Accepting request 1316100 from server:proxy

Since version 6, some previously deprecated features have been removed:
 * Edge Side Includes (ESI)
 * access to the cache manager using the cache_object:// scheme - use http instead
 * the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
 * the cachemgr.cgi tool
 * the purge tool - use the http PURGE method instead
 * Ident protocol support
 * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
- Update to 7.3
  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
  - Quit NTLM authenticate() on missing NTLM authorization header
  - Fix Auth::User::absorb() IP list transfer logic
  - Fix type mismatch in new/delete of addrinfo::ai_addr
  - Fix libntlmauth string parsing on big-endian machines
  - ... and some code cleanups
  - ... and some CI improvements
- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
  - Bug 3390: Proxy auth data visible to scripts
  - Bug 5504: Document that Squid discards invalid rewrite-url
  - Bug 5407: Support at least 1000 groups per Kerberos user
  - Fix parsing of malformed quoted squid.conf strings
  - Fix off-by-one in helper args count assertion
  - Fix UDP log module opening and closing code
  - Fix BodyPipe debugging in handleChunkedRequestBody()
  - Fix debugging of Eui48::lookup() problems
  - Fix memory leak when parsing deprecated %rG logformat code
  - Fix SQUID_YESNO 'syntax error near unexpected token'
  - DNS: fix RRPack memcpy
  - DNS: Do not leak RR data upon RR data unpacking errors
  - FTP: Avoid null dereferences when handling ftp_port traffic

OBS-URL: https://build.opensuse.org/request/show/1316100
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=124

CVE-2024-33427.patch

@@ -1,13 +0,0 @@
-Index: squid-6.9/src/ConfigParser.cc
-===================================================================
---- squid-6.9.orig/src/ConfigParser.cc
-+++ squid-6.9/src/ConfigParser.cc
-@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
-     *d = '\0';
- 
-     // We are expecting a separator after quoted string, space or one of "()#"
--    if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
-+    if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
-         errorStr = "Expecting space after the end of quoted token";
-         errorPos = token;
-     }

harden_squid.service.patch

@@ -3,7 +3,7 @@ Index: squid-6.2/tools/systemd/squid.service
 --- squid-6.2.orig/tools/systemd/squid.service
 +++ squid-6.2/tools/systemd/squid.service
 @@ -11,6 +11,18 @@ Documentation=man:squid(8)
- After=network.target network-online.target nss-lookup.target
+ After=local-fs.target network.target network-online.target nss-lookup.target
  
  [Service]
 +# added automatically, for details please see

squid-6.10.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0b07b187e723f04770dd25beb89aec12030a158696aa8892d87c8b26853408a7
-size 2558208

squid-6.10.tar.xz.asc

@@ -1,17 +0,0 @@
-File: squid-6.10.tar.xz
-Date: Sat Jun  8 02:53:29 PM UTC 2024
-Size: 2558208
-MD5 : 86deefa7282c4388be95260aa4d4cf6a
-SHA1: 70e90865df0e4e9ba7765b622da40bda9bb8fc5d
-Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
-            29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865
-sub   cv25519 2021-05-15 [E]
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZmRwewAKCRAo+FAp/vbo
-ZZV0AP0WDdXJFarEEYCSXSv/zT1l0FrI8jLQCT3Rsp6nTbWxfwD/VYmUMDetPLPJ
-GYHJNrRm7OceMQcsqhQIz6X71SR9AQs=
-=4HPC
------END PGP SIGNATURE-----

squid-7.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd
+size 2441828

squid-7.3.tar.xz.asc

@@ -0,0 +1,18 @@
+File     : squid-7.3.tar.xz
+Date     : Tue, 28 Oct 2025 20:25:12 +0000
+Size     : 2441828
+MD5      : 5a137c74c6bb74b2d29ab9fca37f7634
+SHA1     : 135c4a5a3c2d57851f6c33256f6dc6f138e34805
+SHA256   : dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd
+Key      : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
+Fingerprint:       29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865
+sub   cv25519 2021-05-15 [E]
+Keyring  : http://www.squid-cache.org/pgp.asc
+Keyserver: keyserver.ubuntu.com
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaQEnTQAKCRAo+FAp/vbo
+ZQ+5AP9reExpcMwsaneD8pVVX+Ap/kgRYylbM5lVlxwHD/IVNgEA4EHpjuaHPVb6
+YbJ97+HId+XiiCMAyjjkdgHWQxxjbQA=
+=0ppx
+-----END PGP SIGNATURE-----

squid.changes

@@ -1,3 +1,125 @@
+-------------------------------------------------------------------
+Thu Nov  6 18:56:27 UTC 2025 - Adam Majer <adam.majer@suse.de>
+
+Since version 6, some previously deprecated features have been removed:
+ * Edge Side Includes (ESI)
+ * access to the cache manager using the cache_object:// scheme - use http instead
+ * the squdclient tool - use curl http://<squid-address>/squid-internal-mgr/menu instead
+ * the cachemgr.cgi tool
+ * the purge tool - use the http PURGE method instead
+ * Ident protocol support
+ * basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's ntlm_auth instead
+
+- Update to 7.3
+  - Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
+  - Quit NTLM authenticate() on missing NTLM authorization header
+  - Fix Auth::User::absorb() IP list transfer logic
+  - Fix type mismatch in new/delete of addrinfo::ai_addr
+  - Fix libntlmauth string parsing on big-endian machines
+  - ... and some code cleanups
+  - ... and some CI improvements
+
+- changes since squid 6.14 (bsc#1252281, CVE-2025-62168)
+  - Bug 3390: Proxy auth data visible to scripts
+  - Bug 5504: Document that Squid discards invalid rewrite-url
+  - Bug 5407: Support at least 1000 groups per Kerberos user
+  - Fix parsing of malformed quoted squid.conf strings
+  - Fix off-by-one in helper args count assertion
+  - Fix UDP log module opening and closing code
+  - Fix BodyPipe debugging in handleChunkedRequestBody()
+  - Fix debugging of Eui48::lookup() problems
+  - Fix memory leak when parsing deprecated %rG logformat code
+  - Fix SQUID_YESNO 'syntax error near unexpected token'
+  - DNS: fix RRPack memcpy
+  - DNS: Do not leak RR data upon RR data unpacking errors
+  - FTP: Avoid null dereferences when handling ftp_port traffic
+  - FTP: fix response parsing and error handling memory leaks
+  - HTCP: Check for too-small packed and too-large unpacked fields
+  - HTTP: fix purging of entries by relative [Content-]Location URLs
+  - SNMP: Improve parsing of malformed ASN.1 object identifiers
+  - SNMP: Check for objid memory allocation failures
+  - SNMP: Fix ASN.1 encoding of long OIDs
+  - SNMP: Do not assert when debugging requests with long OIDs
+  - SNMP: Match Var allocation/deallocation methods
+  - digest_edirectory_auth: null-terminate NMAS values array
+  - digest_edirectory_auth: safely return password
+  - ext_ad_group_acl: Fix domain lookup error handling
+  - ext_edirectory_userip_acl: Redact password from stdout
+  - ext_file_userip_acl: harden lookups and memory handling
+  - ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
+  - ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
+  - ext_ldap_group_acl: avoid infinite loop on login containing '%s'
+  - negotiate_kerberos_auth: Properly align NDR data
+  - negotiate_sspi_auth: Do not exit on the first request
+  - ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
+  - text_backend: avoid memory leaks when reload/clearing
+  - Reduce UDS/segment name clashes across same-service instances
+  - Reject eui64 ACL addresses with trailing garbage
+  - Validate raw-IPv4 when parsing hostnames
+  - Avoid memory leaks when logging to MS Windows syslog
+  - Flip configure --enable-arch-native default
+  - Support no-digest X509 certificate keys like ML-DSA/EdDSA
+  - Do not allow client_ip_max_connections+1 connections
+  - Remove bundled smblib and librfcnb
+  - Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
+  - Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
+  - ... and several code cleanups
+  - ... and some documentation improvements
+
+- CVE-2024-33427.patch: upstreamed, removing
+
+-------------------------------------------------------------------
+Thu Oct 23 13:33:41 UTC 2025 - Joel Baltazor <obs@mtlfab.com>
+
+- Updated harden_squid.service.patch to include new startup sequence
+  local-fs.target
+
+- Update to 6.14
+ - Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
+ - Bug 5489: Fix "make check" linking on Solaris
+ - Fix SNMP cacheNumObjCount -- number of cached objects
+ - Do not duplicate received Surrogate-Capability in sent requests
+ - Fix Mem::Segment::open() stub to fix build without shm_open()
+ - ... and CI and documentation updates
+ 
+- changes since squid-6.13
+ - Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
+ - Bug 5405: Large uploads fill request buffer and die
+ - Bug 5093: List http_port params that https_port/ftp_port lack
+ - Bug 5311: clarify configuration byte units
+ - Bug 5091: document that changes to workers require restart
+ - Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
+ - Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
+ - Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
+ - Clarify --enable-ecap failure on missing shared library support
+ - Fix syntax error in configure.ac
+ - Remove GNU'ism in release notes Makefile
+ - Annotate PoolMalloc memory in valgrind builds
+ - Fix systemd startup sequence to require active Local Filesystem
+ - Display Linux variant at ./configure time
+ - Refactor peerRefreshDNS() to clarify its (void*)1 logic
+ - Portability: remove explicit check for libdl
+ - ext_time_quota_acl: remove -l option
+ - ... and some documentation updates
+ - ... and some CI updates
+
+-------------------------------------------------------------------
+Mon Dec  9 13:01:22 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- Update to 6.12
+  - Fix validation of Digest auth header parameters
+
+- changes since squid-6.11:
+  - Fix Kerberos detection when cross-compiling
+  - Improve robustness of DNS code on reconfigure
+  - Prevent slow memory leak in TCP DNS queries
+  - Improve errors emitted when invalid ACLs are parsed
+
+-------------------------------------------------------------------
+Mon Nov 25 11:31:27 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- Disble ESI. The code is removed upstream in 7.x (bsc#1232485, CVE-2024-45802)
+
 -------------------------------------------------------------------
 Thu Jun 27 07:00:50 UTC 2024 - Adam Majer <adam.majer@suse.de>
 

squid.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package squid
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,14 +24,14 @@
 %define         squidhelperdir %{_sbindir}
 %endif
 Name:           squid
-Version:        6.10
+Version:        7.3
 Release:        0
 Summary:        Caching and forwarding HTTP web proxy
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Web/Proxy
 URL:            http://www.squid-cache.org
-Source0:        http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
-Source1:        http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
+Source0:        https://github.com/squid-cache/squid/releases/download/SQUID_7_3/squid-7.3.tar.xz
+Source1:        https://github.com/squid-cache/squid/releases/download/SQUID_7_3/squid-7.3.tar.xz.asc
 Source5:        pam.squid
 Source6:        unsquid.pl
 Source7:        %{name}.logrotate
@@ -48,7 +48,6 @@ Source17:       tmpfilesdir.squid.conf
 Patch1:         missing_installs.patch
 Patch2:         old_nettle_compat.patch
 Patch3:         harden_squid.service.patch
-Patch4:         CVE-2024-33427.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  expat
 BuildRequires:  fdupes
@@ -105,7 +104,6 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
-%patch -P 4 -p1
 
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
@@ -138,7 +136,6 @@ export CXX=g++-11
 	--enable-removal-policies=heap,lru \
 	--enable-icmp \
 	--enable-delay-pools \
-	--enable-esi \
 	--enable-icap-client \
 	--enable-useragent-log \
 	--enable-referer-log \
@@ -153,11 +150,11 @@ export CXX=g++-11
 	--enable-underscores \
 	--enable-auth \
 %if 0%{?suse_version} < 1599
-	--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
+	--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
 %else
-        --enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
+        --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
 %endif
-	--enable-auth-ntlm="SMB_LM,fake" \
+	--enable-auth-ntlm="fake" \
 	--enable-auth-negotiate \
 	--enable-auth-digest \
 	--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group,time_quota \
@@ -171,8 +168,8 @@ export CXX=g++-11
 	--enable-security-cert-validators
 #make -O SAMBAPREFIX=%{_prefix} %{?_smp_mflags}
 mkdir src/icmp/tests
-mkdir tools/squidclient/tests
-mkdir tools/sysvinit/tests tools/tests
+#mkdir tools/squidclient/tests
+#mkdir tools/sysvinit/tests tools/tests
 make %{?_smp_mflags}
 %if 0%{?suse_version} >= 1500
 %sysusers_generate_pre %{SOURCE12} squid
@@ -200,18 +197,6 @@ install -Dpm 644 %{SOURCE7} \
 
 install -d -m 755 doc/scripts
 install scripts/*.pl doc/scripts
-cat > doc/scripts/cachemgr.readme <<-EOT
-%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
-	cachemgr.cgi will now be found in %{squidhelperdir}
-%else
-	cachemgr.cgi will now be found in %{_libdir}/%{name}
-%endif
-EOT
-
-%if 0%{?suse_version} <= 1500 && 0%{?sle_version} < 150300
-install -dpm 755 %{buildroot}/%{_libdir}/%{name}
-mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
-%endif
 
 install -dpm 755 doc/contrib
 install %{SOURCE6} doc/contrib
@@ -350,7 +335,6 @@ fi
 %if 0%{?suse_version} >= 1500
 %{_sysusersdir}/squid-user.conf
 %endif
-%config(noreplace) %{squidconfdir}/cachemgr.conf
 %config(noreplace) %{squidconfdir}/errorpage.css
 %if 0%{?suse_version} > 1500
 %{_distconfdir}/logrotate.d/%{name}
@@ -359,7 +343,6 @@ fi
 %endif
 %config(noreplace) %{squidconfdir}/mime.conf
 %config(noreplace) %{squidconfdir}/%{name}.conf
-%config %{squidconfdir}/cachemgr.conf.default
 %config %{squidconfdir}/errorpage.css.default
 %config %{squidconfdir}/%{name}.conf.default
 %config %{squidconfdir}/%{name}.conf.documented
@@ -376,8 +359,6 @@ fi
 %{_datadir}/%{name}/mime.conf
 %{_datadir}/%{name}/mime.conf.default
 %{_datadir}/snmp/mibs/SQUID-MIB.txt
-%{_bindir}/purge
-%{_bindir}/squidclient
 %{squidhelperdir}/basic_db_auth
 %{squidhelperdir}/basic_fake_auth
 %{squidhelperdir}/basic_getpwnam_auth
@@ -393,7 +374,6 @@ fi
 %{squidhelperdir}/basic_sasl_auth
 %{squidhelperdir}/basic_smb_auth
 %{squidhelperdir}/basic_smb_auth.sh
-%{squidhelperdir}/basic_smb_lm_auth
 %{squidhelperdir}/cert_tool
 %{squidhelperdir}/digest_file_auth
 %{squidhelperdir}/digest_ldap_auth
@@ -412,7 +392,6 @@ fi
 %{squidhelperdir}/negotiate_kerberos_auth_test
 %{squidhelperdir}/negotiate_wrapper_auth
 %{squidhelperdir}/ntlm_fake_auth
-%{squidhelperdir}/ntlm_smb_lm_auth
 %{squidhelperdir}/pinger
 %{squidhelperdir}/security_fake_certverify
 %{squidhelperdir}/security_file_certgen
@@ -426,10 +405,8 @@ fi
 %{_sbindir}/rcsquid
 %if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
 %dir %{squidhelperdir}
-%{squidhelperdir}/cachemgr.cgi
 %else
 %dir %{_libdir}/%{name}
-%{_libdir}/%{name}/cachemgr.cgi
 %endif
 
 %changelog