.
- const char *certFilename = certFile.c_str();
- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
- if (!bio || !BIO_read_filename(bio.get(), certFilename)) {
-@@ -96,14 +94,41 @@ Security::KeyData::loadX509ChainFromFile()
- return;
- }
- 
-- if (X509_check_issued(cert.get(), cert.get()) == X509_V_OK)
-- debugs(83, 5, "Certificate is self-signed, will not be chained");
-- else {
-+#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
-+ if (X509_check_issued(cert.get(), cert.get()) == X509_V_OK) {
-+ char *nameStr = X509_NAME_oneline(X509_get_subject_name(cert.get()), nullptr, 0);
-+ debugs(83, DBG_PARSE_NOTE(2), "Certificate is self-signed, will not be chained: " << nameStr);
-+ OPENSSL_free(nameStr);
-+ } else
-+#endif
-+ {
-+ debugs(83, DBG_PARSE_NOTE(3), "Using certificate chain in " << certFile);
- // and add to the chain any other certificate exist in the file
-- while (X509 *ca = PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)) {
-- // XXX: self-signed check should be applied to all certs loaded.
-- // XXX: missing checks that the chained certs are actually part of a chain for validating cert.
-- chain.emplace_front(Security::CertPointer(ca));
-+ CertPointer latestCert = cert;
-+
-+ while (auto ca = PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)) {
-+ // get Issuer name of the cert for debug display
-+ char *nameStr = X509_NAME_oneline(X509_get_subject_name(ca), nullptr, 0);
-+
-+#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
-+ // self-signed certificates are not valid in a sent chain
-+ if (X509_check_issued(ca, ca) == X509_V_OK) {
-+ debugs(83, DBG_PARSE_NOTE(2), "CA " << nameStr << " is self-signed, will not be chained: " << nameStr);
-+ OPENSSL_free(nameStr);
-+ continue;
-+ }
-+#endif
-+ // checks that the chained certs are actually part of a chain for validating cert
-+ if (X509_check_issued(ca, latestCert.get()) == X509_V_OK) {
-+ debugs(83, DBG_PARSE_NOTE(3), "Adding issuer CA: " << nameStr);
-+ // OpenSSL API requires that we order certificates such that the
-+ // chain can be appended directly into the on-wire traffic.
-+ latestCert = CertPointer(ca);
-+ chain.emplace_front(latestCert);
-+ } else {
-+ debugs(83, DBG_PARSE_NOTE(2), "Ignoring non-issuer CA from " << certFile << ": " << nameStr);
-+ }
-+ OPENSSL_free(nameStr);
- }
- }
- 
diff --git a/squid-4.0.24.tar.xz b/squid-4.0.24.tar.xz
deleted file mode 100644
index fc36236..0000000
--- a/squid-4.0.24.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:091da0d763307dcc0f5c784ab07ea0c5a093f6dfac60f17ff26e2a6d50f76a07
-size 2420076
diff --git a/squid-4.0.24.tar.xz.asc b/squid-4.0.24.tar.xz.asc
deleted file mode 100644
index bb0c3d9..0000000
--- a/squid-4.0.24.tar.xz.asc
+++ /dev/null
@@ -1,25 +0,0 @@
-File: squid-4.0.24.tar.xz
-Date: Wed Mar 7 15:09:08 UTC 2018
-Size: 2420076
-MD5 : dcb167d7677ff469c1c59b0baad8a5be
-SHA1: 8c9bbe539af5f1060d93d30d7e099a6badc1f3e1
-Key : CD6DBF8EF3B17D3E
- B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
- keyring = http://www.squid-cache.org/pgp.asc
- keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlqgAJwACgkQzW2/jvOx
-fT7HgBAAnyzIsJ95aFGQGKsXxxzXMQkjrWu2XQS6Fg9oJ/jFtS99msvoRZXLzpTs
-m5/n0QIk9h9xXPs8iOsfJLUymslw8LLOMIfljFVfxBId8pb4wcKf+OTGRjnmrqFy
-5btu1xr5kZuKSbNzP5KXet6KOitkkC+siuCfaZ5a8Zuf+aJRQBoc9v9ETbfnXesg
-kJWUd7G7BgvxCYC8x/dstabi3iA8qWk1zE01fZ2V9Xa5Cx4zYe7G6XFqG79VoMyd
-uaLBWhC055Xf8Pt87KSBDrSgQMrFTlnwi/ybAROIXbF3B0FEVtBbRmjI9YvOAhIM
-dMassujNGwFFcIFq2ghh6EHgChreV+zRqLOghGRy5+A0d9lUNKRGTOFHhJAMauKs
-ipMFJuc6oKL22TGaFyRJmQjY+F/Fkow99k7M3XMtMp8Ybl0APgCU35ac0F9UkeSh
-lU68Y4ZzBn2//z+vRDF4AtJuwCAec1uHWFp8LsXjVMJHa3xKONy766LYIZJnYU4p
-Pco0UGDT0bKl5xSA0a3Awx2FYsQn7Ng9TSmgk2G+GJrWNfqEPqdZ9xaCuW78GwvG
-41QYQTALAsfWjzVYVvPxSkELPNdZp7tn8PKrJZhEoLDkxO3cC1p1WrOUrLFzsTi+
-+iDtv9RNtvHpGuzQ8MDl5Ek7pYOlNhP/ecDAJQ1/gXljspYZoIo=
-=3OwY
------END PGP SIGNATURE-----
diff --git a/squid-4.0.25.tar.xz b/squid-4.0.25.tar.xz
new file mode 100644
index 0000000..5c2374d
--- /dev/null
+++ b/squid-4.0.25.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f70dc75148895c3cc0d232596fee0eb346d92f5457c7180d493f133410c2d626
+size 2424644
diff --git a/squid-4.0.25.tar.xz.asc b/squid-4.0.25.tar.xz.asc
new file mode 100644
index 0000000..5730b5b
--- /dev/null
+++ b/squid-4.0.25.tar.xz.asc
@@ -0,0 +1,25 @@
+File: squid-4.0.25.tar.xz
+Date: Mon Jun 11 17:15:25 UTC 2018
+Size: 2424644
+MD5 : a0b5f7bd39216aa7d8fce332441bbff7
+SHA1: 306117ebc37dc475cad5d8dc29a3fdf89a75e5c3
+Key : CD6DBF8EF3B17D3E
+ B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlserjcACgkQzW2/jvOx
+fT7aGQ//Sez7N4o7uzBlmrd3h3O0/plPhxNcbvWgMjz8RNGZDPIhNwYt8QUpeyTG
+47Uw01ukmIKJstekYvjHYlu8LGY1Sgc0OGv7VxdreOOKN2pewnoJ0c3JFHSl/Lu+
+pH8ePWPVSWWWAWIOsjCkbiEHzUtp3F1U/xUlpUuSDPepEE+RPe/6n11ugAMlKQUW
+TfVJ4+9BBb1hbGcrMjdyn6OohsiXZtH3+kk9rV4KkKfoyAUCBgDgb9mW30yRcHip
+B2CEOxzwRyCPZaT3uc7kPg9mThtLKAkvsLlamYw35nGzzwt1Kr/e49Q8TJBMdXkK
+AWP6N9tfr3Hsi4akcV12ZyiMZzPJGIS/E/KDGlh5049lzCoHcMEwuc9C37N+oZCg
+esBraPiXEF8y0wEIHQ1DOEBx2qAETlVsqj+D8LV3LiRJcKzqqQRPmJ3963lKxo83
+LYRgA1OFL4O39TI7SdgctMkOfpWDosTqX6nqzVAvmmXLxspE+L2VS7ydZGZH3tG2
+inGyf4i0nWCDoqkkcGEfZaq3zysceiL3KdsyqMra9I+QW/S4TRYiTO0pqbJXHgq7
+/8YdUdbCRH2UR9OYHO7Oq1KtzRQNMNR0H/fMgQ6yGWnvqmXLhPnGkZoUq0RIHqwV
+p3QX0TOtD90zg5Zi6ppysZIk6GdhmVxl0w80BT/hZ8En3yQaI1Q=
+=EpT6
+-----END PGP SIGNATURE-----
diff --git a/squid.changes b/squid.changes
index 2e106b1..01fb8ae 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Jun 18 13:04:17 UTC 2018 - adam.majer@suse.de
+
+- New upstream version 4.0.25:
+ + Fixed regression: querying private entries for HTCP/ICP
+ + Fixed regression: deny_info %R macro not being expanded
+ + Fixed regression: proxy_auth ACL -i/+i flags not working
+ + Fixed regression: filter chain certificates for validity
+ when loading
+ + Fixed regression: Transient reader locking broken in 4.0.24
+ + Fixed NegotiateSsl crash on aborting transaction
+ + Fixed IPC shared memory leaks when disker queue overflows
+ + Update negotiate_kerberos_auth helper protocol to v3.4
+ + Fixed: purge tool does not obey --sysconfdir= build option
+ + Add timestamps to (most) FATAL messages
+- a3f6783.patch: upstreamed, obsolete.
+
 -------------------------------------------------------------------
 Wed Jun 6 13:52:01 UTC 2018 - adam.majer@suse.de
 
diff --git a/squid.spec b/squid.spec
index db402fd..f2c65f7 100644
--- a/squid.spec
+++ b/squid.spec
@@ -19,7 +19,7 @@ %define squidlibdir %{_libdir}/squid
 %define squidconfdir %{_sysconfdir}/squid
 Name: squid
-Version: 4.0.24
+Version: 4.0.25
 Release: 0
 Summary: Caching and forwarding HTTP web proxy
 License: GPL-2.0-or-later
@@ -38,7 +38,6 @@ Source13: http://www.squid-cache.org/pgp.asc#/squid.keyring
 Source15: cache_dir.sed
 Source16: initialize_cache_if_needed.sh
 Patch1: missing_installs.patch
-Patch2: a3f6783.patch
 BuildRequires: cppunit-devel
 BuildRequires: db-devel
 BuildRequires: ed
@@ -87,7 +86,6 @@ cp %{SOURCE10} .
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
 %patch1 -p1
-%patch2 -p1
 
 %build
 autoreconf -fi