pool/squid
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
...
pull from: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

3 Commits
slfo-1.2 ... factory

Author SHA256 Message Date
Ana Guerrero
62523a7825 Accepting request 1316100 from server:proxy 
Since version 6, some previously deprecated features have been removed:
 * Edge Side Includes (ESI)
 * access to the cache manager using the cache_object:// scheme - use http instead
 * the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
 * the cachemgr.cgi tool
 * the purge tool - use the http PURGE method instead
 * Ident protocol support
 * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
  - Quit NTLM authenticate() on missing NTLM authorization header
  - Fix Auth::User::absorb() IP list transfer logic
  - Fix type mismatch in new/delete of addrinfo::ai_addr
  - Fix libntlmauth string parsing on big-endian machines
  - ... and some code cleanups
  - ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
  - Bug 3390: Proxy auth data visible to scripts
  - Bug 5504: Document that Squid discards invalid rewrite-url
  - Bug 5407: Support at least 1000 groups per Kerberos user
  - Fix parsing of malformed quoted squid.conf strings
  - Fix off-by-one in helper args count assertion
  - Fix UDP log module opening and closing code
  - Fix BodyPipe debugging in handleChunkedRequestBody()
  - Fix debugging of Eui48::lookup() problems
  - Fix memory leak when parsing deprecated %rG logformat code
  - Fix SQUID_YESNO 'syntax error near unexpected token'
  - DNS: fix RRPack memcpy
  - DNS: Do not leak RR data upon RR data unpacking errors
  - FTP: Avoid null dereferences when handling ftp_port traffic

OBS-URL: https://build.opensuse.org/request/show/1316100
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=124
 2025-11-07 17:21:48 +00:00
Adam Majer
9fb03d5777 Since version 6, some previously deprecated features have been removed: 
* Edge Side Includes (ESI)
 * access to the cache manager using the cache_object:// scheme - use http instead
 * the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
 * the cachemgr.cgi tool
 * the purge tool - use the http PURGE method instead
 * Ident protocol support
 * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
  - Quit NTLM authenticate() on missing NTLM authorization header
  - Fix Auth::User::absorb() IP list transfer logic
  - Fix type mismatch in new/delete of addrinfo::ai_addr
  - Fix libntlmauth string parsing on big-endian machines
  - ... and some code cleanups
  - ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
  - Bug 3390: Proxy auth data visible to scripts
  - Bug 5504: Document that Squid discards invalid rewrite-url
  - Bug 5407: Support at least 1000 groups per Kerberos user
  - Fix parsing of malformed quoted squid.conf strings
  - Fix off-by-one in helper args count assertion
  - Fix UDP log module opening and closing code
  - Fix BodyPipe debugging in handleChunkedRequestBody()
  - Fix debugging of Eui48::lookup() problems
  - Fix memory leak when parsing deprecated %rG logformat code
  - Fix SQUID_YESNO 'syntax error near unexpected token'
  - DNS: fix RRPack memcpy
  - DNS: Do not leak RR data upon RR data unpacking errors
  - FTP: Avoid null dereferences when handling ftp_port traffic

OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=304
 2025-11-06 19:29:48 +00:00
Adam Majer
d9af867924 - Updated harden_squid.service.patch to include new startup sequence 
local-fs.target
- Update to 6.14
 - Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
 - Bug 5489: Fix "make check" linking on Solaris
 - Fix SNMP cacheNumObjCount -- number of cached objects
 - Do not duplicate received Surrogate-Capability in sent requests
 - Fix Mem::Segment::open() stub to fix build without shm_open()
 - ... and CI and documentation updates
 
- changes since squid-6.13
 - Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
 - Bug 5405: Large uploads fill request buffer and die
 - Bug 5093: List http_port params that https_port/ftp_port lack
 - Bug 5311: clarify configuration byte units
 - Bug 5091: document that changes to workers require restart
 - Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
 - Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
 - Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
 - Clarify --enable-ecap failure on missing shared library support
 - Fix syntax error in configure.ac
 - Remove GNU'ism in release notes Makefile
 - Annotate PoolMalloc memory in valgrind builds
 - Fix systemd startup sequence to require active Local Filesystem
 - Display Linux variant at ./configure time
 - Refactor peerRefreshDNS() to clarify its (void*)1 logic
 - Portability: remove explicit check for libdl
 - ext_time_quota_acl: remove -l option
 - ... and some documentation updates
 - ... and some CI updates

OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=303
 2025-11-06 18:55:20 +00:00
8 changed files with 136 additions and 65 deletions
Expand all files Collapse all files

13
CVE-2024-33427.patch
View File

@@ -1,13 +0,0 @@
Index: squid-6.9/src/ConfigParser.cc
===================================================================
--- squid-6.9.orig/src/ConfigParser.cc
+++ squid-6.9/src/ConfigParser.cc
@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
*d = '\0';
// We are expecting a separator after quoted string, space or one of "()#"
- if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
+ if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
errorStr = "Expecting space after the end of quoted token";
errorPos = token;
}

2
harden_squid.service.patch
View File

@@ -3,7 +3,7 @@ Index: squid-6.2/tools/systemd/squid.service
--- squid-6.2.orig/tools/systemd/squid.service
+++ squid-6.2/tools/systemd/squid.service
@@ -11,6 +11,18 @@ Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target
After=local-fs.target network.target network-online.target nss-lookup.target
[Service]
+# added automatically, for details please see

BIN
squid-6.12.tar.xz LFS
View File

Binary file not shown.

17
squid-6.12.tar.xz.asc
View File

@@ -1,17 +0,0 @@
File: squid-6.12.tar.xz
Date: Fri Oct 11 08:30:43 PM UTC 2024
Size: 2548220
MD5 : 26a264b234e22e012ea531d4f5d43ed1
SHA1: 2885015423b66f0b87e2e3ed0dfd17f3f124d7e6
Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
sub cv25519 2021-05-15 [E]
keyring = http://www.squid-cache.org/pgp.asc
keyserver = pool.sks-keyservers.net
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZwmLBQAKCRAo+FAp/vbo
ZYYJAP9pMd7sF4qmLLMlHIu48KMKqGhJdkEEpZJbOvmXS4lpBQD/QzCU3cng78NN
orwehX0iYHf0lWvY8IjBV/9YEPi9iww=
=yaaw
-----END PGP SIGNATURE-----

3
squid-7.3.tar.xz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd
size 2441828

18
squid-7.3.tar.xz.asc Normal file
View File

@@ -0,0 +1,18 @@
File : squid-7.3.tar.xz
Date : Tue, 28 Oct 2025 20:25:12 +0000
Size : 2441828
MD5 : 5a137c74c6bb74b2d29ab9fca37f7634
SHA1 : 135c4a5a3c2d57851f6c33256f6dc6f138e34805
SHA256 : dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd
Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
Fingerprint: 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
sub cv25519 2021-05-15 [E]
Keyring : http://www.squid-cache.org/pgp.asc
Keyserver: keyserver.ubuntu.com
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaQEnTQAKCRAo+FAp/vbo
ZQ+5AP9reExpcMwsaneD8pVVX+Ap/kgRYylbM5lVlxwHD/IVNgEA4EHpjuaHPVb6
YbJ97+HId+XiiCMAyjjkdgHWQxxjbQA=
=0ppx
-----END PGP SIGNATURE-----

105
squid.changes
View File

@@ -1,3 +1,108 @@
-------------------------------------------------------------------
Thu Nov 6 18:56:27 UTC 2025 - Adam Majer <adam.majer@suse.de>
Since version 6, some previously deprecated features have been removed:
* Edge Side Includes (ESI)
* access to the cache manager using the cache_object:// scheme - use http instead
* the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
* the cachemgr.cgi tool
* the purge tool - use the http PURGE method instead
* Ident protocol support
* basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
- Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
- Quit NTLM authenticate() on missing NTLM authorization header
- Fix Auth::User::absorb() IP list transfer logic
- Fix type mismatch in new/delete of addrinfo::ai_addr
- Fix libntlmauth string parsing on big-endian machines
- ... and some code cleanups
- ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
- Bug 3390: Proxy auth data visible to scripts
- Bug 5504: Document that Squid discards invalid rewrite-url
- Bug 5407: Support at least 1000 groups per Kerberos user
- Fix parsing of malformed quoted squid.conf strings
- Fix off-by-one in helper args count assertion
- Fix UDP log module opening and closing code
- Fix BodyPipe debugging in handleChunkedRequestBody()
- Fix debugging of Eui48::lookup() problems
- Fix memory leak when parsing deprecated %rG logformat code
- Fix SQUID_YESNO 'syntax error near unexpected token'
- DNS: fix RRPack memcpy
- DNS: Do not leak RR data upon RR data unpacking errors
- FTP: Avoid null dereferences when handling ftp_port traffic
- FTP: fix response parsing and error handling memory leaks
- HTCP: Check for too-small packed and too-large unpacked fields
- HTTP: fix purging of entries by relative [Content-]Location URLs
- SNMP: Improve parsing of malformed ASN.1 object identifiers
- SNMP: Check for objid memory allocation failures
- SNMP: Fix ASN.1 encoding of long OIDs
- SNMP: Do not assert when debugging requests with long OIDs
- SNMP: Match Var allocation/deallocation methods
- digest_edirectory_auth: null-terminate NMAS values array
- digest_edirectory_auth: safely return password
- ext_ad_group_acl: Fix domain lookup error handling
- ext_edirectory_userip_acl: Redact password from stdout
- ext_file_userip_acl: harden lookups and memory handling
- ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
- ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
- ext_ldap_group_acl: avoid infinite loop on login containing '%s'
- negotiate_kerberos_auth: Properly align NDR data
- negotiate_sspi_auth: Do not exit on the first request
- ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
- text_backend: avoid memory leaks when reload/clearing
- Reduce UDS/segment name clashes across same-service instances
- Reject eui64 ACL addresses with trailing garbage
- Validate raw-IPv4 when parsing hostnames
- Avoid memory leaks when logging to MS Windows syslog
- Flip configure --enable-arch-native default
- Support no-digest X509 certificate keys like ML-DSA/EdDSA
- Do not allow client_ip_max_connections+1 connections
- Remove bundled smblib and librfcnb
- Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
- Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
- ... and several code cleanups
- ... and some documentation improvements
- CVE-2024-33427.patch: upstreamed, removing
-------------------------------------------------------------------
Thu Oct 23 13:33:41 UTC 2025 - Joel Baltazor <obs@mtlfab.com>
- Updated harden_squid.service.patch to include new startup sequence
local-fs.target
- Update to 6.14
- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5489: Fix "make check" linking on Solaris
- Fix SNMP cacheNumObjCount -- number of cached objects
- Do not duplicate received Surrogate-Capability in sent requests
- Fix Mem::Segment::open() stub to fix build without shm_open()
- ... and CI and documentation updates
- changes since squid-6.13
- Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
- Bug 5405: Large uploads fill request buffer and die
- Bug 5093: List http_port params that https_port/ftp_port lack
- Bug 5311: clarify configuration byte units
- Bug 5091: document that changes to workers require restart
- Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
- Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
- Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
- Clarify --enable-ecap failure on missing shared library support
- Fix syntax error in configure.ac
- Remove GNU'ism in release notes Makefile
- Annotate PoolMalloc memory in valgrind builds
- Fix systemd startup sequence to require active Local Filesystem
- Display Linux variant at ./configure time
- Refactor peerRefreshDNS() to clarify its (void*)1 logic
- Portability: remove explicit check for libdl
- ext_time_quota_acl: remove -l option
- ... and some documentation updates
- ... and some CI updates
-------------------------------------------------------------------
Mon Dec 9 13:01:22 UTC 2024 - Adam Majer <adam.majer@suse.de>

40
squid.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package squid
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,14 +24,14 @@
%define squidhelperdir %{_sbindir}
%endif
Name: squid
Version: 6.12
Version: 7.3
Release: 0
Summary: Caching and forwarding HTTP web proxy
License: GPL-2.0-or-later
Group: Productivity/Networking/Web/Proxy
URL: http://www.squid-cache.org
Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
Source0: https://github.com/squid-cache/squid/releases/download/SQUID_7_3/squid-7.3.tar.xz
Source1: https://github.com/squid-cache/squid/releases/download/SQUID_7_3/squid-7.3.tar.xz.asc
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
@@ -48,7 +48,6 @@ Source17: tmpfilesdir.squid.conf
Patch1: missing_installs.patch
Patch2: old_nettle_compat.patch
Patch3: harden_squid.service.patch
Patch4: CVE-2024-33427.patch
BuildRequires: cppunit-devel
BuildRequires: expat
BuildRequires: fdupes
@@ -105,7 +104,6 @@ accelerator.
%setup -q
cp %{SOURCE10} .
%patch -P 3 -p1
%patch -P 4 -p1
# upstream patches after RELEASE
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
@@ -152,11 +150,11 @@ export CXX=g++-11
--enable-underscores \
--enable-auth \
%if 0%{?suse_version} < 1599
--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
%else
--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
%endif
--enable-auth-ntlm="SMB_LM,fake" \
--enable-auth-ntlm="fake" \
--enable-auth-negotiate \
--enable-auth-digest \
--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group,time_quota \
@@ -170,8 +168,8 @@ export CXX=g++-11
--enable-security-cert-validators
#make -O SAMBAPREFIX=%{_prefix} %{?_smp_mflags}
mkdir src/icmp/tests
mkdir tools/squidclient/tests
mkdir tools/sysvinit/tests tools/tests
#mkdir tools/squidclient/tests
#mkdir tools/sysvinit/tests tools/tests
make %{?_smp_mflags}
%if 0%{?suse_version} >= 1500
%sysusers_generate_pre %{SOURCE12} squid
@@ -199,18 +197,6 @@ install -Dpm 644 %{SOURCE7} \
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
cat > doc/scripts/cachemgr.readme <<-EOT
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
cachemgr.cgi will now be found in %{squidhelperdir}
%else
cachemgr.cgi will now be found in %{_libdir}/%{name}
%endif
EOT
%if 0%{?suse_version} <= 1500 && 0%{?sle_version} < 150300
install -dpm 755 %{buildroot}/%{_libdir}/%{name}
mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
%endif
install -dpm 755 doc/contrib
install %{SOURCE6} doc/contrib
@@ -349,7 +335,6 @@ fi
%if 0%{?suse_version} >= 1500
%{_sysusersdir}/squid-user.conf
%endif
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) %{squidconfdir}/errorpage.css
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/%{name}
@@ -358,7 +343,6 @@ fi
%endif
%config(noreplace) %{squidconfdir}/mime.conf
%config(noreplace) %{squidconfdir}/%{name}.conf
%config %{squidconfdir}/cachemgr.conf.default
%config %{squidconfdir}/errorpage.css.default
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
@@ -375,8 +359,6 @@ fi
%{_datadir}/%{name}/mime.conf
%{_datadir}/%{name}/mime.conf.default
%{_datadir}/snmp/mibs/SQUID-MIB.txt
%{_bindir}/purge
%{_bindir}/squidclient
%{squidhelperdir}/basic_db_auth
%{squidhelperdir}/basic_fake_auth
%{squidhelperdir}/basic_getpwnam_auth
@@ -392,7 +374,6 @@ fi
%{squidhelperdir}/basic_sasl_auth
%{squidhelperdir}/basic_smb_auth
%{squidhelperdir}/basic_smb_auth.sh
%{squidhelperdir}/basic_smb_lm_auth
%{squidhelperdir}/cert_tool
%{squidhelperdir}/digest_file_auth
%{squidhelperdir}/digest_ldap_auth
@@ -411,7 +392,6 @@ fi
%{squidhelperdir}/negotiate_kerberos_auth_test
%{squidhelperdir}/negotiate_wrapper_auth
%{squidhelperdir}/ntlm_fake_auth
%{squidhelperdir}/ntlm_smb_lm_auth
%{squidhelperdir}/pinger
%{squidhelperdir}/security_fake_certverify
%{squidhelperdir}/security_file_certgen
@@ -425,10 +405,8 @@ fi
%{_sbindir}/rcsquid
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
%dir %{squidhelperdir}
%{squidhelperdir}/cachemgr.cgi
%else
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi
%endif
%changelog