From 014ff8bb7a1d9f2f3d3ab300bd7b6bfdf8728137 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 7 Nov 2023 21:24:03 +0100 Subject: [PATCH 01/26] new version 6.5 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 975ec82..24c2ba7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab -SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803 +SHA512 (squid-6.5.tar.xz) = d3a40f5f390f0042a8e981ca28755a90dd520230a06b4246ba7bec0c98025ce1cdc7426797a666f769addd60238e28e1f04d2c701ea2ef2d7329dbe87b830d70 +SHA512 (squid-6.5.tar.xz.asc) = bf6ab7128a6261ac63115f402925311be5f59ad9085d19813f842cfac4b385b47eb07c9398c85654896ef04f6678a4ea645edcbed503f4ac18a3920b6a03ed04 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index c1fffcf..a3f6dba 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.4 +Version: 6.5 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 +- new version 6.5 + * Tue Oct 24 2023 Luboš Uhliarik - 7:6.4-1 - new version 6.4 From 5580eab2d9db7b0f14a66cd8e8c17fa905490a51 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Tue, 12 Dec 2023 22:32:30 -0500 Subject: [PATCH 02/26] new version 6.6 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 24c2ba7..6823720 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.5.tar.xz) = d3a40f5f390f0042a8e981ca28755a90dd520230a06b4246ba7bec0c98025ce1cdc7426797a666f769addd60238e28e1f04d2c701ea2ef2d7329dbe87b830d70 -SHA512 (squid-6.5.tar.xz.asc) = bf6ab7128a6261ac63115f402925311be5f59ad9085d19813f842cfac4b385b47eb07c9398c85654896ef04f6678a4ea645edcbed503f4ac18a3920b6a03ed04 +SHA512 (squid-6.6.tar.xz) = 4ab261ed85ad674288467500aca9d8a48e3918b55f777635c0ba7a2551f248d35536848a5fbf2c946490a818004727f2aed33144f0a3ebab0be36cc4cffb020c +SHA512 (squid-6.6.tar.xz.asc) = 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index a3f6dba..8938081 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.5 +Version: 6.6 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 +- new version 6.6 + * Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 - new version 6.5 From ded59a53104e787986fdd65b98a0e3f599b67d4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 20 Dec 2023 14:54:02 +0100 Subject: [PATCH 03/26] Remove gopher mention from SPEC file, since gopher support has been removed --- squid.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8938081..ba852f7 100644 --- a/squid.spec +++ b/squid.spec 
@@ -83,7 +83,7 @@ Conflicts: NetworkManager < 1.20 %description Squid is a high-performance proxy caching server for Web clients, -supporting FTP, gopher, and HTTP data objects. Unlike traditional +supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking From 2af86284bc59404eec4b917537854c9e1d021fd0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 04:14:57 +0000 Subject: [PATCH 04/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index ba852f7..e34a531 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 - new version 6.6 From 24c56d185eaafd4fb39fc1d3094b74ee9acd0a33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 14 Feb 2024 00:34:23 +0100 Subject: [PATCH 05/26] new version 6.7 switch to autosetup fix FTBFS when using gcc14 --- sources | 6 +- squid-6.7-gcc-14.patch | 123 +++++++++++++++++++++++++++++++++++++++++ squid.spec | 24 ++++---- 3 files changed, 136 insertions(+), 17 deletions(-) create mode 100644 squid-6.7-gcc-14.patch diff --git a/sources b/sources index 6823720..d17889d 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.6.tar.xz) = 4ab261ed85ad674288467500aca9d8a48e3918b55f777635c0ba7a2551f248d35536848a5fbf2c946490a818004727f2aed33144f0a3ebab0be36cc4cffb020c -SHA512 (squid-6.6.tar.xz.asc) = 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 -SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 +SHA512 (squid-6.7.tar.xz) = 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 +SHA512 (squid-6.7.tar.xz.asc) = 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.7-gcc-14.patch b/squid-6.7-gcc-14.patch new file mode 100644 index 0000000..283f5ec --- /dev/null +++ b/squid-6.7-gcc-14.patch 
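Review bot: The `SHA512 (pgp.asc)` line changes from `09f7…` to `b1e1…` in this hunk, so the keyring that `%prep` later checks the tarball against (`%{gpgverify} --keyring='%{SOURCE2}'`, presumably pgp.asc) is replaced, yet the subject and the changelog entry mention only the 6.7 bump, autosetup and the gcc14 fix. A keyring swap is the one part of a version bump that can silently widen who is trusted to sign squid releases, so it deserves its own justification: which key fingerprint was added or dropped and where the new keyring was fetched from (upstream release announcement or keyserver). Suggest a changelog line along the lines of `- refresh pgp.asc keyring: <added/removed> key <fingerprint> (source: <URL>)` and, ideally, landing the keyring update as a separate commit so the key-material diff can be reviewed apart from the tarball hashes.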
@@ -0,0 +1,123 @@ +From 7080c9ea3c761f4ac67e3341bbc371383e4e739b Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:07:20 +1300 +Subject: [PATCH 1/4] Fix undefined std::find + +--- + src/helper/Reply.cc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/helper/Reply.cc b/src/helper/Reply.cc +index 93cd5c84322..2e5e92aa2be 100644 +--- a/src/helper/Reply.cc ++++ b/src/helper/Reply.cc +@@ -17,6 +17,8 @@ + #include "rfc1738.h" + #include "SquidString.h" + ++#include ++ + Helper::Reply::Reply() : + result(Helper::Unknown) + { + +From 906884bf2565025cbc5b322c47425defa07f1f8e Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:51:17 +1300 +Subject: [PATCH 2/4] Fix error: 'InstanceId<...>::InstanceId(const + InstanceId<...> &)' is private within this context + +--- + src/base/InstanceId.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h +index a48be882cc4..c4dd4090b00 100644 +--- a/src/base/InstanceId.h ++++ b/src/base/InstanceId.h +@@ -49,6 +49,7 @@ class InstanceId + typedef ValueType Value; ///< id storage type + + InstanceId() {change();} ++ InstanceId(const InstanceId &); ///< no copying; IDs are unique + + operator Value() const { return value; } + bool operator ==(const InstanceId &o) const { return value == o.value; } +@@ -67,10 +68,6 @@ class InstanceId + + public: + Value value = Value(); ///< instance identifier +- +-private: +- InstanceId(const InstanceId &); ///< not implemented; IDs are unique +- InstanceId& operator=(const InstanceId &); ///< not implemented + }; + + /// An InstanceIdDefinitions() helper. Avoid direct use. 
+ +From 2631e20bf8adc2102ba039baf86c1c64c158431f Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:58:47 +1300 +Subject: [PATCH 3/4] =?UTF-8?q?Fix=20error:=20=E2=80=98void*=20calloc(size?= + =?UTF-8?q?=5Ft,=20size=5Ft)=E2=80=99=20sizes?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... specified with ‘sizeof’ in the earlier argument +and not in the later argument [-Werror=calloc-transposed-args] +--- + src/auth/basic/LDAP/basic_ldap_auth.cc | 2 +- + src/auth/digest/eDirectory/edir_ldapext.cc | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc +index 4d9a78574cb..f79a5b88984 100644 +--- a/src/auth/basic/LDAP/basic_ldap_auth.cc ++++ b/src/auth/basic/LDAP/basic_ldap_auth.cc +@@ -795,7 +795,7 @@ readSecret(const char *filename) + if ((e = strrchr(buf, '\r'))) + *e = 0; + +- passwd = (char *) calloc(sizeof(char), strlen(buf) + 1); ++ passwd = static_cast(calloc(strlen(buf) + 1, sizeof(char))); + if (!passwd) { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + exit(EXIT_FAILURE); +diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc +index f34341c912c..13e7daca67b 100644 +--- a/src/auth/digest/eDirectory/edir_ldapext.cc ++++ b/src/auth/digest/eDirectory/edir_ldapext.cc +@@ -69,7 +69,7 @@ + + #define NMAS_LDAP_EXT_VERSION 1 + +-#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) ++#define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type)) + #define DEBUG(level, args) + + /********************************************************************** + +From 535606d99e04f3479af07c471768af688ff790cb Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 05:52:05 +1300 +Subject: [PATCH 4/4] Update src/base/InstanceId.h + +Co-authored-by: Alex Rousskov +--- + src/base/InstanceId.h | 2 +- + 1 file changed, 1 
insertion(+), 1 deletion(-) + +diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h +index c4dd4090b00..d3e2ebb2b2e 100644 +--- a/src/base/InstanceId.h ++++ b/src/base/InstanceId.h +@@ -49,7 +49,7 @@ class InstanceId + typedef ValueType Value; ///< id storage type + + InstanceId() {change();} +- InstanceId(const InstanceId &); ///< no copying; IDs are unique ++ InstanceId(InstanceId &&) = delete; // no copying/moving of any kind + + operator Value() const { return value; } + bool operator ==(const InstanceId &o) const { return value == o.value; } diff --git a/squid.spec b/squid.spec index e34a531..490653c 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.6 -Release: 2%{?dist} +Version: 6.7 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -38,6 +38,8 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch +# https://github.com/squid-cache/squid/pull/1673 +Patch206: squid-6.7-gcc-14.patch # cache_swap.sh Requires: bash gawk @@ -95,19 +97,8 @@ lookup program (dnsserver), a program for retrieving FTP data %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q -# Upstream patches - -# Backported patches -# %patch101 -p1 -b .patch - -# Local patches -%patch -P 201 -p1 -b .config -%patch -P 202 -p1 -b .location -%patch -P 203 -p1 -b .perlpath -%patch -P 204 -p1 -b .symlink-lang-err -%patch -P 205 -p1 -b .crash-half-closed +%autosetup -p1 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation 
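Review bot: After patch 4/4 in this file `InstanceId` declares only `InstanceId(InstanceId &&) = delete;` and no assignment operator, because patch 2/4 removed the private `operator=` declaration; that is sound C++ (a user-declared move constructor makes the implicit copy constructor and both assignment operators deleted), but the comment `// no copying/moving of any kind` does not say that assignment is suppressed by that rule rather than by oversight. Suggest `// deleted move ctor also suppresses implicit copy ctor and assignment; IDs are unique` so the next reader does not "fix" it by re-adding declarations. The intermediate state after patch 2/4 — a public, declared-but-never-defined copy constructor — would turn an accidental copy into a link error instead of a compile error, which is harmless only because 4/4 ships in the same patch file; the two should not be split if this backport is ever trimmed.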
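Review bot: `%autosetup -p1` now applies every `PatchN` tag in numeric order, which retires the `# Upstream patches` / `# Backported patches` / `# Local patches` grouping this hunk removes, yet the new upstream backport is registered as `Patch206`, after the local 201–205 patches, whereas the removed `# %patch101 -p1 -b .patch` placeholder shows backports were meant for the 1xx range. Numbering it `Patch101: squid-6.7-gcc-14.patch` keeps upstream fixes applied before local ones and matches the convention the spec itself documented. The `%{gpgverify}` line correctly stays ahead of `%autosetup`, so unpacking and patching remain gated on the signature check; `%prep` continues past the hunk (the vendor-documentation step), so the patch ordering is the only thing in the visible part worth adjusting.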
@@ -335,6 +326,11 @@ fi %changelog +* Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 +- new version 6.7 +- switch to autosetup +- fix FTBFS when using gcc14 + * Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5c7c3985cfee87f8be71b06ad85957ce4483c247 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Sat, 9 Mar 2024 04:10:00 +0100 Subject: [PATCH 06/26] new version 6.8 --- sources | 4 +- squid-6.7-gcc-14.patch | 123 ----------------------------------------- squid.spec | 7 ++- 3 files changed, 6 insertions(+), 128 deletions(-) delete mode 100644 squid-6.7-gcc-14.patch diff --git a/sources b/sources index d17889d..8d6d769 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.7.tar.xz) = 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 -SHA512 (squid-6.7.tar.xz.asc) = 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +SHA512 (squid-6.8.tar.xz) = 25509662de0b16af763a7aca090937b16c9ae15cb29ae1275634db9091eba511de33e9119ef8552fda936b7a7cfd1b7e51f6082c039c8e9e9f7da64d5efac992 +SHA512 (squid-6.8.tar.xz.asc) = 118c6b2022ee0b62c83484742a6ae3ee6402ddb06d5f8e953b67185499070e5b1b04cb97953d4f73e91c420e86956f73787ea2208609e451ec2c24a7701a9f24 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.7-gcc-14.patch b/squid-6.7-gcc-14.patch deleted file mode 100644 index 283f5ec..0000000 --- a/squid-6.7-gcc-14.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 7080c9ea3c761f4ac67e3341bbc371383e4e739b Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:07:20 +1300 -Subject: [PATCH 1/4] Fix undefined std::find - ---- - src/helper/Reply.cc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/helper/Reply.cc b/src/helper/Reply.cc -index 93cd5c84322..2e5e92aa2be 100644 ---- a/src/helper/Reply.cc -+++ b/src/helper/Reply.cc -@@ -17,6 +17,8 @@ - #include "rfc1738.h" - #include "SquidString.h" - -+#include -+ - Helper::Reply::Reply() : - result(Helper::Unknown) - { - -From 906884bf2565025cbc5b322c47425defa07f1f8e Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:51:17 +1300 -Subject: [PATCH 2/4] Fix error: 'InstanceId<...>::InstanceId(const - InstanceId<...> &)' is private within this context - ---- - src/base/InstanceId.h | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h -index a48be882cc4..c4dd4090b00 100644 ---- a/src/base/InstanceId.h -+++ b/src/base/InstanceId.h -@@ -49,6 +49,7 @@ class InstanceId - typedef ValueType Value; ///< id storage type - - InstanceId() {change();} -+ InstanceId(const InstanceId &); ///< no copying; IDs are unique - - operator Value() const { return value; } - bool operator ==(const InstanceId &o) const { return value == o.value; } -@@ -67,10 +68,6 @@ class InstanceId - - public: - Value value = Value(); ///< instance identifier -- --private: -- InstanceId(const InstanceId &); ///< not implemented; IDs are unique -- InstanceId& operator=(const InstanceId &); ///< not implemented - }; - - /// An InstanceIdDefinitions() helper. Avoid direct use. 
- -From 2631e20bf8adc2102ba039baf86c1c64c158431f Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:58:47 +1300 -Subject: [PATCH 3/4] =?UTF-8?q?Fix=20error:=20=E2=80=98void*=20calloc(size?= - =?UTF-8?q?=5Ft,=20size=5Ft)=E2=80=99=20sizes?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -... specified with ‘sizeof’ in the earlier argument -and not in the later argument [-Werror=calloc-transposed-args] ---- - src/auth/basic/LDAP/basic_ldap_auth.cc | 2 +- - src/auth/digest/eDirectory/edir_ldapext.cc | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc -index 4d9a78574cb..f79a5b88984 100644 ---- a/src/auth/basic/LDAP/basic_ldap_auth.cc -+++ b/src/auth/basic/LDAP/basic_ldap_auth.cc -@@ -795,7 +795,7 @@ readSecret(const char *filename) - if ((e = strrchr(buf, '\r'))) - *e = 0; - -- passwd = (char *) calloc(sizeof(char), strlen(buf) + 1); -+ passwd = static_cast(calloc(strlen(buf) + 1, sizeof(char))); - if (!passwd) { - fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); - exit(EXIT_FAILURE); -diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc -index f34341c912c..13e7daca67b 100644 ---- a/src/auth/digest/eDirectory/edir_ldapext.cc -+++ b/src/auth/digest/eDirectory/edir_ldapext.cc -@@ -69,7 +69,7 @@ - - #define NMAS_LDAP_EXT_VERSION 1 - --#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) -+#define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type)) - #define DEBUG(level, args) - - /********************************************************************** - -From 535606d99e04f3479af07c471768af688ff790cb Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 05:52:05 +1300 -Subject: [PATCH 4/4] Update src/base/InstanceId.h - -Co-authored-by: Alex Rousskov ---- - src/base/InstanceId.h | 2 +- - 1 file changed, 1 
insertion(+), 1 deletion(-) - -diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h -index c4dd4090b00..d3e2ebb2b2e 100644 ---- a/src/base/InstanceId.h -+++ b/src/base/InstanceId.h -@@ -49,7 +49,7 @@ class InstanceId - typedef ValueType Value; ///< id storage type - - InstanceId() {change();} -- InstanceId(const InstanceId &); ///< no copying; IDs are unique -+ InstanceId(InstanceId &&) = delete; // no copying/moving of any kind - - operator Value() const { return value; } - bool operator ==(const InstanceId &o) const { return value == o.value; } diff --git a/squid.spec b/squid.spec index 490653c..94a138d 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.7 +Version: 6.8 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -38,8 +38,6 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch -# https://github.com/squid-cache/squid/pull/1673 -Patch206: squid-6.7-gcc-14.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +324,9 @@ fi %changelog +* Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 +- new version 6.8 + * Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 - new version 6.7 - switch to autosetup From 8f425c9ec24cef71e2cca266d6e2906ab6c7a21a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 17 Apr 2024 01:26:51 +0200 Subject: [PATCH 07/26] Resolves: #2262715 - squid-6.9 is available --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 8d6d769..a42cd14 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.8.tar.xz) = 25509662de0b16af763a7aca090937b16c9ae15cb29ae1275634db9091eba511de33e9119ef8552fda936b7a7cfd1b7e51f6082c039c8e9e9f7da64d5efac992 -SHA512 (squid-6.8.tar.xz.asc) = 118c6b2022ee0b62c83484742a6ae3ee6402ddb06d5f8e953b67185499070e5b1b04cb97953d4f73e91c420e86956f73787ea2208609e451ec2c24a7701a9f24 +SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e +SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 94a138d..6e8a194 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.8 +Version: 6.9 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -324,6 +324,9 @@ fi %changelog +* Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 +- Resolves: #2262715 - squid-6.9 is available + * Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 - new version 6.8 From 71d404cc388ccce1a343081da6ee97a4a3aaf069 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 1 Jul 2024 11:20:18 +0200 Subject: [PATCH 08/26] new version 6.10 Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may lead to Denial of Service --- sources | 4 ++-- squid.spec | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/sources b/sources index a42cd14..38903ce 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e -SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa +SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 +SHA512 (squid-6.10.tar.xz.asc) = 5e9d053db90549760f7a675d9f4703ecde460906cb09dff489f9db5d0f7826fb30487c9b009cc4577f3f061f3c7b3a667418af298f55f882f696884dc536bf53 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 6e8a194..8d0f9e2 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.9 +Version: 6.10 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -324,6 +324,11 @@ fi %changelog +* Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 +- new version 6.10 +- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may + lead to Denial of Service + * Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 - Resolves: #2262715 - squid-6.9 is available From bc07278a7c3b6e94716a0b71bb92f443ecffd70e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 06:20:17 +0000 Subject: [PATCH 09/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8d0f9e2..c02c88b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -324,6 +324,9 @@ fi %changelog +* Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 - new version 6.10 - Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may From 259e6f50ca2a8f1bceb11ecc23318c4947c5adca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 25 Sep 2024 15:38:12 +0200 Subject: [PATCH 10/26] new version 6.11 --- sources | 4 ++-- squid-6.1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 38903ce..469e7e0 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 -SHA512 (squid-6.10.tar.xz.asc) = 5e9d053db90549760f7a675d9f4703ecde460906cb09dff489f9db5d0f7826fb30487c9b009cc4577f3f061f3c7b3a667418af298f55f882f696884dc536bf53 +SHA512 (squid-6.11.tar.xz) = 669f658b0a58514f98c2b33df874706d40b9ed0837e1f32e08e274c79617063e06e706932011a34b115dcc96d43125f9cea30fba459cd31a88e3afd9b6076d7a +SHA512 (squid-6.11.tar.xz.asc) = e4bf8a77fe431eb6ba7ff9c10511d987692438d66c4aa72739b4fedf73aa6e6704e4da756ffcfeb82b9d76be9a3e4bb963dd523132cda732077898785cc6bbb9 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index fe37759..7539001 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index c02c88b..f4fd37a 100644 
--- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.10 -Release: 2%{?dist} +Version: 6.11 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -324,6 +324,9 @@ fi %changelog +* Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 +- new version 6.11 + * Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 8504f8d8faa18c410053b85036e2522d738b3d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 11 Oct 2024 20:22:16 +0200 Subject: [PATCH 11/26] ignore SP and HTAB chars after chunk-size --- squid-6.11-ignore-wsp-after-chunk-size.patch | 367 +++++++++++++++++++ squid.spec | 7 +- 2 files changed, 373 insertions(+), 1 deletion(-) create mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch new file mode 100644 index 0000000..ea4025f --- /dev/null +++ b/squid-6.11-ignore-wsp-after-chunk-size.patch 
@@ -0,0 +1,367 @@ +From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 10 Oct 2024 19:26:27 +0200 +Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size + +Previously (before #1498 change), squid was accepting TE-chunked replies +with whitespaces after chunk-size and missing chunk-ext data. After + +It turned out that replies with such whitespace chars are pretty +common and other webservers which can act as forward proxies (e.g. +nginx, httpd...) are accepting them. + +This change will allow to proxy chunked responses from origin server, +which had whitespaces inbetween chunk-size and CRLF. +--- + src/http/one/TeChunkedParser.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 9cce10fdc91..04753395e16 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { ++ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size + parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + +From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:06:31 +0200 +Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() + +Depending on new wsp_only argument in ParseBws() it will be decided +which set of whitespaces characters will be parsed. If wsp_only is set +to true, only SP and HTAB chars will be parsed. + +Also optimized number of ParseBws calls. 
+--- + src/http/one/Parser.cc | 4 ++-- + src/http/one/Parser.h | 3 ++- + src/http/one/TeChunkedParser.cc | 13 +++++++++---- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index b1908316a0b..01d7e3bc0e8 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -273,9 +273,9 @@ Http::One::ErrorLevel() + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule + void +-Http::One::ParseBws(Parser::Tokenizer &tok) ++Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + { +- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index d9a0ac8c273..08200371cd6 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,8 +163,9 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &); ++void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 04753395e16..41e1e5ddaea 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. 
+ try { +- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size +- parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ // A possibly empty chunk-ext list. If no chunk-ext has been found, ++ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". ++ if (!parseChunkExtensions(tok)) ++ ParseBws(tok, true); ++ + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-void ++bool + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { ++ bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +- return; // reached the end of extensions (if any) ++ return foundChunkExt; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; ++ foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 02eacd1bb89..8c5d4bb4cba 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- void parseChunkExtensions(Tokenizer &); ++ bool parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:44:33 
+0200 +Subject: [PATCH 3/6] Fix typo in Parser.h + +--- + src/http/one/Parser.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 08200371cd6..3ef4c5f7752 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,7 +163,7 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed + void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + +From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 22:39:42 -0400 +Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! + +Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ +spaces after chunk-size, which answers one of the PR review questions: +Should we skip just one space? No, we should not. + +The lines moved around in many commits, but I believe this regression +was introduced in commit 951013d0 because that commit stopped consuming +partially parsed chunk-ext sequences. That consumption was wrong, but it +had a positive side effect -- fixing Bug 4492... +--- + src/http/one/TeChunkedParser.cc | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 41e1e5ddaea..aa4a840fdcf 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. 
+ try { +- // A possibly empty chunk-ext list. If no chunk-ext has been found, +- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". +- if (!parseChunkExtensions(tok)) +- ParseBws(tok, true); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok, true); ++ ++ parseChunkExtensions(tok); + + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); +@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + do { + auto tok = callerTok; + +- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok); + + if (!tok.skip(';')) + return foundChunkExt; // reached the end of extensions (if any) + +From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:06:42 -0400 +Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling + +... to draw code reader attention when something unusual is going on. +--- + src/http/one/Parser.cc | 22 ++++++++++++++++++---- + src/http/one/Parser.h | 10 ++++++++-- + src/http/one/TeChunkedParser.cc | 14 ++++++-------- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 33 insertions(+), 15 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index 01d7e3bc0e8..d3937e5e96b 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -271,11 +271,12 @@ Http::One::ErrorLevel() + return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; + } + +-// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-void +-Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) ++/// common part of ParseBws() and ParseStrctBws() ++namespace Http::One { ++static void ++ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + { +- const auto count = tok.skipAll(wsp_only ? 
CharacterSet::WSP : Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(bwsChars); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + + // success: no more BWS characters expected + } ++} // namespace Http::One ++ ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, CharacterSet::WSP); ++} ++ ++void ++Http::One::ParseStrictBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, Parser::WhitespaceCharacters()); ++} + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 3ef4c5f7752..49e399de546 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,9 +163,15 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); ++/// \sa WhitespaceCharacters() for the definition of BWS characters ++/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties ++void ParseBws(Parser::Tokenizer &); ++ ++/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation ++/// must be used if the next element may start with CR or any other character ++/// from RelaxedDelimiterCharacters(). 
++void ParseStrictBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index aa4a840fdcf..859471b8c77 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- ParseBws(tok, true); +- +- parseChunkExtensions(tok); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. ++ // No ParseBws() here because it may consume CR required further below. ++ ParseStrictBws(tok); + ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? 
Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-bool ++void + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { +- bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); + + if (!tok.skip(';')) +- return foundChunkExt; // reached the end of extensions (if any) ++ return; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; +- foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 8c5d4bb4cba..02eacd1bb89 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- bool parseChunkExtensions(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:31:08 -0400 +Subject: [PATCH 6/6] fixup: Deadly typo + +--- + src/http/one/Parser.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index d3937e5e96b..7403a9163a2 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + void + Http::One::ParseBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, CharacterSet::WSP); ++ ParseBws_(tok, Parser::WhitespaceCharacters()); + } + + void + 
Http::One::ParseStrictBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, Parser::WhitespaceCharacters()); ++ ParseBws_(tok, CharacterSet::WSP); + } + + diff --git a/squid.spec b/squid.spec index f4fd37a..bfed799 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -38,6 +38,8 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch # cache_swap.sh Requires: bash gawk @@ -324,6 +326,9 @@ fi %changelog +* Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 +- ignore SP and HTAB chars after chunk-size + * Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 - new version 6.11 From 9e3214a7297593a7cf0ea6a40bd892d351137976 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 23 Oct 2024 21:35:04 +0200 Subject: [PATCH 12/26] new version 6.12 Fix TCP_MISS_ABORTED/100 erros when uploading --- sources | 4 +- squid-6.12-large-upload-buffer-dies.patch | 117 ++++++++++++++++++++++ squid.spec | 10 +- 3 files changed, 127 insertions(+), 4 deletions(-) create mode 100644 squid-6.12-large-upload-buffer-dies.patch diff --git a/sources b/sources index 469e7e0..f79692e 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (squid-6.11.tar.xz) = 669f658b0a58514f98c2b33df874706d40b9ed0837e1f32e08e274c79617063e06e706932011a34b115dcc96d43125f9cea30fba459cd31a88e3afd9b6076d7a
-SHA512 (squid-6.11.tar.xz.asc) = e4bf8a77fe431eb6ba7ff9c10511d987692438d66c4aa72739b4fedf73aa6e6704e4da756ffcfeb82b9d76be9a3e4bb963dd523132cda732077898785cc6bbb9
+SHA512 (squid-6.12.tar.xz) = 7ab61f19416426fb8284de7bddc1ea9a5a7b3148fc54c018a243071ba5854610ef38a248f6a22634a2acb7d3ea408b582af1f48818dfe698ade0b7b8c00fd183
+SHA512 (squid-6.12.tar.xz.asc) = 34cd6e9f6f908626184ea6995bcb340a939c00b6254f4427967282fb6e4b89e5cf9c02f8df9f61f2ae9ea08a4ec3796840eeb327e123299e26683a5ecb9b9a0f
 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-6.12-large-upload-buffer-dies.patch b/squid-6.12-large-upload-buffer-dies.patch
new file mode 100644
index 0000000..459d528
--- /dev/null
+++ b/squid-6.12-large-upload-buffer-dies.patch
@@ -0,0 +1,117 @@ +From 4d6dd3ddba5e850a42c86d8233735165a371c31c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Sun, 1 Sep 2024 00:39:34 +0000 +Subject: [PATCH] Bug 5405: Large uploads fill request buffer and die (#1887) + + maybeMakeSpaceAvailable: request buffer full + ReadNow: ... size 0, retval 0, errno 0 + terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT + %Ss=TCP_MISS_ABORTED + +This bug is triggered by a combination of the following two conditions: + +* HTTP client upload fills Squid request buffer faster than it is + drained by an origin server, cache_peer, or REQMOD service. The buffer + accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64 + KB internal "pipe" buffer). + +* The affected server or service consumes a few bytes after the critical + accumulation is reached. In other words, the bug cannot be triggered + if nothing is consumed after the first condition above is met. + +Comm::ReadNow() must not be called with a full buffer: Related +FD_READ_METHOD() code cannot distinguish "received EOF" from "had no +buffer space" outcomes. Server::readSomeData() tried to prevent such +calls, but the corresponding check had two problems: + +* The check had an unsigned integer underflow bug[^1] that made it + ineffective when inBuf length exceeded Config.maxRequestBufferSize. + That length could exceed the limit due to reconfiguration and when + inBuf space size first grew outside of maybeMakeSpaceAvailable() + protections (e.g., during an inBuf.c_str() call) and then got filled + with newly read data. That growth started happening after 2020 commit + 1dfbca06 optimized SBuf::cow() to merge leading and trailing space. + Prior to that commit, Bug 5405 could probably only affect Squid + reconfigurations that lower client_request_buffer_max_size. + +* The check was separated from the ReadNow() call it was meant to + protect. 
While ConnStateData was waiting for the socket to become + ready for reading, various asynchronous events could alter inBuf or + Config.maxRequestBufferSize. + +This change fixes both problems. + +This change also fixes Squid Bug 5214. + +[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7 +while trying to emulate the original "do not read less than two bytes" +ConnStateData::In::maybeMakeSpaceAvailable() condition. That condition +itself looks like a leftover from manual zero-terminated input buffer +days that ended with 2014 commit e7287625. It is now removed. +--- + +diff --git a/src/servers/Server.cc b/src/servers/Server.cc +index 70fd10b..dd20619 100644 +--- a/src/servers/Server.cc ++++ b/src/servers/Server.cc +@@ -83,16 +83,25 @@ Server::maybeMakeSpaceAvailable() + debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize); + } + ++bool ++Server::mayBufferMoreRequestBytes() const ++{ ++ // TODO: Account for bodyPipe buffering as well. 
++ if (inBuf.length() >= Config.maxRequestBufferSize) { ++ debugs(33, 4, "no: " << inBuf.length() << '-' << Config.maxRequestBufferSize << '=' << (inBuf.length() - Config.maxRequestBufferSize)); ++ return false; ++ } ++ debugs(33, 7, "yes: " << Config.maxRequestBufferSize << '-' << inBuf.length() << '=' << (Config.maxRequestBufferSize - inBuf.length())); ++ return true; ++} ++ + void + Server::readSomeData() + { + if (reading()) + return; + +- debugs(33, 4, clientConnection << ": reading request..."); +- +- // we can only read if there is more than 1 byte of space free +- if (Config.maxRequestBufferSize - inBuf.length() < 2) ++ if (!mayBufferMoreRequestBytes()) + return; + + typedef CommCbMemFunT Dialer; +@@ -123,7 +132,16 @@ Server::doClientRead(const CommIoCbParams &io) + * Plus, it breaks our lame *HalfClosed() detection + */ + ++ // mayBufferMoreRequestBytes() was true during readSomeData(), but variables ++ // like Config.maxRequestBufferSize may have changed since that check ++ if (!mayBufferMoreRequestBytes()) { ++ // XXX: If we avoid Comm::ReadNow(), we should not Comm::Read() again ++ // when the wait is over; resume these doClientRead() checks instead. 
++ return; // wait for noteMoreBodySpaceAvailable() or a similar inBuf draining event ++ } + maybeMakeSpaceAvailable(); ++ Assure(inBuf.spaceSize()); ++ + CommIoCbParams rd(this); // will be expanded with ReadNow results + rd.conn = io.conn; + switch (Comm::ReadNow(rd, inBuf)) { +diff --git a/src/servers/Server.h b/src/servers/Server.h +index ef105f5..6e549b3 100644 +--- a/src/servers/Server.h ++++ b/src/servers/Server.h +@@ -119,6 +119,9 @@ protected: + /// abort any pending transactions and prevent new ones (by closing) + virtual void terminateAll(const Error &, const LogTagsErrors &) = 0; + ++ /// whether client_request_buffer_max_size allows inBuf.length() increase ++ bool mayBufferMoreRequestBytes() const; ++ + void doClientRead(const CommIoCbParams &io); + void clientWriteDone(const CommIoCbParams &io); + diff --git a/squid.spec b/squid.spec index bfed799..2ee61da 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.11 -Release: 2%{?dist} +Version: 6.12 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,6 +40,8 @@ Patch204: squid-6.1-symlink-lang-err.patch Patch205: squid-6.1-crash-half-closed.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch +# https://bugs.squid-cache.org/show_bug.cgi?id=5214 +Patch207: squid-6.12-large-upload-buffer-dies.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +328,10 @@ fi %changelog +* Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 +- new version 6.12 +- Fix TCP_MISS_ABORTED/100 erros when uploading + * Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 - ignore SP and HTAB chars after chunk-size From e91b352f108c5c8897982cbb51d468ce421d61b1 Mon Sep 17 00:00:00 2001 
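Review bot: `Assure(inBuf.spaceSize())` after `maybeMakeSpaceAvailable()` in doClientRead turns any disagreement between the two limit checks into a thrown assertion rather than a wait: mayBufferMoreRequestBytes() compares inBuf.length() against Config.maxRequestBufferSize, while the context at the top of the hunk shows maybeMakeSpaceAvailable() has its own "request buffer full" branch whose condition is outside this view. If those two conditions can diverge, the Assure becomes reachable on a legitimate upload, so the invariant deserves a comment such as `// mayBufferMoreRequestBytes() above guarantees maybeMakeSpaceAvailable() found room; Assure() pins that coupling`. The early `return` just before it leaves no Comm::Read() pending until inBuf drains, as the XXX comment admits; for a packaged backport that limitation is worth one line in %changelog so it is not later reported as a new hang. doClientRead() starts outside the hunk and both it and readSomeData() continue past it.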
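Review bot: The comment above `Patch207` cites bug 5214, but the patch file it introduces is titled "Bug 5405: Large uploads fill request buffer and die (#1887)" and names 5214 only as an additional fix, and the neighbouring Patch205/Patch206 entries cite the upstream PR instead. Suggest `# Upstream PR: https://github.com/squid-cache/squid/pull/1887 (Bug 5405; also fixes Bug 5214)` so the next rebase can find the upstream change and drop the patch when 6.13 includes it. The changelog hunk that follows also carries the "erros" typo from the commit subject.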
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 1 Nov 2024 16:39:14 +0100 Subject: [PATCH 13/26] Disable ESI support since ESI support has been also removed from squid 7 Resolves: CVE-2024-45802 squid: Denial of Service processing ESI response content --- squid.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/squid.spec b/squid.spec index 2ee61da..0631e68 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -59,8 +59,6 @@ BuildRequires: openssl-devel BuildRequires: krb5-devel # time_quota requires TrivialDB BuildRequires: libtdb-devel -# ESI support requires Expat & libxml2 -BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat BuildRequires: libcap-devel # eCAP support @@ -143,7 +141,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-storeio="aufs,diskd,ufs,rock" \ --enable-diskio \ --enable-wccpv2 \ - --enable-esi \ + --disable-esi \ --enable-ecap \ --with-aio \ --with-default-user="squid" \ @@ -328,6 +326,11 @@ fi %changelog +* Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 +- Disable ESI support since ESI support has been also removed from squid 7 +- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI + response content + * Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 - new version 6.12 - Fix TCP_MISS_ABORTED/100 erros when uploading From 789f7c9b18f6158643a288de505436f575b8f1c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 1 Nov 2024 21:44:15 +0100 Subject: [PATCH 14/26] better error handling in cache_swap.sh added RuntimeDirectory to systemd service file --- cache_swap.sh | 5 ++++- squid.service | 9 ++++++--- squid.spec | 19 ++++++------------- 3 files changed, 16 insertions(+), 17 deletions(-) 
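Review bot: Dropping `BuildRequires: expat-devel libxml2-devel` together with `--enable-esi` → `--disable-esi` is only correct if ESI was the sole consumer of those libraries, which the removed comment ("ESI support requires Expat & libxml2") suggests, but the spec now keeps the reason for disabling ESI only in %changelog. Suggest a comment where the BuildRequires line was, e.g. `# ESI is disabled (--disable-esi): CVE-2024-45802; ESI was removed upstream in Squid 7`, so a later rebase that re-enables it also knows to restore the BuildRequires. The comment belongs there rather than next to `--disable-esi` because a `#` line inside the backslash-continued %configure argument list would end the continuation and break the command.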
diff --git a/cache_swap.sh b/cache_swap.sh index 77d06ac..89f3478 100644 --- a/cache_swap.sh +++ b/cache_swap.sh @@ -17,5 +17,8 @@ done if [ $init_cache_dirs -ne 0 ]; then echo "" - squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1 + if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then + echo "init_cache_dir failed, see /var/log/squid/squid.out for more information" + exit 1 + fi fi diff --git a/squid.service b/squid.service index 6978032..09c68cc 100644 --- a/squid.service +++ b/squid.service @@ -8,11 +8,14 @@ Type=notify LimitNOFILE=16384 PIDFile=/run/squid.pid EnvironmentFile=/etc/sysconfig/squid -ExecStartPre=/usr/libexec/squid/cache_swap.sh -ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} -ExecReload=/usr/bin/kill -HUP $MAINPID +ExecStartPre=!/usr/libexec/squid/cache_swap.sh +ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} +ExecReload=!/usr/bin/kill -HUP $MAINPID KillMode=mixed NotifyAccess=all +User=squid +Group=squid +RuntimeDirectory=squid [Install] WantedBy=multi-user.target diff --git a/squid.spec b/squid.spec index 0631e68..5cbe6b9 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -71,7 +71,7 @@ BuildRequires: perl-generators BuildRequires: pkgconfig(cppunit) # For verifying downloded src tarball BuildRequires: gnupg2 -# for _tmpfilesdir and _unitdir macro +# for _unitdir macro # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging BuildRequires: systemd-rpm-macros # systemd notify 
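Review bot: With the `!` prefix on all three Exec lines, the new `User=squid`/`Group=squid` do not change who runs cache_swap.sh, squid or kill — `!` executes that command with full privileges regardless of User=/Group=, so their only effect here is the ownership of the `/run/squid` directory that `RuntimeDirectory=squid` now creates. That is presumably intended, since squid binds privileged ports and drops to cache_effective_user on its own, but the unit now reads as if the daemon ran unprivileged. Suggest a comment above the Exec lines: `# '!' keeps these running as root: squid drops privileges itself (cache_effective_user); User=/Group= only set the owner of RuntimeDirectory=/run/squid`.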
@@ -198,17 +198,8 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid -mkdir -p $RPM_BUILD_ROOT/run/squid chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl -# install /usr/lib/tmpfiles.d/squid.conf -mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} -cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf < - 7:6.12-3 +- better error handling in cache_swap.sh +- added RuntimeDirectory to systemd service file + * Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 - Disable ESI support since ESI support has been also removed from squid 7 - Resolves: CVE-2024-45802 squid: Denial of Service processing ESI From d3ada053730bd30c73f430ff270c4b92b86ef5ca Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 11:31:35 +0000 Subject: [PATCH 15/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 5cbe6b9..22786ee 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -315,6 +315,9 @@ fi %changelog +* Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-3 - better error handling in cache_swap.sh - added RuntimeDirectory to systemd service file From 5403d2498221ec36a496d79a1797054f64e78fa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 1 Feb 2025 19:57:33 +0100 Subject: [PATCH 16/26] Add explicit BR: libxcrypt-devel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Björn Esser --- squid.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 22786ee..ff41802 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -66,6 +66,7 @@ BuildRequires: libecap-devel #ip_user helper requires BuildRequires: gcc-c++ BuildRequires: libtool libtool-ltdl-devel +BuildRequires: libxcrypt-devel BuildRequires: perl-generators # For test suite BuildRequires: pkgconfig(cppunit) @@ -315,6 +316,9 @@ fi %changelog +* Sat Feb 01 2025 Björn Esser - 7:6.12-5 +- Add explicit BR: libxcrypt-devel + * Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 9c651e4fe8d7da27226525e8fc3c7c84f7d724bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 4 Feb 2025 18:38:52 +0100 Subject: [PATCH 17/26] new version 6.13 --- sources | 4 +- squid-6.12-large-upload-buffer-dies.patch | 117 ---------------------- squid.spec | 9 +- 3 files changed, 7 insertions(+), 123 deletions(-) delete mode 100644 squid-6.12-large-upload-buffer-dies.patch diff --git a/sources b/sources index f79692e..83d969f 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (squid-6.12.tar.xz) = 7ab61f19416426fb8284de7bddc1ea9a5a7b3148fc54c018a243071ba5854610ef38a248f6a22634a2acb7d3ea408b582af1f48818dfe698ade0b7b8c00fd183
-SHA512 (squid-6.12.tar.xz.asc) = 34cd6e9f6f908626184ea6995bcb340a939c00b6254f4427967282fb6e4b89e5cf9c02f8df9f61f2ae9ea08a4ec3796840eeb327e123299e26683a5ecb9b9a0f
+SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1
+SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9
 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-6.12-large-upload-buffer-dies.patch b/squid-6.12-large-upload-buffer-dies.patch
deleted file mode 100644
index 459d528..0000000
--- a/squid-6.12-large-upload-buffer-dies.patch
+++ /dev/null
@@ -1,117 +0,0 @@ -From 4d6dd3ddba5e850a42c86d8233735165a371c31c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Sun, 1 Sep 2024 00:39:34 +0000 -Subject: [PATCH] Bug 5405: Large uploads fill request buffer and die (#1887) - - maybeMakeSpaceAvailable: request buffer full - ReadNow: ... size 0, retval 0, errno 0 - terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT - %Ss=TCP_MISS_ABORTED - -This bug is triggered by a combination of the following two conditions: - -* HTTP client upload fills Squid request buffer faster than it is - drained by an origin server, cache_peer, or REQMOD service. The buffer - accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64 - KB internal "pipe" buffer). - -* The affected server or service consumes a few bytes after the critical - accumulation is reached. In other words, the bug cannot be triggered - if nothing is consumed after the first condition above is met. - -Comm::ReadNow() must not be called with a full buffer: Related -FD_READ_METHOD() code cannot distinguish "received EOF" from "had no -buffer space" outcomes. Server::readSomeData() tried to prevent such -calls, but the corresponding check had two problems: - -* The check had an unsigned integer underflow bug[^1] that made it - ineffective when inBuf length exceeded Config.maxRequestBufferSize. - That length could exceed the limit due to reconfiguration and when - inBuf space size first grew outside of maybeMakeSpaceAvailable() - protections (e.g., during an inBuf.c_str() call) and then got filled - with newly read data. That growth started happening after 2020 commit - 1dfbca06 optimized SBuf::cow() to merge leading and trailing space. - Prior to that commit, Bug 5405 could probably only affect Squid - reconfigurations that lower client_request_buffer_max_size. - -* The check was separated from the ReadNow() call it was meant to - protect. 
While ConnStateData was waiting for the socket to become - ready for reading, various asynchronous events could alter inBuf or - Config.maxRequestBufferSize. - -This change fixes both problems. - -This change also fixes Squid Bug 5214. - -[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7 -while trying to emulate the original "do not read less than two bytes" -ConnStateData::In::maybeMakeSpaceAvailable() condition. That condition -itself looks like a leftover from manual zero-terminated input buffer -days that ended with 2014 commit e7287625. It is now removed. ---- - -diff --git a/src/servers/Server.cc b/src/servers/Server.cc -index 70fd10b..dd20619 100644 ---- a/src/servers/Server.cc -+++ b/src/servers/Server.cc -@@ -83,16 +83,25 @@ Server::maybeMakeSpaceAvailable() - debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize); - } - -+bool -+Server::mayBufferMoreRequestBytes() const -+{ -+ // TODO: Account for bodyPipe buffering as well. 
-+ if (inBuf.length() >= Config.maxRequestBufferSize) { -+ debugs(33, 4, "no: " << inBuf.length() << '-' << Config.maxRequestBufferSize << '=' << (inBuf.length() - Config.maxRequestBufferSize)); -+ return false; -+ } -+ debugs(33, 7, "yes: " << Config.maxRequestBufferSize << '-' << inBuf.length() << '=' << (Config.maxRequestBufferSize - inBuf.length())); -+ return true; -+} -+ - void - Server::readSomeData() - { - if (reading()) - return; - -- debugs(33, 4, clientConnection << ": reading request..."); -- -- // we can only read if there is more than 1 byte of space free -- if (Config.maxRequestBufferSize - inBuf.length() < 2) -+ if (!mayBufferMoreRequestBytes()) - return; - - typedef CommCbMemFunT Dialer; -@@ -123,7 +132,16 @@ Server::doClientRead(const CommIoCbParams &io) - * Plus, it breaks our lame *HalfClosed() detection - */ - -+ // mayBufferMoreRequestBytes() was true during readSomeData(), but variables -+ // like Config.maxRequestBufferSize may have changed since that check -+ if (!mayBufferMoreRequestBytes()) { -+ // XXX: If we avoid Comm::ReadNow(), we should not Comm::Read() again -+ // when the wait is over; resume these doClientRead() checks instead. 
-+ return; // wait for noteMoreBodySpaceAvailable() or a similar inBuf draining event -+ } - maybeMakeSpaceAvailable(); -+ Assure(inBuf.spaceSize()); -+ - CommIoCbParams rd(this); // will be expanded with ReadNow results - rd.conn = io.conn; - switch (Comm::ReadNow(rd, inBuf)) { -diff --git a/src/servers/Server.h b/src/servers/Server.h -index ef105f5..6e549b3 100644 ---- a/src/servers/Server.h -+++ b/src/servers/Server.h -@@ -119,6 +119,9 @@ protected: - /// abort any pending transactions and prevent new ones (by closing) - virtual void terminateAll(const Error &, const LogTagsErrors &) = 0; - -+ /// whether client_request_buffer_max_size allows inBuf.length() increase -+ bool mayBufferMoreRequestBytes() const; -+ - void doClientRead(const CommIoCbParams &io); - void clientWriteDone(const CommIoCbParams &io); - diff --git a/squid.spec b/squid.spec index ff41802..d73d7be 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.12 -Release: 5%{?dist} +Version: 6.13 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,8 +40,6 @@ Patch204: squid-6.1-symlink-lang-err.patch Patch205: squid-6.1-crash-half-closed.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch -# https://bugs.squid-cache.org/show_bug.cgi?id=5214 -Patch207: squid-6.12-large-upload-buffer-dies.patch # cache_swap.sh Requires: bash gawk @@ -316,6 +314,9 @@ fi %changelog +* Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 +- new version 6.13 + * Sat Feb 01 2025 Björn Esser - 7:6.12-5 - Add explicit BR: libxcrypt-devel From 22a11a4a8b6f73f9ba9abe9490f09f5628b42b6d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 5 Feb 2025 18:12:27 +0100 Subject: [PATCH 18/26] Source URL change Use the GitHub URL as the source URL instead of the obsolete one. --- squid.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index d73d7be..dbdcc3a 100644 --- a/squid.spec +++ b/squid.spec @@ -1,4 +1,5 @@ %define __perl_requires %{SOURCE98} +%define version_underscore %(echo %{version} | tr '.' '_') Name: squid Version: 6.13 @@ -9,8 +10,8 @@ Epoch: 7 License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc +Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz +Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig From 3f92dc8816e1639138e4fcb01ac2d293dc49ff8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 10 Apr 2025 14:34:13 +0200 Subject: [PATCH 19/26] Do not blame cache_peer for 4xx CONNECT responses --- squid-6.13-cache-peer-connect-errors.patch | 287 +++++++++++++++++++++ squid.spec | 16 +- 2 files changed, 297 insertions(+), 6 deletions(-) create mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch new file mode 100644 index 0000000..339d9ec --- /dev/null +++ b/squid-6.13-cache-peer-connect-errors.patch 
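Review bot: `%define version_underscore %(echo %{version} | tr '.' '_')` is placed above `Version:`, so it only works because, as far as I read rpm's macro semantics, `%define` stores the body unexpanded and the `%()` shell-out runs at each use, by which point Version: is set; switching it to `%global`, which expands at definition time, would silently yield an empty value in Source0/Source1. Worth a one-line comment: `# %define, not %global: the %() shell-out must expand lazily, after Version: is set`.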
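Review bot: Source0/Source1 move to https on GitHub, but `URL:` and `Source2: http://www.squid-cache.org/pgp.asc` in the same hunk stay on plain http, and pgp.asc is the key the tarball signature is checked against (the spec pulls in gnupg2 "For verifying downloded src tarball"). Its SHA512 is pinned in `sources`, so an actual build is protected, but the first fetch of a refreshed key is not; `Source2: https://www.squid-cache.org/pgp.asc` would be consistent with the other two, if the site serves it.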
@@ -0,0 +1,287 @@ +From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Tue, 2 Apr 2024 20:37:31 +0000 +Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) + + ERROR: Connection to [such-and-such-cache_peer] failed + TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT + +Squid does not alert an admin about (and decrease health level of) a +cache_peer that responded with an error to a GET request. Just like GET +responses from a cache_peer, CONNECT responses may (and often do!) +reflect client or origin server failures. We should not penalize +cache_peers (and alert admins) until we can distinguish these frequent +client/origin failures from (relatively rare) cache_peer problems. This +change absolves cache_peers of CONNECT problems, restoring parity with +GETs and restoring v4 behavior changed (probably by accident) in v5. + +Also removed Http::StatusCode parameter from failure notification +functions because it became essentially unused after the primary +Http::Tunneler changes. Tunneler was the only source of status code +information that (in some cases) used received HTTP response to compute +that status code. All other cases extracted that status code from +Squid-generated errors. Those errors were arguably never meant to supply +status code information for "this failure is not our fault" decision, +and they do not supply 4xx status codes driving that decision. + +### Problem evolution + +2019 commit f5e1794 effectively started blaming cache_peer for all +FwdState CONNECT errors. That functionality change was probably +accidental, likely influenced by the names of noteConnectFailure() and +peerConnectFailed() functions that abbreviated "Connection", making the +functions look as applicable to CONNECT failures. Prior to that commit, +the functions were never used for CONNECT errors. After it, FwdState +started calling peerConnectFailed() for all CONNECT failures. 
+ +In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as +well (by moving that FwdState-only error handling code into Tunneler). +The same "accidental functionality change" speculations apply here. + +In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as +folks deploying newer code started complaining about cache_peers getting +blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We +did not realize that the blaming code itself was an unwanted accident. + +Now we are getting complaints about cache_peers getting blamed for 502 +and 503 CONNECT errors caused by, for example, domain names without IPs: +As these CONNECT error responses are propagated from parent to child +caches, every child cache in the chain logs ERRORs and every cache_peer +in the chain gets its health counter decreased! +--- + src/CachePeer.cc | 11 +---------- + src/CachePeer.h | 12 +++++------- + src/HappyConnOpener.cc | 2 +- + src/PeerPoolMgr.cc | 2 +- + src/clients/HttpTunneler.cc | 10 ++++++---- + src/clients/HttpTunneler.h | 2 +- + src/neighbors.cc | 2 +- + src/security/BlindPeerConnector.cc | 2 +- + src/security/PeerConnector.cc | 8 ++++---- + src/security/PeerConnector.h | 2 +- + src/tests/stub_libsecurity.cc | 2 +- + 11 files changed, 23 insertions(+), 32 deletions(-) + +diff --git a/src/CachePeer.cc b/src/CachePeer.cc +index a5c3adf..91045ef 100644 +--- a/src/CachePeer.cc ++++ b/src/CachePeer.cc +@@ -68,20 +68,11 @@ CachePeer::noteSuccess() + } + } + +-void +-CachePeer::noteFailure(const Http::StatusCode code) +-{ +- if (Http::Is4xx(code)) +- return; // this failure is not our fault +- +- countFailure(); +-} +- + // TODO: Require callers to detail failures instead of using one (and often + // misleading!) "connection failed" phrase for all of them. 
+ /// noteFailure() helper for handling failures attributed to this peer + void +-CachePeer::countFailure() ++CachePeer::noteFailure() + { + stats.last_connect_failure = squid_curtime; + if (tcp_up > 0) +diff --git a/src/CachePeer.h b/src/CachePeer.h +index 5b13e29..14e40ff 100644 +--- a/src/CachePeer.h ++++ b/src/CachePeer.h +@@ -38,9 +38,8 @@ public: + /// reacts to a successful establishment of a connection to this cache_peer + void noteSuccess(); + +- /// reacts to a failure on a connection to this cache_peer +- /// \param code a received response status code, if any +- void noteFailure(Http::StatusCode code); ++ /// reacts to a failed attempt to establish a connection to this cache_peer ++ void noteFailure(); + + /// (re)configure cache_peer name=value + void rename(const char *); +@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) + peer->noteSuccess(); + } + +-/// reacts to a failure on a connection to an origin server or cache_peer ++/// reacts to a failed attempt to establish a connection to an origin server or cache_peer + /// \param peer nil if the connection is to an origin server +-/// \param code a received response status code, if any + inline void +-NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) ++NoteOutgoingConnectionFailure(CachePeer * const peer) + { + if (peer) +- peer->noteFailure(code); ++ peer->noteFailure(); + } + + /// identify the given cache peer in cache.log messages and such +diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc +index 5ab9294..5e17a76 100644 +--- a/src/HappyConnOpener.cc ++++ b/src/HappyConnOpener.cc +@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar + lastError = makeError(ERR_CONNECT_FAIL); + lastError->xerrno = params.xerrno; + +- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); ++ NoteOutgoingConnectionFailure(params.conn->getPeer()); + + if (spareWaiting) + 
updateSpareWaitAfterPrimeFailure(); +diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc +index 9cb038e..6fb5b09 100644 +--- a/src/PeerPoolMgr.cc ++++ b/src/PeerPoolMgr.cc +@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) + } + + if (params.flag != Comm::OK) { +- NoteOutgoingConnectionFailure(peer, Http::scNone); ++ NoteOutgoingConnectionFailure(peer); + checkpoint("conn opening failure"); // may retry + return; + } +diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc +index 2fbc3fb..a6e49db 100644 +--- a/src/clients/HttpTunneler.cc ++++ b/src/clients/HttpTunneler.cc +@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) + { + closer = nullptr; + if (connection) { +- countFailingConnection(nullptr); ++ countFailingConnection(); + connection->noteClosure(); + connection = nullptr; + } +@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) + + if (const auto failingConnection = connection) { + // TODO: Reuse to-peer connections after a CONNECT error response. +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() + } + + void +-Http::Tunneler::countFailingConnection(const ErrorState * const error) ++Http::Tunneler::countFailingConnection() + { + assert(connection); +- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); ++ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because ++ // we do not blame cache_peer for CONNECT failures (on top of a successfully ++ // established connection to that cache_peer). 
+ if (noteFwdPconnUse && connection->isOpen()) + fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); + } +diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h +index 7886f09..596efcf 100644 +--- a/src/clients/HttpTunneler.h ++++ b/src/clients/HttpTunneler.h +@@ -80,7 +80,7 @@ private: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + AsyncCall::Pointer writer; ///< called when the request has been written + AsyncCall::Pointer reader; ///< called when the response should be read +diff --git a/src/neighbors.cc b/src/neighbors.cc +index 04b69c1..75f56c9 100644 +--- a/src/neighbors.cc ++++ b/src/neighbors.cc +@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int + if (status == Comm::OK) + p->noteSuccess(); + else +- p->noteFailure(Http::scNone); ++ p->noteFailure(); + + -- p->testing_now; + conn->close(); +diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc +index b9e5659..4c37f34 100644 +--- a/src/security/BlindPeerConnector.cc ++++ b/src/security/BlindPeerConnector.cc +@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) + // based on TCP results, SSL results, or both. And the code is probably not + // consistent in this aspect across tunnelling and forwarding modules. 
+ if (peer && peer->secure.encryptTransport) +- peer->noteFailure(error->httpStatus); ++ peer->noteFailure(); + return; + } + +diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc +index d458f99..d0131a1 100644 +--- a/src/security/PeerConnector.cc ++++ b/src/security/PeerConnector.cc +@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) + err->detailError(d); + + if (serverConn) { +- countFailingConnection(err); ++ countFailingConnection(); + serverConn->noteClosure(); + serverConn = nullptr; + } +@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) + answer().error = error; + + if (const auto failingConnection = serverConn) { +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() + } + + void +-Security::PeerConnector::countFailingConnection(const ErrorState * const error) ++Security::PeerConnector::countFailingConnection() + { + assert(serverConn); +- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); ++ NoteOutgoingConnectionFailure(serverConn->getPeer()); + // TODO: Calling PconnPool::noteUses() should not be our responsibility. 
+ if (noteFwdPconnUse && serverConn->isOpen())
+ fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses);
+diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h
+index a1d5ef9..401df06 100644
+--- a/src/security/PeerConnector.h
++++ b/src/security/PeerConnector.h
+@@ -150,7 +150,7 @@ protected:
+ void disconnect();
+
+ /// updates connection usage history before the connection is closed
+- void countFailingConnection(const ErrorState *);
++ void countFailingConnection();
+
+ /// If called the certificates validator will not used
+ void bypassCertValidator() {useCertValidator_ = false;}
+diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
+index 6bd6204..b513a22 100644
+--- a/src/tests/stub_libsecurity.cc
++++ b/src/tests/stub_libsecurity.cc
+@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB
+ void PeerConnector::sendSuccess() STUB
+ void PeerConnector::callBack() STUB
+ void PeerConnector::disconnect() STUB
+-void PeerConnector::countFailingConnection(const ErrorState *) STUB
++void PeerConnector::countFailingConnection() STUB
+ void PeerConnector::recordNegotiationDetails() STUB
+ EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer)
+ }
diff --git a/squid.spec b/squid.spec
index dbdcc3a..fea08a9 100644
--- a/squid.spec
+++ b/squid.spec
@@ -3,7 +3,7 @@
Name: squid
Version: 6.13
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -26,7 +26,12 @@ Source98: perl-requires-squid.sh
# Upstream patches
# Backported patches
-# Patch101: patch
+# Upstream PR: https://github.com/squid-cache/squid/pull/1442
+Patch101: squid-6.1-crash-half-closed.patch
+# Upstream PR: https://github.com/squid-cache/squid/pull/1914
+Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch
+# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47
+Patch103: squid-6.13-cache-peer-connect-errors.patch
# Local patches
# Applying upstream patches first makes it less likely that local patches
@@ -37,10 +42,6 @@ Patch203: squid-6.1-perlpath.patch
# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
# workaround for #1934919
Patch204: squid-6.1-symlink-lang-err.patch
-# Upstream PR: https://github.com/squid-cache/squid/pull/1442
-Patch205: squid-6.1-crash-half-closed.patch
-# Upstream PR: https://github.com/squid-cache/squid/pull/1914
-Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch
# cache_swap.sh
Requires: bash gawk
@@ -315,6 +316,9 @@ fi
%changelog
+* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2
+- Do not blame cache_peer for 4xx CONNECT responses
+
* Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1
- new version 6.13
From 383c43dd7bcf46924ab261bf4a0937745a2e356e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Mon, 21 Jul 2025 19:36:11 +0200
Subject: [PATCH 20/26] new version 6.14
---
sources | 4 ++--
squid-6.1-perlpath.patch | 2 +-
squid.spec | 7 +++++--
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/sources b/sources
index 83d969f..02e8a81 100644
--- a/sources
+++ b/sources
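Review bot: The provenance comment added above `Patch103` in the `@@ -26,7 +26,12 @@` hunk points at the wrong upstream change: it cites commit 022dbabd…, yet the patch file added in the previous file section carries `From 2e7dea3cedd3ef2f071dee82867c4147f17376dd` / `(#1772)`, and that patch's own description names 022dbab as the earlier 2022 commit that only exempted 4xx. Matching the two entries above it, the line should read `# Upstream PR: https://github.com/squid-cache/squid/pull/1772`. The changelog line `- Do not blame cache_peer for 4xx CONNECT responses` likewise understates what is backported: per the patch text, cache_peers stop being blamed for any CONNECT error response, 502/503 included, which is a health-check behaviour change worth stating accurately. Renumbering Patch205/Patch206 to Patch101/Patch102 is only safe if %prep applies patches with %autosetup or %autopatch rather than by explicit number; %prep is outside this hunk, so I could not confirm that.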
@@ -1,3 +1,3 @@
-SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1
-SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9
+SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5
+SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3
SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch
index 7539001..8bfdbdf 100644
--- a/squid-6.1-perlpath.patch
+++ b/squid-6.1-perlpath.patch
@@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755
-#!/usr/local/bin/perl -Tw
+#!/usr/bin/perl -Tw
#
- # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors
+ # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
# *
diff --git a/squid.spec b/squid.spec
index fea08a9..5c4ee42 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,8 +2,8 @@
%define version_underscore %(echo %{version} | tr '.' '_')
Name: squid
-Version: 6.13
-Release: 2%{?dist}
+Version: 6.14
+Release: 1%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -316,6 +316,9 @@ fi
%changelog
+* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1
+- new version 6.14
+
* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2
- Do not blame cache_peer for 4xx CONNECT responses
From fea9e4c688052db60dc2833d2786c511f44d6b29 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 25 Jul 2025 18:41:07 +0000
Subject: [PATCH 21/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
---
squid.spec | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/squid.spec b/squid.spec
index 5c4ee42..352f5a2 100644
--- a/squid.spec
+++ b/squid.spec
@@ -3,7 +3,7 @@
Name: squid
Version: 6.14
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -316,6 +316,9 @@ fi
%changelog
+* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1
- new version 6.14
From 6e12cc940ee289ffca223c00616510350e50c89f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Thu, 14 Aug 2025 22:29:23 +0200
Subject: [PATCH 22/26] new version 7.1 removed squidclient removed purge removed cachemgr.cgi removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
---
sources | 4 +-
squid-6.1-crash-half-closed.patch | 158 --------
squid-6.11-ignore-wsp-after-chunk-size.patch | 367 -------------------
squid-6.13-cache-peer-connect-errors.patch | 287 ---------------
squid.spec | 33 +-
5 files changed, 17 insertions(+), 832 deletions(-)
delete mode 100644 squid-6.1-crash-half-closed.patch
delete mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch
delete mode 100644 squid-6.13-cache-peer-connect-errors.patch
diff --git a/sources b/sources
index 02e8a81..700eafd 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5
-SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3
+SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df
+SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6
SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch
deleted file mode 100644
index 901ece2..0000000
--- a/squid-6.1-crash-half-closed.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -diff --git a/src/client_side.cc b/src/client_side.cc -index f488fc4..69586df 100644 ---- a/src/client_side.cc -+++ b/src/client_side.cc -@@ -932,7 +932,7 @@ ConnStateData::kick() - * We are done with the response, and we are either still receiving request - * body (early response!) or have already stopped receiving anything. - * -- * If we are still receiving, then clientParseRequest() below will fail. -+ * If we are still receiving, then parseRequests() below will fail. - * (XXX: but then we will call readNextRequest() which may succeed and - * execute a smuggled request as we are not done with the current request). - * -@@ -952,28 +952,12 @@ ConnStateData::kick() - * Attempt to parse a request from the request buffer. - * If we've been fed a pipelined request it may already - * be in our read buffer. -- * -- \par -- * This needs to fall through - if we're unlucky and parse the _last_ request -- * from our read buffer we may never re-register for another client read. - */ - -- if (clientParseRequests()) { -- debugs(33, 3, clientConnection << ": parsed next request from buffer"); -- } -+ parseRequests(); - -- /** \par -- * Either we need to kick-start another read or, if we have -- * a half-closed connection, kill it after the last request. -- * This saves waiting for half-closed connections to finished being -- * half-closed _AND_ then, sometimes, spending "Timeout" time in -- * the keepalive "Waiting for next request" state. -- */ -- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { -- debugs(33, 3, "half-closed client with no pending requests, closing"); -- clientConnection->close(); -+ if (!isOpen()) - return; -- } - - /** \par - * At this point we either have a parsed request (which we've -@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() - resetReadTimeout(Config.Timeout.request); - } - --/** -- * Attempt to parse one or more requests from the input buffer. 
-- * Returns true after completing parsing of at least one request [header]. That -- * includes cases where parsing ended with an error (e.g., a huge request). -- */ --bool --ConnStateData::clientParseRequests() -+/// Attempt to parse one or more requests from the input buffer. -+/// May close the connection. -+void -+ConnStateData::parseRequests() - { -- bool parsed_req = false; -- - debugs(33, 5, clientConnection << ": attempting to parse"); - - // Loop while we have read bytes that are not needed for producing the body -@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() - - processParsedRequest(context); - -- parsed_req = true; // XXX: do we really need to parse everything right NOW ? -- - if (context->mayUseConnection()) { - debugs(33, 3, "Not parsing new requests, as this request may need the connection"); - break; -@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() - } - } - -- /* XXX where to 'finish' the parsing pass? */ -- return parsed_req; -+ debugs(33, 7, "buffered leftovers: " << inBuf.length()); -+ -+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { -+ if (pipeline.empty()) { -+ // we processed what we could parse, and no more data is coming -+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); -+ clientConnection->close(); -+ } else { -+ // we parsed what we could, and no more data is coming -+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); -+ flags.readMore = false; // may already be false -+ } -+ } - } - - void -@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() - if (pipeline.empty()) - fd_note(clientConnection->fd, "Reading next request"); - -- if (!clientParseRequests()) { -- if (!isOpen()) -- return; -- // We may get here if the client half-closed after sending a partial -- // request. See doClientRead() and shouldCloseOnEof(). -- // XXX: This partially duplicates ConnStateData::kick(). 
-- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { -- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); -- clientConnection->close(); -- return; -- } -- } -+ parseRequests(); - - if (!isOpen()) - return; -@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) - startPinnedConnectionMonitoring(); - - if (pipeline.empty()) -- kick(); // in case clientParseRequests() was blocked by a busy pic.connection -+ kick(); // in case parseRequests() was blocked by a busy pic.connection - } - - /// Forward future client requests using the given server connection. -diff --git a/src/client_side.h b/src/client_side.h -index 6027b31..60b99b1 100644 ---- a/src/client_side.h -+++ b/src/client_side.h -@@ -98,7 +98,6 @@ public: - void doneWithControlMsg() override; - - /// Traffic parsing -- bool clientParseRequests(); - void readNextRequest(); - - /// try to make progress on a transaction or read more I/O -@@ -443,6 +442,7 @@ private: - - void checkLogging(); - -+ void parseRequests(); - void clientAfterReadingRequests(); - bool concurrentRequestQueueFilled() const; - -diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc -index 8c160e5..f49d5dc 100644 ---- a/src/tests/stub_client_side.cc -+++ b/src/tests/stub_client_side.cc -@@ -14,7 +14,7 @@ - #include "tests/STUB.h" - - #include "client_side.h" --bool ConnStateData::clientParseRequests() STUB_RETVAL(false) -+void ConnStateData::parseRequests() STUB - void ConnStateData::readNextRequest() STUB - bool ConnStateData::isOpen() const STUB_RETVAL(false) - void ConnStateData::kick() STUB diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch deleted file mode 100644 index ea4025f..0000000 --- a/squid-6.11-ignore-wsp-after-chunk-size.patch +++ /dev/null 
@@ -1,367 +0,0 @@ -From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Thu, 10 Oct 2024 19:26:27 +0200 -Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size - -Previously (before #1498 change), squid was accepting TE-chunked replies -with whitespaces after chunk-size and missing chunk-ext data. After - -It turned out that replies with such whitespace chars are pretty -common and other webservers which can act as forward proxies (e.g. -nginx, httpd...) are accepting them. - -This change will allow to proxy chunked responses from origin server, -which had whitespaces inbetween chunk-size and CRLF. ---- - src/http/one/TeChunkedParser.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 9cce10fdc91..04753395e16 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -+ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size - parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - -From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:06:31 +0200 -Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() - -Depending on new wsp_only argument in ParseBws() it will be decided -which set of whitespaces characters will be parsed. If wsp_only is set -to true, only SP and HTAB chars will be parsed. - -Also optimized number of ParseBws calls. 
---- - src/http/one/Parser.cc | 4 ++-- - src/http/one/Parser.h | 3 ++- - src/http/one/TeChunkedParser.cc | 13 +++++++++---- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index b1908316a0b..01d7e3bc0e8 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -273,9 +273,9 @@ Http::One::ErrorLevel() - - // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule - void --Http::One::ParseBws(Parser::Tokenizer &tok) -+Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - { -- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index d9a0ac8c273..08200371cd6 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,8 +163,9 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &); -+void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 04753395e16..41e1e5ddaea 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. 
- try { -- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size -- parseChunkExtensions(tok); // a possibly empty chunk-ext list -+ // A possibly empty chunk-ext list. If no chunk-ext has been found, -+ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -+ if (!parseChunkExtensions(tok)) -+ ParseBws(tok, true); -+ - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --void -+bool - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -+ bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size - - if (!tok.skip(';')) -- return; // reached the end of extensions (if any) -+ return foundChunkExt; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -+ foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 02eacd1bb89..8c5d4bb4cba 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- void parseChunkExtensions(Tokenizer &); -+ bool parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:44:33 
+0200 -Subject: [PATCH 3/6] Fix typo in Parser.h - ---- - src/http/one/Parser.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 08200371cd6..3ef4c5f7752 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,7 +163,7 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed - void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - -From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 22:39:42 -0400 -Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! - -Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ -spaces after chunk-size, which answers one of the PR review questions: -Should we skip just one space? No, we should not. - -The lines moved around in many commits, but I believe this regression -was introduced in commit 951013d0 because that commit stopped consuming -partially parsed chunk-ext sequences. That consumption was wrong, but it -had a positive side effect -- fixing Bug 4492... ---- - src/http/one/TeChunkedParser.cc | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 41e1e5ddaea..aa4a840fdcf 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. 
- try { -- // A possibly empty chunk-ext list. If no chunk-ext has been found, -- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -- if (!parseChunkExtensions(tok)) -- ParseBws(tok, true); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok, true); -+ -+ parseChunkExtensions(tok); - - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); -@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - do { - auto tok = callerTok; - -- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok); - - if (!tok.skip(';')) - return foundChunkExt; // reached the end of extensions (if any) - -From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:06:42 -0400 -Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling - -... to draw code reader attention when something unusual is going on. ---- - src/http/one/Parser.cc | 22 ++++++++++++++++++---- - src/http/one/Parser.h | 10 ++++++++-- - src/http/one/TeChunkedParser.cc | 14 ++++++-------- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 33 insertions(+), 15 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index 01d7e3bc0e8..d3937e5e96b 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -271,11 +271,12 @@ Http::One::ErrorLevel() - return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; - } - --// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule --void --Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) -+/// common part of ParseBws() and ParseStrctBws() -+namespace Http::One { -+static void -+ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - { -- const auto count = tok.skipAll(wsp_only ? 
CharacterSet::WSP : Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(bwsChars); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - - // success: no more BWS characters expected - } -+} // namespace Http::One -+ -+void -+Http::One::ParseBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, CharacterSet::WSP); -+} -+ -+void -+Http::One::ParseStrictBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, Parser::WhitespaceCharacters()); -+} - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 3ef4c5f7752..49e399de546 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,9 +163,15 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); -+/// \sa WhitespaceCharacters() for the definition of BWS characters -+/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties -+void ParseBws(Parser::Tokenizer &); -+ -+/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation -+/// must be used if the next element may start with CR or any other character -+/// from RelaxedDelimiterCharacters(). 
-+void ParseStrictBws(Parser::Tokenizer &); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index aa4a840fdcf..859471b8c77 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -- ParseBws(tok, true); -- -- parseChunkExtensions(tok); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. -+ // No ParseBws() here because it may consume CR required further below. -+ ParseStrictBws(tok); - -+ parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? 
Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --bool -+void - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -- bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); - - if (!tok.skip(';')) -- return foundChunkExt; // reached the end of extensions (if any) -+ return; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -- foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 8c5d4bb4cba..02eacd1bb89 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- bool parseChunkExtensions(Tokenizer &); -+ void parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:31:08 -0400 -Subject: [PATCH 6/6] fixup: Deadly typo - ---- - src/http/one/Parser.cc | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index d3937e5e96b..7403a9163a2 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - void - Http::One::ParseBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, CharacterSet::WSP); -+ ParseBws_(tok, Parser::WhitespaceCharacters()); - } - - void - 
Http::One::ParseStrictBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, Parser::WhitespaceCharacters()); -+ ParseBws_(tok, CharacterSet::WSP); - } - - diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch deleted file mode 100644 index 339d9ec..0000000 --- a/squid-6.13-cache-peer-connect-errors.patch +++ /dev/null 
@@ -1,287 +0,0 @@ -From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Tue, 2 Apr 2024 20:37:31 +0000 -Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) - - ERROR: Connection to [such-and-such-cache_peer] failed - TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT - -Squid does not alert an admin about (and decrease health level of) a -cache_peer that responded with an error to a GET request. Just like GET -responses from a cache_peer, CONNECT responses may (and often do!) -reflect client or origin server failures. We should not penalize -cache_peers (and alert admins) until we can distinguish these frequent -client/origin failures from (relatively rare) cache_peer problems. This -change absolves cache_peers of CONNECT problems, restoring parity with -GETs and restoring v4 behavior changed (probably by accident) in v5. - -Also removed Http::StatusCode parameter from failure notification -functions because it became essentially unused after the primary -Http::Tunneler changes. Tunneler was the only source of status code -information that (in some cases) used received HTTP response to compute -that status code. All other cases extracted that status code from -Squid-generated errors. Those errors were arguably never meant to supply -status code information for "this failure is not our fault" decision, -and they do not supply 4xx status codes driving that decision. - -### Problem evolution - -2019 commit f5e1794 effectively started blaming cache_peer for all -FwdState CONNECT errors. That functionality change was probably -accidental, likely influenced by the names of noteConnectFailure() and -peerConnectFailed() functions that abbreviated "Connection", making the -functions look as applicable to CONNECT failures. Prior to that commit, -the functions were never used for CONNECT errors. After it, FwdState -started calling peerConnectFailed() for all CONNECT failures. 
- -In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as -well (by moving that FwdState-only error handling code into Tunneler). -The same "accidental functionality change" speculations apply here. - -In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as -folks deploying newer code started complaining about cache_peers getting -blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We -did not realize that the blaming code itself was an unwanted accident. - -Now we are getting complaints about cache_peers getting blamed for 502 -and 503 CONNECT errors caused by, for example, domain names without IPs: -As these CONNECT error responses are propagated from parent to child -caches, every child cache in the chain logs ERRORs and every cache_peer -in the chain gets its health counter decreased! ---- - src/CachePeer.cc | 11 +---------- - src/CachePeer.h | 12 +++++------- - src/HappyConnOpener.cc | 2 +- - src/PeerPoolMgr.cc | 2 +- - src/clients/HttpTunneler.cc | 10 ++++++---- - src/clients/HttpTunneler.h | 2 +- - src/neighbors.cc | 2 +- - src/security/BlindPeerConnector.cc | 2 +- - src/security/PeerConnector.cc | 8 ++++---- - src/security/PeerConnector.h | 2 +- - src/tests/stub_libsecurity.cc | 2 +- - 11 files changed, 23 insertions(+), 32 deletions(-) - -diff --git a/src/CachePeer.cc b/src/CachePeer.cc -index a5c3adf..91045ef 100644 ---- a/src/CachePeer.cc -+++ b/src/CachePeer.cc -@@ -68,20 +68,11 @@ CachePeer::noteSuccess() - } - } - --void --CachePeer::noteFailure(const Http::StatusCode code) --{ -- if (Http::Is4xx(code)) -- return; // this failure is not our fault -- -- countFailure(); --} -- - // TODO: Require callers to detail failures instead of using one (and often - // misleading!) "connection failed" phrase for all of them. 
- /// noteFailure() helper for handling failures attributed to this peer - void --CachePeer::countFailure() -+CachePeer::noteFailure() - { - stats.last_connect_failure = squid_curtime; - if (tcp_up > 0) -diff --git a/src/CachePeer.h b/src/CachePeer.h -index 5b13e29..14e40ff 100644 ---- a/src/CachePeer.h -+++ b/src/CachePeer.h -@@ -38,9 +38,8 @@ public: - /// reacts to a successful establishment of a connection to this cache_peer - void noteSuccess(); - -- /// reacts to a failure on a connection to this cache_peer -- /// \param code a received response status code, if any -- void noteFailure(Http::StatusCode code); -+ /// reacts to a failed attempt to establish a connection to this cache_peer -+ void noteFailure(); - - /// (re)configure cache_peer name=value - void rename(const char *); -@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) - peer->noteSuccess(); - } - --/// reacts to a failure on a connection to an origin server or cache_peer -+/// reacts to a failed attempt to establish a connection to an origin server or cache_peer - /// \param peer nil if the connection is to an origin server --/// \param code a received response status code, if any - inline void --NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) -+NoteOutgoingConnectionFailure(CachePeer * const peer) - { - if (peer) -- peer->noteFailure(code); -+ peer->noteFailure(); - } - - /// identify the given cache peer in cache.log messages and such -diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc -index 5ab9294..5e17a76 100644 ---- a/src/HappyConnOpener.cc -+++ b/src/HappyConnOpener.cc -@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar - lastError = makeError(ERR_CONNECT_FAIL); - lastError->xerrno = params.xerrno; - -- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); -+ NoteOutgoingConnectionFailure(params.conn->getPeer()); - - if (spareWaiting) - 
updateSpareWaitAfterPrimeFailure(); -diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc -index 9cb038e..6fb5b09 100644 ---- a/src/PeerPoolMgr.cc -+++ b/src/PeerPoolMgr.cc -@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) - } - - if (params.flag != Comm::OK) { -- NoteOutgoingConnectionFailure(peer, Http::scNone); -+ NoteOutgoingConnectionFailure(peer); - checkpoint("conn opening failure"); // may retry - return; - } -diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc -index 2fbc3fb..a6e49db 100644 ---- a/src/clients/HttpTunneler.cc -+++ b/src/clients/HttpTunneler.cc -@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) - { - closer = nullptr; - if (connection) { -- countFailingConnection(nullptr); -+ countFailingConnection(); - connection->noteClosure(); - connection = nullptr; - } -@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) - - if (const auto failingConnection = connection) { - // TODO: Reuse to-peer connections after a CONNECT error response. -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() - } - - void --Http::Tunneler::countFailingConnection(const ErrorState * const error) -+Http::Tunneler::countFailingConnection() - { - assert(connection); -- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); -+ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because -+ // we do not blame cache_peer for CONNECT failures (on top of a successfully -+ // established connection to that cache_peer). 
- if (noteFwdPconnUse && connection->isOpen()) - fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); - } -diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h -index 7886f09..596efcf 100644 ---- a/src/clients/HttpTunneler.h -+++ b/src/clients/HttpTunneler.h -@@ -80,7 +80,7 @@ private: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - AsyncCall::Pointer writer; ///< called when the request has been written - AsyncCall::Pointer reader; ///< called when the response should be read -diff --git a/src/neighbors.cc b/src/neighbors.cc -index 04b69c1..75f56c9 100644 ---- a/src/neighbors.cc -+++ b/src/neighbors.cc -@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int - if (status == Comm::OK) - p->noteSuccess(); - else -- p->noteFailure(Http::scNone); -+ p->noteFailure(); - - -- p->testing_now; - conn->close(); -diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc -index b9e5659..4c37f34 100644 ---- a/src/security/BlindPeerConnector.cc -+++ b/src/security/BlindPeerConnector.cc -@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) - // based on TCP results, SSL results, or both. And the code is probably not - // consistent in this aspect across tunnelling and forwarding modules. 
- if (peer && peer->secure.encryptTransport) -- peer->noteFailure(error->httpStatus); -+ peer->noteFailure(); - return; - } - -diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc -index d458f99..d0131a1 100644 ---- a/src/security/PeerConnector.cc -+++ b/src/security/PeerConnector.cc -@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) - err->detailError(d); - - if (serverConn) { -- countFailingConnection(err); -+ countFailingConnection(); - serverConn->noteClosure(); - serverConn = nullptr; - } -@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) - answer().error = error; - - if (const auto failingConnection = serverConn) { -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() - } - - void --Security::PeerConnector::countFailingConnection(const ErrorState * const error) -+Security::PeerConnector::countFailingConnection() - { - assert(serverConn); -- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); -+ NoteOutgoingConnectionFailure(serverConn->getPeer()); - // TODO: Calling PconnPool::noteUses() should not be our responsibility. 
- if (noteFwdPconnUse && serverConn->isOpen())
- fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses);
-diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h
-index a1d5ef9..401df06 100644
---- a/src/security/PeerConnector.h
-+++ b/src/security/PeerConnector.h
-@@ -150,7 +150,7 @@ protected:
- void disconnect();
-
- /// updates connection usage history before the connection is closed
-- void countFailingConnection(const ErrorState *);
-+ void countFailingConnection();
-
- /// If called the certificates validator will not used
- void bypassCertValidator() {useCertValidator_ = false;}
-diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
-index 6bd6204..b513a22 100644
---- a/src/tests/stub_libsecurity.cc
-+++ b/src/tests/stub_libsecurity.cc
-@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB
- void PeerConnector::sendSuccess() STUB
- void PeerConnector::callBack() STUB
- void PeerConnector::disconnect() STUB
--void PeerConnector::countFailingConnection(const ErrorState *) STUB
-+void PeerConnector::countFailingConnection() STUB
- void PeerConnector::recordNegotiationDetails() STUB
- EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer)
- }
diff --git a/squid.spec b/squid.spec
index 352f5a2..bf7b2f2 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,8 +2,8 @@
%define version_underscore %(echo %{version} | tr '.' '_')
Name: squid
-Version: 6.14
-Release: 2%{?dist}
+Version: 7.1
+Release: 1%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -26,12 +26,7 @@ Source98: perl-requires-squid.sh
# Upstream patches
# Backported patches
-# Upstream PR: https://github.com/squid-cache/squid/pull/1442
-Patch101: squid-6.1-crash-half-closed.patch
-# Upstream PR: https://github.com/squid-cache/squid/pull/1914
-Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch
-# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47
-Patch103: squid-6.13-cache-peer-connect-errors.patch
+# Patch101: squid-7.1-.....patch
# Local patches
# Applying upstream patches first makes it less likely that local patches
@@ -119,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
--enable-eui \
--enable-follow-x-forwarded-for \
--enable-auth \
- --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \
- --enable-auth-ntlm="SMB_LM,fake" \
+ --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
+ --enable-auth-ntlm="fake" \
--enable-auth-digest="file,LDAP" \
--enable-auth-negotiate="kerberos" \
--enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \
@@ -156,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
--enable-translation
# workaround to build squid v5
-mkdir -p src/icmp/tests
-mkdir -p tools/squidclient/tests
-mkdir -p tools/tests
+#mkdir -p src/icmp/tests
+#mkdir -p tools/squidclient/tests
+#mkdir -p tools/tests
%make_build
@@ -229,7 +224,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
%config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
%config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
-%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf
%config(noreplace) %{_sysconfdir}/squid/mime.conf
%config(noreplace) %{_sysconfdir}/squid/errorpage.css
%config(noreplace) %{_sysconfdir}/sysconfig/squid
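Review bot: The `@@ -26,12 +26,7 @@` hunk drops Patch101–Patch103 (upstream PR 1442, PR 1914 and commit 022dbab) and leaves only the placeholder `# Patch101: squid-7.1-.....patch`, but neither the spec nor the 7:7.1-1 changelog entry records why the backports are no longer needed. Presumably those fixes are part of the 7.1 release, but a reader of the spec cannot tell that from a deleted line, and a parser fix and a cache_peer health-accounting fix are behaviour changes an operator may need to trace. I would keep the provenance in the spec, e.g. `# Backported patches (PR 1442, PR 1914, commit 022dbab) dropped: included in upstream 7.1` above the placeholder, and add `- dropped backported patches included upstream` to the changelog entry. The same point applies to the `Patch205: squid-7.1-provider-keys-digest.patch` removal in the "new version 7.2" commit further down.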
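Review bot: In the `@@ -156,9 +151,9 @@` hunk the three `mkdir -p` lines are commented out rather than deleted, and the `# workaround to build squid v5` heading above them stays as is, so the spec now carries dead shell under a stale heading. If the directories are not needed for a 7.x build, delete all four lines; if they may be needed again, say so in the heading, e.g. `# workaround to build squid v5 (not needed since 7.1, kept for reference)`.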
@@ -237,7 +231,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
%config %{_sysconfdir}/squid/squid.conf.default
%config %{_sysconfdir}/squid/mime.conf.default
%config %{_sysconfdir}/squid/errorpage.css.default
-%config %{_sysconfdir}/squid/cachemgr.conf.default
%config(noreplace) %{_sysconfdir}/pam.d/squid
%config(noreplace) %{_sysconfdir}/logrotate.d/squid
@@ -246,10 +239,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
%{_prefix}/lib/NetworkManager
%{_datadir}/squid/icons
%{_sbindir}/squid
-%{_bindir}/squidclient
-%{_bindir}/purge
%{_mandir}/man8/*
-%{_mandir}/man1/*
%{_libdir}/squid/*
%{_datadir}/snmp/mibs/SQUID-MIB.txt
%{_sysusersdir}/squid.conf
@@ -316,6 +306,13 @@ fi
%changelog
+* Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1
+- new version 7.1
+- removed squidclient
+- removed purge
+- removed cachemgr.cgi
+- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
+
* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
From 3b10dff1195943f7da91454604681981c150b47e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 12 Sep 2025 01:25:20 +0200
Subject: [PATCH 23/26] Support provider keys that require NULL digest
---
squid-7.1-provider-keys-digest.patch | 36 ++++++++++++++++++++++++++++
squid.spec | 6 ++++-
2 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 squid-7.1-provider-keys-digest.patch
diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch
new file mode 100644
index 0000000..bd62ea1
--- /dev/null
+++ b/squid-7.1-provider-keys-digest.patch
@@ -0,0 +1,36 @@
+diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
+index 09bad6d..59171b7 100644
+--- a/src/ssl/gadgets.cc
++++ b/src/ssl/gadgets.cc
+@@ -15,6 +15,19 @@
+ #include "security/Io.h"
+ #include "ssl/gadgets.h"
++/// whether the given key requires a digest when signing
++static bool
++keyNeedsDigest(const EVP_PKEY * const pkey) {
++ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") ||
++ EVP_PKEY_is_a(pkey, "ML-DSA-65") ||
++ EVP_PKEY_is_a(pkey, "ML-DSA-87") ||
++ EVP_PKEY_is_a(pkey, "ED25519") ||
++ EVP_PKEY_is_a(pkey, "ED448"))
++ return false; // no digest needed
++
++ return true; // require a digest for all other types
++}
++
+ void
+ Ssl::ForgetErrors()
+ {
+@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
+ assert(hash);
+ /*Now sign the request */
+ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
+- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash);
++ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr);
+ else //else sign with self key (self signed request)
+- ret = X509_sign(cert.get(), pkey.get(), hash);
++ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr);
+
+ if (!ret)
+ return false;
diff --git a/squid.spec b/squid.spec
index bf7b2f2..ec105a4 100644
--- a/squid.spec
+++ b/squid.spec
@@ -3,7 +3,7 @@
Name: squid
Version: 7.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -37,6 +37,7 @@ Patch203: squid-6.1-perlpath.patch
# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
# workaround for #1934919
Patch204: squid-6.1-symlink-lang-err.patch
+Patch205: squid-7.1-provider-keys-digest.patch
# cache_swap.sh
Requires: bash gawk
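Review bot: `keyNeedsDigest()` is a hard-coded allow-list of five key type names, and nothing in the patch says where the list comes from or what happens for a provider key that is not on it: such a key still gets `hash`, so `X509_sign()` presumably fails exactly as it did before the patch. A one-line comment on the function stating the rule would make the list maintainable, e.g. `// key types whose signature scheme has no separate digest step and which (presumably) reject a non-NULL md; extend when adding such key types`. The patch also relies on `EVP_PKEY_is_a()`, which exists only in OpenSSL 3.x, and this commit adds no matching `BuildRequires` bound to the spec that I can see. The `.patch` file itself carries no header naming its origin, unlike the `# Upstream PR:` style the spec used for earlier backports.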
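Review bot: In the `@@ -37,6 +37,7 @@` hunk `Patch205` is filed in the `Patch2xx` local-patch series directly after the `# workaround for #1934919` comment, although the spec reserves `Patch101` (the placeholder a few lines above) for backports and the commit title describes a code fix rather than a packaging workaround. The following commit replaces its contents with the upstream patch, so it belongs under `# Backported patches` with a provenance comment, e.g. `# Upstream PR: <UPSTREAM_PR_URL>` followed by `Patch101: squid-7.1-provider-keys-digest.patch`. As written, the spec does not tell a reader where this patch came from.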
@@ -306,6 +307,9 @@ fi %changelog +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +- Support provider keys that require NULL digest + * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 - new version 7.1 - removed squidclient From a70045fc305bb0ab6afd4178e67b35ed38d041b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 24 Sep 2025 10:05:39 +0200 Subject: [PATCH 24/26] Support provider keys that require NULL digest - use upstream patch --- squid-7.1-provider-keys-digest.patch | 51 ++++++++++++++++++++-------- squid.spec | 4 +-- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch index bd62ea1..961a506 100644 --- a/squid-7.1-provider-keys-digest.patch +++ b/squid-7.1-provider-keys-digest.patch @@ -1,36 +1,59 @@ diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 09bad6d..59171b7 100644 +index 1f8ac9d..3f54e3d 100644 --- a/src/ssl/gadgets.cc 
+++ b/src/ssl/gadgets.cc -@@ -15,6 +15,19 @@ +@@ -13,6 +13,42 @@ #include "security/Io.h" #include "ssl/gadgets.h" -+/// whether the given key requires a digest when signing ++/// whether to supply a digest algorithm name when calling X509_sign() with the given key +static bool -+keyNeedsDigest(const EVP_PKEY * const pkey) { -+ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-65") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-87") || -+ EVP_PKEY_is_a(pkey, "ED25519") || -+ EVP_PKEY_is_a(pkey, "ED448")) -+ return false; // no digest needed ++signWithDigest(const Security::PrivateKeyPointer &key) { ++ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). ++ const auto pkey = key.get(); + -+ return true; // require a digest for all other types ++ // OpenSSL does not define a maximum name size, but does terminate longer ++ // names without returning an error to the caller. Many similar callers in ++ // OpenSSL sources use 80-byte buffers. ++ char defaultDigestName[80] = ""; ++ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); ++ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); ++ if (nameGetterResult <= 0) { ++ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); ++ // Backward compatibility: On error, assume digest should be used. ++ // TODO: Return false for -2 nameGetterResult as it "indicates the ++ // operation is not supported by the public key algorithm"? ++ return true; ++ } ++ ++ // The name "UNDEF" signifies that a digest must (for return value 2) or may ++ // (for return value 1) be left unspecified. ++ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) ++ return false; ++ ++ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. 
++ return true; ++} ++ ++/// OpenSSL X509_sign() wrapper ++static auto ++Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { ++ const auto digestOrNil = signWithDigest(key) ? &availableDigest : nullptr; ++ return X509_sign(&cert, key.get(), digestOrNil); +} + void Ssl::ForgetErrors() { -@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu +@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu assert(hash); /*Now sign the request */ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) - ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); -+ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, properties.signWithPkey, *hash); else //else sign with self key (self signed request) - ret = X509_sign(cert.get(), pkey.get(), hash); -+ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, pkey, *hash); if (!ret) return false; diff --git a/squid.spec b/squid.spec index ec105a4..1a32214 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -307,7 +307,7 @@ fi %changelog -* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 - Support provider keys that require NULL digest * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 From 8c77c2eb9851b794b03226cccaedf594ad0d3615 Mon Sep 17 00:00:00 2001 
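Review bot: In `signWithDigest()`, the `EVP_PKEY_get_default_digest_name()` failure path logs a message prefixed `ERROR:` at `debugs(83, 3, ...)`, so at a default cache.log level the silent fall back to "assume a digest" is invisible to the operator even though it decides whether `X509_sign()` is called with or without a digest. If the fall back is expected to be rare, raising that one line to `debugs(83, DBG_IMPORTANT, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors);` would surface it; if it is expected to be common, the `ERROR:` prefix is misleading. The `-2` ("not supported") case named in the TODO lands in the same branch and is therefore also reported only at level 3. Since this is the upstream patch copied into dist-git, the change would have to go upstream as well.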
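Review bot: The `@@ -307,7 +307,7 @@` hunk rewrites the existing `7:7.1-2` changelog entry into `7:7.1-3` instead of adding a new one, so the changelog no longer records that a 7.1-2 build with the hand-written `keyNeedsDigest()` allow-list existed, and the entry's date (Thu Sep 11 2025) now predates this commit (Wed, 24 Sep 2025). Keep the 7.1-2 entry as it was and prepend `* Wed Sep 24 2025 Luboš Uhliarik - 7:7.1-3` / `- Support provider keys that require NULL digest - use upstream patch` so each Release has its own record.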
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 17 Oct 2025 10:53:46 +0200
Subject: [PATCH 25/26] new version 7.2
---
sources | 4 +-
squid-7.1-provider-keys-digest.patch | 59 ----------------------------
squid.spec | 8 ++--
3 files changed, 7 insertions(+), 64 deletions(-)
delete mode 100644 squid-7.1-provider-keys-digest.patch
diff --git a/sources b/sources
index 700eafd..1a01cad 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df
-SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6
+SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7
+SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f
SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch
deleted file mode 100644
index 961a506..0000000
--- a/squid-7.1-provider-keys-digest.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 1f8ac9d..3f54e3d 100644 ---- a/src/ssl/gadgets.cc -+++ b/src/ssl/gadgets.cc -@@ -13,6 +13,42 @@ - #include "security/Io.h" - #include "ssl/gadgets.h" - -+/// whether to supply a digest algorithm name when calling X509_sign() with the given key -+static bool -+signWithDigest(const Security::PrivateKeyPointer &key) { -+ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). -+ const auto pkey = key.get(); -+ -+ // OpenSSL does not define a maximum name size, but does terminate longer -+ // names without returning an error to the caller. Many similar callers in -+ // OpenSSL sources use 80-byte buffers. -+ char defaultDigestName[80] = ""; -+ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); -+ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); -+ if (nameGetterResult <= 0) { -+ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); -+ // Backward compatibility: On error, assume digest should be used. -+ // TODO: Return false for -2 nameGetterResult as it "indicates the -+ // operation is not supported by the public key algorithm"? -+ return true; -+ } -+ -+ // The name "UNDEF" signifies that a digest must (for return value 2) or may -+ // (for return value 1) be left unspecified. -+ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) -+ return false; -+ -+ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. -+ return true; -+} -+ -+/// OpenSSL X509_sign() wrapper -+static auto -+Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { -+ const auto digestOrNil = signWithDigest(key) ? 
&availableDigest : nullptr;
-+ return X509_sign(&cert, key.get(), digestOrNil);
-+}
-+
- void
- Ssl::ForgetErrors()
- {
-@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
- assert(hash);
- /*Now sign the request */
- if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
-- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash);
-+ ret = Sign(*cert, properties.signWithPkey, *hash);
- else //else sign with self key (self signed request)
-- ret = X509_sign(cert.get(), pkey.get(), hash);
-+ ret = Sign(*cert, pkey, *hash);
-
- if (!ret)
- return false;
diff --git a/squid.spec b/squid.spec
index 1a32214..5d3f86e 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,8 +2,8 @@
%define version_underscore %(echo %{version} | tr '.' '_')
Name: squid
-Version: 7.1
-Release: 3%{?dist}
+Version: 7.2
+Release: 1%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -37,7 +37,6 @@ Patch203: squid-6.1-perlpath.patch
# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
# workaround for #1934919
Patch204: squid-6.1-symlink-lang-err.patch
-Patch205: squid-7.1-provider-keys-digest.patch
# cache_swap.sh
Requires: bash gawk
@@ -307,6 +306,9 @@ fi
%changelog
+* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1
+- new version 7.2
+
* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3
- Support provider keys that require NULL digest
From d9e38f92158f83eef6f4a9cf9ddad9931d703413 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 29 Oct 2025 11:01:53 +0100
Subject: [PATCH 26/26] new version 7.3
---
sources | 4 ++--
squid.spec | 5 ++++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sources b/sources
index 1a01cad..304c790 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7
-SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f
+SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b
+SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273
SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid.spec b/squid.spec
index 5d3f86e..84d079b 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
%define version_underscore %(echo %{version} | tr '.' '_')
Name: squid
-Version: 7.2
+Version: 7.3
Release: 1%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
@@ -306,6 +306,9 @@ fi
%changelog
+* Wed Oct 29 2025 Luboš Uhliarik - 7:7.3-1
+- new version 7.3
+
* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1
- new version 7.2