3 Commits

Author SHA256 Message Date
62523a7825 Accepting request 1316100 from server:proxy
Since version 6, some previously deprecated features have been removed:
 * Edge Side Includes (ESI)
 * access to the cache manager using the cache_object:// scheme - use http instead
 * the squidclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
 * the cachemgr.cgi tool
 * the purge tool - use the http PURGE method instead
 * Ident protocol support
 * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
  - Quit NTLM authenticate() on missing NTLM authorization header
  - Fix Auth::User::absorb() IP list transfer logic
  - Fix type mismatch in new/delete of addrinfo::ai_addr
  - Fix libntlmauth string parsing on big-endian machines
  - ... and some code cleanups
  - ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
  - Bug 3390: Proxy auth data visible to scripts
  - Bug 5504: Document that Squid discards invalid rewrite-url
  - Bug 5407: Support at least 1000 groups per Kerberos user
  - Fix parsing of malformed quoted squid.conf strings
  - Fix off-by-one in helper args count assertion
  - Fix UDP log module opening and closing code
  - Fix BodyPipe debugging in handleChunkedRequestBody()
  - Fix debugging of Eui48::lookup() problems
  - Fix memory leak when parsing deprecated %rG logformat code
  - Fix SQUID_YESNO 'syntax error near unexpected token'
  - DNS: fix RRPack memcpy
  - DNS: Do not leak RR data upon RR data unpacking errors
  - FTP: Avoid null dereferences when handling ftp_port traffic

OBS-URL: https://build.opensuse.org/request/show/1316100
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=124
2025-11-07 17:21:48 +00:00
9fb03d5777 Since version 6, some previously deprecated features have been removed:
* Edge Side Includes (ESI)
 * access to the cache manager using the cache_object:// scheme - use http instead
 * the squidclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
 * the cachemgr.cgi tool
 * the purge tool - use the http PURGE method instead
 * Ident protocol support
 * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
  - Quit NTLM authenticate() on missing NTLM authorization header
  - Fix Auth::User::absorb() IP list transfer logic
  - Fix type mismatch in new/delete of addrinfo::ai_addr
  - Fix libntlmauth string parsing on big-endian machines
  - ... and some code cleanups
  - ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
  - Bug 3390: Proxy auth data visible to scripts
  - Bug 5504: Document that Squid discards invalid rewrite-url
  - Bug 5407: Support at least 1000 groups per Kerberos user
  - Fix parsing of malformed quoted squid.conf strings
  - Fix off-by-one in helper args count assertion
  - Fix UDP log module opening and closing code
  - Fix BodyPipe debugging in handleChunkedRequestBody()
  - Fix debugging of Eui48::lookup() problems
  - Fix memory leak when parsing deprecated %rG logformat code
  - Fix SQUID_YESNO 'syntax error near unexpected token'
  - DNS: fix RRPack memcpy
  - DNS: Do not leak RR data upon RR data unpacking errors
  - FTP: Avoid null dereferences when handling ftp_port traffic

OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=304
2025-11-06 19:29:48 +00:00
d9af867924 - Updated harden_squid.service.patch to include new startup sequence
local-fs.target
- Update to 6.14
 - Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
 - Bug 5489: Fix "make check" linking on Solaris
 - Fix SNMP cacheNumObjCount -- number of cached objects
 - Do not duplicate received Surrogate-Capability in sent requests
 - Fix Mem::Segment::open() stub to fix build without shm_open()
 - ... and CI and documentation updates
 
- changes since squid-6.13
 - Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
 - Bug 5405: Large uploads fill request buffer and die
 - Bug 5093: List http_port params that https_port/ftp_port lack
 - Bug 5311: clarify configuration byte units
 - Bug 5091: document that changes to workers require restart
 - Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
 - Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
 - Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
 - Clarify --enable-ecap failure on missing shared library support
 - Fix syntax error in configure.ac
 - Remove GNU'ism in release notes Makefile
 - Annotate PoolMalloc memory in valgrind builds
 - Fix systemd startup sequence to require active Local Filesystem
 - Display Linux variant at ./configure time
 - Refactor peerRefreshDNS() to clarify its (void*)1 logic
 - Portability: remove explicit check for libdl
 - ext_time_quota_acl: remove -l option
 - ... and some documentation updates
 - ... and some CI updates

OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=303
2025-11-06 18:55:20 +00:00
10 changed files with 130 additions and 322 deletions

@@ -1,13 +0,0 @@
Index: squid-6.9/src/ConfigParser.cc
===================================================================
--- squid-6.9.orig/src/ConfigParser.cc
+++ squid-6.9/src/ConfigParser.cc
@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
*d = '\0';
// We are expecting a separator after quoted string, space or one of "()#"
- if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
+ if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
errorStr = "Expecting space after the end of quoted token";
errorPos = token;
}
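Review bot: Dropping this patch relies on 7.3 already testing `!errorStr` before it reads `*(s + 1)` in ConfigParser::UnQuote, and nothing in the change records that. The .changes entry only says "CVE-2024-33427.patch: upstreamed, removing"; naming the upstream release or commit that carries the reordered condition would let the next reviewer confirm the fix was not lost with the patch file.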

@@ -1,49 +0,0 @@
From 34d90168f4a6905b254c4158b2e0cb79e4e7c05b Mon Sep 17 00:00:00 2001
From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Fri, 29 Aug 2025 10:08:59 -0400
Subject: [PATCH] Support ASN.1 encoding of long SNMP OIDs
---
lib/snmplib/asn1.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
index 81f2051fbe7..2852c26b220 100644
--- a/lib/snmplib/asn1.c
+++ b/lib/snmplib/asn1.c
@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
* lastbyte ::= 0 7bitvalue
*/
u_char buf[MAX_OID_LEN];
+ u_char *bufEnd = buf + sizeof(buf);
u_char *bp = buf;
oid *op = objid;
int asnlength;
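Review bot: `bufEnd` is derived from `u_char buf[MAX_OID_LEN]`, so the limit is MAX_OID_LEN encoded bytes, not MAX_OID_LEN sub-identifiers. Sub-identifiers that take the multi-byte branch below use more than one byte each, so an OID with fewer than MAX_OID_LEN entries can now fail with SNMPERR_ASN_ENCODE. That is a safe outcome, but the subject line says "Support ASN.1 encoding of long SNMP OIDs"; either size `buf` for the worst case per sub-identifier or state in the description that over-long encodings are rejected.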
@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
while (objidlength-- > 0) {
subid = *op++;
if (subid < 127) { /* off by one? */
+ if (bp >= bufEnd) {
+ snmp_set_api_error(SNMPERR_ASN_ENCODE);
+ return (NULL);
+ }
*bp++ = subid;
} else {
mask = 0x7F; /* handle subid == 0 case */
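Review bot: The branch condition `if (subid < 127) { /* off by one? */` keeps its open question while the body under it is being changed. 127 fits in the seven value bits described by `lastbyte ::= 0 7bitvalue`, so either make the test `subid <= 127` or replace the comment with the reason 127 is sent through the multi-byte branch.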
@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
/* fix a mask that got truncated above */
if (mask == 0x1E00000)
mask = 0xFE00000;
+ if (bp >= bufEnd) {
+ snmp_set_api_error(SNMPERR_ASN_ENCODE);
+ return (NULL);
+ }
*bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
}
+ if (bp >= bufEnd) {
+ snmp_set_api_error(SNMPERR_ASN_ENCODE);
+ return (NULL);
+ }
*bp++ = (u_char) (subid & mask);
}
}
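Review bot: The same three-line `if (bp >= bufEnd)` check now sits before each of the three `*bp++` stores, which makes it easy to add a fourth store later without one. A small local helper or macro that checks the bound and appends the byte would keep the two together; a test that builds an OID filling `buf` exactly and one that needs one byte more would pin the boundary.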

@@ -1,200 +0,0 @@
ported from
commit e7e9073a2435cc93b913553d147b497fda77c1ab
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: Sat Oct 11 16:33:02 2025 +1300
Bug 3390: Proxy auth data visible to scripts (#2249)
Original changes to redact credentials from error page %R code
expansion output was incomplete. It missed the parse failure
case where ErrorState::request_hdrs raw buffer contained
sensitive information.
Also missed was the %W case where full request message headers
were generated in a mailto link. This case is especially
problematic as it may be delivered over insecure SMTP even if
the error was secured with HTTPS.
After this change:
* The HttpRequest message packing code for error pages is de-duplicated
and elides authentication headers for both %R and %W code outputs.
* The %R code output includes the CRLF request message terminator.
* The email_err_data directive causing advanced details to be added to
%W mailto links is disabled by default.
Also redact credentials from generated TRACE responses.
---------
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
Index: squid-6.12/src/HttpRequest.cc
===================================================================
--- squid-6.12.orig/src/HttpRequest.cc
+++ squid-6.12/src/HttpRequest.cc
@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
/* packs request-line and headers, appends <crlf> terminator */
void
-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * p, const bool maskSensitiveInfo) const
{
assert(p);
/* pack request-line */
@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
http_ver.major, http_ver.minor);
/* headers */
- header.packInto(p);
- /* trailer */
+ header.packInto(p, maskSensitiveInfo);
+ /* indicate the end of the header section */
p->append("\r\n", 2);
}
Index: squid-6.12/src/HttpRequest.h
===================================================================
--- squid-6.12.orig/src/HttpRequest.h
+++ squid-6.12/src/HttpRequest.h
@@ -206,7 +206,7 @@ public:
void swapOut(StoreEntry * e);
- void pack(Packable * p) const;
+ void pack(Packable * p, bool maskSensitiveInfo = false) const;
static void httpRequestPack(void *obj, Packable *p);
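Review bot: `bool maskSensitiveInfo = false` in the `pack()` declaration makes the unmasked form the default, so any caller that omits the argument emits authentication headers as they are. Since this change exists to stop that, consider dropping the default so every call site has to choose, or defaulting to `true` and making unmasked output the explicit case.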
Index: squid-6.12/src/cf.data.pre
===================================================================
--- squid-6.12.orig/src/cf.data.pre
+++ squid-6.12/src/cf.data.pre
@@ -8931,12 +8931,18 @@ NAME: email_err_data
COMMENT: on|off
TYPE: onoff
LOC: Config.onoff.emailErrData
-DEFAULT: on
+DEFAULT: off
DOC_START
If enabled, information about the occurred error will be
included in the mailto links of the ERR pages (if %W is set)
so that the email body contains the data.
Syntax is <A HREF="mailto:%w%W">%w</A>
+
+ SECURITY WARNING:
+ Request headers and other included facts may contain
+ sensitive information about transaction history, the
+ Squid instance, and its environment which would be
+ unavailable to error recipients otherwise.
DOC_END
NAME: deny_info
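Review bot: The `DEFAULT: on` to `DEFAULT: off` flip changes behaviour for every installation that never set email_err_data, and the DOC text does not say so. Add a sentence that the default changed and that %W mailto links carry no details unless the directive is enabled; the SECURITY WARNING could also name the mail-transport exposure that the commit message gives as the reason.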
Index: squid-6.12/src/client_side_reply.cc
===================================================================
--- squid-6.12.orig/src/client_side_reply.cc
+++ squid-6.12/src/client_side_reply.cc
@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(C
void
clientReplyContext::setReplyToError(
err_type err, Http::StatusCode status, char const *uri,
- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
+ const ConnStateData *conn, HttpRequest *failedrequest, const char *,
#if USE_AUTH
Auth::UserRequest::Pointer auth_user_request
#else
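Review bot: Replacing `const char *unparsedrequest` with an unnamed `const char *` in `setReplyToError()` leaves a parameter that callers still have to fill with raw request bytes that are now ignored. Remove the parameter and update the callers, or add a comment on the unnamed argument saying it is kept only for signature compatibility.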
@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
{
auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
- if (unparsedrequest)
- errstate->request_hdrs = xstrdup(unparsedrequest);
-
#if USE_AUTH
errstate->auth_user_request = auth_user_request;
#endif
@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
triggerInitialStoreRead();
http->storeEntry()->releaseRequest();
http->storeEntry()->buffer();
+ MemBuf content;
+ content.init();
+ http->request->pack(&content, true /* hide authorization data */);
const HttpReplyPointer rep(new HttpReply);
- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
+ rep->body.set(SBuf(content.buf, content.size));
http->storeEntry()->replaceHttpReply(rep);
- http->request->swapOut(http->storeEntry());
- http->storeEntry()->complete();
+ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
}
#define SENDING_BODY 0
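Review bot: In `traceReply()` the length passed to `setHeaders()` comes from `content.contentSize()` while the body is built from `content.size` in `SBuf(content.buf, content.size)`. Use one accessor for both so the declared length and the stored body cannot diverge.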
Index: squid-6.12/src/errorpage.cc
===================================================================
--- squid-6.12.orig/src/errorpage.cc
+++ squid-6.12/src/errorpage.cc
@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
{
safe_free(redirect_url);
safe_free(url);
- safe_free(request_hdrs);
wordlistDestroy(&ftp.server_msg);
safe_free(ftp.request);
safe_free(ftp.reply);
@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb)
SQUIDSBUFPRINT(request->url.path()),
AnyP::ProtocolType_str[request->http_ver.protocol],
request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&str);
+ request->header.packInto(&str, true);
}
str.append("\r\n", 2);
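Review bot: `request->header.packInto(&str, true);` in `ErrorState::Dump()` passes a bare `true`, and the request line above it is still formatted by hand although the commit message says the packing code is de-duplicated. Calling `request->pack(&str, true /* hide authorization data */)` here, as `compileLegacyCode()` does, would give one masking path; if the hand-written request line is needed because it prints the protocol name, say so in a comment.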
@@ -1111,17 +1110,9 @@ ErrorState::compileLegacyCode(Build &bui
} else
p = "[no request]";
break;
- }
- if (request) {
- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
- SQUIDSBUFPRINT(request->method.image()),
- SQUIDSBUFPRINT(request->url.path()),
- AnyP::ProtocolType_str[request->http_ver.protocol],
- request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&mb, true); //hide authorization data
- } else if (request_hdrs) {
- p = request_hdrs;
- } else {
+ } else if (request) {
+ request->pack(&mb, true /* hide authorization data */);
+ } else {
p = "[no request]";
}
break;
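Review bot: With the `else if (request_hdrs)` branch removed, a request that failed parsing and has no HttpRequest object now expands to "[no request]". That is the intended redaction, but it also removes the only request detail shown on parse errors; note the behaviour change in the release notes so that error page templates relying on %R for parse failures are reviewed.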
Index: squid-6.12/src/errorpage.h
===================================================================
--- squid-6.12.orig/src/errorpage.h
+++ squid-6.12/src/errorpage.h
@@ -194,7 +194,6 @@ public:
MemBuf *listing = nullptr;
} ftp;
- char *request_hdrs = nullptr;
char *err_msg = nullptr; /* Preformatted error message from the cache */
AccessLogEntryPointer ale; ///< transaction details (or nil)
Index: squid-6.12/src/tests/stub_HttpRequest.cc
===================================================================
--- squid-6.12.orig/src/tests/stub_HttpRequest.cc
+++ squid-6.12/src/tests/stub_HttpRequest.cc
@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const Ht
bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
int HttpRequest::prefixLen() const STUB_RETVAL(0)
void HttpRequest::swapOut(StoreEntry *) STUB
-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
void HttpRequest::httpRequestPack(void *, Packable *) STUB
HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)

@@ -3,7 +3,7 @@ Index: squid-6.2/tools/systemd/squid.service
--- squid-6.2.orig/tools/systemd/squid.service
+++ squid-6.2/tools/systemd/squid.service
@@ -11,6 +11,18 @@ Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target
After=local-fs.target network.target network-online.target nss-lookup.target
[Service]
+# added automatically, for details please see
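Review bot: The patch still addresses `squid-6.2/tools/systemd/squid.service` in its Index and ---/+++ lines although only the `After=` context was refreshed. It applies with -p1 regardless, but regenerating it against the current source tree keeps the paths and the `@@ -11,6 +11,18 @@` offsets accurate and avoids fuzz on the next update.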

Binary file not shown.

@@ -1,17 +0,0 @@
File: squid-6.12.tar.xz
Date: Fri Oct 11 08:30:43 PM UTC 2024
Size: 2548220
MD5 : 26a264b234e22e012ea531d4f5d43ed1
SHA1: 2885015423b66f0b87e2e3ed0dfd17f3f124d7e6
Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
sub cv25519 2021-05-15 [E]
keyring = http://www.squid-cache.org/pgp.asc
keyserver = pool.sks-keyservers.net
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZwmLBQAKCRAo+FAp/vbo
ZYYJAP9pMd7sF4qmLLMlHIu48KMKqGhJdkEEpZJbOvmXS4lpBQD/QzCU3cng78NN
orwehX0iYHf0lWvY8IjBV/9YEPi9iww=
=yaaw
-----END PGP SIGNATURE-----

squid-7.3.tar.xz Normal file
@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd
size 2441828

squid-7.3.tar.xz.asc Normal file
@@ -0,0 +1,18 @@
File : squid-7.3.tar.xz
Date : Tue, 28 Oct 2025 20:25:12 +0000
Size : 2441828
MD5 : 5a137c74c6bb74b2d29ab9fca37f7634
SHA1 : 135c4a5a3c2d57851f6c33256f6dc6f138e34805
SHA256 : dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd
Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
Fingerprint: 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
sub cv25519 2021-05-15 [E]
Keyring : http://www.squid-cache.org/pgp.asc
Keyserver: keyserver.ubuntu.com
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaQEnTQAKCRAo+FAp/vbo
ZQ+5AP9reExpcMwsaneD8pVVX+Ap/kgRYylbM5lVlxwHD/IVNgEA4EHpjuaHPVb6
YbJ97+HId+XiiCMAyjjkdgHWQxxjbQA=
=0ppx
-----END PGP SIGNATURE-----
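Review bot: The `Keyring : http://www.squid-cache.org/pgp.asc` line points at a key fetched over plain HTTP, so the signature only has value if the build checks it against a keyring pinned in the package. The SHA256 and Size here match the `oid sha256:` and `size` in the squid-7.3.tar.xz pointer file; the visible spec hunks list Source0 and Source1 but no keyring source, so confirm that fingerprint 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865 is what the package verifies against.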

@@ -1,12 +1,107 @@
-------------------------------------------------------------------
Thu Nov 6 15:07:07 UTC 2025 - Adam Majer <adam.majer@suse.de>
Thu Nov 6 18:56:27 UTC 2025 - Adam Majer <adam.majer@suse.de>
- CVE-2025-62168.patch: Proxy auth data visible to scripts (bsc#1252281, CVE-2025-62168)
Since version 6, some previously deprecated features have been removed:
* Edge Side Includes (ESI)
* access to the cache manager using the cache_object:// scheme - use http instead
* the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
* the cachemgr.cgi tool
* the purge tool - use the http PURGE method instead
* Ident protocol support
* basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
- Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
- Quit NTLM authenticate() on missing NTLM authorization header
- Fix Auth::User::absorb() IP list transfer logic
- Fix type mismatch in new/delete of addrinfo::ai_addr
- Fix libntlmauth string parsing on big-endian machines
- ... and some code cleanups
- ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
- Bug 3390: Proxy auth data visible to scripts
- Bug 5504: Document that Squid discards invalid rewrite-url
- Bug 5407: Support at least 1000 groups per Kerberos user
- Fix parsing of malformed quoted squid.conf strings
- Fix off-by-one in helper args count assertion
- Fix UDP log module opening and closing code
- Fix BodyPipe debugging in handleChunkedRequestBody()
- Fix debugging of Eui48::lookup() problems
- Fix memory leak when parsing deprecated %rG logformat code
- Fix SQUID_YESNO 'syntax error near unexpected token'
- DNS: fix RRPack memcpy
- DNS: Do not leak RR data upon RR data unpacking errors
- FTP: Avoid null dereferences when handling ftp_port traffic
- FTP: fix response parsing and error handling memory leaks
- HTCP: Check for too-small packed and too-large unpacked fields
- HTTP: fix purging of entries by relative [Content-]Location URLs
- SNMP: Improve parsing of malformed ASN.1 object identifiers
- SNMP: Check for objid memory allocation failures
- SNMP: Fix ASN.1 encoding of long OIDs
- SNMP: Do not assert when debugging requests with long OIDs
- SNMP: Match Var allocation/deallocation methods
- digest_edirectory_auth: null-terminate NMAS values array
- digest_edirectory_auth: safely return password
- ext_ad_group_acl: Fix domain lookup error handling
- ext_edirectory_userip_acl: Redact password from stdout
- ext_file_userip_acl: harden lookups and memory handling
- ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
- ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
- ext_ldap_group_acl: avoid infinite loop on login containing '%s'
- negotiate_kerberos_auth: Properly align NDR data
- negotiate_sspi_auth: Do not exit on the first request
- ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
- text_backend: avoid memory leaks when reload/clearing
- Reduce UDS/segment name clashes across same-service instances
- Reject eui64 ACL addresses with trailing garbage
- Validate raw-IPv4 when parsing hostnames
- Avoid memory leaks when logging to MS Windows syslog
- Flip configure --enable-arch-native default
- Support no-digest X509 certificate keys like ML-DSA/EdDSA
- Do not allow client_ip_max_connections+1 connections
- Remove bundled smblib and librfcnb
- Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
- Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
- ... and several code cleanups
- ... and some documentation improvements
- CVE-2024-33427.patch: upstreamed, removing
-------------------------------------------------------------------
Thu Oct 2 15:53:06 UTC 2025 - Adam Majer <adam.majer@suse.de>
Thu Oct 23 13:33:41 UTC 2025 - Joel Baltazor <obs@mtlfab.com>
- CVE-2025-59362.patch: Squid cache buffer overflow (bsc#1250627, CVE-2025-59362)
- Updated harden_squid.service.patch to include new startup sequence
local-fs.target
- Update to 6.14
- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5489: Fix "make check" linking on Solaris
- Fix SNMP cacheNumObjCount -- number of cached objects
- Do not duplicate received Surrogate-Capability in sent requests
- Fix Mem::Segment::open() stub to fix build without shm_open()
- ... and CI and documentation updates
- changes since squid-6.13
- Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
- Bug 5405: Large uploads fill request buffer and die
- Bug 5093: List http_port params that https_port/ftp_port lack
- Bug 5311: clarify configuration byte units
- Bug 5091: document that changes to workers require restart
- Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
- Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
- Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
- Clarify --enable-ecap failure on missing shared library support
- Fix syntax error in configure.ac
- Remove GNU'ism in release notes Makefile
- Annotate PoolMalloc memory in valgrind builds
- Fix systemd startup sequence to require active Local Filesystem
- Display Linux variant at ./configure time
- Refactor peerRefreshDNS() to clarify its (void*)1 logic
- Portability: remove explicit check for libdl
- ext_time_quota_acl: remove -l option
- ... and some documentation updates
- ... and some CI updates
-------------------------------------------------------------------
Mon Dec 9 13:01:22 UTC 2024 - Adam Majer <adam.majer@suse.de>
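Review bot: The 7.3 entry does not say that CVE-2025-59362.patch and CVE-2025-62168.patch are dropped; only "CVE-2024-33427.patch: upstreamed, removing" is recorded, although the spec removes Patch4, Patch5 and Patch6. List all three, and if the old "CVE-2025-59362.patch: Squid cache buffer overflow (bsc#1250627, CVE-2025-59362)" line goes away with this change, carry its bsc and CVE references over to the "SNMP: Fix ASN.1 encoding of long OIDs" item so the fix stays traceable. "squdclient" in the removed-features list should read "squidclient".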

@@ -1,7 +1,7 @@
#
# spec file for package squid
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,14 +24,14 @@
%define squidhelperdir %{_sbindir}
%endif
Name: squid
Version: 6.12
Version: 7.3
Release: 0
Summary: Caching and forwarding HTTP web proxy
License: GPL-2.0-or-later
Group: Productivity/Networking/Web/Proxy
URL: http://www.squid-cache.org
Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
Source0: https://github.com/squid-cache/squid/releases/download/SQUID_7_3/squid-7.3.tar.xz
Source1: https://github.com/squid-cache/squid/releases/download/SQUID_7_3/squid-7.3.tar.xz.asc
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
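Review bot: `Source0` and `Source1` hard-code `SQUID_7_3/squid-7.3.tar.xz` next to `Version: 7.3`, so the next update has to change the version in three places and a missed one fetches the wrong tarball or signature. Derive the file name from %{version}, as the old `squid-%{version}.tar.xz` lines did, and build the release tag from it with a small macro that turns the dot into an underscore.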
@@ -48,9 +48,6 @@ Source17: tmpfilesdir.squid.conf
Patch1: missing_installs.patch
Patch2: old_nettle_compat.patch
Patch3: harden_squid.service.patch
Patch4: CVE-2024-33427.patch
Patch5: CVE-2025-59362.patch
Patch6: CVE-2025-62168.patch
BuildRequires: cppunit-devel
BuildRequires: expat
BuildRequires: fdupes
@@ -107,9 +104,6 @@ accelerator.
%setup -q
cp %{SOURCE10} .
%patch -P 3 -p1
%patch -P 4 -p1
%patch -P 5 -p1
%patch -P 6 -p1
# upstream patches after RELEASE
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
@@ -156,11 +150,11 @@ export CXX=g++-11
--enable-underscores \
--enable-auth \
%if 0%{?suse_version} < 1599
--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
%else
--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
%endif
--enable-auth-ntlm="SMB_LM,fake" \
--enable-auth-ntlm="fake" \
--enable-auth-negotiate \
--enable-auth-digest \
--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group,time_quota \
@@ -174,8 +168,8 @@ export CXX=g++-11
--enable-security-cert-validators
#make -O SAMBAPREFIX=%{_prefix} %{?_smp_mflags}
mkdir src/icmp/tests
mkdir tools/squidclient/tests
mkdir tools/sysvinit/tests tools/tests
#mkdir tools/squidclient/tests
#mkdir tools/sysvinit/tests tools/tests
make %{?_smp_mflags}
%if 0%{?suse_version} >= 1500
%sysusers_generate_pre %{SOURCE12} squid
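Review bot: The `mkdir tools/squidclient/tests` and `mkdir tools/sysvinit/tests tools/tests` lines are commented out rather than removed, next to the already commented `#make -O SAMBAPREFIX=...` line. If 7.3 no longer needs these directories, delete the lines; if the build still needs some of them, keep those and say why, so dead commands do not accumulate in the build section.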
@@ -203,18 +197,6 @@ install -Dpm 644 %{SOURCE7} \
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
cat > doc/scripts/cachemgr.readme <<-EOT
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
cachemgr.cgi will now be found in %{squidhelperdir}
%else
cachemgr.cgi will now be found in %{_libdir}/%{name}
%endif
EOT
%if 0%{?suse_version} <= 1500 && 0%{?sle_version} < 150300
install -dpm 755 %{buildroot}/%{_libdir}/%{name}
mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
%endif
install -dpm 755 doc/contrib
install %{SOURCE6} doc/contrib
@@ -353,7 +335,6 @@ fi
%if 0%{?suse_version} >= 1500
%{_sysusersdir}/squid-user.conf
%endif
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) %{squidconfdir}/errorpage.css
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/%{name}
@@ -362,7 +343,6 @@ fi
%endif
%config(noreplace) %{squidconfdir}/mime.conf
%config(noreplace) %{squidconfdir}/%{name}.conf
%config %{squidconfdir}/cachemgr.conf.default
%config %{squidconfdir}/errorpage.css.default
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
@@ -379,8 +359,6 @@ fi
%{_datadir}/%{name}/mime.conf
%{_datadir}/%{name}/mime.conf.default
%{_datadir}/snmp/mibs/SQUID-MIB.txt
%{_bindir}/purge
%{_bindir}/squidclient
%{squidhelperdir}/basic_db_auth
%{squidhelperdir}/basic_fake_auth
%{squidhelperdir}/basic_getpwnam_auth
@@ -396,7 +374,6 @@ fi
%{squidhelperdir}/basic_sasl_auth
%{squidhelperdir}/basic_smb_auth
%{squidhelperdir}/basic_smb_auth.sh
%{squidhelperdir}/basic_smb_lm_auth
%{squidhelperdir}/cert_tool
%{squidhelperdir}/digest_file_auth
%{squidhelperdir}/digest_ldap_auth
@@ -415,7 +392,6 @@ fi
%{squidhelperdir}/negotiate_kerberos_auth_test
%{squidhelperdir}/negotiate_wrapper_auth
%{squidhelperdir}/ntlm_fake_auth
%{squidhelperdir}/ntlm_smb_lm_auth
%{squidhelperdir}/pinger
%{squidhelperdir}/security_fake_certverify
%{squidhelperdir}/security_file_certgen
@@ -429,10 +405,8 @@ fi
%{_sbindir}/rcsquid
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
%dir %{squidhelperdir}
%{squidhelperdir}/cachemgr.cgi
%else
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi
%endif
%changelog