From 5fc2c3b43cfb2f153bad68eb741d05773db18878 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Fri, 12 Feb 2021 04:22:45 +0100 Subject: [PATCH 01/61] new version 5.0.5 --- sources | 4 +- squid-3.0.STABLE1-perlpath.patch | 2 +- squid-4.0.21-large-acl.patch | 178 ------------------------------- squid-5.0.5-build-errors.patch | 116 ++++++++++++++++++++ squid-gcc11.patch | 24 ----- squid.spec | 26 +++-- 6 files changed, 135 insertions(+), 215 deletions(-) delete mode 100644 squid-4.0.21-large-acl.patch create mode 100644 squid-5.0.5-build-errors.patch delete mode 100644 squid-gcc11.patch diff --git a/sources b/sources index b026e38..cf080d9 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-4.13.tar.xz) = 06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc -SHA512 (squid-4.13.tar.xz.asc) = be1265376927dcb3c96ea0c8c1b0f1d6bd7e3deb0fdd38ff80030c31f53f77345a8b8564c6b8cc79d7449aa361d4bdf1ba10d02f5f08af245ee35b484977b93a +SHA512 (squid-5.0.5.tar.xz) = e0f816296d9d32fc97b98249dde077b321651dac70c212fe8eb9566003ce04f13a83665e387531e06bffbab1ec21277e3e0549a16caee426b6a749e18bf77991 +SHA512 (squid-5.0.5.tar.xz.asc) = ca1b170bef9cca5afe1108e8a439282f3a19bea48d2dba42847acd1cf039d38ccc8c714e27fc9e49fe9e3027963f64e9ab19e6a358e6e038c78f85cc77657a3b SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index 087469d..9cb5e81 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch @@ -6,5 +6,5 @@ index 4cb0480..4b89910 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2020 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors # * 
diff --git a/squid-4.0.21-large-acl.patch b/squid-4.0.21-large-acl.patch deleted file mode 100644 index 8aacf38..0000000 --- a/squid-4.0.21-large-acl.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc -index 01a4c12..b5c1679 100644 ---- a/src/acl/RegexData.cc -+++ b/src/acl/RegexData.cc -@@ -22,6 +22,7 @@ - #include "ConfigParser.h" - #include "Debug.h" - #include "sbuf/List.h" -+#include "sbuf/Algorithms.h" - - ACLRegexData::~ACLRegexData() - { -@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags) - return true; - } - -+static bool -+compileRE(std::list &curlist, const SBufList &RE, int flags) -+{ -+ if (RE.empty()) -+ return curlist.empty(); // XXX: old code did this. It looks wrong. -+ SBuf regexp; -+ static const SBuf openparen("("), closeparen(")"), separator(")|("); -+ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen, -+ closeparen); -+ return compileRE(curlist, regexp.c_str(), flags); -+} -+ - /** Compose and compile one large RE from a set of (small) REs. - * The ultimate goal is to have only one RE per ACL so that match() is - * called only once per ACL. -@@ -137,16 +150,11 @@ static int - compileOptimisedREs(std::list &curlist, const SBufList &sl) - { - std::list newlist; -- int numREs = 0; -+ SBufList accumulatedRE; -+ int numREs = 0, reSize = 0; - int flags = REG_EXTENDED | REG_NOSUB; -- int largeREindex = 0; -- char largeRE[BUFSIZ]; -- *largeRE = 0; - - for (const SBuf & configurationLineWord : sl) { -- int RElen; -- RElen = configurationLineWord.length(); -- - static const SBuf minus_i("-i"); - static const SBuf plus_i("+i"); - if (configurationLineWord == minus_i) { -@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) - debugs(28, 2, "optimisation of -i ... 
-i" ); - } else { - debugs(28, 2, "-i" ); -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - flags |= REG_ICASE; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - } - } else if (configurationLineWord == plus_i) { - if ((flags & REG_ICASE) == 0) { -@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) - debugs(28, 2, "optimisation of +i ... +i"); - } else { - debugs(28, 2, "+i"); -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - flags &= ~REG_ICASE; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - } -- } else if (RElen + largeREindex + 3 < BUFSIZ-1) { -+ } else if (reSize < 1024) { - debugs(28, 2, "adding RE '" << configurationLineWord << "'"); -- if (largeREindex > 0) { -- largeRE[largeREindex] = '|'; -- ++largeREindex; -- } -- largeRE[largeREindex] = '('; -- ++largeREindex; -- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex); -- largeREindex += configurationLineWord.length(); -- largeRE[largeREindex] = ')'; -- ++largeREindex; -- largeRE[largeREindex] = '\0'; -+ accumulatedRE.push_back(configurationLineWord); - ++numREs; -+ reSize += configurationLineWord.length(); - } else { - debugs(28, 2, "buffer full, generating new optimised RE..." 
); -- if (!compileRE(newlist, largeRE, flags)) -+ accumulatedRE.push_back(configurationLineWord); -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - continue; /* do the loop again to add the RE to largeRE */ - } - } - -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - -+ accumulatedRE.clear(); -+ reSize = 0; -+ - /* all was successful, so put the new list at the tail */ - curlist.splice(curlist.end(), newlist); - -diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h -index 21ee889..338e9c0 100644 ---- a/src/sbuf/Algorithms.h -+++ b/src/sbuf/Algorithms.h -@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator) - return rv; - } - -+/** Join container of SBufs and append to supplied target -+ * -+ * append to the target SBuf all elements in the [begin,end) range from -+ * an iterable container, prefixed by prefix, separated by separator and -+ * followed by suffix. 
Prefix and suffix are added also in case of empty -+ * iterable -+ * -+ * \return the modified dest -+ */ -+template -+SBuf& -+JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin, -+ const ContainerIterator &end, const SBuf& separator, -+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) -+{ -+ if (begin == end) { -+ dest.append(prefix).append(suffix); -+ return dest; -+ } -+ -+ // optimization: pre-calculate needed storage -+ const SBuf::size_type totalContainerSize = -+ std::accumulate(begin, end, 0, SBufAddLength(separator)) + -+ dest.length() + prefix.length() + suffix.length(); -+ SBufReservationRequirements req; -+ req.minSpace = totalContainerSize; -+ dest.reserve(req); -+ -+ auto i = begin; -+ dest.append(prefix); -+ dest.append(*i); -+ ++i; -+ for (; i != end; ++i) -+ dest.append(separator).append(*i); -+ dest.append(suffix); -+ return dest; -+} -+ -+ -+/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf -+template -+SBuf -+JoinContainerToSBuf(const ContainerIterator &begin, -+ const ContainerIterator &end, const SBuf& separator, -+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) -+{ -+ SBuf rv; -+ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix); -+} -+ -+ - namespace std { - /// default hash functor to support std::unordered_map - template <> diff --git a/squid-5.0.5-build-errors.patch b/squid-5.0.5-build-errors.patch new file mode 100644 index 0000000..4293d67 --- /dev/null +++ b/squid-5.0.5-build-errors.patch 
@@ -0,0 +1,116 @@ +diff --git a/src/Makefile.am b/src/Makefile.am +index 81403a7..5e2a493 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -2477,6 +2477,7 @@ tests_testHttpRequest_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testHttpRequest_LDFLAGS = $(LIBADD_DL) +@@ -2781,6 +2782,7 @@ tests_testCacheManager_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testCacheManager_LDFLAGS = $(LIBADD_DL) +@@ -3101,6 +3103,7 @@ tests_testEvent_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testEvent_LDFLAGS = $(LIBADD_DL) +@@ -3339,6 +3342,7 @@ tests_testEventLoop_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testEventLoop_LDFLAGS = $(LIBADD_DL) +diff --git a/src/Makefile.in b/src/Makefile.in +index fda6de6..4e047cc 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -4581,6 +4581,7 @@ tests_test_http_range_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -4972,6 +4973,7 @@ tests_testHttpRequest_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -5274,6 +5276,7 @@ tests_testCacheManager_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -5593,6 +5596,7 @@ tests_testEvent_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -5832,6 +5836,7 @@ tests_testEventLoop_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +diff --git a/src/proxyp/Parser.cc b/src/proxyp/Parser.cc +index 328d207..2f358a7 100644 +--- 
a/src/proxyp/Parser.cc ++++ b/src/proxyp/Parser.cc +@@ -15,6 +15,7 @@ + #include "sbuf/Stream.h" + + #include ++#include + + #if HAVE_SYS_SOCKET_H + #include +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc +index e114ed8..22bce84 100644 +--- a/src/security/ServerOptions.cc ++++ b/src/security/ServerOptions.cc +@@ -18,6 +18,7 @@ + #if USE_OPENSSL + #include "compat/openssl.h" + #include "ssl/support.h" ++#include + + #if HAVE_OPENSSL_ERR_H + #include +diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc +index 1fdae0c..213cf39 100644 +--- a/src/acl/ConnMark.cc ++++ b/src/acl/ConnMark.cc +@@ -15,6 +15,7 @@ + #include "Debug.h" + #include "http/Stream.h" + #include "sbuf/Stream.h" ++#include + + bool + Acl::ConnMark::empty() const diff --git a/squid-gcc11.patch b/squid-gcc11.patch deleted file mode 100644 index c87ade5..0000000 --- a/squid-gcc11.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc -index 1fdae0c..213cf39 100644 ---- a/src/acl/ConnMark.cc -+++ b/src/acl/ConnMark.cc -@@ -15,6 +15,7 @@ - #include "Debug.h" - #include "http/Stream.h" - #include "sbuf/Stream.h" -+#include - - bool - Acl::ConnMark::empty() const -diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc -index 5cd81ab..3f73892 100644 ---- a/src/security/ServerOptions.cc -+++ b/src/security/ServerOptions.cc -@@ -6,6 +6,7 @@ - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -+#include - #include "squid.h" - #include "anyp/PortCfg.h" - #include "base/Packable.h" diff --git a/squid.spec b/squid.spec index 140ad3f..8267755 100644 --- a/squid.spec +++ b/squid.spec 
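Review bot: In the `src/security/ServerOptions.cc` hunk of the new squid-5.0.5-build-errors.patch, the added `#include` sits inside the `#if USE_OPENSSL` block, whereas the removed squid-gcc11.patch placed it at the top of the file before `squid.h`. If the declaration it provides is also needed by code compiled without OpenSSL, that configuration would hit the same build error again; placing the include outside the conditional avoids that. The patch also hand-edits the generated `src/Makefile.in` alongside `src/Makefile.am`, so the two lists of `$(SYSTEMD_LIBS)` additions have to be kept in step on every rebase. A short comment next to `Patch205` in the spec saying so would help the next maintainer.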
@@ -1,16 +1,16 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 4.13 -Release: 3%{?dist} +Version: 5.0.5 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc +Source0: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig @@ -32,8 +32,7 @@ Patch201: squid-4.0.11-config.patch Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch -Patch205: squid-4.0.21-large-acl.patch -Patch206: squid-gcc11.patch +Patch205: squid-5.0.5-build-errors.patch # cache_swap.sh Requires: bash gawk @@ -52,8 +51,8 @@ BuildRequires: pam-devel BuildRequires: openssl-devel # squid_kerb_aut requires Kerberos development libs BuildRequires: krb5-devel -# time_quota requires DB -BuildRequires: libdb-devel +# time_quota requires TrivialDB +BuildRequires: libtdb-devel # ESI support requires Expat & libxml2 BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat @@ -103,8 +102,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch202 -p1 -b .location %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards -%patch205 -p1 -b .large_acl -%patch206 -p1 -b .gcc11 +%patch205 -p1 -b .build-errors # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation 
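Review bot: The rewritten `Source0` and `Source1` lines in the first hunk still point at plain `http://www.squid-cache.org/Versions/v5/...`, and the unchanged `Source2` key URL is `http://` as well. The SHA512 entries in `sources` pin what the lookaside cache serves, but a maintainer fetching a new release from these URLs receives the tarball, its detached signature and the signing key over an unauthenticated channel. Consider `https://` for all three (assuming the site serves the same paths over TLS), and, if %prep does not already do so outside this hunk, check Source1 against Source2 with `%{gpgverify}` before `%setup`.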
@@ -162,6 +160,11 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --disable-strict-error-checking \ --with-swapdir=%{_localstatedir}/spool/squid +# workaround to build squid v5 +mkdir -p src/icmp/tests +mkdir -p tools/squidclient/tests +mkdir -p tools/tests + %make_build %check @@ -300,6 +303,9 @@ fi %changelog +* Wed Feb 10 2021 Lubos Uhliarik - 7:5.0.5-1 +- new version 5.0.5 + * Wed Jan 27 2021 Fedora Release Engineering - 7:4.13-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From c0914fb70e161c1d9a540c9a6a484bbb44c0e435 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 2 Mar 2021 16:12:16 +0100 Subject: [PATCH 02/61] Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. --- squid.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8267755..fd92e86 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -303,6 +303,10 @@ fi %changelog +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 7:5.0.5-2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + * Wed Feb 10 2021 Lubos Uhliarik - 7:5.0.5-1 - new version 5.0.5 From c1eca09b2428a6d0241e00f99c1b7a0b7f7da342 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Mon, 8 Mar 2021 13:25:55 +0100 Subject: [PATCH 03/61] new version 5.0.5 --- squid.spec | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index fd92e86..7747c55 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
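Review bot: The comment `# workaround to build squid v5` above the three added `mkdir -p` lines does not say what fails without them or when they can be removed. Since later version bumps in this series keep the lines, a more specific comment would make the cleanup decision possible, for example `# squid 5.0.5: make expects these tests/ directories to exist; drop once fixed upstream (<upstream bug link>)`, adjusted to the actual failure. The enclosing %build section starts and ends outside the hunk.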
@@ -225,6 +225,7 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented # remove unpackaged files from the buildroot rm -f $RPM_BUILD_ROOT/squid.httpd.tmp + %files %license COPYING %doc CONTRIBUTORS README ChangeLog QUICKSTART src/squid.conf.documented @@ -285,6 +286,36 @@ done exit 0 +%pretrans -p +-- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5 +-- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +-- Define the path to the symlink being replaced below. +path = "/usr/share/squid/errors/es-mx" +st = posix.stat(path) +if st and st.type == "link" then + os.remove(path) +end + +-- Due to a bug #447156 +paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} +for key,path in ipairs(paths) +do + st = posix.stat(path) + if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end + end +end + + + %post %systemd_post squid.service @@ -303,6 +334,9 @@ fi %changelog +* Fri Mar 05 2021 Lubos Uhliarik - 7:5.0.5-3 +- Resolves: #1934919 - squid update attempts fail with file conflicts + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 7:5.0.5-2 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. From 3f98a4414b8b7a825d846e8987b9af59526b0bc9 Mon Sep 17 00:00:00 2001 From: Iveta Cesalova Date: Tue, 9 Mar 2021 10:51:40 +0100 Subject: [PATCH 04/61] add fmf plan --- plans/all.fmf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 plans/all.fmf diff --git a/plans/all.fmf b/plans/all.fmf new file mode 100644 index 0000000..cdfc481 --- /dev/null +++ b/plans/all.fmf 
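Review bot: The `while not status do` loop in the added %pretrans scriptlet has no upper bound. It ends only when `os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)` succeeds, so a failure that is not "target already exists" (a read-only filesystem, or a `.rpmmoved` source that cannot be moved) leaves the transaction spinning as root. Bound the loop, e.g. `while not status and suffix < 100 do`, and check the result of the final `os.rename(path, path .. ".rpmmoved")` so that a failed move is reported rather than silently leaving the directory in place. `path`, `st`, `status` and `suffix` are also assigned as globals; declaring them `local` keeps them scoped to this scriptlet.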
@@ -0,0 +1,6 @@
+summary: Test plan with all beakerlib tests
+discover:
+ how: fmf
+ url: https://src.fedoraproject.org/tests/squid.git
+execute:
+ how: tmt
From e841b1b13912e32632fed18180b4d939f3fb0844 Mon Sep 17 00:00:00 2001
From: Iveta Cesalova
Date: Tue, 9 Mar 2021 11:17:15 +0100
Subject: [PATCH 05/61] fmf metadata added
---
 .fmf/version | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 .fmf/version
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..e69de29
From 606d4437da26076eefdf39530653c8cb0b5fd61d Mon Sep 17 00:00:00 2001
From: Iveta Cesalova
Date: Tue, 9 Mar 2021 16:37:11 +0100
Subject: [PATCH 06/61] fix version
---
 .fmf/version | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.fmf/version b/.fmf/version
index e69de29..d00491f 100644
--- a/.fmf/version
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
From fc2d4c0be126a5b9da59ca7caa79b0e0102ddbf1 Mon Sep 17 00:00:00 2001
From: Lubos Uhliarik
Date: Fri, 23 Apr 2021 14:21:07 +0200
Subject: [PATCH 07/61] Related: #1934919 - squid update attempts fail with file conflicts
---
 squid-5.0.5-symlink-lang-err.patch | 80 ++++++++++++++++++++++++++++++
 squid.spec | 22 +++++---
 2 files changed, 96 insertions(+), 6 deletions(-)
 create mode 100644 squid-5.0.5-symlink-lang-err.patch
diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch
new file mode 100644
index 0000000..29b5e2c
--- /dev/null
+++ b/squid-5.0.5-symlink-lang-err.patch
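Review bot: The `discover` step in the new plans/all.fmf pulls tests from `https://src.fedoraproject.org/tests/squid.git` without a `ref`, so every run executes whatever the default branch of that repository holds at that moment. If reproducible gating matters for this branch, pin it with a `ref:` key under `discover` (a branch matching the release, or a commit). If tracking the default branch is intentional, a one-line comment in the plan saying so would make that explicit.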
@@ -0,0 +1,80 @@ +From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Sun, 18 Oct 2020 20:23:10 +1300 +Subject: [PATCH] Update translations integration + +* Add credits for es-mx translation moderator +* Use es-mx for default of all Spanish (Central America) texts +* Update translation related .am files +--- + doc/manuals/language.am | 2 +- + errors/TRANSLATORS | 1 + + errors/aliases | 3 ++- + errors/language.am | 3 ++- + errors/template.am | 2 +- + 5 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/doc/manuals/language.am b/doc/manuals/language.am +index 7670c88380c..f03c4cf71b4 100644 +--- a/doc/manuals/language.am ++++ b/doc/manuals/language.am +@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \ + oc.lang \ + pt.lang \ + ro.lang \ +- ru.lang ++ ru.lang +diff --git a/errors/TRANSLATORS b/errors/TRANSLATORS +index e29bf707678..6ee2df637ad 100644 +--- a/errors/TRANSLATORS ++++ b/errors/TRANSLATORS +@@ -21,6 +21,7 @@ and ideas to make Squid available as multi-langual software. 
+ George Machitidze + Henrik Nordström + Ivan Masár ++ Javier Pacheco + John 'Profic' Ustiuzhanin + Leandro Cesar Nardini Frasson + liuyongbing +diff --git a/errors/aliases b/errors/aliases +index 36f17f4b80f..cf0116f297d 100644 +--- a/errors/aliases ++++ b/errors/aliases +@@ -14,7 +14,8 @@ da da-dk + de de-at de-ch de-de de-li de-lu + el el-gr + en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw +-es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl ++es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq ++es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv + et et-ee + fa fa-fa fa-ir + fi fi-fi +diff --git a/errors/language.am b/errors/language.am +index 12b1b2b3b43..029e8c1eb2f 100644 +--- a/errors/language.am ++++ b/errors/language.am +@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \ + de.lang \ + el.lang \ + en.lang \ ++ es-mx.lang \ + es.lang \ + et.lang \ + fa.lang \ +@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \ + uz.lang \ + vi.lang \ + zh-hans.lang \ +- zh-hant.lang ++ zh-hant.lang +diff --git a/errors/template.am b/errors/template.am +index 6c12781e6f4..715c65aa22b 100644 +--- a/errors/template.am ++++ b/errors/template.am +@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \ + templates/ERR_UNSUP_REQ \ + templates/ERR_URN_RESOLVE \ + templates/ERR_WRITE_ERROR \ +- templates/ERR_ZERO_SIZE_OBJECT ++ templates/ERR_ZERO_SIZE_OBJECT diff --git a/squid.spec b/squid.spec index 7747c55..261681b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -33,6 +33,9 @@ Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch Patch205: squid-5.0.5-build-errors.patch +# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 +# workaround for #1934919 +Patch206: squid-5.0.5-symlink-lang-err.patch # cache_swap.sh Requires: bash gawk @@ -103,6 +106,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -b .build-errors +%patch206 -p1 -R -b .symlink-lang-err # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -287,14 +291,17 @@ done exit 0 %pretrans -p +-- temporarilly commented until https://bugzilla.redhat.com/show_bug.cgi?id=1936422 is resolved +-- -- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5 -- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ -- Define the path to the symlink being replaced below. -path = "/usr/share/squid/errors/es-mx" -st = posix.stat(path) -if st and st.type == "link" then - os.remove(path) -end +-- +-- path = "/usr/share/squid/errors/es-mx" +-- st = posix.stat(path) +-- if st and st.type == "link" then +-- os.remove(path) +-- end -- Due to a bug #447156 paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} @@ -334,6 +341,9 @@ fi %changelog +* Fri Apr 23 2021 Lubos Uhliarik - 7:5.0.5-4 +- Related: #1934919 - squid update attempts fail with file conflicts + * Fri Mar 05 2021 Lubos Uhliarik - 7:5.0.5-3 - Resolves: #1934919 - squid update attempts fail with file conflicts From 7836ba99c11169208960592771012b99c5f67ec0 Mon Sep 17 00:00:00 2001 
From: Lubos Uhliarik Date: Mon, 17 May 2021 16:52:49 +0200 Subject: [PATCH 08/61] new version 5.0.6 --- sources | 4 ++-- squid.spec | 13 +++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/sources b/sources index cf080d9..95161c1 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.0.5.tar.xz) = e0f816296d9d32fc97b98249dde077b321651dac70c212fe8eb9566003ce04f13a83665e387531e06bffbab1ec21277e3e0549a16caee426b6a749e18bf77991 -SHA512 (squid-5.0.5.tar.xz.asc) = ca1b170bef9cca5afe1108e8a439282f3a19bea48d2dba42847acd1cf039d38ccc8c714e27fc9e49fe9e3027963f64e9ab19e6a358e6e038c78f85cc77657a3b +SHA512 (squid-5.0.6.tar.xz) = 97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e +SHA512 (squid-5.0.6.tar.xz.asc) = 5caafb63926356813a0409f3c6a303c70e938f71cdd4cbc8bbbbbbb4a858b1aa91d59edcca4b63e1452ca95c18da46963c43b9e8f63f2e459342e447a02f2107 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 261681b..0d69483 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.0.5 -Release: 4%{?dist} +Version: 5.0.6 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -32,10 +32,9 @@ Patch201: squid-4.0.11-config.patch Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch -Patch205: squid-5.0.5-build-errors.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 -Patch206: squid-5.0.5-symlink-lang-err.patch +Patch205: squid-5.0.5-symlink-lang-err.patch # cache_swap.sh Requires: bash gawk 
@@ -105,8 +104,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch202 -p1 -b .location %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards -%patch205 -p1 -b .build-errors -%patch206 -p1 -R -b .symlink-lang-err +%patch205 -p1 -R -b .symlink-lang-err # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -341,6 +339,9 @@ fi %changelog +* Mon May 17 2021 Lubos Uhliarik - 7:5.0.6-1 +- new version 5.0.6 + * Fri Apr 23 2021 Lubos Uhliarik - 7:5.0.5-4 - Related: #1934919 - squid update attempts fail with file conflicts From c2c7db535e9b6eead38c019c800a5ea8d06b8f4e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 18:11:38 +0000 Subject: [PATCH 09/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 0d69483..85dc517 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -339,6 +339,9 @@ fi %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 7:5.0.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Mon May 17 2021 Lubos Uhliarik - 7:5.0.6-1 - new version 5.0.6 From f7fef10385c1ddb7e100cb988e428389661d4e00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 5 Aug 2021 17:00:09 +0200 Subject: [PATCH 10/61] new version 5.1 --- sources | 4 ++-- squid.spec | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/sources b/sources index 95161c1..cadf4d7 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-5.0.6.tar.xz) = 97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e -SHA512 (squid-5.0.6.tar.xz.asc) = 5caafb63926356813a0409f3c6a303c70e938f71cdd4cbc8bbbbbbb4a858b1aa91d59edcca4b63e1452ca95c18da46963c43b9e8f63f2e459342e447a02f2107 +SHA512 (squid-5.1.tar.xz) = 55792ab268e360132336f074b1e674a11931bf2f89745775aa047d85bfc4fd7bd9c97e9d1358a46e599def1173fefa4f1886dd3f0ba35e6c80da5241cf5bf581 +SHA512 (squid-5.1.tar.xz.asc) = cb1b7ca9a29ccecc7bdf39433f448a8e6022ae3610110653c16e57c642bd8c415ad4ad78c8d6e09a93ebb4787725b6ea147a865dcb27f840dd7af0af61195f07 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 85dc517..b7b89fa 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.0.6 -Release: 2%{?dist} +Version: 5.1 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -339,6 +339,9 @@ fi %changelog +* Thu Aug 05 2021 Luboš Uhliarik - 7:5.1-1 +- new version 5.1 + * Fri Jul 23 2021 Fedora Release Engineering - 7:5.0.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From 1f442bae8a43380cbb7760764738a75599596711 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:15:33 +0200 Subject: [PATCH 11/61] Rebuilt with OpenSSL 3.0.0 --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index b7b89fa..dec81a3 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -339,6 +339,9 @@ fi %changelog +* Tue Sep 14 2021 Sahana Prasad - 7:5.1-2 +- Rebuilt with OpenSSL 3.0.0 + * Thu Aug 05 2021 Luboš Uhliarik - 7:5.1-1 - new version 5.1 From c5a28774577b32ddc6267f5b1e01c595a3e968d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:08:18 +0200 Subject: [PATCH 12/61] new version 5.2 (#2010109) Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol --- sources | 4 ++-- squid.spec | 17 ++++++++++++----- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/sources b/sources index cadf4d7..0f57160 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.1.tar.xz) = 55792ab268e360132336f074b1e674a11931bf2f89745775aa047d85bfc4fd7bd9c97e9d1358a46e599def1173fefa4f1886dd3f0ba35e6c80da5241cf5bf581 -SHA512 (squid-5.1.tar.xz.asc) = cb1b7ca9a29ccecc7bdf39433f448a8e6022ae3610110653c16e57c642bd8c415ad4ad78c8d6e09a93ebb4787725b6ea147a865dcb27f840dd7af0af61195f07 +SHA512 (squid-5.2.tar.xz) = 0e5d57baf50a9a35ac4b28fee86d736311c7736ee460de8a7e739534aa4b24f8697836797c33da5c4899763672275af03ffabf4f811c7b833ba569e977c1a7e5 +SHA512 (squid-5.2.tar.xz.asc) = 0af0c51186b0533fd2670b62111438ca5d8de33343996fd254129ad1bf96ff8c0f9dfeeaefa1426bcd9802ae0b5503785cdfe7c1dc185224a2234d4fcf8c67b3 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index dec81a3..02c62df 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.1 -Release: 2%{?dist} +Version: 5.2 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -35,6 +35,10 @@ Patch204: squid-3.5.9-include-guards.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch205: squid-5.0.5-symlink-lang-err.patch +# fix openssl3 build failures +Patch206: squid-5.2-openssl3.patch +# fix -lto build failure +Patch207: squid-5.2-test-store-cppsuite.patch # cache_swap.sh Requires: bash gawk @@ -105,15 +109,14 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -R -b .symlink-lang-err +%patch206 -p1 -b .openssl3 +%patch207 -p1 -b .flto # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in %build -# This package fails its testsuite when LTO is enabled. This needs further -# investigation -%define _lto_cflags %{nil} # NIS helper has been removed because of the following bug # https://bugzilla.redhat.com/show_bug.cgi?id=1531540 @@ -339,6 +342,10 @@ fi %changelog +* Tue Oct 05 2021 Luboš Uhliarik - 7:5.2-1 +- new version 5.2 (#2010109) +- Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol + * Tue Sep 14 2021 Sahana Prasad - 7:5.1-2 - Rebuilt with OpenSSL 3.0.0 From ed2947e56b61a1b40f01474d534664fb0be25dc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:20:38 +0200 Subject: [PATCH 13/61] Add missing patch file fixing openssl3 build. --- squid-5.2-openssl3.patch | 185 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 squid-5.2-openssl3.patch diff --git a/squid-5.2-openssl3.patch b/squid-5.2-openssl3.patch new file mode 100644 index 0000000..32ff6ee --- /dev/null +++ b/squid-5.2-openssl3.patch 
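Review bot: `Patch206: squid-5.2-openssl3.patch` and `Patch207: squid-5.2-test-store-cppsuite.patch` are referenced in this hunk, but the commit's diffstat touches only `sources` and `squid.spec`, so the package cannot be built from the tree at this commit. The next patch in the series adds the openssl3 file; the cppsuite file is not visible on this page. The same commit removes `%define _lto_cflags %{nil}` on the strength of Patch207 (`# fix -lto build failure`, applied with `-b .flto`), so LTO is re-enabled by a patch that is not present here. Adding both patch files in the same commit as the spec change keeps each commit buildable and bisectable.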
@@ -0,0 +1,185 @@ +diff --git a/src/ssl/support.cc b/src/ssl/support.cc +index 3ad135d..73912ce 100644 +--- a/src/ssl/support.cc ++++ b/src/ssl/support.cc +@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) + } + + // "dup" function for SSL_get_ex_new_index("cert_err_check") +-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP ++#if OPENSSL_VERSION_MAJOR >= 3 ++static int ++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, ++ int, long, void *) ++#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP + static int + ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, + int, long, void *) +diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc +index cf1d4ba..4346ba5 100644 +--- a/src/security/PeerOptions.cc ++++ b/src/security/PeerOptions.cc +@@ -297,130 +297,130 @@ static struct ssl_option { + + } ssl_options[] = { + +-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ++#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + { + "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ++#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + { + "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + }, + #endif +-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ++#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + { + "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + }, + #endif +-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG ++#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + { + "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG + }, + #endif +-#if SSL_OP_TLS_D5_BUG ++#ifdef SSL_OP_TLS_D5_BUG + { + "TLS_D5_BUG", SSL_OP_TLS_D5_BUG + }, + #endif +-#if SSL_OP_TLS_BLOCK_PADDING_BUG ++#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + { + "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG + }, + #endif +-#if SSL_OP_TLS_ROLLBACK_BUG ++#ifdef SSL_OP_TLS_ROLLBACK_BUG + { + "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG + }, + #endif +-#if SSL_OP_ALL ++#ifdef SSL_OP_ALL + { + 
"ALL", (long)SSL_OP_ALL + }, + #endif +-#if SSL_OP_SINGLE_DH_USE ++#ifdef SSL_OP_SINGLE_DH_USE + { + "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE + }, + #endif +-#if SSL_OP_EPHEMERAL_RSA ++#ifdef SSL_OP_EPHEMERAL_RSA + { + "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA + }, + #endif +-#if SSL_OP_PKCS1_CHECK_1 ++#ifdef SSL_OP_PKCS1_CHECK_1 + { + "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 + }, + #endif +-#if SSL_OP_PKCS1_CHECK_2 ++#ifdef SSL_OP_PKCS1_CHECK_2 + { + "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 + }, + #endif +-#if SSL_OP_NETSCAPE_CA_DN_BUG ++#ifdef SSL_OP_NETSCAPE_CA_DN_BUG + { + "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG + }, + #endif +-#if SSL_OP_NON_EXPORT_FIRST ++#ifdef SSL_OP_NON_EXPORT_FIRST + { + "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST + }, + #endif +-#if SSL_OP_CIPHER_SERVER_PREFERENCE ++#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + { + "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE + }, + #endif +-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ++#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + { + "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_NO_SSLv3 ++#ifdef SSL_OP_NO_SSLv3 + { + "NO_SSLv3", SSL_OP_NO_SSLv3 + }, + #endif +-#if SSL_OP_NO_TLSv1 ++#ifdef SSL_OP_NO_TLSv1 + { + "NO_TLSv1", SSL_OP_NO_TLSv1 + }, + #else + { "NO_TLSv1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_1 ++#ifdef SSL_OP_NO_TLSv1_1 + { + "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 + }, + #else + { "NO_TLSv1_1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_2 ++#ifdef SSL_OP_NO_TLSv1_2 + { + "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 + }, + #else + { "NO_TLSv1_2", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_3 ++#ifdef SSL_OP_NO_TLSv1_3 + { + "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 + }, + #else + { "NO_TLSv1_3", 0 }, + #endif +-#if SSL_OP_NO_COMPRESSION ++#ifdef SSL_OP_NO_COMPRESSION + { + "No_Compression", SSL_OP_NO_COMPRESSION + }, + #endif +-#if SSL_OP_NO_TICKET ++#ifdef SSL_OP_NO_TICKET + { + "NO_TICKET", SSL_OP_NO_TICKET + }, + #endif +-#if SSL_OP_SINGLE_ECDH_USE ++#ifdef 
SSL_OP_SINGLE_ECDH_USE + { + "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE + }, +@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() + + } + +-#if SSL_OP_NO_SSLv2 ++#ifdef SSL_OP_NO_SSLv2 + // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 + op = op | SSL_OP_NO_SSLv2; + #endif From d1a0600227fdb02763656a5b93b6875ac30cc8b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:28:35 +0200 Subject: [PATCH 14/61] CI: Add gating.yaml file --- gating.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 gating.yaml diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..0c1cc35 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,7 @@ +--- !Policy +product_versions: + - fedora-* +decision_contexts: [bodhi_update_push_stable] +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} From 16f685d837dd97bca2dbc0295eaa400fec9c110c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:44:36 +0200 Subject: [PATCH 15/61] Add another missing patch... --- squid-5.2-test-store-cppsuite.patch | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 squid-5.2-test-store-cppsuite.patch diff --git a/squid-5.2-test-store-cppsuite.patch b/squid-5.2-test-store-cppsuite.patch new file mode 100644 index 0000000..d7c52be --- /dev/null +++ b/squid-5.2-test-store-cppsuite.patch 
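Review bot: Switching every `#if SSL_OP_*` guard in `ssl_options[]` to `#ifdef` changes which entries are compiled in: a macro that the OpenSSL headers define as 0 was skipped by `#if` and now yields a table entry whose value is 0. Recent OpenSSL releases define several of the legacy flags listed here that way, so an option name in the configuration can be accepted while setting nothing, which is easy to mistake for an active hardening setting. A comment above the table would make that explicit, e.g. `// #ifdef, not #if: OpenSSL 3 defines SSL_OP_* with casts the preprocessor cannot evaluate; zero-valued legacy flags are accepted as no-ops`. In the `ssl_dupAclChecklist` hunk, `#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3` would avoid relying on an undefined macro evaluating to 0 with older OpenSSL headers. The table and `parseOptions()` continue outside the nested hunks.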
@@ -0,0 +1,24 @@ +diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc +index 0564380..fcd60b9 100644 +--- a/src/tests/testStoreHashIndex.cc ++++ b/src/tests/testStoreHashIndex.cc +@@ -102,6 +102,8 @@ void commonInit() + if (inited) + return; + ++ inited = true; ++ + Mem::Init(); + + Config.Store.avgObjectSize = 1024; +@@ -109,6 +111,10 @@ void commonInit() + Config.Store.objectsPerBucket = 20; + + Config.Store.maxObjectSize = 2048; ++ ++ Config.memShared.defaultTo(false); ++ ++ Config.store_dir_select_algorithm = xstrdup("round-robin"); + } + + /* TODO make this a cbdata class */ From b6515114b288c559b053a7c52552a027be1a92c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Branislav=20N=C3=A1ter?= Date: Wed, 10 Nov 2021 14:18:37 +0100 Subject: [PATCH 16/61] Adding 'testing' decision context --- gating.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/gating.yaml b/gating.yaml index 0c1cc35..d2f0c2e 100644 --- a/gating.yaml +++ b/gating.yaml @@ -1,4 +1,13 @@ --- !Policy +product_versions: + - fedora-* +decision_contexts: [bodhi_update_push_testing] +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + +#gating rawhide +--- !Policy product_versions: - fedora-* decision_contexts: [bodhi_update_push_stable] From 7628dce7d8930e752d6288c15811e6d340f30911 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jan 2022 01:34:00 +0000 Subject: [PATCH 17/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 02c62df..f3a41f0 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -342,6 +342,9 @@ fi %changelog +* Sat Jan 22 2022 Fedora Release Engineering - 7:5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Tue Oct 05 2021 Luboš Uhliarik - 7:5.2-1 - new version 5.2 (#2010109) - Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol From 1cd94f5079ab808de5003d36ecf0fc46b7aacc0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 9 Feb 2022 03:10:23 +0100 Subject: [PATCH 18/61] new version 5.4 --- sources | 4 ++-- squid-3.0.STABLE1-perlpath.patch | 2 +- squid-5.0.5-symlink-lang-err.patch | 12 ------------ squid.spec | 7 +++++-- 4 files changed, 8 insertions(+), 17 deletions(-) diff --git a/sources b/sources index 0f57160..273cc3a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.2.tar.xz) = 0e5d57baf50a9a35ac4b28fee86d736311c7736ee460de8a7e739534aa4b24f8697836797c33da5c4899763672275af03ffabf4f811c7b833ba569e977c1a7e5 -SHA512 (squid-5.2.tar.xz.asc) = 0af0c51186b0533fd2670b62111438ca5d8de33343996fd254129ad1bf96ff8c0f9dfeeaefa1426bcd9802ae0b5503785cdfe7c1dc185224a2234d4fcf8c67b3 +SHA512 (squid-5.4.tar.xz) = db0a4de8cd21199c12fad95c53b622f1334994f831f950a7f8d7383d1ea3c931545912faa03ca955bb736eebb89493c0b195f0aede1fecc54f28f6dfc11fe8af +SHA512 (squid-5.4.tar.xz.asc) = bc3a6eee5e7b11b619f1181458908fe728cf9a5a12f045238098b360c577ac70f914cefff6db3a8f1b28dea65b1fa70c0f6f122c0e12ada01630a1970f8f34c4 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index 9cb5e81..d927e43 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch 
@@ -6,5 +6,5 @@ index 4cb0480..4b89910 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors # * diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch index 29b5e2c..45d6fe9 100644 --- a/squid-5.0.5-symlink-lang-err.patch +++ b/squid-5.0.5-symlink-lang-err.patch @@ -24,18 +24,6 @@ index 7670c88380c..f03c4cf71b4 100644 ro.lang \ - ru.lang + ru.lang -diff --git a/errors/TRANSLATORS b/errors/TRANSLATORS -index e29bf707678..6ee2df637ad 100644 ---- a/errors/TRANSLATORS -+++ b/errors/TRANSLATORS -@@ -21,6 +21,7 @@ and ideas to make Squid available as multi-langual software. - George Machitidze - Henrik Nordström - Ivan Masár -+ Javier Pacheco - John 'Profic' Ustiuzhanin - Leandro Cesar Nardini Frasson - liuyongbing diff --git a/errors/aliases b/errors/aliases index 36f17f4b80f..cf0116f297d 100644 --- a/errors/aliases diff --git a/squid.spec b/squid.spec index f3a41f0..f838ba8 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.2 -Release: 2%{?dist} +Version: 5.4 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -342,6 +342,9 @@ fi %changelog +* Wed Feb 09 2022 Luboš Uhliarik - 7:5.4-1 +- new version 5.4 + * Sat Jan 22 2022 Fedora Release Engineering - 7:5.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 87b80ce965f88776e4dfde892c8f84661a02ad5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 20 Apr 2022 09:34:04 +0200 Subject: [PATCH 19/61] new version 5.5 Resolves: #2053799 - squid-5.5 is available --- sources | 4 ++-- squid.spec | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 273cc3a..994fe87 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-5.4.tar.xz) = db0a4de8cd21199c12fad95c53b622f1334994f831f950a7f8d7383d1ea3c931545912faa03ca955bb736eebb89493c0b195f0aede1fecc54f28f6dfc11fe8af -SHA512 (squid-5.4.tar.xz.asc) = bc3a6eee5e7b11b619f1181458908fe728cf9a5a12f045238098b360c577ac70f914cefff6db3a8f1b28dea65b1fa70c0f6f122c0e12ada01630a1970f8f34c4 +SHA512 (squid-5.5.tar.xz) = f506f8cc01d59e36432d08eebd68332ef002c931425d6f95bbae7ed35281bbca453db85aba3d765913ce5d38160c48a328c322b31a1bcdcfc7f0a821d420d2c0 +SHA512 (squid-5.5.tar.xz.asc) = 57d5d5b6f714fc26e427a3756756296ecba3e61a48b4dcbfff2da2330f036f3c6c1bc7f05acf59fc33c855972e57bc0a4d8fb2c3bdd82fb1487eb5a6d4518a8f SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index f838ba8..c71c6c6 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.4 +Version: 5.5 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -342,6 +342,10 @@ fi %changelog +* Wed Apr 20 2022 Luboš Uhliarik - 7:5.5-1 +- new version 5.5 +- Resolves: #2053799 - squid-5.5 is available + * Wed Feb 09 2022 Luboš Uhliarik - 7:5.4-1 - new version 5.4 From 0f548f718dcb3fb5db886164010b07fc0c37b2b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 27 Jun 2022 14:15:40 +0200 Subject: [PATCH 20/61] new version 5.6 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 994fe87..523d744 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-5.5.tar.xz) = f506f8cc01d59e36432d08eebd68332ef002c931425d6f95bbae7ed35281bbca453db85aba3d765913ce5d38160c48a328c322b31a1bcdcfc7f0a821d420d2c0 -SHA512 (squid-5.5.tar.xz.asc) = 57d5d5b6f714fc26e427a3756756296ecba3e61a48b4dcbfff2da2330f036f3c6c1bc7f05acf59fc33c855972e57bc0a4d8fb2c3bdd82fb1487eb5a6d4518a8f +SHA512 (squid-5.6.tar.xz) = 940a4d21ea8e3384642951d80c501a192178d1220f06a59a7bc54ce86d49caea0a86b6e789e28bcb7125ffa2a564ca1aca886a96cccf6356314121a81f38221a +SHA512 (squid-5.6.tar.xz.asc) = dcb3c33c098200a5bb289fcefe0cb8d69c8d65c99dfc536c0b9d1b2ef51427e5e05e987b3e31eab33b2c1e48885d5cfa2ec33a50cf6b3685306fd16a35a4d0bf SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index c71c6c6..efddac7 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.5 +Version: 5.6 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -342,6 +342,9 @@ fi %changelog +* Mon Jun 27 2022 Luboš Uhliarik - 7:5.6-1 +- new version 5.6 + * Wed Apr 20 2022 Luboš Uhliarik - 7:5.5-1 - new version 5.5 - Resolves: #2053799 - squid-5.5 is available From 429921391fa5689f85412949f71eaa205ad55290 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 23 Jul 2022 09:19:10 +0000 Subject: [PATCH 21/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index efddac7..449f18b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -342,6 +342,9 @@ fi %changelog +* Sat Jul 23 2022 Fedora Release Engineering - 7:5.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Mon Jun 27 2022 Luboš Uhliarik - 7:5.6-1 - new version 5.6 From b6675637de95c4685a687111375aa85c7b937cf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 6 Sep 2022 09:17:41 +0200 Subject: [PATCH 22/61] - new version 5.7 - remove openssl3 patch - already in upstream - remove -lfto patch which is also alrady in upstream --- sources | 4 +- squid-5.2-openssl3.patch | 185 ---------------------------- squid-5.2-test-store-cppsuite.patch | 24 ---- squid.spec | 13 +- 4 files changed, 7 insertions(+), 219 deletions(-) delete mode 100644 squid-5.2-openssl3.patch delete mode 100644 squid-5.2-test-store-cppsuite.patch diff --git a/sources b/sources index 523d744..5bea984 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.6.tar.xz) = 940a4d21ea8e3384642951d80c501a192178d1220f06a59a7bc54ce86d49caea0a86b6e789e28bcb7125ffa2a564ca1aca886a96cccf6356314121a81f38221a -SHA512 (squid-5.6.tar.xz.asc) = dcb3c33c098200a5bb289fcefe0cb8d69c8d65c99dfc536c0b9d1b2ef51427e5e05e987b3e31eab33b2c1e48885d5cfa2ec33a50cf6b3685306fd16a35a4d0bf +SHA512 (squid-5.7.tar.xz) = 624a39041a6ceda6c470dc0937616f1aa67200f3db02b4d74095d8d706ed31d6df5e0417dcacde45f6be40b617bee018849793d52c96a626aab32a2b182972aa +SHA512 (squid-5.7.tar.xz.asc) = e8578d3dc0ecff0cb4a0d53375564f782b51c218276413a1b3b924396846a2cbca1f3ff8d53b247d210e4f63e553d89795a5b8b6972b7712d87c33b556076238 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-5.2-openssl3.patch b/squid-5.2-openssl3.patch deleted file mode 100644 index 32ff6ee..0000000 --- a/squid-5.2-openssl3.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -diff --git a/src/ssl/support.cc b/src/ssl/support.cc -index 3ad135d..73912ce 100644 ---- a/src/ssl/support.cc -+++ b/src/ssl/support.cc -@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) - } - - // "dup" function for SSL_get_ex_new_index("cert_err_check") --#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP -+#if OPENSSL_VERSION_MAJOR >= 3 -+static int -+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, -+ int, long, void *) -+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP - static int - ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, - int, long, void *) -diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc -index cf1d4ba..4346ba5 100644 ---- a/src/security/PeerOptions.cc -+++ b/src/security/PeerOptions.cc -@@ -297,130 +297,130 @@ static struct ssl_option { - - } ssl_options[] = { - --#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - { - "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - }, - #endif --#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG -+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - { - "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - }, - #endif --#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER -+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - { - "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - }, - #endif --#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG -+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - { - "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG - }, - #endif --#if SSL_OP_TLS_D5_BUG -+#ifdef SSL_OP_TLS_D5_BUG - { - "TLS_D5_BUG", SSL_OP_TLS_D5_BUG - }, - #endif --#if SSL_OP_TLS_BLOCK_PADDING_BUG -+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - { - "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG - }, - #endif --#if SSL_OP_TLS_ROLLBACK_BUG -+#ifdef SSL_OP_TLS_ROLLBACK_BUG - { - "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG - }, - #endif --#if SSL_OP_ALL -+#ifdef SSL_OP_ALL - { - 
"ALL", (long)SSL_OP_ALL - }, - #endif --#if SSL_OP_SINGLE_DH_USE -+#ifdef SSL_OP_SINGLE_DH_USE - { - "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE - }, - #endif --#if SSL_OP_EPHEMERAL_RSA -+#ifdef SSL_OP_EPHEMERAL_RSA - { - "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA - }, - #endif --#if SSL_OP_PKCS1_CHECK_1 -+#ifdef SSL_OP_PKCS1_CHECK_1 - { - "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 - }, - #endif --#if SSL_OP_PKCS1_CHECK_2 -+#ifdef SSL_OP_PKCS1_CHECK_2 - { - "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 - }, - #endif --#if SSL_OP_NETSCAPE_CA_DN_BUG -+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG - { - "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG - }, - #endif --#if SSL_OP_NON_EXPORT_FIRST -+#ifdef SSL_OP_NON_EXPORT_FIRST - { - "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST - }, - #endif --#if SSL_OP_CIPHER_SERVER_PREFERENCE -+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - { - "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE - }, - #endif --#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG -+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG - { - "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG - }, - #endif --#if SSL_OP_NO_SSLv3 -+#ifdef SSL_OP_NO_SSLv3 - { - "NO_SSLv3", SSL_OP_NO_SSLv3 - }, - #endif --#if SSL_OP_NO_TLSv1 -+#ifdef SSL_OP_NO_TLSv1 - { - "NO_TLSv1", SSL_OP_NO_TLSv1 - }, - #else - { "NO_TLSv1", 0 }, - #endif --#if SSL_OP_NO_TLSv1_1 -+#ifdef SSL_OP_NO_TLSv1_1 - { - "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 - }, - #else - { "NO_TLSv1_1", 0 }, - #endif --#if SSL_OP_NO_TLSv1_2 -+#ifdef SSL_OP_NO_TLSv1_2 - { - "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 - }, - #else - { "NO_TLSv1_2", 0 }, - #endif --#if SSL_OP_NO_TLSv1_3 -+#ifdef SSL_OP_NO_TLSv1_3 - { - "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 - }, - #else - { "NO_TLSv1_3", 0 }, - #endif --#if SSL_OP_NO_COMPRESSION -+#ifdef SSL_OP_NO_COMPRESSION - { - "No_Compression", SSL_OP_NO_COMPRESSION - }, - #endif --#if SSL_OP_NO_TICKET -+#ifdef SSL_OP_NO_TICKET - { - "NO_TICKET", SSL_OP_NO_TICKET - }, - #endif --#if SSL_OP_SINGLE_ECDH_USE -+#ifdef 
SSL_OP_SINGLE_ECDH_USE - { - "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE - }, -@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() - - } - --#if SSL_OP_NO_SSLv2 -+#ifdef SSL_OP_NO_SSLv2 - // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 - op = op | SSL_OP_NO_SSLv2; - #endif diff --git a/squid-5.2-test-store-cppsuite.patch b/squid-5.2-test-store-cppsuite.patch deleted file mode 100644 index d7c52be..0000000 --- a/squid-5.2-test-store-cppsuite.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc -index 0564380..fcd60b9 100644 ---- a/src/tests/testStoreHashIndex.cc -+++ b/src/tests/testStoreHashIndex.cc -@@ -102,6 +102,8 @@ void commonInit() - if (inited) - return; - -+ inited = true; -+ - Mem::Init(); - - Config.Store.avgObjectSize = 1024; -@@ -109,6 +111,10 @@ void commonInit() - Config.Store.objectsPerBucket = 20; - - Config.Store.maxObjectSize = 2048; -+ -+ Config.memShared.defaultTo(false); -+ -+ Config.store_dir_select_algorithm = xstrdup("round-robin"); - } - - /* TODO make this a cbdata class */ diff --git a/squid.spec b/squid.spec index 449f18b..40a161f 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.6 -Release: 2%{?dist} +Version: 5.7 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -35,10 +35,6 @@ Patch204: squid-3.5.9-include-guards.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch205: squid-5.0.5-symlink-lang-err.patch -# fix openssl3 build failures -Patch206: squid-5.2-openssl3.patch -# fix -lto build failure -Patch207: squid-5.2-test-store-cppsuite.patch # cache_swap.sh Requires: bash gawk 
@@ -109,8 +105,6 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -R -b .symlink-lang-err -%patch206 -p1 -b .openssl3 -%patch207 -p1 -b .flto # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -342,6 +336,9 @@ fi %changelog +* Tue Sep 06 2022 Luboš Uhliarik - 7:5.7-1 +- new version 5.7 + * Sat Jul 23 2022 Fedora Release Engineering - 7:5.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 1e6d0f7e8cb8ddfe44e177bd22bd2b0d23abf10e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 12 Oct 2022 13:46:39 +0200 Subject: [PATCH 23/61] Provide a sysusers.d file to get user() and group() provides (#2134071) --- squid.spec | 26 +++++++++++++------------- squid.sysusers | 2 ++ 2 files changed, 15 insertions(+), 13 deletions(-) create mode 100644 squid.sysusers diff --git a/squid.spec b/squid.spec index 40a161f..c660e3e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -18,6 +18,7 @@ Source5: squid.pam Source6: squid.nm Source7: squid.service Source8: cache_swap.sh +Source9: squid.sysusers Source98: perl-requires-squid.sh @@ -41,9 +42,10 @@ Requires: bash gawk # for httpd conf file - cachemgr script alias Requires: httpd-filesystem Requires(pre): shadow-utils -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd + +%systemd_requires +%{?sysusers_requires_compat} + # squid_ldap_auth and other LDAP helpers require OpenLDAP BuildRequires: make BuildRequires: openldap-devel 
@@ -224,6 +226,8 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented # remove unpackaged files from the buildroot rm -f $RPM_BUILD_ROOT/squid.httpd.tmp +# sysusers.d +install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %files %license COPYING @@ -265,15 +269,10 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_tmpfilesdir}/squid.conf +%{_sysusersdir}/squid.conf %pre -if ! getent group squid >/dev/null 2>&1; then - /usr/sbin/groupadd -g 23 squid -fi - -if ! getent passwd squid >/dev/null 2>&1 ; then - /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 -fi +%sysusers_create_compat %{SOURCE9} for i in /var/log/squid /var/spool/squid ; do if [ -d $i ] ; then @@ -316,8 +315,6 @@ do end end - - %post %systemd_post squid.service @@ -336,6 +333,9 @@ fi %changelog +* Wed Oct 12 2022 Luboš Uhliarik - 7:5.7-2 +- Provide a sysusers.d file to get user() and group() provides (#2134071) + * Tue Sep 06 2022 Luboš Uhliarik - 7:5.7-1 - new version 5.7 diff --git a/squid.sysusers b/squid.sysusers new file mode 100644 index 0000000..f9cc56b --- /dev/null +++ b/squid.sysusers @@ -0,0 +1,2 @@ +g squid 23 - +u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin From 3d9c5a32eb74cbf49edacb29be7b8c9ed77b1641 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 12 Oct 2022 14:55:57 +0200 Subject: [PATCH 24/61] Fix spec file & build --- squid.spec | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/squid.spec b/squid.spec index c660e3e..2cf01e6 100644 --- a/squid.spec +++ b/squid.spec @@ -41,10 +41,6 @@ Patch205: squid-5.0.5-symlink-lang-err.patch Requires: bash gawk # for httpd conf file - cachemgr script alias Requires: httpd-filesystem -Requires(pre): shadow-utils - -%systemd_requires -%{?sysusers_requires_compat} # squid_ldap_auth and other LDAP helpers require OpenLDAP BuildRequires: make 
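Review bot: The removed `useradd` call in `%pre` ended in `|| exit 1`, so the install stopped when the `squid` account could not be created; whether `%sysusers_create_compat %{SOURCE9}` fails the scriptlet in that case is not visible in this hunk. The loop that follows works on /var/log/squid and /var/spool/squid, so an explicit guard after the macro, `getent passwd squid >/dev/null 2>&1 || exit 1`, would preserve the old guarantee that the daemon is never installed without its unprivileged account. `squid.sysusers` keeps the static id 23 and the /sbin/nologin shell of the removed commands, which deserves a one-line comment next to `Source9`, e.g. `# static uid/gid 23 for the squid account, see squid.sysusers`. The `%pre` body continues outside the hunk.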
@@ -77,6 +73,8 @@ BuildRequires: systemd-rpm-macros # systemd notify BuildRequires: systemd-devel +%{?systemd_requires} +%{?sysusers_requires_compat} # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From d298212c7742da5c42bb97431d940eec9d50efc4 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 5 Dec 2022 15:07:20 +0100 Subject: [PATCH 25/61] Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections --- squid-5.7-ip-bind-address-no-port.patch | 156 ++++++++++++++++++++++++ squid.spec | 7 +- 2 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 squid-5.7-ip-bind-address-no-port.patch diff --git a/squid-5.7-ip-bind-address-no-port.patch b/squid-5.7-ip-bind-address-no-port.patch new file mode 100644 index 0000000..55d9597 --- /dev/null +++ b/squid-5.7-ip-bind-address-no-port.patch 
@@ -0,0 +1,156 @@ +commit c54122584d175cf1d292b239a5b70f2d1aa77c3a +Author: Tomas Korbar +Date: Mon Dec 5 15:03:07 2022 +0100 + + Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections + +diff --git a/src/comm.cc b/src/comm.cc +index b4818f3..b18d175 100644 +--- a/src/comm.cc ++++ b/src/comm.cc +@@ -59,6 +59,7 @@ + */ + + static IOCB commHalfClosedReader; ++static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note); + static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI); + static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI); + +@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck; + static void commPlanHalfClosedCheck(); + + static Comm::Flag commBind(int s, struct addrinfo &); ++static void commSetBindAddressNoPort(int); + static void commSetReuseAddr(int); + static void commSetNoLinger(int); + #ifdef TCP_NODELAY +@@ -202,6 +204,22 @@ comm_local_port(int fd) + return F->local_addr.port(); + } + ++/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port ++/// reuse by outgoing TCP connections that must bind(2) to a source IP address ++static void ++commSetBindAddressNoPort(const int fd) ++{ ++#if defined(IP_BIND_ADDRESS_NO_PORT) ++ int flag = 1; ++ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast(&flag), sizeof(flag)) < 0) { ++ const auto savedErrno = errno; ++ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno)); ++ } ++#else ++ (void)fd; ++#endif ++} ++ + static Comm::Flag + commBind(int s, struct addrinfo &inaddr) + { +@@ -228,6 +246,10 @@ comm_open(int sock_type, + int flags, + const char *note) + { ++ // assume zero-port callers do not need to know the assigned port right away ++ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr())) ++ flags |= COMM_DOBIND_PORT_LATER; ++ + return 
comm_openex(sock_type, proto, addr, flags, note); + } + +@@ -329,7 +351,7 @@ comm_set_transparent(int fd) + * Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE + * is OR of flags specified in defines.h:COMM_* + */ +-int ++static int + comm_openex(int sock_type, + int proto, + Ip::Address &addr, +@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket, + } + } + #endif ++ if ((flags & COMM_DOBIND_PORT_LATER)) ++ commSetBindAddressNoPort(new_socket); ++ + if (commBind(new_socket, *AI) != Comm::OK) { + comm_close(new_socket); + return -1; +diff --git a/src/comm.h b/src/comm.h +index 5a1a7c2..a9f33db 100644 +--- a/src/comm.h ++++ b/src/comm.h +@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc + + /** + * Open a port specially bound for listening or sending through a specific port. +- * This is a wrapper providing IPv4/IPv6 failover around comm_openex(). + * Please use for all listening sockets and bind() outbound sockets. + * + * It will open a socket bound for: +@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc + int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note); + void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note); + +-int comm_openex(int, int, Ip::Address &, int, const char *); + unsigned short comm_local_port(int fd); + + int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen); +diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc +index 19c1237..79fa2ed 100644 +--- a/src/comm/ConnOpener.cc ++++ b/src/comm/ConnOpener.cc +@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd() + if (callback_ == NULL || callback_->canceled()) + return false; + +- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); ++ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); + if 
(temporaryFd_ < 0) { + sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd"); + return false; +diff --git a/src/comm/Connection.h b/src/comm/Connection.h +index 40c2249..2641f4e 100644 +--- a/src/comm/Connection.h ++++ b/src/comm/Connection.h +@@ -52,6 +52,8 @@ namespace Comm + #define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT + /// not registered with Comm and not owned by any connection-closing code + #define COMM_ORPHANED 0x40 ++/// Internal Comm optimization: Keep the source port unassigned until connect(2) ++#define COMM_DOBIND_PORT_LATER 0x100 + + /** + * Store data about the physical and logical attributes of a connection. +diff --git a/src/ipc.cc b/src/ipc.cc +index 45cab52..42e11e6 100644 +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name + } else void(0) + + if (type == IPC_TCP_SOCKET) { +- crfd = cwfd = comm_open(SOCK_STREAM, ++ crfd = cwfd = comm_open_listener(SOCK_STREAM, + 0, + local_addr, + COMM_NOCLOEXEC, + name); +- prfd = pwfd = comm_open(SOCK_STREAM, ++ prfd = pwfd = comm_open_listener(SOCK_STREAM, + 0, /* protocol */ + local_addr, + 0, /* blocking */ +diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc +index a1d33d6..bf4bea6 100644 +--- a/src/tests/stub_comm.cc ++++ b/src/tests/stub_comm.cc +@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags) + void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB + int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1) + void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB +-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1) + unsigned short comm_local_port(int fd) STUB_RETVAL(0) + int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int 
buflen) STUB_RETVAL(-1) + void commCallCloseHandlers(int fd) STUB diff --git a/squid.spec b/squid.spec index 2cf01e6..68cb116 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -25,6 +25,7 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches +Patch101: squid-5.7-ip-bind-address-no-port.patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -98,6 +99,7 @@ lookup program (dnsserver), a program for retrieving FTP data # Upstream patches # Backported patches +%patch101 -p1 -b .ip-bind-address-no-port # Local patches %patch201 -p1 -b .config @@ -331,6 +333,9 @@ fi %changelog +* Mon Dec 05 2022 Tomas Korbar - 7:5.7-3 +- Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections + * Wed Oct 12 2022 Luboš Uhliarik - 7:5.7-2 - Provide a sysusers.d file to get user() and group() provides (#2134071) From e59f77ea78ea664f764e448f14b157f717b207f3 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 21 Jan 2023 03:57:27 +0000 Subject: [PATCH 26/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 68cb116..aeb4b7e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.7 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -333,6 +333,9 @@ fi %changelog +* Sat Jan 21 2023 Fedora Release Engineering - 7:5.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Mon Dec 05 2022 Tomas Korbar - 7:5.7-3 - Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections 
From c4d9b668ca2a9caf3f357c3f7afd66af5061262c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 28 Feb 2023 18:28:13 +0100 Subject: [PATCH 27/61] new version 5.8 --- sources | 4 ++-- squid-3.0.STABLE1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 5bea984..01b250d 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.7.tar.xz) = 624a39041a6ceda6c470dc0937616f1aa67200f3db02b4d74095d8d706ed31d6df5e0417dcacde45f6be40b617bee018849793d52c96a626aab32a2b182972aa -SHA512 (squid-5.7.tar.xz.asc) = e8578d3dc0ecff0cb4a0d53375564f782b51c218276413a1b3b924396846a2cbca1f3ff8d53b247d210e4f63e553d89795a5b8b6972b7712d87c33b556076238 +SHA512 (squid-5.8.tar.xz) = 81a9a7d1dfcb58476369e08e99feb76411dd3242a3374feb175408fa0dc8161545a9a903603219c6fa2bcfb615461901e093428e97ac74cf4c596a7065d3247d +SHA512 (squid-5.8.tar.xz.asc) = d1cbadb6c0abb4bea7261818e5ed6558d2ea6a51f6249e222647fb68138b84730e10676bca8a75c8162f73fe8b6133b91df0182e682f04a32ffa98020eaeaba6 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index d927e43..5ab22a0 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch @@ -6,5 +6,5 @@ index 4cb0480..4b89910 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index aeb4b7e..53c3bcc 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.7 -Release: 4%{?dist} +Version: 5.8 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -333,6 +333,9 @@ fi %changelog +* Tue Feb 28 2023 Luboš Uhliarik - 7:5.8-1 +- new version 5.8 + * Sat Jan 21 2023 Fedora Release Engineering - 7:5.7-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From e8590f9b27a483a79b621507bf44d6e3610279c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 9 May 2023 11:48:39 +0200 Subject: [PATCH 28/61] new version 5.9 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 01b250d..65abcc4 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.8.tar.xz) = 81a9a7d1dfcb58476369e08e99feb76411dd3242a3374feb175408fa0dc8161545a9a903603219c6fa2bcfb615461901e093428e97ac74cf4c596a7065d3247d -SHA512 (squid-5.8.tar.xz.asc) = d1cbadb6c0abb4bea7261818e5ed6558d2ea6a51f6249e222647fb68138b84730e10676bca8a75c8162f73fe8b6133b91df0182e682f04a32ffa98020eaeaba6 +SHA512 (squid-5.9.tar.xz) = 7dc366ef6b2a397ca6adec993c05876949de5f5e72a8a4409c9c9c52c42a8a4b37f58e85a171eebd36a166951f6c764176cfebec30019b299abe34a5adc4e5ac +SHA512 (squid-5.9.tar.xz.asc) = e2852d45645effc1a94f3ff13471a6dfc0721b42c9c162c06d7ac8613a46e4e3e580ec2dd8371b93ef68d2d197008398926003c35c4e8468cae2871d740491a0 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 53c3bcc..7db39f3 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.8 +Version: 5.9 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -333,6 +333,9 @@ fi %changelog +* Tue May 09 2023 Luboš Uhliarik - 7:5.9-1 +- new version 5.9 + * Tue Feb 28 2023 Luboš Uhliarik - 7:5.8-1 - new version 5.8 From d682c6288b2fa2b6dedab71063bae911f42bd853 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 11 Jul 2023 20:23:30 +0200 Subject: [PATCH 29/61] new version 6.1 --- .gitignore | 2 +- sources | 5 +- squid-3.5.9-include-guards.patch | 95 ----------- squid-5.0.5-build-errors.patch | 116 ------------- squid-5.0.5-symlink-lang-err.patch | 68 -------- squid-5.7-ip-bind-address-no-port.patch | 156 ------------------ ....11-config.patch => squid-6.1-config.patch | 11 +- ...location.patch => squid-6.1-location.patch | 0 ...perlpath.patch => squid-6.1-perlpath.patch | 2 +- squid-6.1-symlink-lang-err.patch | 26 +++ squid.spec | 34 ++-- 11 files changed, 55 insertions(+), 460 deletions(-) delete mode 100644 squid-3.5.9-include-guards.patch delete mode 100644 squid-5.0.5-build-errors.patch delete mode 100644 squid-5.0.5-symlink-lang-err.patch delete mode 100644 squid-5.7-ip-bind-address-no-port.patch rename squid-4.0.11-config.patch => squid-6.1-config.patch (61%) rename squid-3.1.0.9-location.patch => squid-6.1-location.patch (100%) rename squid-3.0.STABLE1-perlpath.patch => squid-6.1-perlpath.patch (90%) create mode 100644 squid-6.1-symlink-lang-err.patch diff --git a/.gitignore b/.gitignore index c2dc451..e16a3d0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ /*.asc -/*.xz +/*.xz \ No newline at end of file diff --git a/sources b/sources index 65abcc4..8ab4e23 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,4 @@ -SHA512 (squid-5.9.tar.xz) = 7dc366ef6b2a397ca6adec993c05876949de5f5e72a8a4409c9c9c52c42a8a4b37f58e85a171eebd36a166951f6c764176cfebec30019b299abe34a5adc4e5ac -SHA512 (squid-5.9.tar.xz.asc) = e2852d45645effc1a94f3ff13471a6dfc0721b42c9c162c06d7ac8613a46e4e3e580ec2dd8371b93ef68d2d197008398926003c35c4e8468cae2871d740491a0 +SHA512 (squid-6.1.tar.xz) = 1e3d5b4cf40d84f94fa108ac7fcd592b55e477a12bb7bca68dd5d58e6614b4f8918d05ca9200ae13b6c4632bdb66e088656fb4efa2cfb6b66fca6bb9c2f91247 +SHA512 (squid-6.1.tar.xz.asc) = 4243e2c547dc7383fce58e5b463a0ef198a9591cfe22b01c5b3b8f79b26bff2e7968a87e900bbbbbbc7abea4863d6aa55e624fcf30ab533fc41b0ad52cf3fc8e SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 + diff --git a/squid-3.5.9-include-guards.patch b/squid-3.5.9-include-guards.patch deleted file mode 100644 index e2d4ff9..0000000 --- a/squid-3.5.9-include-guards.patch +++ /dev/null 
@@ -1,95 +0,0 @@ ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. 
- * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. - * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc - diff --git a/squid-5.0.5-build-errors.patch b/squid-5.0.5-build-errors.patch deleted file mode 100644 index 4293d67..0000000 --- a/squid-5.0.5-build-errors.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -diff --git a/src/Makefile.am b/src/Makefile.am -index 81403a7..5e2a493 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -2477,6 +2477,7 @@ tests_testHttpRequest_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testHttpRequest_LDFLAGS = $(LIBADD_DL) -@@ -2781,6 +2782,7 @@ tests_testCacheManager_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testCacheManager_LDFLAGS = $(LIBADD_DL) -@@ -3101,6 +3103,7 @@ tests_testEvent_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testEvent_LDFLAGS = $(LIBADD_DL) -@@ -3339,6 +3342,7 @@ tests_testEventLoop_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testEventLoop_LDFLAGS = $(LIBADD_DL) -diff --git a/src/Makefile.in b/src/Makefile.in -index fda6de6..4e047cc 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -4581,6 +4581,7 @@ tests_test_http_range_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -4972,6 +4973,7 @@ tests_testHttpRequest_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -5274,6 +5276,7 @@ tests_testCacheManager_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -5593,6 +5596,7 @@ tests_testEvent_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -5832,6 +5836,7 @@ tests_testEventLoop_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -diff --git a/src/proxyp/Parser.cc b/src/proxyp/Parser.cc -index 328d207..2f358a7 100644 ---- 
a/src/proxyp/Parser.cc -+++ b/src/proxyp/Parser.cc -@@ -15,6 +15,7 @@ - #include "sbuf/Stream.h" - - #include -+#include - - #if HAVE_SYS_SOCKET_H - #include -diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc -index e114ed8..22bce84 100644 ---- a/src/security/ServerOptions.cc -+++ b/src/security/ServerOptions.cc -@@ -18,6 +18,7 @@ - #if USE_OPENSSL - #include "compat/openssl.h" - #include "ssl/support.h" -+#include - - #if HAVE_OPENSSL_ERR_H - #include -diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc -index 1fdae0c..213cf39 100644 ---- a/src/acl/ConnMark.cc -+++ b/src/acl/ConnMark.cc -@@ -15,6 +15,7 @@ - #include "Debug.h" - #include "http/Stream.h" - #include "sbuf/Stream.h" -+#include - - bool - Acl::ConnMark::empty() const diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch deleted file mode 100644 index 45d6fe9..0000000 --- a/squid-5.0.5-symlink-lang-err.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Sun, 18 Oct 2020 20:23:10 +1300 -Subject: [PATCH] Update translations integration - -* Add credits for es-mx translation moderator -* Use es-mx for default of all Spanish (Central America) texts -* Update translation related .am files ---- - doc/manuals/language.am | 2 +- - errors/TRANSLATORS | 1 + - errors/aliases | 3 ++- - errors/language.am | 3 ++- - errors/template.am | 2 +- - 5 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/doc/manuals/language.am b/doc/manuals/language.am -index 7670c88380c..f03c4cf71b4 100644 ---- a/doc/manuals/language.am -+++ b/doc/manuals/language.am -@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \ - oc.lang \ - pt.lang \ - ro.lang \ -- ru.lang -+ ru.lang -diff --git a/errors/aliases b/errors/aliases -index 36f17f4b80f..cf0116f297d 100644 ---- a/errors/aliases -+++ b/errors/aliases -@@ -14,7 +14,8 @@ da da-dk - de de-at de-ch de-de de-li de-lu - el el-gr - en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw --es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl -+es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq -+es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv - et et-ee - fa fa-fa fa-ir - fi fi-fi -diff --git a/errors/language.am b/errors/language.am -index 12b1b2b3b43..029e8c1eb2f 100644 ---- a/errors/language.am -+++ b/errors/language.am -@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \ - de.lang \ - el.lang \ - en.lang \ -+ es-mx.lang \ - es.lang \ - et.lang \ - fa.lang \ -@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \ - uz.lang \ - vi.lang \ - zh-hans.lang \ -- zh-hant.lang -+ zh-hant.lang -diff --git a/errors/template.am b/errors/template.am -index 6c12781e6f4..715c65aa22b 100644 ---- a/errors/template.am -+++ b/errors/template.am -@@ -48,4 +48,4 @@ 
ERROR_TEMPLATES = \ - templates/ERR_UNSUP_REQ \ - templates/ERR_URN_RESOLVE \ - templates/ERR_WRITE_ERROR \ -- templates/ERR_ZERO_SIZE_OBJECT -+ templates/ERR_ZERO_SIZE_OBJECT diff --git a/squid-5.7-ip-bind-address-no-port.patch b/squid-5.7-ip-bind-address-no-port.patch deleted file mode 100644 index 55d9597..0000000 --- a/squid-5.7-ip-bind-address-no-port.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -commit c54122584d175cf1d292b239a5b70f2d1aa77c3a -Author: Tomas Korbar -Date: Mon Dec 5 15:03:07 2022 +0100 - - Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections - -diff --git a/src/comm.cc b/src/comm.cc -index b4818f3..b18d175 100644 ---- a/src/comm.cc -+++ b/src/comm.cc -@@ -59,6 +59,7 @@ - */ - - static IOCB commHalfClosedReader; -+static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note); - static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI); - static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI); - -@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck; - static void commPlanHalfClosedCheck(); - - static Comm::Flag commBind(int s, struct addrinfo &); -+static void commSetBindAddressNoPort(int); - static void commSetReuseAddr(int); - static void commSetNoLinger(int); - #ifdef TCP_NODELAY -@@ -202,6 +204,22 @@ comm_local_port(int fd) - return F->local_addr.port(); - } - -+/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port -+/// reuse by outgoing TCP connections that must bind(2) to a source IP address -+static void -+commSetBindAddressNoPort(const int fd) -+{ -+#if defined(IP_BIND_ADDRESS_NO_PORT) -+ int flag = 1; -+ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast(&flag), sizeof(flag)) < 0) { -+ const auto savedErrno = errno; -+ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno)); -+ } -+#else -+ (void)fd; -+#endif -+} -+ - static Comm::Flag - commBind(int s, struct addrinfo &inaddr) - { -@@ -228,6 +246,10 @@ comm_open(int sock_type, - int flags, - const char *note) - { -+ // assume zero-port callers do not need to know the assigned port right away -+ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr())) -+ flags |= COMM_DOBIND_PORT_LATER; -+ - return 
comm_openex(sock_type, proto, addr, flags, note); - } - -@@ -329,7 +351,7 @@ comm_set_transparent(int fd) - * Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE - * is OR of flags specified in defines.h:COMM_* - */ --int -+static int - comm_openex(int sock_type, - int proto, - Ip::Address &addr, -@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket, - } - } - #endif -+ if ((flags & COMM_DOBIND_PORT_LATER)) -+ commSetBindAddressNoPort(new_socket); -+ - if (commBind(new_socket, *AI) != Comm::OK) { - comm_close(new_socket); - return -1; -diff --git a/src/comm.h b/src/comm.h -index 5a1a7c2..a9f33db 100644 ---- a/src/comm.h -+++ b/src/comm.h -@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc - - /** - * Open a port specially bound for listening or sending through a specific port. -- * This is a wrapper providing IPv4/IPv6 failover around comm_openex(). - * Please use for all listening sockets and bind() outbound sockets. - * - * It will open a socket bound for: -@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc - int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note); - void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note); - --int comm_openex(int, int, Ip::Address &, int, const char *); - unsigned short comm_local_port(int fd); - - int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen); -diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc -index 19c1237..79fa2ed 100644 ---- a/src/comm/ConnOpener.cc -+++ b/src/comm/ConnOpener.cc -@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd() - if (callback_ == NULL || callback_->canceled()) - return false; - -- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); -+ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); - if 
(temporaryFd_ < 0) { - sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd"); - return false; -diff --git a/src/comm/Connection.h b/src/comm/Connection.h -index 40c2249..2641f4e 100644 ---- a/src/comm/Connection.h -+++ b/src/comm/Connection.h -@@ -52,6 +52,8 @@ namespace Comm - #define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT - /// not registered with Comm and not owned by any connection-closing code - #define COMM_ORPHANED 0x40 -+/// Internal Comm optimization: Keep the source port unassigned until connect(2) -+#define COMM_DOBIND_PORT_LATER 0x100 - - /** - * Store data about the physical and logical attributes of a connection. -diff --git a/src/ipc.cc b/src/ipc.cc -index 45cab52..42e11e6 100644 ---- a/src/ipc.cc -+++ b/src/ipc.cc -@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name - } else void(0) - - if (type == IPC_TCP_SOCKET) { -- crfd = cwfd = comm_open(SOCK_STREAM, -+ crfd = cwfd = comm_open_listener(SOCK_STREAM, - 0, - local_addr, - COMM_NOCLOEXEC, - name); -- prfd = pwfd = comm_open(SOCK_STREAM, -+ prfd = pwfd = comm_open_listener(SOCK_STREAM, - 0, /* protocol */ - local_addr, - 0, /* blocking */ -diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc -index a1d33d6..bf4bea6 100644 ---- a/src/tests/stub_comm.cc -+++ b/src/tests/stub_comm.cc -@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags) - void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB - int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1) - void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB --int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1) - unsigned short comm_local_port(int fd) STUB_RETVAL(0) - int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int 
buflen) STUB_RETVAL(-1) - void commCallCloseHandlers(int fd) STUB diff --git a/squid-4.0.11-config.patch b/squid-6.1-config.patch similarity index 61% rename from squid-4.0.11-config.patch rename to squid-6.1-config.patch index a4faae8..9d2b192 100644 --- a/squid-4.0.11-config.patch +++ b/squid-6.1-config.patch @@ -1,7 +1,8 @@ -diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre ---- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200 -+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200 -@@ -4658,7 +4658,7 @@ DOC_END +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 44aa34d..12225bc 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -5453,7 +5453,7 @@ DOC_END NAME: logfile_rotate TYPE: int @@ -10,7 +11,7 @@ diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre LOC: Config.Log.rotateNumber DOC_START Specifies the default number of logfile rotations to make when you -@@ -6444,11 +6444,11 @@ COMMENT_END +@@ -7447,11 +7447,11 @@ COMMENT_END NAME: cache_mgr TYPE: string diff --git a/squid-3.1.0.9-location.patch b/squid-6.1-location.patch similarity index 100% rename from squid-3.1.0.9-location.patch rename to squid-6.1-location.patch diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-6.1-perlpath.patch similarity index 90% rename from squid-3.0.STABLE1-perlpath.patch rename to squid-6.1-perlpath.patch index 5ab22a0..fe37759 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -1,5 +1,5 @@ diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl -index 4cb0480..4b89910 100755 +index e965e9e..ed5ffcb 100755 --- a/contrib/url-normalizer.pl +++ b/contrib/url-normalizer.pl @@ -1,4 +1,4 @@ diff --git a/squid-6.1-symlink-lang-err.patch b/squid-6.1-symlink-lang-err.patch new file mode 100644 index 0000000..a29274b --- /dev/null +++ b/squid-6.1-symlink-lang-err.patch 
@@ -0,0 +1,26 @@ +diff --git a/errors/aliases b/errors/aliases +index c256106..38c123a 100644 +--- a/errors/aliases ++++ b/errors/aliases +@@ -14,8 +14,7 @@ da da-dk + de de-at de-ch de-de de-li de-lu + el el-gr + en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw +-es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq +-es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv ++es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl + et et-ee + fa fa-fa fa-ir + fi fi-fi +diff --git a/errors/language.am b/errors/language.am +index a437d17..f2fe463 100644 +--- a/errors/language.am ++++ b/errors/language.am +@@ -19,7 +19,6 @@ LANGUAGE_FILES = \ + de.lang \ + el.lang \ + en.lang \ +- es-mx.lang \ + es.lang \ + et.lang \ + fa.lang \ diff --git a/squid.spec b/squid.spec index 7db39f3..e5accda 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.9 +Version: 6.1 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -9,8 +9,8 @@ Epoch: 7 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz.asc +Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig 
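Review bot: `Source0` and `Source1` in the `@@ -9,8 +9,8 @@` hunk of squid.spec are rewritten for the v6 directory but still fetch the tarball and its detached signature over plain `http://`, as does the unchanged `Source2` key URL. The SHA512 entries in `sources` pin what the build consumes, so the exposure is mainly to whoever downloads from these URLs when refreshing a release; switching the scheme while the lines are being touched closes that gap: `Source0: https://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz`, and the same for `Source1`. Whether `%prep` verifies the `.asc` against `pgp.asc` is not visible in this hunk; if it does not, that check would be worth adding separately.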
@@ -25,18 +25,17 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -Patch101: squid-5.7-ip-bind-address-no-port.patch +# Patch101: patch # Local patches # Applying upstream patches first makes it less likely that local patches # will break upstream ones. -Patch201: squid-4.0.11-config.patch -Patch202: squid-3.1.0.9-location.patch -Patch203: squid-3.0.STABLE1-perlpath.patch -Patch204: squid-3.5.9-include-guards.patch +Patch201: squid-6.1-config.patch +Patch202: squid-6.1-location.patch +Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 -Patch205: squid-5.0.5-symlink-lang-err.patch +Patch204: squid-6.1-symlink-lang-err.patch # cache_swap.sh Requires: bash gawk @@ -99,14 +98,13 @@ lookup program (dnsserver), a program for retrieving FTP data # Upstream patches # Backported patches -%patch101 -p1 -b .ip-bind-address-no-port +# %patch101 -p1 -b .patch # Local patches -%patch201 -p1 -b .config -%patch202 -p1 -b .location -%patch203 -p1 -b .perlpath -%patch204 -p0 -b .include-guards -%patch205 -p1 -R -b .symlink-lang-err +%patch -P 201 -p1 -b .config +%patch -P 202 -p1 -b .location +%patch -P 203 -p1 -b .perlpath +%patch -P 204 -p1 -b .symlink-lang-err # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -159,7 +157,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --disable-arch-native \ --disable-security-cert-validators \ --disable-strict-error-checking \ - --with-swapdir=%{_localstatedir}/spool/squid + --with-swapdir=%{_localstatedir}/spool/squid \ + --enable-translation # workaround to build squid v5 mkdir -p src/icmp/tests @@ -333,6 +332,9 @@ fi %changelog +* Tue Jul 11 2023 Luboš Uhliarik - 7:6.1-1 +- new version 6.1 + * Tue May 09 2023 Luboš Uhliarik - 7:5.9-1 - new version 5.9 
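Review bot: The comment kept above `Patch204` in the `@@ -25,18 +25,17 @@` hunk still reads "revert this upstream patch", but the `@@ -98,14 +98,13 @@` hunk drops `-R` from the matching `%patch` line, so the patch is now applied forward. The new squid-6.1-symlink-lang-err.patch itself removes `es-mx.lang` and the separate `es-mx` alias line, so it appears to be the same revert expressed as a forward patch. The comment should say so, for example `# local patch undoing the upstream es-mx alias split (applied forward, no -R) - https://bugzilla.redhat.com/show_bug.cgi?id=1936422`. Without that, a maintainer rebasing the patch set may reintroduce `-R` on the strength of the old wording.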
From 45aa5f8be15879d8b532e024e0babb4f02613250 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 02:24:49 +0000 Subject: [PATCH 30/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index e5accda..94cf540 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -332,6 +332,9 @@ fi %changelog +* Sat Jul 22 2023 Fedora Release Engineering - 7:6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Tue Jul 11 2023 Luboš Uhliarik - 7:6.1-1 - new version 6.1 From fb5d65bd298a33525db7a189eb2c7d8be58cb057 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 8 Aug 2023 16:53:27 +0200 Subject: [PATCH 31/61] Fix "!commHasHalfClosedMonitor(fd)" assertion --- squid-6.1-crash-half-closed.patch | 158 ++++++++++++++++++++++++++++++ squid.spec | 8 +- 2 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 squid-6.1-crash-half-closed.patch diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch new file mode 100644 index 0000000..901ece2 --- /dev/null +++ b/squid-6.1-crash-half-closed.patch 
@@ -0,0 +1,158 @@ +diff --git a/src/client_side.cc b/src/client_side.cc +index f488fc4..69586df 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -932,7 +932,7 @@ ConnStateData::kick() + * We are done with the response, and we are either still receiving request + * body (early response!) or have already stopped receiving anything. + * +- * If we are still receiving, then clientParseRequest() below will fail. ++ * If we are still receiving, then parseRequests() below will fail. + * (XXX: but then we will call readNextRequest() which may succeed and + * execute a smuggled request as we are not done with the current request). + * +@@ -952,28 +952,12 @@ ConnStateData::kick() + * Attempt to parse a request from the request buffer. + * If we've been fed a pipelined request it may already + * be in our read buffer. +- * +- \par +- * This needs to fall through - if we're unlucky and parse the _last_ request +- * from our read buffer we may never re-register for another client read. + */ + +- if (clientParseRequests()) { +- debugs(33, 3, clientConnection << ": parsed next request from buffer"); +- } ++ parseRequests(); + +- /** \par +- * Either we need to kick-start another read or, if we have +- * a half-closed connection, kill it after the last request. +- * This saves waiting for half-closed connections to finished being +- * half-closed _AND_ then, sometimes, spending "Timeout" time in +- * the keepalive "Waiting for next request" state. +- */ +- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { +- debugs(33, 3, "half-closed client with no pending requests, closing"); +- clientConnection->close(); ++ if (!isOpen()) + return; +- } + + /** \par + * At this point we either have a parsed request (which we've +@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() + resetReadTimeout(Config.Timeout.request); + } + +-/** +- * Attempt to parse one or more requests from the input buffer. 
+- * Returns true after completing parsing of at least one request [header]. That +- * includes cases where parsing ended with an error (e.g., a huge request). +- */ +-bool +-ConnStateData::clientParseRequests() ++/// Attempt to parse one or more requests from the input buffer. ++/// May close the connection. ++void ++ConnStateData::parseRequests() + { +- bool parsed_req = false; +- + debugs(33, 5, clientConnection << ": attempting to parse"); + + // Loop while we have read bytes that are not needed for producing the body +@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() + + processParsedRequest(context); + +- parsed_req = true; // XXX: do we really need to parse everything right NOW ? +- + if (context->mayUseConnection()) { + debugs(33, 3, "Not parsing new requests, as this request may need the connection"); + break; +@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() + } + } + +- /* XXX where to 'finish' the parsing pass? */ +- return parsed_req; ++ debugs(33, 7, "buffered leftovers: " << inBuf.length()); ++ ++ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { ++ if (pipeline.empty()) { ++ // we processed what we could parse, and no more data is coming ++ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); ++ clientConnection->close(); ++ } else { ++ // we parsed what we could, and no more data is coming ++ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); ++ flags.readMore = false; // may already be false ++ } ++ } + } + + void +@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() + if (pipeline.empty()) + fd_note(clientConnection->fd, "Reading next request"); + +- if (!clientParseRequests()) { +- if (!isOpen()) +- return; +- // We may get here if the client half-closed after sending a partial +- // request. See doClientRead() and shouldCloseOnEof(). +- // XXX: This partially duplicates ConnStateData::kick(). 
+- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { +- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); +- clientConnection->close(); +- return; +- } +- } ++ parseRequests(); + + if (!isOpen()) + return; +@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) + startPinnedConnectionMonitoring(); + + if (pipeline.empty()) +- kick(); // in case clientParseRequests() was blocked by a busy pic.connection ++ kick(); // in case parseRequests() was blocked by a busy pic.connection + } + + /// Forward future client requests using the given server connection. +diff --git a/src/client_side.h b/src/client_side.h +index 6027b31..60b99b1 100644 +--- a/src/client_side.h ++++ b/src/client_side.h +@@ -98,7 +98,6 @@ public: + void doneWithControlMsg() override; + + /// Traffic parsing +- bool clientParseRequests(); + void readNextRequest(); + + /// try to make progress on a transaction or read more I/O +@@ -443,6 +442,7 @@ private: + + void checkLogging(); + ++ void parseRequests(); + void clientAfterReadingRequests(); + bool concurrentRequestQueueFilled() const; + +diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc +index 8c160e5..f49d5dc 100644 +--- a/src/tests/stub_client_side.cc ++++ b/src/tests/stub_client_side.cc +@@ -14,7 +14,7 @@ + #include "tests/STUB.h" + + #include "client_side.h" +-bool ConnStateData::clientParseRequests() STUB_RETVAL(false) ++void ConnStateData::parseRequests() STUB + void ConnStateData::readNextRequest() STUB + bool ConnStateData::isOpen() const STUB_RETVAL(false) + void ConnStateData::kick() STUB diff --git a/squid.spec b/squid.spec index 94cf540..51f5852 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
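Review bot: The new doc comment on `ConnStateData::parseRequests()` says only `/// May close the connection.`, which leaves the caller contract implicit now that the function returns `void` instead of a parsed/not-parsed flag. Both visible callers, `kick()` and `afterClientRead()`, follow the call with `if (!isOpen()) return;`, and any other caller has to do the same before touching `clientConnection`. I would spell that out, e.g. `/// May close the connection; callers must check isOpen() before using clientConnection again.` The context comment in `kick()` still carries the `XXX` about `readNextRequest()` possibly executing a smuggled request, and this change only renames the function it mentions, so that concern stays open. The bodies of `kick()`, `parseRequests()` and `afterClientRead()` continue outside the inner hunks, so this rests on the visible lines only.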
@@ -36,6 +36,8 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1442 +Patch205: squid-6.1-crash-half-closed.patch # cache_swap.sh Requires: bash gawk @@ -105,6 +107,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch -P 202 -p1 -b .location %patch -P 203 -p1 -b .perlpath %patch -P 204 -p1 -b .symlink-lang-err +%patch -P 205 -p1 -b .crash-half-closed # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -332,6 +335,9 @@ fi %changelog +* Fri Aug 04 2023 Luboš Uhliarik - 7:6.1-3 +- Fix "!commHasHalfClosedMonitor(fd)" assertion + * Sat Jul 22 2023 Fedora Release Engineering - 7:6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From b5e1d7b9e6a78ea63b7cedae3f381a77ec9c4f3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 16 Aug 2023 17:31:00 +0200 Subject: [PATCH 32/61] new version 6.2 --- sources | 5 ++--- squid.spec | 7 +++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 8ab4e23..bab2980 100644 --- a/sources +++ b/sources 
@@ -1,4 +1,3 @@ -SHA512 (squid-6.1.tar.xz) = 1e3d5b4cf40d84f94fa108ac7fcd592b55e477a12bb7bca68dd5d58e6614b4f8918d05ca9200ae13b6c4632bdb66e088656fb4efa2cfb6b66fca6bb9c2f91247 -SHA512 (squid-6.1.tar.xz.asc) = 4243e2c547dc7383fce58e5b463a0ef198a9591cfe22b01c5b3b8f79b26bff2e7968a87e900bbbbbbc7abea4863d6aa55e624fcf30ab533fc41b0ad52cf3fc8e +SHA512 (squid-6.2.tar.xz) = a2f3ad666b88708ddc52958e610222778e4f64c2ac097b821867ae4022ca35dcbe225f2c5bba42a69fa56f89feebf63764d1a936444e4debce7e55e87b7366db +SHA512 (squid-6.2.tar.xz.asc) = d178eb1d89e8dbe03033378125038be1a4b153846efa53aff396405e7cbadd985842098ab16b68f68d2d23bf3cfca609c535b97ef67df903ee4998d6f0406656 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 - diff --git a/squid.spec b/squid.spec index 51f5852..2528d8c 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.1 -Release: 3%{?dist} +Version: 6.2 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Wed Aug 16 2023 Luboš Uhliarik - 7:6.2-1 +- new version 6.2 + * Fri Aug 04 2023 Luboš Uhliarik - 7:6.1-3 - Fix "!commHasHalfClosedMonitor(fd)" assertion From 986386af0e951f6ea82e2bd5cc6a476438d88187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Sep 2023 14:08:40 +0200 Subject: [PATCH 33/61] new version 6.3 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index bab2980..9585a3a 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.2.tar.xz) = a2f3ad666b88708ddc52958e610222778e4f64c2ac097b821867ae4022ca35dcbe225f2c5bba42a69fa56f89feebf63764d1a936444e4debce7e55e87b7366db -SHA512 (squid-6.2.tar.xz.asc) = d178eb1d89e8dbe03033378125038be1a4b153846efa53aff396405e7cbadd985842098ab16b68f68d2d23bf3cfca609c535b97ef67df903ee4998d6f0406656 +SHA512 (squid-6.3.tar.xz) = add8718895ceccc130d31e6cbf9fbdb7fd45a778a617e9f02bf310babe72106e1dc14ac8b3dc81d31e1f4cace66d9d72176dd82f1652d7248a478fa10ffb6b87 +SHA512 (squid-6.3.tar.xz.asc) = 39a4a1b426e06cf990cca1afc64f78623954e32079fb9562154518eeec4124b3b19f28f6c6cb998117aae176be707b25185fe66f98acb205f660396de59bd829 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 2528d8c..1730441 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.2 +Version: 6.3 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Tue Sep 05 2023 Luboš Uhliarik - 7:6.3-1 +- new version 6.3 + * Wed Aug 16 2023 Luboš Uhliarik - 7:6.2-1 - new version 6.2 From 92b68088588ad74f1e9634c204a350d94887942a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 14 Sep 2023 14:36:09 +0200 Subject: [PATCH 34/61] SPDX migration --- squid.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index 1730441..a529327 100644 --- a/squid.spec +++ b/squid.spec 
@@ -2,11 +2,11 @@ Name: squid Version: 6.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code -License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) +License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz @@ -335,6 +335,9 @@ fi %changelog +* Thu Sep 14 2023 Luboš Uhliarik - 7:6.3-2 +- SPDX migration + * Tue Sep 05 2023 Luboš Uhliarik - 7:6.3-1 - new version 6.3 From 32a0233ae79b27d44b12389ce6dd38fb30396e76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 24 Oct 2023 22:39:39 +0200 Subject: [PATCH 35/61] new version 6.4 --- sources | 4 ++-- squid.spec | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/sources b/sources index 9585a3a..975ec82 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.3.tar.xz) = add8718895ceccc130d31e6cbf9fbdb7fd45a778a617e9f02bf310babe72106e1dc14ac8b3dc81d31e1f4cace66d9d72176dd82f1652d7248a478fa10ffb6b87 -SHA512 (squid-6.3.tar.xz.asc) = 39a4a1b426e06cf990cca1afc64f78623954e32079fb9562154518eeec4124b3b19f28f6c6cb998117aae176be707b25185fe66f98acb205f660396de59bd829 +SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab +SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index a529327..c1fffcf 100644 --- a/squid.spec +++ b/squid.spec 
@@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.3 -Release: 2%{?dist} +Version: 6.4 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Tue Oct 24 2023 Luboš Uhliarik - 7:6.4-1 +- new version 6.4 + * Thu Sep 14 2023 Luboš Uhliarik - 7:6.3-2 - SPDX migration From 014ff8bb7a1d9f2f3d3ab300bd7b6bfdf8728137 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 7 Nov 2023 21:24:03 +0100 Subject: [PATCH 36/61] new version 6.5 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 975ec82..24c2ba7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab -SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803 +SHA512 (squid-6.5.tar.xz) = d3a40f5f390f0042a8e981ca28755a90dd520230a06b4246ba7bec0c98025ce1cdc7426797a666f769addd60238e28e1f04d2c701ea2ef2d7329dbe87b830d70 +SHA512 (squid-6.5.tar.xz.asc) = bf6ab7128a6261ac63115f402925311be5f59ad9085d19813f842cfac4b385b47eb07c9398c85654896ef04f6678a4ea645edcbed503f4ac18a3920b6a03ed04 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index c1fffcf..a3f6dba 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.4 +Version: 6.5 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 +- new version 6.5 + * Tue Oct 24 2023 Luboš Uhliarik - 7:6.4-1 - new version 6.4 
From 5580eab2d9db7b0f14a66cd8e8c17fa905490a51 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Tue, 12 Dec 2023 22:32:30 -0500 Subject: [PATCH 37/61] new version 6.6 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 24c2ba7..6823720 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.5.tar.xz) = d3a40f5f390f0042a8e981ca28755a90dd520230a06b4246ba7bec0c98025ce1cdc7426797a666f769addd60238e28e1f04d2c701ea2ef2d7329dbe87b830d70 -SHA512 (squid-6.5.tar.xz.asc) = bf6ab7128a6261ac63115f402925311be5f59ad9085d19813f842cfac4b385b47eb07c9398c85654896ef04f6678a4ea645edcbed503f4ac18a3920b6a03ed04 +SHA512 (squid-6.6.tar.xz) = 4ab261ed85ad674288467500aca9d8a48e3918b55f777635c0ba7a2551f248d35536848a5fbf2c946490a818004727f2aed33144f0a3ebab0be36cc4cffb020c +SHA512 (squid-6.6.tar.xz.asc) = 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index a3f6dba..8938081 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.5 +Version: 6.6 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 +- new version 6.6 + * Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 - new version 6.5 From ded59a53104e787986fdd65b98a0e3f599b67d4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 20 Dec 2023 14:54:02 +0100 Subject: [PATCH 38/61] Remove gopher mention from SPEC file, since gopher support has been removed --- squid.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8938081..ba852f7 100644 --- a/squid.spec +++ b/squid.spec 
@@ -83,7 +83,7 @@ Conflicts: NetworkManager < 1.20 %description Squid is a high-performance proxy caching server for Web clients, -supporting FTP, gopher, and HTTP data objects. Unlike traditional +supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking From 2af86284bc59404eec4b917537854c9e1d021fd0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 04:14:57 +0000 Subject: [PATCH 39/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index ba852f7..e34a531 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 - new version 6.6 From 24c56d185eaafd4fb39fc1d3094b74ee9acd0a33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 14 Feb 2024 00:34:23 +0100 Subject: [PATCH 40/61] new version 6.7 switch to autosetup fix FTBFS when using gcc14 --- sources | 6 +- squid-6.7-gcc-14.patch | 123 +++++++++++++++++++++++++++++++++++++++++ squid.spec | 24 ++++---- 3 files changed, 136 insertions(+), 17 deletions(-) create mode 100644 squid-6.7-gcc-14.patch diff --git a/sources b/sources index 6823720..d17889d 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.6.tar.xz) = 4ab261ed85ad674288467500aca9d8a48e3918b55f777635c0ba7a2551f248d35536848a5fbf2c946490a818004727f2aed33144f0a3ebab0be36cc4cffb020c -SHA512 (squid-6.6.tar.xz.asc) = 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 -SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 +SHA512 (squid-6.7.tar.xz) = 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 +SHA512 (squid-6.7.tar.xz.asc) = 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.7-gcc-14.patch b/squid-6.7-gcc-14.patch new file mode 100644 index 0000000..283f5ec --- /dev/null +++ b/squid-6.7-gcc-14.patch 
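Review bot: This `sources` hunk replaces the `SHA512 (pgp.asc)` entry (`09f7012030d6…` becomes `b1e1dd5ead34…`), which appears to be the keyring passed to `%{gpgverify} --keyring='%{SOURCE2}'` in `%prep`. Neither the commit message nor the changelog entry ("new version 6.7", "switch to autosetup", "fix FTBFS when using gcc14") mentions a key change. The signature check is only as strong as that keyring, so a replaced key deserves its own changelog line and a record of how it was validated, for example `- update upstream signing key (fingerprint <FINGERPRINT>, verified against <SOURCE>)` with the placeholders filled in. The tarball and `.asc` hashes changing with the version is expected; the keyring changing alongside them is the part a reviewer should be able to trace.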
@@ -0,0 +1,123 @@ +From 7080c9ea3c761f4ac67e3341bbc371383e4e739b Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:07:20 +1300 +Subject: [PATCH 1/4] Fix undefined std::find + +--- + src/helper/Reply.cc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/helper/Reply.cc b/src/helper/Reply.cc +index 93cd5c84322..2e5e92aa2be 100644 +--- a/src/helper/Reply.cc ++++ b/src/helper/Reply.cc +@@ -17,6 +17,8 @@ + #include "rfc1738.h" + #include "SquidString.h" + ++#include ++ + Helper::Reply::Reply() : + result(Helper::Unknown) + { + +From 906884bf2565025cbc5b322c47425defa07f1f8e Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:51:17 +1300 +Subject: [PATCH 2/4] Fix error: 'InstanceId<...>::InstanceId(const + InstanceId<...> &)' is private within this context + +--- + src/base/InstanceId.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h +index a48be882cc4..c4dd4090b00 100644 +--- a/src/base/InstanceId.h ++++ b/src/base/InstanceId.h +@@ -49,6 +49,7 @@ class InstanceId + typedef ValueType Value; ///< id storage type + + InstanceId() {change();} ++ InstanceId(const InstanceId &); ///< no copying; IDs are unique + + operator Value() const { return value; } + bool operator ==(const InstanceId &o) const { return value == o.value; } +@@ -67,10 +68,6 @@ class InstanceId + + public: + Value value = Value(); ///< instance identifier +- +-private: +- InstanceId(const InstanceId &); ///< not implemented; IDs are unique +- InstanceId& operator=(const InstanceId &); ///< not implemented + }; + + /// An InstanceIdDefinitions() helper. Avoid direct use. 
+ +From 2631e20bf8adc2102ba039baf86c1c64c158431f Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:58:47 +1300 +Subject: [PATCH 3/4] =?UTF-8?q?Fix=20error:=20=E2=80=98void*=20calloc(size?= + =?UTF-8?q?=5Ft,=20size=5Ft)=E2=80=99=20sizes?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... specified with ‘sizeof’ in the earlier argument +and not in the later argument [-Werror=calloc-transposed-args] +--- + src/auth/basic/LDAP/basic_ldap_auth.cc | 2 +- + src/auth/digest/eDirectory/edir_ldapext.cc | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc +index 4d9a78574cb..f79a5b88984 100644 +--- a/src/auth/basic/LDAP/basic_ldap_auth.cc ++++ b/src/auth/basic/LDAP/basic_ldap_auth.cc +@@ -795,7 +795,7 @@ readSecret(const char *filename) + if ((e = strrchr(buf, '\r'))) + *e = 0; + +- passwd = (char *) calloc(sizeof(char), strlen(buf) + 1); ++ passwd = static_cast(calloc(strlen(buf) + 1, sizeof(char))); + if (!passwd) { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + exit(EXIT_FAILURE); +diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc +index f34341c912c..13e7daca67b 100644 +--- a/src/auth/digest/eDirectory/edir_ldapext.cc ++++ b/src/auth/digest/eDirectory/edir_ldapext.cc +@@ -69,7 +69,7 @@ + + #define NMAS_LDAP_EXT_VERSION 1 + +-#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) ++#define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type)) + #define DEBUG(level, args) + + /********************************************************************** + +From 535606d99e04f3479af07c471768af688ff790cb Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 05:52:05 +1300 +Subject: [PATCH 4/4] Update src/base/InstanceId.h + +Co-authored-by: Alex Rousskov +--- + src/base/InstanceId.h | 2 +- + 1 file changed, 1 
insertion(+), 1 deletion(-) + +diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h +index c4dd4090b00..d3e2ebb2b2e 100644 +--- a/src/base/InstanceId.h ++++ b/src/base/InstanceId.h +@@ -49,7 +49,7 @@ class InstanceId + typedef ValueType Value; ///< id storage type + + InstanceId() {change();} +- InstanceId(const InstanceId &); ///< no copying; IDs are unique ++ InstanceId(InstanceId &&) = delete; // no copying/moving of any kind + + operator Value() const { return value; } + bool operator ==(const InstanceId &o) const { return value == o.value; } diff --git a/squid.spec b/squid.spec index e34a531..490653c 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.6 -Release: 2%{?dist} +Version: 6.7 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -38,6 +38,8 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch +# https://github.com/squid-cache/squid/pull/1673 +Patch206: squid-6.7-gcc-14.patch # cache_swap.sh Requires: bash gawk @@ -95,19 +97,8 @@ lookup program (dnsserver), a program for retrieving FTP data %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q -# Upstream patches - -# Backported patches -# %patch101 -p1 -b .patch - -# Local patches -%patch -P 201 -p1 -b .config -%patch -P 202 -p1 -b .location -%patch -P 203 -p1 -b .perlpath -%patch -P 204 -p1 -b .symlink-lang-err -%patch -P 205 -p1 -b .crash-half-closed +%autosetup -p1 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation 
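Review bot: After PATCH 4/4 the only special member `InstanceId` declares is `InstanceId(InstanceId &&) = delete; // no copying/moving of any kind`, and PATCH 2/4 has already removed the explicit private `operator=` declaration. Copy construction and both assignments are therefore suppressed only by the implicit rules that follow from a user-declared move constructor. That matches the comment, but a reader has to know those rules to confirm it. If GCC 14 accepts it, stating the intent directly would be clearer, e.g. `InstanceId(const InstanceId &) = delete;` and `InstanceId &operator=(const InstanceId &) = delete;` next to the move constructor. The class body continues outside the inner hunks, so other declarations may exist that are not visible here.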
@@ -335,6 +326,11 @@ fi %changelog +* Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 +- new version 6.7 +- switch to autosetup +- fix FTBFS when using gcc14 + * Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5c7c3985cfee87f8be71b06ad85957ce4483c247 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Sat, 9 Mar 2024 04:10:00 +0100 Subject: [PATCH 41/61] new version 6.8 --- sources | 4 +- squid-6.7-gcc-14.patch | 123 ----------------------------------------- squid.spec | 7 ++- 3 files changed, 6 insertions(+), 128 deletions(-) delete mode 100644 squid-6.7-gcc-14.patch diff --git a/sources b/sources index d17889d..8d6d769 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.7.tar.xz) = 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 -SHA512 (squid-6.7.tar.xz.asc) = 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +SHA512 (squid-6.8.tar.xz) = 25509662de0b16af763a7aca090937b16c9ae15cb29ae1275634db9091eba511de33e9119ef8552fda936b7a7cfd1b7e51f6082c039c8e9e9f7da64d5efac992 +SHA512 (squid-6.8.tar.xz.asc) = 118c6b2022ee0b62c83484742a6ae3ee6402ddb06d5f8e953b67185499070e5b1b04cb97953d4f73e91c420e86956f73787ea2208609e451ec2c24a7701a9f24 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.7-gcc-14.patch b/squid-6.7-gcc-14.patch deleted file mode 100644 index 283f5ec..0000000 --- a/squid-6.7-gcc-14.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 7080c9ea3c761f4ac67e3341bbc371383e4e739b Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:07:20 +1300 -Subject: [PATCH 1/4] Fix undefined std::find - ---- - src/helper/Reply.cc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/helper/Reply.cc b/src/helper/Reply.cc -index 93cd5c84322..2e5e92aa2be 100644 ---- a/src/helper/Reply.cc -+++ b/src/helper/Reply.cc -@@ -17,6 +17,8 @@ - #include "rfc1738.h" - #include "SquidString.h" - -+#include -+ - Helper::Reply::Reply() : - result(Helper::Unknown) - { - -From 906884bf2565025cbc5b322c47425defa07f1f8e Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:51:17 +1300 -Subject: [PATCH 2/4] Fix error: 'InstanceId<...>::InstanceId(const - InstanceId<...> &)' is private within this context - ---- - src/base/InstanceId.h | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h -index a48be882cc4..c4dd4090b00 100644 ---- a/src/base/InstanceId.h -+++ b/src/base/InstanceId.h -@@ -49,6 +49,7 @@ class InstanceId - typedef ValueType Value; ///< id storage type - - InstanceId() {change();} -+ InstanceId(const InstanceId &); ///< no copying; IDs are unique - - operator Value() const { return value; } - bool operator ==(const InstanceId &o) const { return value == o.value; } -@@ -67,10 +68,6 @@ class InstanceId - - public: - Value value = Value(); ///< instance identifier -- --private: -- InstanceId(const InstanceId &); ///< not implemented; IDs are unique -- InstanceId& operator=(const InstanceId &); ///< not implemented - }; - - /// An InstanceIdDefinitions() helper. Avoid direct use. 
- -From 2631e20bf8adc2102ba039baf86c1c64c158431f Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:58:47 +1300 -Subject: [PATCH 3/4] =?UTF-8?q?Fix=20error:=20=E2=80=98void*=20calloc(size?= - =?UTF-8?q?=5Ft,=20size=5Ft)=E2=80=99=20sizes?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -... specified with ‘sizeof’ in the earlier argument -and not in the later argument [-Werror=calloc-transposed-args] ---- - src/auth/basic/LDAP/basic_ldap_auth.cc | 2 +- - src/auth/digest/eDirectory/edir_ldapext.cc | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc -index 4d9a78574cb..f79a5b88984 100644 ---- a/src/auth/basic/LDAP/basic_ldap_auth.cc -+++ b/src/auth/basic/LDAP/basic_ldap_auth.cc -@@ -795,7 +795,7 @@ readSecret(const char *filename) - if ((e = strrchr(buf, '\r'))) - *e = 0; - -- passwd = (char *) calloc(sizeof(char), strlen(buf) + 1); -+ passwd = static_cast(calloc(strlen(buf) + 1, sizeof(char))); - if (!passwd) { - fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); - exit(EXIT_FAILURE); -diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc -index f34341c912c..13e7daca67b 100644 ---- a/src/auth/digest/eDirectory/edir_ldapext.cc -+++ b/src/auth/digest/eDirectory/edir_ldapext.cc -@@ -69,7 +69,7 @@ - - #define NMAS_LDAP_EXT_VERSION 1 - --#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) -+#define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type)) - #define DEBUG(level, args) - - /********************************************************************** - -From 535606d99e04f3479af07c471768af688ff790cb Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 05:52:05 +1300 -Subject: [PATCH 4/4] Update src/base/InstanceId.h - -Co-authored-by: Alex Rousskov ---- - src/base/InstanceId.h | 2 +- - 1 file changed, 1 
insertion(+), 1 deletion(-) - -diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h -index c4dd4090b00..d3e2ebb2b2e 100644 ---- a/src/base/InstanceId.h -+++ b/src/base/InstanceId.h -@@ -49,7 +49,7 @@ class InstanceId - typedef ValueType Value; ///< id storage type - - InstanceId() {change();} -- InstanceId(const InstanceId &); ///< no copying; IDs are unique -+ InstanceId(InstanceId &&) = delete; // no copying/moving of any kind - - operator Value() const { return value; } - bool operator ==(const InstanceId &o) const { return value == o.value; } diff --git a/squid.spec b/squid.spec index 490653c..94a138d 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.7 +Version: 6.8 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -38,8 +38,6 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch -# https://github.com/squid-cache/squid/pull/1673 -Patch206: squid-6.7-gcc-14.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +324,9 @@ fi %changelog +* Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 +- new version 6.8 + * Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 - new version 6.7 - switch to autosetup From 8f425c9ec24cef71e2cca266d6e2906ab6c7a21a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 17 Apr 2024 01:26:51 +0200 Subject: [PATCH 42/61] Resolves: #2262715 - squid-6.9 is available --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 8d6d769..a42cd14 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.8.tar.xz) = 25509662de0b16af763a7aca090937b16c9ae15cb29ae1275634db9091eba511de33e9119ef8552fda936b7a7cfd1b7e51f6082c039c8e9e9f7da64d5efac992 -SHA512 (squid-6.8.tar.xz.asc) = 118c6b2022ee0b62c83484742a6ae3ee6402ddb06d5f8e953b67185499070e5b1b04cb97953d4f73e91c420e86956f73787ea2208609e451ec2c24a7701a9f24 +SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e +SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 94a138d..6e8a194 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.8 +Version: 6.9 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -324,6 +324,9 @@ fi %changelog +* Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 +- Resolves: #2262715 - squid-6.9 is available + * Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 - new version 6.8 From 71d404cc388ccce1a343081da6ee97a4a3aaf069 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 1 Jul 2024 11:20:18 +0200 Subject: [PATCH 43/61] new version 6.10 Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may lead to Denial of Service --- sources | 4 ++-- squid.spec | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/sources b/sources index a42cd14..38903ce 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e -SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa +SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 +SHA512 (squid-6.10.tar.xz.asc) = 5e9d053db90549760f7a675d9f4703ecde460906cb09dff489f9db5d0f7826fb30487c9b009cc4577f3f061f3c7b3a667418af298f55f882f696884dc536bf53 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 6e8a194..8d0f9e2 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.9 +Version: 6.10 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -324,6 +324,11 @@ fi %changelog +* Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 +- new version 6.10 +- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may + lead to Denial of Service + * Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 - Resolves: #2262715 - squid-6.9 is available From bc07278a7c3b6e94716a0b71bb92f443ecffd70e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 06:20:17 +0000 Subject: [PATCH 44/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8d0f9e2..c02c88b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -324,6 +324,9 @@ fi %changelog +* Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 - new version 6.10 - Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may From 259e6f50ca2a8f1bceb11ecc23318c4947c5adca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 25 Sep 2024 15:38:12 +0200 Subject: [PATCH 45/61] new version 6.11 --- sources | 4 ++-- squid-6.1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 38903ce..469e7e0 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 -SHA512 (squid-6.10.tar.xz.asc) = 5e9d053db90549760f7a675d9f4703ecde460906cb09dff489f9db5d0f7826fb30487c9b009cc4577f3f061f3c7b3a667418af298f55f882f696884dc536bf53 +SHA512 (squid-6.11.tar.xz) = 669f658b0a58514f98c2b33df874706d40b9ed0837e1f32e08e274c79617063e06e706932011a34b115dcc96d43125f9cea30fba459cd31a88e3afd9b6076d7a +SHA512 (squid-6.11.tar.xz.asc) = e4bf8a77fe431eb6ba7ff9c10511d987692438d66c4aa72739b4fedf73aa6e6704e4da756ffcfeb82b9d76be9a3e4bb963dd523132cda732077898785cc6bbb9 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index fe37759..7539001 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index c02c88b..f4fd37a 100644 
--- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.10 -Release: 2%{?dist} +Version: 6.11 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -324,6 +324,9 @@ fi %changelog +* Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 +- new version 6.11 + * Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 8504f8d8faa18c410053b85036e2522d738b3d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 11 Oct 2024 20:22:16 +0200 Subject: [PATCH 46/61] ignore SP and HTAB chars after chunk-size --- squid-6.11-ignore-wsp-after-chunk-size.patch | 367 +++++++++++++++++++ squid.spec | 7 +- 2 files changed, 373 insertions(+), 1 deletion(-) create mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch new file mode 100644 index 0000000..ea4025f --- /dev/null +++ b/squid-6.11-ignore-wsp-after-chunk-size.patch 
@@ -0,0 +1,367 @@ +From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 10 Oct 2024 19:26:27 +0200 +Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size + +Previously (before #1498 change), squid was accepting TE-chunked replies +with whitespaces after chunk-size and missing chunk-ext data. After + +It turned out that replies with such whitespace chars are pretty +common and other webservers which can act as forward proxies (e.g. +nginx, httpd...) are accepting them. + +This change will allow to proxy chunked responses from origin server, +which had whitespaces inbetween chunk-size and CRLF. +--- + src/http/one/TeChunkedParser.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 9cce10fdc91..04753395e16 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { ++ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size + parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + +From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:06:31 +0200 +Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() + +Depending on new wsp_only argument in ParseBws() it will be decided +which set of whitespaces characters will be parsed. If wsp_only is set +to true, only SP and HTAB chars will be parsed. + +Also optimized number of ParseBws calls. 
+--- + src/http/one/Parser.cc | 4 ++-- + src/http/one/Parser.h | 3 ++- + src/http/one/TeChunkedParser.cc | 13 +++++++++---- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index b1908316a0b..01d7e3bc0e8 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -273,9 +273,9 @@ Http::One::ErrorLevel() + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule + void +-Http::One::ParseBws(Parser::Tokenizer &tok) ++Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + { +- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index d9a0ac8c273..08200371cd6 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,8 +163,9 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &); ++void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 04753395e16..41e1e5ddaea 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. 
+ try { +- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size +- parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ // A possibly empty chunk-ext list. If no chunk-ext has been found, ++ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". ++ if (!parseChunkExtensions(tok)) ++ ParseBws(tok, true); ++ + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-void ++bool + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { ++ bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +- return; // reached the end of extensions (if any) ++ return foundChunkExt; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; ++ foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 02eacd1bb89..8c5d4bb4cba 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- void parseChunkExtensions(Tokenizer &); ++ bool parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:44:33 
+0200 +Subject: [PATCH 3/6] Fix typo in Parser.h + +--- + src/http/one/Parser.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 08200371cd6..3ef4c5f7752 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,7 +163,7 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed + void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + +From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 22:39:42 -0400 +Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! + +Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ +spaces after chunk-size, which answers one of the PR review questions: +Should we skip just one space? No, we should not. + +The lines moved around in many commits, but I believe this regression +was introduced in commit 951013d0 because that commit stopped consuming +partially parsed chunk-ext sequences. That consumption was wrong, but it +had a positive side effect -- fixing Bug 4492... +--- + src/http/one/TeChunkedParser.cc | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 41e1e5ddaea..aa4a840fdcf 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. 
+ try { +- // A possibly empty chunk-ext list. If no chunk-ext has been found, +- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". +- if (!parseChunkExtensions(tok)) +- ParseBws(tok, true); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok, true); ++ ++ parseChunkExtensions(tok); + + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); +@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + do { + auto tok = callerTok; + +- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok); + + if (!tok.skip(';')) + return foundChunkExt; // reached the end of extensions (if any) + +From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:06:42 -0400 +Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling + +... to draw code reader attention when something unusual is going on. +--- + src/http/one/Parser.cc | 22 ++++++++++++++++++---- + src/http/one/Parser.h | 10 ++++++++-- + src/http/one/TeChunkedParser.cc | 14 ++++++-------- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 33 insertions(+), 15 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index 01d7e3bc0e8..d3937e5e96b 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -271,11 +271,12 @@ Http::One::ErrorLevel() + return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; + } + +-// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-void +-Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) ++/// common part of ParseBws() and ParseStrctBws() ++namespace Http::One { ++static void ++ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + { +- const auto count = tok.skipAll(wsp_only ? 
CharacterSet::WSP : Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(bwsChars); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + + // success: no more BWS characters expected + } ++} // namespace Http::One ++ ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, CharacterSet::WSP); ++} ++ ++void ++Http::One::ParseStrictBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, Parser::WhitespaceCharacters()); ++} + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 3ef4c5f7752..49e399de546 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,9 +163,15 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); ++/// \sa WhitespaceCharacters() for the definition of BWS characters ++/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties ++void ParseBws(Parser::Tokenizer &); ++ ++/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation ++/// must be used if the next element may start with CR or any other character ++/// from RelaxedDelimiterCharacters(). 
++void ParseStrictBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index aa4a840fdcf..859471b8c77 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- ParseBws(tok, true); +- +- parseChunkExtensions(tok); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. ++ // No ParseBws() here because it may consume CR required further below. ++ ParseStrictBws(tok); + ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? 
Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-bool ++void + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { +- bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); + + if (!tok.skip(';')) +- return foundChunkExt; // reached the end of extensions (if any) ++ return; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; +- foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 8c5d4bb4cba..02eacd1bb89 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- bool parseChunkExtensions(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:31:08 -0400 +Subject: [PATCH 6/6] fixup: Deadly typo + +--- + src/http/one/Parser.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index d3937e5e96b..7403a9163a2 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + void + Http::One::ParseBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, CharacterSet::WSP); ++ ParseBws_(tok, Parser::WhitespaceCharacters()); + } + + void + 
Http::One::ParseStrictBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, Parser::WhitespaceCharacters()); ++ ParseBws_(tok, CharacterSet::WSP); + } + + diff --git a/squid.spec b/squid.spec index f4fd37a..bfed799 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -38,6 +38,8 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch # cache_swap.sh Requires: bash gawk @@ -324,6 +326,9 @@ fi %changelog +* Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 +- ignore SP and HTAB chars after chunk-size + * Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 - new version 6.11 From 9e3214a7297593a7cf0ea6a40bd892d351137976 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 23 Oct 2024 21:35:04 +0200 Subject: [PATCH 47/61] new version 6.12 Fix TCP_MISS_ABORTED/100 erros when uploading --- sources | 4 +- squid-6.12-large-upload-buffer-dies.patch | 117 ++++++++++++++++++++++ squid.spec | 10 +- 3 files changed, 127 insertions(+), 4 deletions(-) create mode 100644 squid-6.12-large-upload-buffer-dies.patch diff --git a/sources b/sources index 469e7e0..f79692e 100644 --- a/sources +++ b/sources 
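Review bot: Nothing in this series pins the difference between `ParseBws()` and `ParseStrictBws()`, and PATCH 5/6 carried the two bodies swapped until 6/6 corrected them; the per-patch diffstats list only Parser.cc, Parser.h, TeChunkedParser.cc and TeChunkedParser.h, so no parser test appears to accompany the change. Per the added comments, the strict variant is what keeps a CR from being consumed as whitespace ahead of the `skipRequired("CRLF after [chunk-ext]", Http1::CrLf())` call in `parseChunkMetadataSuffix()`, so chunk framing depends on it; a unit test feeding `chunk-size SP CRLF`, `chunk-size HTAB CRLF` and a chunk-size followed by a bare CR would catch a repeat of that swap. Separately, the helper's comment in Parser.cc still reads `ParseStrctBws()`; I would make it `/// common part of ParseBws() and ParseStrictBws()`. The functions appear only as excerpts inside the embedded patch, so their full bodies are not visible here.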
@@ -1,3 +1,3 @@ -SHA512 (squid-6.11.tar.xz) = 669f658b0a58514f98c2b33df874706d40b9ed0837e1f32e08e274c79617063e06e706932011a34b115dcc96d43125f9cea30fba459cd31a88e3afd9b6076d7a -SHA512 (squid-6.11.tar.xz.asc) = e4bf8a77fe431eb6ba7ff9c10511d987692438d66c4aa72739b4fedf73aa6e6704e4da756ffcfeb82b9d76be9a3e4bb963dd523132cda732077898785cc6bbb9 +SHA512 (squid-6.12.tar.xz) = 7ab61f19416426fb8284de7bddc1ea9a5a7b3148fc54c018a243071ba5854610ef38a248f6a22634a2acb7d3ea408b582af1f48818dfe698ade0b7b8c00fd183 +SHA512 (squid-6.12.tar.xz.asc) = 34cd6e9f6f908626184ea6995bcb340a939c00b6254f4427967282fb6e4b89e5cf9c02f8df9f61f2ae9ea08a4ec3796840eeb327e123299e26683a5ecb9b9a0f SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.12-large-upload-buffer-dies.patch b/squid-6.12-large-upload-buffer-dies.patch new file mode 100644 index 0000000..459d528 --- /dev/null +++ b/squid-6.12-large-upload-buffer-dies.patch 
@@ -0,0 +1,117 @@ +From 4d6dd3ddba5e850a42c86d8233735165a371c31c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Sun, 1 Sep 2024 00:39:34 +0000 +Subject: [PATCH] Bug 5405: Large uploads fill request buffer and die (#1887) + + maybeMakeSpaceAvailable: request buffer full + ReadNow: ... size 0, retval 0, errno 0 + terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT + %Ss=TCP_MISS_ABORTED + +This bug is triggered by a combination of the following two conditions: + +* HTTP client upload fills Squid request buffer faster than it is + drained by an origin server, cache_peer, or REQMOD service. The buffer + accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64 + KB internal "pipe" buffer). + +* The affected server or service consumes a few bytes after the critical + accumulation is reached. In other words, the bug cannot be triggered + if nothing is consumed after the first condition above is met. + +Comm::ReadNow() must not be called with a full buffer: Related +FD_READ_METHOD() code cannot distinguish "received EOF" from "had no +buffer space" outcomes. Server::readSomeData() tried to prevent such +calls, but the corresponding check had two problems: + +* The check had an unsigned integer underflow bug[^1] that made it + ineffective when inBuf length exceeded Config.maxRequestBufferSize. + That length could exceed the limit due to reconfiguration and when + inBuf space size first grew outside of maybeMakeSpaceAvailable() + protections (e.g., during an inBuf.c_str() call) and then got filled + with newly read data. That growth started happening after 2020 commit + 1dfbca06 optimized SBuf::cow() to merge leading and trailing space. + Prior to that commit, Bug 5405 could probably only affect Squid + reconfigurations that lower client_request_buffer_max_size. + +* The check was separated from the ReadNow() call it was meant to + protect. 
While ConnStateData was waiting for the socket to become + ready for reading, various asynchronous events could alter inBuf or + Config.maxRequestBufferSize. + +This change fixes both problems. + +This change also fixes Squid Bug 5214. + +[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7 +while trying to emulate the original "do not read less than two bytes" +ConnStateData::In::maybeMakeSpaceAvailable() condition. That condition +itself looks like a leftover from manual zero-terminated input buffer +days that ended with 2014 commit e7287625. It is now removed. +--- + +diff --git a/src/servers/Server.cc b/src/servers/Server.cc +index 70fd10b..dd20619 100644 +--- a/src/servers/Server.cc ++++ b/src/servers/Server.cc +@@ -83,16 +83,25 @@ Server::maybeMakeSpaceAvailable() + debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize); + } + ++bool ++Server::mayBufferMoreRequestBytes() const ++{ ++ // TODO: Account for bodyPipe buffering as well. 
++ if (inBuf.length() >= Config.maxRequestBufferSize) { ++ debugs(33, 4, "no: " << inBuf.length() << '-' << Config.maxRequestBufferSize << '=' << (inBuf.length() - Config.maxRequestBufferSize)); ++ return false; ++ } ++ debugs(33, 7, "yes: " << Config.maxRequestBufferSize << '-' << inBuf.length() << '=' << (Config.maxRequestBufferSize - inBuf.length())); ++ return true; ++} ++ + void + Server::readSomeData() + { + if (reading()) + return; + +- debugs(33, 4, clientConnection << ": reading request..."); +- +- // we can only read if there is more than 1 byte of space free +- if (Config.maxRequestBufferSize - inBuf.length() < 2) ++ if (!mayBufferMoreRequestBytes()) + return; + + typedef CommCbMemFunT Dialer; +@@ -123,7 +132,16 @@ Server::doClientRead(const CommIoCbParams &io) + * Plus, it breaks our lame *HalfClosed() detection + */ + ++ // mayBufferMoreRequestBytes() was true during readSomeData(), but variables ++ // like Config.maxRequestBufferSize may have changed since that check ++ if (!mayBufferMoreRequestBytes()) { ++ // XXX: If we avoid Comm::ReadNow(), we should not Comm::Read() again ++ // when the wait is over; resume these doClientRead() checks instead. 
++ return; // wait for noteMoreBodySpaceAvailable() or a similar inBuf draining event ++ } + maybeMakeSpaceAvailable(); ++ Assure(inBuf.spaceSize()); ++ + CommIoCbParams rd(this); // will be expanded with ReadNow results + rd.conn = io.conn; + switch (Comm::ReadNow(rd, inBuf)) { +diff --git a/src/servers/Server.h b/src/servers/Server.h +index ef105f5..6e549b3 100644 +--- a/src/servers/Server.h ++++ b/src/servers/Server.h +@@ -119,6 +119,9 @@ protected: + /// abort any pending transactions and prevent new ones (by closing) + virtual void terminateAll(const Error &, const LogTagsErrors &) = 0; + ++ /// whether client_request_buffer_max_size allows inBuf.length() increase ++ bool mayBufferMoreRequestBytes() const; ++ + void doClientRead(const CommIoCbParams &io); + void clientWriteDone(const CommIoCbParams &io); + diff --git a/squid.spec b/squid.spec index bfed799..2ee61da 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.11 -Release: 2%{?dist} +Version: 6.12 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,6 +40,8 @@ Patch204: squid-6.1-symlink-lang-err.patch Patch205: squid-6.1-crash-half-closed.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch +# https://bugs.squid-cache.org/show_bug.cgi?id=5214 +Patch207: squid-6.12-large-upload-buffer-dies.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +328,10 @@ fi %changelog +* Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 +- new version 6.12 +- Fix TCP_MISS_ABORTED/100 erros when uploading + * Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 - ignore SP and HTAB chars after chunk-size From e91b352f108c5c8897982cbb51d468ce421d61b1 Mon Sep 17 00:00:00 2001 
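Review bot: The Server.h comment on the new `mayBufferMoreRequestBytes()` does not say that the check bounds `inBuf` only, although the `TODO: Account for bodyPipe buffering as well` in its body and the 576 KB figure in the commit message (512 KB client_request_buffer_max_size plus a 64 KB pipe buffer) both indicate that per-connection buffering can exceed the configured limit. I would state that on the declaration, e.g. `/// whether client_request_buffer_max_size allows inBuf.length() increase; bodyPipe buffering is not counted`, so anyone sizing memory per client connection from that directive is not misled. The early `return` added to `doClientRead()` also relies, per its own XXX comment, on a later draining event to resume reading, and that is worth keeping in mind when reviewing callers that are not shown. `readSomeData()` and `doClientRead()` are only partly visible in the embedded patch.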
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 1 Nov 2024 16:39:14 +0100 Subject: [PATCH 48/61] Disable ESI support since ESI support has been also removed from squid 7 Resolves: CVE-2024-45802 squid: Denial of Service processing ESI response content --- squid.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/squid.spec b/squid.spec index 2ee61da..0631e68 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -59,8 +59,6 @@ BuildRequires: openssl-devel BuildRequires: krb5-devel # time_quota requires TrivialDB BuildRequires: libtdb-devel -# ESI support requires Expat & libxml2 -BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat BuildRequires: libcap-devel # eCAP support @@ -143,7 +141,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-storeio="aufs,diskd,ufs,rock" \ --enable-diskio \ --enable-wccpv2 \ - --enable-esi \ + --disable-esi \ --enable-ecap \ --with-aio \ --with-default-user="squid" \ @@ -328,6 +326,11 @@ fi %changelog +* Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 +- Disable ESI support since ESI support has been also removed from squid 7 +- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI + response content + * Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 - new version 6.12 - Fix TCP_MISS_ABORTED/100 erros when uploading From 789f7c9b18f6158643a288de505436f575b8f1c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 1 Nov 2024 21:44:15 +0100 Subject: [PATCH 49/61] better error handling in cache_swap.sh added RuntimeDirectory to systemd service file --- cache_swap.sh | 5 ++++- squid.service | 9 ++++++--- squid.spec | 19 ++++++------------- 3 files changed, 16 insertions(+), 17 deletions(-) 
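Review bot: The switch to `--disable-esi` in the configure hunk carries no comment in the spec itself, so the reason survives only in the changelog entry (CVE-2024-45802, ESI removed from squid 7). The BuildRequires entries around it are commented, and the removed `# ESI support requires Expat & libxml2` line shows the convention; without a note, a later packager could re-enable the option without seeing why it was turned off. Because the option sits inside a backslash-continued command, the comment would go above the configure invocation rather than inline, e.g. `# ESI stays disabled: CVE-2024-45802, and upstream removed ESI in squid 7`. The configure invocation starts outside this hunk.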
diff --git a/cache_swap.sh b/cache_swap.sh index 77d06ac..89f3478 100644 --- a/cache_swap.sh +++ b/cache_swap.sh @@ -17,5 +17,8 @@ done if [ $init_cache_dirs -ne 0 ]; then echo "" - squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1 + if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then + echo "init_cache_dir failed, see /var/log/squid/squid.out for more information" + exit 1 + fi fi diff --git a/squid.service b/squid.service index 6978032..09c68cc 100644 --- a/squid.service +++ b/squid.service @@ -8,11 +8,14 @@ Type=notify LimitNOFILE=16384 PIDFile=/run/squid.pid EnvironmentFile=/etc/sysconfig/squid -ExecStartPre=/usr/libexec/squid/cache_swap.sh -ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} -ExecReload=/usr/bin/kill -HUP $MAINPID +ExecStartPre=!/usr/libexec/squid/cache_swap.sh +ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} +ExecReload=!/usr/bin/kill -HUP $MAINPID KillMode=mixed NotifyAccess=all +User=squid +Group=squid +RuntimeDirectory=squid [Install] WantedBy=multi-user.target diff --git a/squid.spec b/squid.spec index 0631e68..5cbe6b9 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -71,7 +71,7 @@ BuildRequires: perl-generators BuildRequires: pkgconfig(cppunit) # For verifying downloded src tarball BuildRequires: gnupg2 -# for _tmpfilesdir and _unitdir macro +# for _unitdir macro # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging BuildRequires: systemd-rpm-macros # systemd notify 
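Review bot: Every Exec line in the squid.service hunk gains a `!` prefix in the same change that adds `User=squid` and `Group=squid`, and `!` tells systemd not to apply User=/Group= to that command, so `cache_swap.sh`, squid itself and the reload `kill` are all still started as root. As far as this hunk shows, the new credentials therefore only determine the ownership of the `RuntimeDirectory=squid` directory, and the unit reads as more confined than it is. A comment above the Exec lines would prevent that misreading, e.g. `# "!" = start without applying User=/Group= (i.e. as root); User=/Group= here only set the owner of /run/squid`. `PIDFile=/run/squid.pid` is unchanged and stays outside the new runtime directory, which may be intended but is worth confirming.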
@@ -198,17 +198,8 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid -mkdir -p $RPM_BUILD_ROOT/run/squid chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl -# install /usr/lib/tmpfiles.d/squid.conf -mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} -cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf < - 7:6.12-3 +- better error handling in cache_swap.sh +- added RuntimeDirectory to systemd service file + * Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 - Disable ESI support since ESI support has been also removed from squid 7 - Resolves: CVE-2024-45802 squid: Denial of Service processing ESI From d3ada053730bd30c73f430ff270c4b92b86ef5ca Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 11:31:35 +0000 Subject: [PATCH 50/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 5cbe6b9..22786ee 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -315,6 +315,9 @@ fi %changelog +* Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-3 - better error handling in cache_swap.sh - added RuntimeDirectory to systemd service file From 5403d2498221ec36a496d79a1797054f64e78fa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 1 Feb 2025 19:57:33 +0100 Subject: [PATCH 51/61] Add explicit BR: libxcrypt-devel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Björn Esser --- squid.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 22786ee..ff41802 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -66,6 +66,7 @@ BuildRequires: libecap-devel #ip_user helper requires BuildRequires: gcc-c++ BuildRequires: libtool libtool-ltdl-devel +BuildRequires: libxcrypt-devel BuildRequires: perl-generators # For test suite BuildRequires: pkgconfig(cppunit) @@ -315,6 +316,9 @@ fi %changelog +* Sat Feb 01 2025 Björn Esser - 7:6.12-5 +- Add explicit BR: libxcrypt-devel + * Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 9c651e4fe8d7da27226525e8fc3c7c84f7d724bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 4 Feb 2025 18:38:52 +0100 Subject: [PATCH 52/61] new version 6.13 --- sources | 4 +- squid-6.12-large-upload-buffer-dies.patch | 117 ---------------------- squid.spec | 9 +- 3 files changed, 7 insertions(+), 123 deletions(-) delete mode 100644 squid-6.12-large-upload-buffer-dies.patch diff --git a/sources b/sources index f79692e..83d969f 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.12.tar.xz) = 7ab61f19416426fb8284de7bddc1ea9a5a7b3148fc54c018a243071ba5854610ef38a248f6a22634a2acb7d3ea408b582af1f48818dfe698ade0b7b8c00fd183 -SHA512 (squid-6.12.tar.xz.asc) = 34cd6e9f6f908626184ea6995bcb340a939c00b6254f4427967282fb6e4b89e5cf9c02f8df9f61f2ae9ea08a4ec3796840eeb327e123299e26683a5ecb9b9a0f +SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1 +SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.12-large-upload-buffer-dies.patch b/squid-6.12-large-upload-buffer-dies.patch deleted file mode 100644 index 459d528..0000000 --- a/squid-6.12-large-upload-buffer-dies.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 4d6dd3ddba5e850a42c86d8233735165a371c31c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Sun, 1 Sep 2024 00:39:34 +0000 -Subject: [PATCH] Bug 5405: Large uploads fill request buffer and die (#1887) - - maybeMakeSpaceAvailable: request buffer full - ReadNow: ... size 0, retval 0, errno 0 - terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT - %Ss=TCP_MISS_ABORTED - -This bug is triggered by a combination of the following two conditions: - -* HTTP client upload fills Squid request buffer faster than it is - drained by an origin server, cache_peer, or REQMOD service. The buffer - accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64 - KB internal "pipe" buffer). - -* The affected server or service consumes a few bytes after the critical - accumulation is reached. In other words, the bug cannot be triggered - if nothing is consumed after the first condition above is met. - -Comm::ReadNow() must not be called with a full buffer: Related -FD_READ_METHOD() code cannot distinguish "received EOF" from "had no -buffer space" outcomes. Server::readSomeData() tried to prevent such -calls, but the corresponding check had two problems: - -* The check had an unsigned integer underflow bug[^1] that made it - ineffective when inBuf length exceeded Config.maxRequestBufferSize. - That length could exceed the limit due to reconfiguration and when - inBuf space size first grew outside of maybeMakeSpaceAvailable() - protections (e.g., during an inBuf.c_str() call) and then got filled - with newly read data. That growth started happening after 2020 commit - 1dfbca06 optimized SBuf::cow() to merge leading and trailing space. - Prior to that commit, Bug 5405 could probably only affect Squid - reconfigurations that lower client_request_buffer_max_size. - -* The check was separated from the ReadNow() call it was meant to - protect. 
While ConnStateData was waiting for the socket to become - ready for reading, various asynchronous events could alter inBuf or - Config.maxRequestBufferSize. - -This change fixes both problems. - -This change also fixes Squid Bug 5214. - -[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7 -while trying to emulate the original "do not read less than two bytes" -ConnStateData::In::maybeMakeSpaceAvailable() condition. That condition -itself looks like a leftover from manual zero-terminated input buffer -days that ended with 2014 commit e7287625. It is now removed. ---- - -diff --git a/src/servers/Server.cc b/src/servers/Server.cc -index 70fd10b..dd20619 100644 ---- a/src/servers/Server.cc -+++ b/src/servers/Server.cc -@@ -83,16 +83,25 @@ Server::maybeMakeSpaceAvailable() - debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize); - } - -+bool -+Server::mayBufferMoreRequestBytes() const -+{ -+ // TODO: Account for bodyPipe buffering as well. 
-+ if (inBuf.length() >= Config.maxRequestBufferSize) { -+ debugs(33, 4, "no: " << inBuf.length() << '-' << Config.maxRequestBufferSize << '=' << (inBuf.length() - Config.maxRequestBufferSize)); -+ return false; -+ } -+ debugs(33, 7, "yes: " << Config.maxRequestBufferSize << '-' << inBuf.length() << '=' << (Config.maxRequestBufferSize - inBuf.length())); -+ return true; -+} -+ - void - Server::readSomeData() - { - if (reading()) - return; - -- debugs(33, 4, clientConnection << ": reading request..."); -- -- // we can only read if there is more than 1 byte of space free -- if (Config.maxRequestBufferSize - inBuf.length() < 2) -+ if (!mayBufferMoreRequestBytes()) - return; - - typedef CommCbMemFunT Dialer; -@@ -123,7 +132,16 @@ Server::doClientRead(const CommIoCbParams &io) - * Plus, it breaks our lame *HalfClosed() detection - */ - -+ // mayBufferMoreRequestBytes() was true during readSomeData(), but variables -+ // like Config.maxRequestBufferSize may have changed since that check -+ if (!mayBufferMoreRequestBytes()) { -+ // XXX: If we avoid Comm::ReadNow(), we should not Comm::Read() again -+ // when the wait is over; resume these doClientRead() checks instead. 
-+ return; // wait for noteMoreBodySpaceAvailable() or a similar inBuf draining event -+ } - maybeMakeSpaceAvailable(); -+ Assure(inBuf.spaceSize()); -+ - CommIoCbParams rd(this); // will be expanded with ReadNow results - rd.conn = io.conn; - switch (Comm::ReadNow(rd, inBuf)) { -diff --git a/src/servers/Server.h b/src/servers/Server.h -index ef105f5..6e549b3 100644 ---- a/src/servers/Server.h -+++ b/src/servers/Server.h -@@ -119,6 +119,9 @@ protected: - /// abort any pending transactions and prevent new ones (by closing) - virtual void terminateAll(const Error &, const LogTagsErrors &) = 0; - -+ /// whether client_request_buffer_max_size allows inBuf.length() increase -+ bool mayBufferMoreRequestBytes() const; -+ - void doClientRead(const CommIoCbParams &io); - void clientWriteDone(const CommIoCbParams &io); - diff --git a/squid.spec b/squid.spec index ff41802..d73d7be 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.12 -Release: 5%{?dist} +Version: 6.13 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,8 +40,6 @@ Patch204: squid-6.1-symlink-lang-err.patch Patch205: squid-6.1-crash-half-closed.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch -# https://bugs.squid-cache.org/show_bug.cgi?id=5214 -Patch207: squid-6.12-large-upload-buffer-dies.patch # cache_swap.sh Requires: bash gawk @@ -316,6 +314,9 @@ fi %changelog +* Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 +- new version 6.13 + * Sat Feb 01 2025 Björn Esser - 7:6.12-5 - Add explicit BR: libxcrypt-devel From 22a11a4a8b6f73f9ba9abe9490f09f5628b42b6d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 5 Feb 2025 18:12:27 +0100 Subject: [PATCH 53/61] Source URL change Use the GitHub URL as the source URL instead of the obsolete one. --- squid.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index d73d7be..dbdcc3a 100644 --- a/squid.spec +++ b/squid.spec @@ -1,4 +1,5 @@ %define __perl_requires %{SOURCE98} +%define version_underscore %(echo %{version} | tr '.' '_') Name: squid Version: 6.13 @@ -9,8 +10,8 @@ Epoch: 7 License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc +Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz +Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig From 3f92dc8816e1639138e4fcb01ac2d293dc49ff8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 10 Apr 2025 14:34:13 +0200 Subject: [PATCH 54/61] Do not blame cache_peer for 4xx CONNECT responses --- squid-6.13-cache-peer-connect-errors.patch | 287 +++++++++++++++++++++ squid.spec | 16 +- 2 files changed, 297 insertions(+), 6 deletions(-) create mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch new file mode 100644 index 0000000..339d9ec --- /dev/null +++ b/squid-6.13-cache-peer-connect-errors.patch 
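Review bot: `Source2` still points at plain `http://www.squid-cache.org/pgp.asc` while `Source0` and `Source1` move to HTTPS in this hunk. That keyring is what the tarball signature is checked against (the spec pulls in gnupg2 for that), so it is the download that most needs an authenticated channel. The SHA512 entry for pgp.asc in `sources` pins the current copy, but whoever refreshes the key next would fetch it over an unauthenticated link. If upstream serves the file over TLS, I would use `Source2: https://www.squid-cache.org/pgp.asc`, and the `URL:` tag could follow.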
@@ -0,0 +1,287 @@ +From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Tue, 2 Apr 2024 20:37:31 +0000 +Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) + + ERROR: Connection to [such-and-such-cache_peer] failed + TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT + +Squid does not alert an admin about (and decrease health level of) a +cache_peer that responded with an error to a GET request. Just like GET +responses from a cache_peer, CONNECT responses may (and often do!) +reflect client or origin server failures. We should not penalize +cache_peers (and alert admins) until we can distinguish these frequent +client/origin failures from (relatively rare) cache_peer problems. This +change absolves cache_peers of CONNECT problems, restoring parity with +GETs and restoring v4 behavior changed (probably by accident) in v5. + +Also removed Http::StatusCode parameter from failure notification +functions because it became essentially unused after the primary +Http::Tunneler changes. Tunneler was the only source of status code +information that (in some cases) used received HTTP response to compute +that status code. All other cases extracted that status code from +Squid-generated errors. Those errors were arguably never meant to supply +status code information for "this failure is not our fault" decision, +and they do not supply 4xx status codes driving that decision. + +### Problem evolution + +2019 commit f5e1794 effectively started blaming cache_peer for all +FwdState CONNECT errors. That functionality change was probably +accidental, likely influenced by the names of noteConnectFailure() and +peerConnectFailed() functions that abbreviated "Connection", making the +functions look as applicable to CONNECT failures. Prior to that commit, +the functions were never used for CONNECT errors. After it, FwdState +started calling peerConnectFailed() for all CONNECT failures. 
+ +In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as +well (by moving that FwdState-only error handling code into Tunneler). +The same "accidental functionality change" speculations apply here. + +In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as +folks deploying newer code started complaining about cache_peers getting +blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We +did not realize that the blaming code itself was an unwanted accident. + +Now we are getting complaints about cache_peers getting blamed for 502 +and 503 CONNECT errors caused by, for example, domain names without IPs: +As these CONNECT error responses are propagated from parent to child +caches, every child cache in the chain logs ERRORs and every cache_peer +in the chain gets its health counter decreased! +--- + src/CachePeer.cc | 11 +---------- + src/CachePeer.h | 12 +++++------- + src/HappyConnOpener.cc | 2 +- + src/PeerPoolMgr.cc | 2 +- + src/clients/HttpTunneler.cc | 10 ++++++---- + src/clients/HttpTunneler.h | 2 +- + src/neighbors.cc | 2 +- + src/security/BlindPeerConnector.cc | 2 +- + src/security/PeerConnector.cc | 8 ++++---- + src/security/PeerConnector.h | 2 +- + src/tests/stub_libsecurity.cc | 2 +- + 11 files changed, 23 insertions(+), 32 deletions(-) + +diff --git a/src/CachePeer.cc b/src/CachePeer.cc +index a5c3adf..91045ef 100644 +--- a/src/CachePeer.cc ++++ b/src/CachePeer.cc +@@ -68,20 +68,11 @@ CachePeer::noteSuccess() + } + } + +-void +-CachePeer::noteFailure(const Http::StatusCode code) +-{ +- if (Http::Is4xx(code)) +- return; // this failure is not our fault +- +- countFailure(); +-} +- + // TODO: Require callers to detail failures instead of using one (and often + // misleading!) "connection failed" phrase for all of them. 
+ /// noteFailure() helper for handling failures attributed to this peer + void +-CachePeer::countFailure() ++CachePeer::noteFailure() + { + stats.last_connect_failure = squid_curtime; + if (tcp_up > 0) +diff --git a/src/CachePeer.h b/src/CachePeer.h +index 5b13e29..14e40ff 100644 +--- a/src/CachePeer.h ++++ b/src/CachePeer.h +@@ -38,9 +38,8 @@ public: + /// reacts to a successful establishment of a connection to this cache_peer + void noteSuccess(); + +- /// reacts to a failure on a connection to this cache_peer +- /// \param code a received response status code, if any +- void noteFailure(Http::StatusCode code); ++ /// reacts to a failed attempt to establish a connection to this cache_peer ++ void noteFailure(); + + /// (re)configure cache_peer name=value + void rename(const char *); +@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) + peer->noteSuccess(); + } + +-/// reacts to a failure on a connection to an origin server or cache_peer ++/// reacts to a failed attempt to establish a connection to an origin server or cache_peer + /// \param peer nil if the connection is to an origin server +-/// \param code a received response status code, if any + inline void +-NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) ++NoteOutgoingConnectionFailure(CachePeer * const peer) + { + if (peer) +- peer->noteFailure(code); ++ peer->noteFailure(); + } + + /// identify the given cache peer in cache.log messages and such +diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc +index 5ab9294..5e17a76 100644 +--- a/src/HappyConnOpener.cc ++++ b/src/HappyConnOpener.cc +@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar + lastError = makeError(ERR_CONNECT_FAIL); + lastError->xerrno = params.xerrno; + +- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); ++ NoteOutgoingConnectionFailure(params.conn->getPeer()); + + if (spareWaiting) + 
updateSpareWaitAfterPrimeFailure(); +diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc +index 9cb038e..6fb5b09 100644 +--- a/src/PeerPoolMgr.cc ++++ b/src/PeerPoolMgr.cc +@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) + } + + if (params.flag != Comm::OK) { +- NoteOutgoingConnectionFailure(peer, Http::scNone); ++ NoteOutgoingConnectionFailure(peer); + checkpoint("conn opening failure"); // may retry + return; + } +diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc +index 2fbc3fb..a6e49db 100644 +--- a/src/clients/HttpTunneler.cc ++++ b/src/clients/HttpTunneler.cc +@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) + { + closer = nullptr; + if (connection) { +- countFailingConnection(nullptr); ++ countFailingConnection(); + connection->noteClosure(); + connection = nullptr; + } +@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) + + if (const auto failingConnection = connection) { + // TODO: Reuse to-peer connections after a CONNECT error response. +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() + } + + void +-Http::Tunneler::countFailingConnection(const ErrorState * const error) ++Http::Tunneler::countFailingConnection() + { + assert(connection); +- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); ++ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because ++ // we do not blame cache_peer for CONNECT failures (on top of a successfully ++ // established connection to that cache_peer). 
+ if (noteFwdPconnUse && connection->isOpen()) + fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); + } +diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h +index 7886f09..596efcf 100644 +--- a/src/clients/HttpTunneler.h ++++ b/src/clients/HttpTunneler.h +@@ -80,7 +80,7 @@ private: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + AsyncCall::Pointer writer; ///< called when the request has been written + AsyncCall::Pointer reader; ///< called when the response should be read +diff --git a/src/neighbors.cc b/src/neighbors.cc +index 04b69c1..75f56c9 100644 +--- a/src/neighbors.cc ++++ b/src/neighbors.cc +@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int + if (status == Comm::OK) + p->noteSuccess(); + else +- p->noteFailure(Http::scNone); ++ p->noteFailure(); + + -- p->testing_now; + conn->close(); +diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc +index b9e5659..4c37f34 100644 +--- a/src/security/BlindPeerConnector.cc ++++ b/src/security/BlindPeerConnector.cc +@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) + // based on TCP results, SSL results, or both. And the code is probably not + // consistent in this aspect across tunnelling and forwarding modules. 
+ if (peer && peer->secure.encryptTransport) +- peer->noteFailure(error->httpStatus); ++ peer->noteFailure(); + return; + } + +diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc +index d458f99..d0131a1 100644 +--- a/src/security/PeerConnector.cc ++++ b/src/security/PeerConnector.cc +@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) + err->detailError(d); + + if (serverConn) { +- countFailingConnection(err); ++ countFailingConnection(); + serverConn->noteClosure(); + serverConn = nullptr; + } +@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) + answer().error = error; + + if (const auto failingConnection = serverConn) { +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() + } + + void +-Security::PeerConnector::countFailingConnection(const ErrorState * const error) ++Security::PeerConnector::countFailingConnection() + { + assert(serverConn); +- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); ++ NoteOutgoingConnectionFailure(serverConn->getPeer()); + // TODO: Calling PconnPool::noteUses() should not be our responsibility. 
+ if (noteFwdPconnUse && serverConn->isOpen()) + fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); +diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h +index a1d5ef9..401df06 100644 +--- a/src/security/PeerConnector.h ++++ b/src/security/PeerConnector.h +@@ -150,7 +150,7 @@ protected: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + /// If called the certificates validator will not used + void bypassCertValidator() {useCertValidator_ = false;} +diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc +index 6bd6204..b513a22 100644 +--- a/src/tests/stub_libsecurity.cc ++++ b/src/tests/stub_libsecurity.cc +@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB + void PeerConnector::sendSuccess() STUB + void PeerConnector::callBack() STUB + void PeerConnector::disconnect() STUB +-void PeerConnector::countFailingConnection(const ErrorState *) STUB ++void PeerConnector::countFailingConnection() STUB + void PeerConnector::recordNegotiationDetails() STUB + EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) + } diff --git a/squid.spec b/squid.spec index dbdcc3a..fea08a9 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 6.13 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -26,7 +26,12 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Patch101: patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1442 +Patch101: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch +# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47 +Patch103: squid-6.13-cache-peer-connect-errors.patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -37,10 +42,6 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1442 -Patch205: squid-6.1-crash-half-closed.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1914 -Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch # cache_swap.sh Requires: bash gawk @@ -315,6 +316,9 @@ fi %changelog +* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 +- Do not blame cache_peer for 4xx CONNECT responses + * Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 - new version 6.13 From 383c43dd7bcf46924ab261bf4a0937745a2e356e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 21 Jul 2025 19:36:11 +0200 Subject: [PATCH 55/61] new version 6.14 --- sources | 4 ++-- squid-6.1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 83d969f..02e8a81 100644 --- a/sources +++ b/sources 
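Review bot: The provenance comment above `Patch103` names upstream commit 022dbabd89249f839d1861aa87c1ab9e1a008a47, but the patch file added in this same commit carries `From 2e7dea3cedd3ef2f071dee82867c4147f17376dd` with the subject "Do not blame cache_peer for CONNECT errors (#1772)". Its description cites 022dbab as the earlier 2022 change that only exempted 4xx responses. A wrong reference makes it hard to check the backport against upstream or to tell when it can be dropped. I would change the comment to `# Upstream commit: https://github.com/squid-cache/squid/commit/2e7dea3cedd3ef2f071dee82867c4147f17376dd`. The changelog wording "4xx CONNECT responses" likewise describes the older commit rather than this patch.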
@@ -1,3 +1,3 @@ -SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1 -SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9 +SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5 +SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index 7539001..8bfdbdf 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index fea08a9..5c4ee42 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.13 -Release: 2%{?dist} +Version: 6.14 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -316,6 +316,9 @@ fi %changelog +* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 +- new version 6.14 + * Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 - Do not blame cache_peer for 4xx CONNECT responses From fea9e4c688052db60dc2833d2786c511f44d6b29 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Fri, 25 Jul 2025 18:41:07 +0000 Subject: [PATCH 56/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 5c4ee42..352f5a2 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 6.14 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -316,6 +316,9 @@ fi %changelog +* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 - new version 6.14 From 6e12cc940ee289ffca223c00616510350e50c89f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 14 Aug 2025 22:29:23 +0200 Subject: [PATCH 57/61] new version 7.1 removed squidclient removed purge removed cachemgr.cgi removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers --- sources | 4 +- squid-6.1-crash-half-closed.patch | 158 -------- squid-6.11-ignore-wsp-after-chunk-size.patch | 367 ------------------- squid-6.13-cache-peer-connect-errors.patch | 287 --------------- squid.spec | 33 +- 5 files changed, 17 insertions(+), 832 deletions(-) delete mode 100644 squid-6.1-crash-half-closed.patch delete mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch delete mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/sources b/sources index 02e8a81..700eafd 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5 -SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3 +SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df +SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch deleted file mode 100644 index 901ece2..0000000 --- a/squid-6.1-crash-half-closed.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -diff --git a/src/client_side.cc b/src/client_side.cc -index f488fc4..69586df 100644 ---- a/src/client_side.cc -+++ b/src/client_side.cc -@@ -932,7 +932,7 @@ ConnStateData::kick() - * We are done with the response, and we are either still receiving request - * body (early response!) or have already stopped receiving anything. - * -- * If we are still receiving, then clientParseRequest() below will fail. -+ * If we are still receiving, then parseRequests() below will fail. - * (XXX: but then we will call readNextRequest() which may succeed and - * execute a smuggled request as we are not done with the current request). - * -@@ -952,28 +952,12 @@ ConnStateData::kick() - * Attempt to parse a request from the request buffer. - * If we've been fed a pipelined request it may already - * be in our read buffer. -- * -- \par -- * This needs to fall through - if we're unlucky and parse the _last_ request -- * from our read buffer we may never re-register for another client read. - */ - -- if (clientParseRequests()) { -- debugs(33, 3, clientConnection << ": parsed next request from buffer"); -- } -+ parseRequests(); - -- /** \par -- * Either we need to kick-start another read or, if we have -- * a half-closed connection, kill it after the last request. -- * This saves waiting for half-closed connections to finished being -- * half-closed _AND_ then, sometimes, spending "Timeout" time in -- * the keepalive "Waiting for next request" state. -- */ -- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { -- debugs(33, 3, "half-closed client with no pending requests, closing"); -- clientConnection->close(); -+ if (!isOpen()) - return; -- } - - /** \par - * At this point we either have a parsed request (which we've -@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() - resetReadTimeout(Config.Timeout.request); - } - --/** -- * Attempt to parse one or more requests from the input buffer. 
-- * Returns true after completing parsing of at least one request [header]. That -- * includes cases where parsing ended with an error (e.g., a huge request). -- */ --bool --ConnStateData::clientParseRequests() -+/// Attempt to parse one or more requests from the input buffer. -+/// May close the connection. -+void -+ConnStateData::parseRequests() - { -- bool parsed_req = false; -- - debugs(33, 5, clientConnection << ": attempting to parse"); - - // Loop while we have read bytes that are not needed for producing the body -@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() - - processParsedRequest(context); - -- parsed_req = true; // XXX: do we really need to parse everything right NOW ? -- - if (context->mayUseConnection()) { - debugs(33, 3, "Not parsing new requests, as this request may need the connection"); - break; -@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() - } - } - -- /* XXX where to 'finish' the parsing pass? */ -- return parsed_req; -+ debugs(33, 7, "buffered leftovers: " << inBuf.length()); -+ -+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { -+ if (pipeline.empty()) { -+ // we processed what we could parse, and no more data is coming -+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); -+ clientConnection->close(); -+ } else { -+ // we parsed what we could, and no more data is coming -+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); -+ flags.readMore = false; // may already be false -+ } -+ } - } - - void -@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() - if (pipeline.empty()) - fd_note(clientConnection->fd, "Reading next request"); - -- if (!clientParseRequests()) { -- if (!isOpen()) -- return; -- // We may get here if the client half-closed after sending a partial -- // request. See doClientRead() and shouldCloseOnEof(). -- // XXX: This partially duplicates ConnStateData::kick(). 
-- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { -- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); -- clientConnection->close(); -- return; -- } -- } -+ parseRequests(); - - if (!isOpen()) - return; -@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) - startPinnedConnectionMonitoring(); - - if (pipeline.empty()) -- kick(); // in case clientParseRequests() was blocked by a busy pic.connection -+ kick(); // in case parseRequests() was blocked by a busy pic.connection - } - - /// Forward future client requests using the given server connection. -diff --git a/src/client_side.h b/src/client_side.h -index 6027b31..60b99b1 100644 ---- a/src/client_side.h -+++ b/src/client_side.h -@@ -98,7 +98,6 @@ public: - void doneWithControlMsg() override; - - /// Traffic parsing -- bool clientParseRequests(); - void readNextRequest(); - - /// try to make progress on a transaction or read more I/O -@@ -443,6 +442,7 @@ private: - - void checkLogging(); - -+ void parseRequests(); - void clientAfterReadingRequests(); - bool concurrentRequestQueueFilled() const; - -diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc -index 8c160e5..f49d5dc 100644 ---- a/src/tests/stub_client_side.cc -+++ b/src/tests/stub_client_side.cc -@@ -14,7 +14,7 @@ - #include "tests/STUB.h" - - #include "client_side.h" --bool ConnStateData::clientParseRequests() STUB_RETVAL(false) -+void ConnStateData::parseRequests() STUB - void ConnStateData::readNextRequest() STUB - bool ConnStateData::isOpen() const STUB_RETVAL(false) - void ConnStateData::kick() STUB diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch deleted file mode 100644 index ea4025f..0000000 --- a/squid-6.11-ignore-wsp-after-chunk-size.patch +++ /dev/null 
@@ -1,367 +0,0 @@ -From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Thu, 10 Oct 2024 19:26:27 +0200 -Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size - -Previously (before #1498 change), squid was accepting TE-chunked replies -with whitespaces after chunk-size and missing chunk-ext data. After - -It turned out that replies with such whitespace chars are pretty -common and other webservers which can act as forward proxies (e.g. -nginx, httpd...) are accepting them. - -This change will allow to proxy chunked responses from origin server, -which had whitespaces inbetween chunk-size and CRLF. ---- - src/http/one/TeChunkedParser.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 9cce10fdc91..04753395e16 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -+ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size - parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - -From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:06:31 +0200 -Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() - -Depending on new wsp_only argument in ParseBws() it will be decided -which set of whitespaces characters will be parsed. If wsp_only is set -to true, only SP and HTAB chars will be parsed. - -Also optimized number of ParseBws calls. 
---- - src/http/one/Parser.cc | 4 ++-- - src/http/one/Parser.h | 3 ++- - src/http/one/TeChunkedParser.cc | 13 +++++++++---- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index b1908316a0b..01d7e3bc0e8 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -273,9 +273,9 @@ Http::One::ErrorLevel() - - // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule - void --Http::One::ParseBws(Parser::Tokenizer &tok) -+Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - { -- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index d9a0ac8c273..08200371cd6 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,8 +163,9 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &); -+void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 04753395e16..41e1e5ddaea 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. 
- try { -- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size -- parseChunkExtensions(tok); // a possibly empty chunk-ext list -+ // A possibly empty chunk-ext list. If no chunk-ext has been found, -+ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -+ if (!parseChunkExtensions(tok)) -+ ParseBws(tok, true); -+ - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --void -+bool - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -+ bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size - - if (!tok.skip(';')) -- return; // reached the end of extensions (if any) -+ return foundChunkExt; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -+ foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 02eacd1bb89..8c5d4bb4cba 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- void parseChunkExtensions(Tokenizer &); -+ bool parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:44:33 
+0200 -Subject: [PATCH 3/6] Fix typo in Parser.h - ---- - src/http/one/Parser.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 08200371cd6..3ef4c5f7752 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,7 +163,7 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed - void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - -From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 22:39:42 -0400 -Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! - -Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ -spaces after chunk-size, which answers one of the PR review questions: -Should we skip just one space? No, we should not. - -The lines moved around in many commits, but I believe this regression -was introduced in commit 951013d0 because that commit stopped consuming -partially parsed chunk-ext sequences. That consumption was wrong, but it -had a positive side effect -- fixing Bug 4492... ---- - src/http/one/TeChunkedParser.cc | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 41e1e5ddaea..aa4a840fdcf 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. 
- try { -- // A possibly empty chunk-ext list. If no chunk-ext has been found, -- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -- if (!parseChunkExtensions(tok)) -- ParseBws(tok, true); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok, true); -+ -+ parseChunkExtensions(tok); - - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); -@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - do { - auto tok = callerTok; - -- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok); - - if (!tok.skip(';')) - return foundChunkExt; // reached the end of extensions (if any) - -From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:06:42 -0400 -Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling - -... to draw code reader attention when something unusual is going on. ---- - src/http/one/Parser.cc | 22 ++++++++++++++++++---- - src/http/one/Parser.h | 10 ++++++++-- - src/http/one/TeChunkedParser.cc | 14 ++++++-------- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 33 insertions(+), 15 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index 01d7e3bc0e8..d3937e5e96b 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -271,11 +271,12 @@ Http::One::ErrorLevel() - return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; - } - --// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule --void --Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) -+/// common part of ParseBws() and ParseStrctBws() -+namespace Http::One { -+static void -+ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - { -- const auto count = tok.skipAll(wsp_only ? 
CharacterSet::WSP : Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(bwsChars); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - - // success: no more BWS characters expected - } -+} // namespace Http::One -+ -+void -+Http::One::ParseBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, CharacterSet::WSP); -+} -+ -+void -+Http::One::ParseStrictBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, Parser::WhitespaceCharacters()); -+} - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 3ef4c5f7752..49e399de546 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,9 +163,15 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); -+/// \sa WhitespaceCharacters() for the definition of BWS characters -+/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties -+void ParseBws(Parser::Tokenizer &); -+ -+/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation -+/// must be used if the next element may start with CR or any other character -+/// from RelaxedDelimiterCharacters(). 
-+void ParseStrictBws(Parser::Tokenizer &); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index aa4a840fdcf..859471b8c77 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -- ParseBws(tok, true); -- -- parseChunkExtensions(tok); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. -+ // No ParseBws() here because it may consume CR required further below. -+ ParseStrictBws(tok); - -+ parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? 
Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --bool -+void - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -- bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); - - if (!tok.skip(';')) -- return foundChunkExt; // reached the end of extensions (if any) -+ return; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -- foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 8c5d4bb4cba..02eacd1bb89 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- bool parseChunkExtensions(Tokenizer &); -+ void parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:31:08 -0400 -Subject: [PATCH 6/6] fixup: Deadly typo - ---- - src/http/one/Parser.cc | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index d3937e5e96b..7403a9163a2 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - void - Http::One::ParseBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, CharacterSet::WSP); -+ ParseBws_(tok, Parser::WhitespaceCharacters()); - } - - void - 
Http::One::ParseStrictBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, Parser::WhitespaceCharacters()); -+ ParseBws_(tok, CharacterSet::WSP); - } - - diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch deleted file mode 100644 index 339d9ec..0000000 --- a/squid-6.13-cache-peer-connect-errors.patch +++ /dev/null 
@@ -1,287 +0,0 @@ -From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Tue, 2 Apr 2024 20:37:31 +0000 -Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) - - ERROR: Connection to [such-and-such-cache_peer] failed - TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT - -Squid does not alert an admin about (and decrease health level of) a -cache_peer that responded with an error to a GET request. Just like GET -responses from a cache_peer, CONNECT responses may (and often do!) -reflect client or origin server failures. We should not penalize -cache_peers (and alert admins) until we can distinguish these frequent -client/origin failures from (relatively rare) cache_peer problems. This -change absolves cache_peers of CONNECT problems, restoring parity with -GETs and restoring v4 behavior changed (probably by accident) in v5. - -Also removed Http::StatusCode parameter from failure notification -functions because it became essentially unused after the primary -Http::Tunneler changes. Tunneler was the only source of status code -information that (in some cases) used received HTTP response to compute -that status code. All other cases extracted that status code from -Squid-generated errors. Those errors were arguably never meant to supply -status code information for "this failure is not our fault" decision, -and they do not supply 4xx status codes driving that decision. - -### Problem evolution - -2019 commit f5e1794 effectively started blaming cache_peer for all -FwdState CONNECT errors. That functionality change was probably -accidental, likely influenced by the names of noteConnectFailure() and -peerConnectFailed() functions that abbreviated "Connection", making the -functions look as applicable to CONNECT failures. Prior to that commit, -the functions were never used for CONNECT errors. After it, FwdState -started calling peerConnectFailed() for all CONNECT failures. 
- -In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as -well (by moving that FwdState-only error handling code into Tunneler). -The same "accidental functionality change" speculations apply here. - -In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as -folks deploying newer code started complaining about cache_peers getting -blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We -did not realize that the blaming code itself was an unwanted accident. - -Now we are getting complaints about cache_peers getting blamed for 502 -and 503 CONNECT errors caused by, for example, domain names without IPs: -As these CONNECT error responses are propagated from parent to child -caches, every child cache in the chain logs ERRORs and every cache_peer -in the chain gets its health counter decreased! ---- - src/CachePeer.cc | 11 +---------- - src/CachePeer.h | 12 +++++------- - src/HappyConnOpener.cc | 2 +- - src/PeerPoolMgr.cc | 2 +- - src/clients/HttpTunneler.cc | 10 ++++++---- - src/clients/HttpTunneler.h | 2 +- - src/neighbors.cc | 2 +- - src/security/BlindPeerConnector.cc | 2 +- - src/security/PeerConnector.cc | 8 ++++---- - src/security/PeerConnector.h | 2 +- - src/tests/stub_libsecurity.cc | 2 +- - 11 files changed, 23 insertions(+), 32 deletions(-) - -diff --git a/src/CachePeer.cc b/src/CachePeer.cc -index a5c3adf..91045ef 100644 ---- a/src/CachePeer.cc -+++ b/src/CachePeer.cc -@@ -68,20 +68,11 @@ CachePeer::noteSuccess() - } - } - --void --CachePeer::noteFailure(const Http::StatusCode code) --{ -- if (Http::Is4xx(code)) -- return; // this failure is not our fault -- -- countFailure(); --} -- - // TODO: Require callers to detail failures instead of using one (and often - // misleading!) "connection failed" phrase for all of them. 
- /// noteFailure() helper for handling failures attributed to this peer - void --CachePeer::countFailure() -+CachePeer::noteFailure() - { - stats.last_connect_failure = squid_curtime; - if (tcp_up > 0) -diff --git a/src/CachePeer.h b/src/CachePeer.h -index 5b13e29..14e40ff 100644 ---- a/src/CachePeer.h -+++ b/src/CachePeer.h -@@ -38,9 +38,8 @@ public: - /// reacts to a successful establishment of a connection to this cache_peer - void noteSuccess(); - -- /// reacts to a failure on a connection to this cache_peer -- /// \param code a received response status code, if any -- void noteFailure(Http::StatusCode code); -+ /// reacts to a failed attempt to establish a connection to this cache_peer -+ void noteFailure(); - - /// (re)configure cache_peer name=value - void rename(const char *); -@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) - peer->noteSuccess(); - } - --/// reacts to a failure on a connection to an origin server or cache_peer -+/// reacts to a failed attempt to establish a connection to an origin server or cache_peer - /// \param peer nil if the connection is to an origin server --/// \param code a received response status code, if any - inline void --NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) -+NoteOutgoingConnectionFailure(CachePeer * const peer) - { - if (peer) -- peer->noteFailure(code); -+ peer->noteFailure(); - } - - /// identify the given cache peer in cache.log messages and such -diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc -index 5ab9294..5e17a76 100644 ---- a/src/HappyConnOpener.cc -+++ b/src/HappyConnOpener.cc -@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar - lastError = makeError(ERR_CONNECT_FAIL); - lastError->xerrno = params.xerrno; - -- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); -+ NoteOutgoingConnectionFailure(params.conn->getPeer()); - - if (spareWaiting) - 
updateSpareWaitAfterPrimeFailure(); -diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc -index 9cb038e..6fb5b09 100644 ---- a/src/PeerPoolMgr.cc -+++ b/src/PeerPoolMgr.cc -@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) - } - - if (params.flag != Comm::OK) { -- NoteOutgoingConnectionFailure(peer, Http::scNone); -+ NoteOutgoingConnectionFailure(peer); - checkpoint("conn opening failure"); // may retry - return; - } -diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc -index 2fbc3fb..a6e49db 100644 ---- a/src/clients/HttpTunneler.cc -+++ b/src/clients/HttpTunneler.cc -@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) - { - closer = nullptr; - if (connection) { -- countFailingConnection(nullptr); -+ countFailingConnection(); - connection->noteClosure(); - connection = nullptr; - } -@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) - - if (const auto failingConnection = connection) { - // TODO: Reuse to-peer connections after a CONNECT error response. -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() - } - - void --Http::Tunneler::countFailingConnection(const ErrorState * const error) -+Http::Tunneler::countFailingConnection() - { - assert(connection); -- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); -+ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because -+ // we do not blame cache_peer for CONNECT failures (on top of a successfully -+ // established connection to that cache_peer). 
- if (noteFwdPconnUse && connection->isOpen()) - fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); - } -diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h -index 7886f09..596efcf 100644 ---- a/src/clients/HttpTunneler.h -+++ b/src/clients/HttpTunneler.h -@@ -80,7 +80,7 @@ private: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - AsyncCall::Pointer writer; ///< called when the request has been written - AsyncCall::Pointer reader; ///< called when the response should be read -diff --git a/src/neighbors.cc b/src/neighbors.cc -index 04b69c1..75f56c9 100644 ---- a/src/neighbors.cc -+++ b/src/neighbors.cc -@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int - if (status == Comm::OK) - p->noteSuccess(); - else -- p->noteFailure(Http::scNone); -+ p->noteFailure(); - - -- p->testing_now; - conn->close(); -diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc -index b9e5659..4c37f34 100644 ---- a/src/security/BlindPeerConnector.cc -+++ b/src/security/BlindPeerConnector.cc -@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) - // based on TCP results, SSL results, or both. And the code is probably not - // consistent in this aspect across tunnelling and forwarding modules. 
- if (peer && peer->secure.encryptTransport) -- peer->noteFailure(error->httpStatus); -+ peer->noteFailure(); - return; - } - -diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc -index d458f99..d0131a1 100644 ---- a/src/security/PeerConnector.cc -+++ b/src/security/PeerConnector.cc -@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) - err->detailError(d); - - if (serverConn) { -- countFailingConnection(err); -+ countFailingConnection(); - serverConn->noteClosure(); - serverConn = nullptr; - } -@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) - answer().error = error; - - if (const auto failingConnection = serverConn) { -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() - } - - void --Security::PeerConnector::countFailingConnection(const ErrorState * const error) -+Security::PeerConnector::countFailingConnection() - { - assert(serverConn); -- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); -+ NoteOutgoingConnectionFailure(serverConn->getPeer()); - // TODO: Calling PconnPool::noteUses() should not be our responsibility. 
- if (noteFwdPconnUse && serverConn->isOpen()) - fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); -diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h -index a1d5ef9..401df06 100644 ---- a/src/security/PeerConnector.h -+++ b/src/security/PeerConnector.h -@@ -150,7 +150,7 @@ protected: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - /// If called the certificates validator will not used - void bypassCertValidator() {useCertValidator_ = false;} -diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc -index 6bd6204..b513a22 100644 ---- a/src/tests/stub_libsecurity.cc -+++ b/src/tests/stub_libsecurity.cc -@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB - void PeerConnector::sendSuccess() STUB - void PeerConnector::callBack() STUB - void PeerConnector::disconnect() STUB --void PeerConnector::countFailingConnection(const ErrorState *) STUB -+void PeerConnector::countFailingConnection() STUB - void PeerConnector::recordNegotiationDetails() STUB - EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) - } diff --git a/squid.spec b/squid.spec index 352f5a2..bf7b2f2 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.14 -Release: 2%{?dist} +Version: 7.1 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -26,12 +26,7 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Upstream PR: https://github.com/squid-cache/squid/pull/1442 -Patch101: squid-6.1-crash-half-closed.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1914 -Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch -# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47 -Patch103: squid-6.13-cache-peer-connect-errors.patch +# Patch101: squid-7.1-.....patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -119,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-eui \ --enable-follow-x-forwarded-for \ --enable-auth \ - --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \ - --enable-auth-ntlm="SMB_LM,fake" \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \ + --enable-auth-ntlm="fake" \ --enable-auth-digest="file,LDAP" \ --enable-auth-negotiate="kerberos" \ --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \ @@ -156,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-translation # workaround to build squid v5 -mkdir -p src/icmp/tests -mkdir -p tools/squidclient/tests -mkdir -p tools/tests +#mkdir -p src/icmp/tests +#mkdir -p tools/squidclient/tests +#mkdir -p tools/tests %make_build @@ -229,7 +224,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf -%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf %config(noreplace) %{_sysconfdir}/squid/mime.conf %config(noreplace) %{_sysconfdir}/squid/errorpage.css %config(noreplace) %{_sysconfdir}/sysconfig/squid 
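Review bot: The spec should say that, with `--enable-auth-ntlm="fake"` in the `@@ -119,8 +114,8 @@` hunk, the only NTLM helper this package builds is `fake`, which as far as I know does not verify credentials. Dropping the `SMB_LM` helpers is reasonable because LM-based authentication is obsolete. But nothing in the spec tells an admin that real NTLM validation now has to come from an external helper. I would add a comment such as `# NTLM: only the non-validating "fake" helper is built; real NTLM needs an external helper (e.g. Samba ntlm_auth)` above the `%configure` call rather than inside it, since the backslash-continued argument run cannot hold a comment line. The `%configure` invocation starts and ends outside this hunk.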
@@ -237,7 +231,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %config %{_sysconfdir}/squid/squid.conf.default %config %{_sysconfdir}/squid/mime.conf.default %config %{_sysconfdir}/squid/errorpage.css.default -%config %{_sysconfdir}/squid/cachemgr.conf.default %config(noreplace) %{_sysconfdir}/pam.d/squid %config(noreplace) %{_sysconfdir}/logrotate.d/squid @@ -246,10 +239,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %{_prefix}/lib/NetworkManager %{_datadir}/squid/icons %{_sbindir}/squid -%{_bindir}/squidclient -%{_bindir}/purge %{_mandir}/man8/* -%{_mandir}/man1/* %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_sysusersdir}/squid.conf @@ -316,6 +306,13 @@ fi %changelog +* Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 +- new version 7.1 +- removed squidclient +- removed purge +- removed cachemgr.cgi +- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers + * Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 3b10dff1195943f7da91454604681981c150b47e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 12 Sep 2025 01:25:20 +0200 Subject: [PATCH 58/61] Support provider keys that require NULL digest --- squid-7.1-provider-keys-digest.patch | 36 ++++++++++++++++++++++++++++ squid.spec | 6 ++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 squid-7.1-provider-keys-digest.patch diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch new file mode 100644 index 0000000..bd62ea1 --- /dev/null +++ b/squid-7.1-provider-keys-digest.patch 
@@ -0,0 +1,36 @@ +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc +index 09bad6d..59171b7 100644 +--- a/src/ssl/gadgets.cc ++++ b/src/ssl/gadgets.cc +@@ -15,6 +15,19 @@ + #include "security/Io.h" + #include "ssl/gadgets.h" + ++/// whether the given key requires a digest when signing ++static bool ++keyNeedsDigest(const EVP_PKEY * const pkey) { ++ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || ++ EVP_PKEY_is_a(pkey, "ML-DSA-65") || ++ EVP_PKEY_is_a(pkey, "ML-DSA-87") || ++ EVP_PKEY_is_a(pkey, "ED25519") || ++ EVP_PKEY_is_a(pkey, "ED448")) ++ return false; // no digest needed ++ ++ return true; // require a digest for all other types ++} ++ + void + Ssl::ForgetErrors() + { +@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu + assert(hash); + /*Now sign the request */ + if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) +- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); ++ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); + else //else sign with self key (self signed request) +- ret = X509_sign(cert.get(), pkey.get(), hash); ++ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); + + if (!ret) + return false; diff --git a/squid.spec b/squid.spec index bf7b2f2..ec105a4 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -37,6 +37,7 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch +Patch205: squid-7.1-provider-keys-digest.patch # cache_swap.sh Requires: bash gawk 
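Review bot: `keyNeedsDigest()` in the new squid-7.1-provider-keys-digest.patch decides by a fixed list of five algorithm names, so a provider key outside that list that must also be signed with a NULL digest still gets `hash` passed to `X509_sign()`, and `generateFakeSslCertificate()` returns false for it. That failure is closed (no certificate is minted), but the list needs editing for every new algorithm; querying the key is sturdier, e.g. with `EVP_PKEY_get_default_digest_name()`, keeping "use a digest" as the fallback when the query fails. `EVP_PKEY_is_a()` is an OpenSSL 3.0 API and the hunk shows no version guard, which is acceptable only while this package builds solely against OpenSSL 3 or newer. If the name list stays, a comment such as `// these key types hash internally; X509_sign() must get a NULL md` would explain the exemption. `generateFakeSslCertificate()` starts and ends outside the inner hunk.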
@@ -306,6 +307,9 @@ fi %changelog +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +- Support provider keys that require NULL digest + * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 - new version 7.1 - removed squidclient From a70045fc305bb0ab6afd4178e67b35ed38d041b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 24 Sep 2025 10:05:39 +0200 Subject: [PATCH 59/61] Support provider keys that require NULL digest - use upstream patch --- squid-7.1-provider-keys-digest.patch | 51 ++++++++++++++++++++-------- squid.spec | 4 +-- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch index bd62ea1..961a506 100644 --- a/squid-7.1-provider-keys-digest.patch +++ b/squid-7.1-provider-keys-digest.patch @@ -1,36 +1,59 @@ diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 09bad6d..59171b7 100644 +index 1f8ac9d..3f54e3d 100644 --- a/src/ssl/gadgets.cc 
+++ b/src/ssl/gadgets.cc -@@ -15,6 +15,19 @@ +@@ -13,6 +13,42 @@ #include "security/Io.h" #include "ssl/gadgets.h" -+/// whether the given key requires a digest when signing ++/// whether to supply a digest algorithm name when calling X509_sign() with the given key +static bool -+keyNeedsDigest(const EVP_PKEY * const pkey) { -+ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-65") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-87") || -+ EVP_PKEY_is_a(pkey, "ED25519") || -+ EVP_PKEY_is_a(pkey, "ED448")) -+ return false; // no digest needed ++signWithDigest(const Security::PrivateKeyPointer &key) { ++ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). ++ const auto pkey = key.get(); + -+ return true; // require a digest for all other types ++ // OpenSSL does not define a maximum name size, but does terminate longer ++ // names without returning an error to the caller. Many similar callers in ++ // OpenSSL sources use 80-byte buffers. ++ char defaultDigestName[80] = ""; ++ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); ++ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); ++ if (nameGetterResult <= 0) { ++ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); ++ // Backward compatibility: On error, assume digest should be used. ++ // TODO: Return false for -2 nameGetterResult as it "indicates the ++ // operation is not supported by the public key algorithm"? ++ return true; ++ } ++ ++ // The name "UNDEF" signifies that a digest must (for return value 2) or may ++ // (for return value 1) be left unspecified. ++ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) ++ return false; ++ ++ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. 
++ return true; ++} ++ ++/// OpenSSL X509_sign() wrapper ++static auto ++Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { ++ const auto digestOrNil = signWithDigest(key) ? &availableDigest : nullptr; ++ return X509_sign(&cert, key.get(), digestOrNil); +} + void Ssl::ForgetErrors() { -@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu +@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu assert(hash); /*Now sign the request */ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) - ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); -+ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, properties.signWithPkey, *hash); else //else sign with self key (self signed request) - ret = X509_sign(cert.get(), pkey.get(), hash); -+ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, pkey, *hash); if (!ret) return false; diff --git a/squid.spec b/squid.spec index ec105a4..1a32214 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -307,7 +307,7 @@ fi %changelog -* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 - Support provider keys that require NULL digest * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 From 8c77c2eb9851b794b03226cccaedf594ad0d3615 Mon Sep 17 00:00:00 2001 
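Review bot: `Sign()` silently drops the caller's `availableDigest` whenever `signWithDigest()` returns false, and neither its `/// OpenSSL X509_sign() wrapper` comment nor the `auto` return type tells a reader that, or what the result means. I would document the contract, e.g. `/// Signs cert with key, passing availableDigest only if the key accepts one; returns X509_sign()'s result (0 on failure)`, and spell the return type as `int`. Separately, the `EVP_PKEY_get_default_digest_name()` failure branch logs its `ERROR:` line at `debugs(83, 3, ...)`, which as far as I know is below Squid's default verbosity, so a key that then fails to sign may leave no trace in a default log; a more visible level there would help whoever has to diagnose a certificate-generation failure. The body of generateFakeSslCertificate that calls `Sign()` lies mostly outside the inner hunk.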
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 17 Oct 2025 10:53:46 +0200 Subject: [PATCH 60/61] new version 7.2 --- sources | 4 +- squid-7.1-provider-keys-digest.patch | 59 ---------------------------- squid.spec | 8 ++-- 3 files changed, 7 insertions(+), 64 deletions(-) delete mode 100644 squid-7.1-provider-keys-digest.patch diff --git a/sources b/sources index 700eafd..1a01cad 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df -SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6 +SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7 +SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch deleted file mode 100644 index 961a506..0000000 --- a/squid-7.1-provider-keys-digest.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 1f8ac9d..3f54e3d 100644 ---- a/src/ssl/gadgets.cc -+++ b/src/ssl/gadgets.cc -@@ -13,6 +13,42 @@ - #include "security/Io.h" - #include "ssl/gadgets.h" - -+/// whether to supply a digest algorithm name when calling X509_sign() with the given key -+static bool -+signWithDigest(const Security::PrivateKeyPointer &key) { -+ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). -+ const auto pkey = key.get(); -+ -+ // OpenSSL does not define a maximum name size, but does terminate longer -+ // names without returning an error to the caller. Many similar callers in -+ // OpenSSL sources use 80-byte buffers. -+ char defaultDigestName[80] = ""; -+ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); -+ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); -+ if (nameGetterResult <= 0) { -+ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); -+ // Backward compatibility: On error, assume digest should be used. -+ // TODO: Return false for -2 nameGetterResult as it "indicates the -+ // operation is not supported by the public key algorithm"? -+ return true; -+ } -+ -+ // The name "UNDEF" signifies that a digest must (for return value 2) or may -+ // (for return value 1) be left unspecified. -+ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) -+ return false; -+ -+ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. -+ return true; -+} -+ -+/// OpenSSL X509_sign() wrapper -+static auto -+Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { -+ const auto digestOrNil = signWithDigest(key) ? 
&availableDigest : nullptr; -+ return X509_sign(&cert, key.get(), digestOrNil); -+} -+ - void - Ssl::ForgetErrors() - { -@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu - assert(hash); - /*Now sign the request */ - if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) -- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); -+ ret = Sign(*cert, properties.signWithPkey, *hash); - else //else sign with self key (self signed request) -- ret = X509_sign(cert.get(), pkey.get(), hash); -+ ret = Sign(*cert, pkey, *hash); - - if (!ret) - return false; diff --git a/squid.spec b/squid.spec index 1a32214..5d3f86e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 7.1 -Release: 3%{?dist} +Version: 7.2 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -37,7 +37,6 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch -Patch205: squid-7.1-provider-keys-digest.patch # cache_swap.sh Requires: bash gawk @@ -307,6 +306,9 @@ fi %changelog +* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1 +- new version 7.2 + * Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 - Support provider keys that require NULL digest From d9e38f92158f83eef6f4a9cf9ddad9931d703413 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 29 Oct 2025 11:01:53 +0100 Subject: [PATCH 61/61] new version 7.3 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 1a01cad..304c790 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7 -SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f +SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b +SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 5d3f86e..84d079b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 7.2 +Version: 7.3 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -306,6 +306,9 @@ fi %changelog +* Wed Oct 29 2025 Luboš Uhliarik - 7:7.3-1 +- new version 7.3 + * Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1 - new version 7.2