Accepting request 1155563 from server:proxy

- update to 6.8
  - Fix marking of problematic cached IP addresses (#1691)
  - Bug 5344: mgr:config segfaults without logformat (#1680)
  - Fix infinite recursion when parsing HTTP chunks (#1553)
    (bsc#1216715, CVE-2024-25111)
- changes in 6.7
  - Bug 5337: workaround for crash on startup if -a option is used
  - Bug 5274: Successful tunnels logged as TCP_TUNNEL/500
  - Fix crash when NTLM and Negotiate helpers are queried with no HTTP request
  - Fix SslBump memory leak when mimicking certificates with Authority Key Identifier
  - Fix memory leak on SslBump certificates with Authority Key Identifier extension
  - Fix a possible integer overflow in FTP Gateway
  - Extend cache_log_message to Bug 5187 and job invalidation BUGs
  - Remove incorrect beta version warning
- squid.keyring: updated
- header_fixups.patch: added
- 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: don't throw on
  client errors

 - Fix handling of expanding HTTP header values (bsc#1219960, CVE-2024-25617)

OBS-URL: https://build.opensuse.org/request/show/1155563
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=120

9be86d8db5e8f40829374d26334d0bb5272c1afd.patch

@@ -0,0 +1,29 @@
+commit 9be86d8db5e8f40829374d26334d0bb5272c1afd
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Fri Mar 1 22:20:20 2024 +0000
+
+    Bug 5069: Keep listening after getsockname() error (#1713)
+    
+        ERROR: Stopped accepting connections:
+        error: getsockname() failed to locate local-IP on ...
+    
+    In many cases, these failures are intermittent client-triggered errors
+    (e.g., client shut down the accepted socket); Squid will successfully
+    accept other connections and, hence, should keep listening for them.
+
+diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
+index dcc52fbaa..aa082df4b 100644
+--- a/src/comm/TcpAcceptor.cc
++++ b/src/comm/TcpAcceptor.cc
+@@ -381,7 +381,10 @@ Comm::TcpAcceptor::acceptInto(Comm::ConnectionPointer &details)
+     if (getsockname(sock, gai->ai_addr, &gai->ai_addrlen) != 0) {
+         int xerrno = errno;
+         Ip::Address::FreeAddr(gai);
+-        throw TextException(ToSBuf("getsockname() failed to locate local-IP on ", details, ": ", xstrerr(xerrno)), Here());
++        debugs(50, DBG_IMPORTANT, "ERROR: Closing accepted TCP connection after failing to obtain its local IP address" <<
++               Debug::Extra << "accepted connection: " << details <<
++               Debug::Extra << "getsockname(2) error: " << xstrerr(xerrno));
++        return false;
+     }
+     details->local = *gai;
+     Ip::Address::FreeAddr(gai);

header_fixups.patch

@@ -0,0 +1,14 @@
+Index: squid-6.8/src/auth/basic/NIS/nis_support.h
+===================================================================
+--- squid-6.8.orig/src/auth/basic/NIS/nis_support.h
++++ squid-6.8/src/auth/basic/NIS/nis_support.h
+@@ -8,9 +8,6 @@
+ #ifndef SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
+ #define SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
+ 
+-#ifndef SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
+-#define SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H
+-
+ extern char * get_nis_password(char *user, char *nisdomain, char *nismap);
+ 
+ #endif /* SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H */

squid-6.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:55bd7f9f4898153161ea1228998acb551bf840832b9e5b90fc8ecd2942420318
-size 2554824

squid-6.6.tar.xz.asc

@@ -1,25 +0,0 @@
-File: squid-6.6.tar.xz
-Date: Thu 07 Dec 2023 04:03:46 UTC
-Size: 2554824
-MD5 : 5a41134ee1b7e75f62088acdec92d2ca
-SHA1: f05e06a9dd3bf7501d2844e43d9ae1bd00e9edcc
-Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
-            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmVxRCsACgkQzW2/jvOx
-fT5VtQ/+M+mhaGYCp9YBi1GG9vyQwkkIyngL3vPpz7UxZHAR+mzk29zwlgdDgwWA
-Zasaomg8S1Clq2dhNr7oo6RuZ7mKlhEeHba2WvL+1/VcBsPnazUwzYQiW7k9KxYe
-n1At62duit+YnswTNnj6HJRKKK0nKlPmJycL1AThh9Tj6oHTsWBCItnSZ5eUjGX0
-aKiMrkrHtq3qheWkVZPCJEFDs88ECDrJD7s9cpAhun+/0v+4ECE65uJ2bZHK4f/E
-TH5OIf8vltEB8sA/SSanMM/C+gZObET3TssrgHz92j0svMOlALLtitb0aHly21JV
-fEKB200Ngac2y6rq3xDNiznmMn+SeCNUsiDcdauCrsUHNW9S9FhOxeWXy/Z7JK4A
-mqVnnqvN9GFvv2EEC8J9lj+cwGOdaSW6L2aPVkub8Ij5O+e2Tg+uBm4ZC8vcACYz
-+1oo8YyvcfO9EmNRE0vpFTWH9Ux5ptgdvsIxv41QN40RUYN7FBbOgey59mP3uq2Q
-0g/b8lr1PnrwB74OrVGcXLwREFLXtkRC9vcdNjvdchCg60KlBNWEPSGJA2adS8HJ
-4AGyVpU8GCpV3q74rJxIG6FUffL85CfT+1HRmQhzYiGJDzy1AaUJmcelyS4e6cjn
-urAWH3mlAaPzj87OuaeZYGAZMWh/5iAarU+VHkZn6vI2Mvl9yMA=
-=oyMI
------END PGP SIGNATURE-----

squid-6.8.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:11cc5650b51809d99483ccfae24744a2e51cd16199f5ff0c917e84fce695870f
+size 2547796

squid-6.8.tar.xz.asc

@@ -0,0 +1,17 @@
+File: squid-6.8.tar.xz
+Date: Mon Mar  4 06:17:24 AM UTC 2024
+Size: 2547796
+MD5 : d84b0d0ee2b9c1bdb782cb5117a72913
+SHA1: f9092ab57ec1f49720a02589a452e3498c183867
+Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
+            29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865
+sub   cv25519 2021-05-15 [E]
+      keyring = http://www.squid-cache.org/pgp.asc
+      keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZeVnkQAKCRAo+FAp/vbo
+Zc5eAP96D2jk2kcOdMEo1GVpDXwEjZkavTPmYC6k9oKNwDjJ+QD+LH4um4EPsglW
+NedPryEIN/FCWwB5NLriVPwtVe0r7Aw=
+=/X4C
+-----END PGP SIGNATURE-----

squid.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Wed Mar  6 12:02:14 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- update to 6.8
+  - Fix marking of problematic cached IP addresses (#1691)
+  - Bug 5344: mgr:config segfaults without logformat (#1680)
+  - Fix infinite recursion when parsing HTTP chunks (#1553)
+    (bsc#1216715, CVE-2024-25111)
+
+- changes in 6.7
+  - Bug 5337: workaround for crash on startup if -a option is used
+  - Bug 5274: Successful tunnels logged as TCP_TUNNEL/500
+  - Fix crash when NTLM and Negotiate helpers are queried with no HTTP request
+  - Fix SslBump memory leak when mimicking certificates with Authority Key Identifier
+  - Fix memory leak on SslBump certificates with Authority Key Identifier extension
+  - Fix a possible integer overflow in FTP Gateway
+  - Extend cache_log_message to Bug 5187 and job invalidation BUGs
+  - Remove incorrect beta version warning
+
+- squid.keyring: updated
+- header_fixups.patch: added
+- 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: don't throw on
+  client errors
+
 -------------------------------------------------------------------
 Mon Feb 26 13:37:08 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 
@@ -21,7 +45,7 @@ Thu Dec 28 22:12:14 UTC 2023 - Sean Lewis <seanlew@opensuse.org>
 - changes in 6.5:
  - Bug 5309: frequent "lowestOffset () <= target_offset" assertion
  - Bug 4977: Remove mem_hdr::freeDataUpto() assertion
- - Fix handling of expanding HTTP header values
+ - Fix handling of expanding HTTP header values (bsc#1219960, CVE-2024-25617)
  - Fix RFC 1123 date parsing (bsc#1217813, CVE-2023-49285)
  - Gracefully shutdown when helper process startup fails (bsc#1217815, CVE-2023-49286)
 

squid.spec

@@ -24,7 +24,7 @@
 %define         squidhelperdir %{_sbindir}
 %endif
 Name:           squid
-Version:        6.6
+Version:        6.8
 Release:        0
 Summary:        Caching and forwarding HTTP web proxy
 License:        GPL-2.0-or-later
@@ -51,6 +51,8 @@ Source17:       tmpfilesdir.squid.conf
 Patch1:         missing_installs.patch
 Patch2:         old_nettle_compat.patch
 Patch3:         harden_squid.service.patch
+Patch4:         header_fixups.patch
+Patch5:         9be86d8db5e8f40829374d26334d0bb5272c1afd.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  expat
 BuildRequires:  fdupes
@@ -107,6 +109,8 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
 
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`