diff --git a/cache_swap.sh b/cache_swap.sh index 77d06ac..89f3478 100644 --- a/cache_swap.sh +++ b/cache_swap.sh @@ -17,5 +17,8 @@ done if [ $init_cache_dirs -ne 0 ]; then echo "" - squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1 + if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then + echo "init_cache_dir failed, see /var/log/squid/squid.out for more information" + exit 1 + fi fi diff --git a/sources b/sources index 975ec82..304c790 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab -SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803 -SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 +SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b +SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273 +SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch deleted file mode 100644 index 901ece2..0000000 --- a/squid-6.1-crash-half-closed.patch +++ /dev/null @@ -1,158 +0,0 @@ -diff --git a/src/client_side.cc b/src/client_side.cc -index f488fc4..69586df 100644 ---- a/src/client_side.cc -+++ b/src/client_side.cc -@@ -932,7 +932,7 @@ ConnStateData::kick() - * We are done with the response, and we are either still receiving request - * body (early response!) or have already stopped receiving anything. - * -- * If we are still receiving, then clientParseRequest() below will fail. -+ * If we are still receiving, then parseRequests() below will fail. - * (XXX: but then we will call readNextRequest() which may succeed and - * execute a smuggled request as we are not done with the current request). - * -@@ -952,28 +952,12 @@ ConnStateData::kick() - * Attempt to parse a request from the request buffer. - * If we've been fed a pipelined request it may already - * be in our read buffer. -- * -- \par -- * This needs to fall through - if we're unlucky and parse the _last_ request -- * from our read buffer we may never re-register for another client read. - */ - -- if (clientParseRequests()) { -- debugs(33, 3, clientConnection << ": parsed next request from buffer"); -- } -+ parseRequests(); - -- /** \par -- * Either we need to kick-start another read or, if we have -- * a half-closed connection, kill it after the last request. -- * This saves waiting for half-closed connections to finished being -- * half-closed _AND_ then, sometimes, spending "Timeout" time in -- * the keepalive "Waiting for next request" state. -- */ -- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { -- debugs(33, 3, "half-closed client with no pending requests, closing"); -- clientConnection->close(); -+ if (!isOpen()) - return; -- } - - /** \par - * At this point we either have a parsed request (which we've -@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() - resetReadTimeout(Config.Timeout.request); - } - --/** -- * Attempt to parse one or more requests from the input buffer. -- * Returns true after completing parsing of at least one request [header]. That -- * includes cases where parsing ended with an error (e.g., a huge request). -- */ --bool --ConnStateData::clientParseRequests() -+/// Attempt to parse one or more requests from the input buffer. -+/// May close the connection. -+void -+ConnStateData::parseRequests() - { -- bool parsed_req = false; -- - debugs(33, 5, clientConnection << ": attempting to parse"); - - // Loop while we have read bytes that are not needed for producing the body -@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() - - processParsedRequest(context); - -- parsed_req = true; // XXX: do we really need to parse everything right NOW ? -- - if (context->mayUseConnection()) { - debugs(33, 3, "Not parsing new requests, as this request may need the connection"); - break; -@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() - } - } - -- /* XXX where to 'finish' the parsing pass? */ -- return parsed_req; -+ debugs(33, 7, "buffered leftovers: " << inBuf.length()); -+ -+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { -+ if (pipeline.empty()) { -+ // we processed what we could parse, and no more data is coming -+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); -+ clientConnection->close(); -+ } else { -+ // we parsed what we could, and no more data is coming -+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); -+ flags.readMore = false; // may already be false -+ } -+ } - } - - void -@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() - if (pipeline.empty()) - fd_note(clientConnection->fd, "Reading next request"); - -- if (!clientParseRequests()) { -- if (!isOpen()) -- return; -- // We may get here if the client half-closed after sending a partial -- // request. See doClientRead() and shouldCloseOnEof(). -- // XXX: This partially duplicates ConnStateData::kick(). -- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { -- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); -- clientConnection->close(); -- return; -- } -- } -+ parseRequests(); - - if (!isOpen()) - return; -@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) - startPinnedConnectionMonitoring(); - - if (pipeline.empty()) -- kick(); // in case clientParseRequests() was blocked by a busy pic.connection -+ kick(); // in case parseRequests() was blocked by a busy pic.connection - } - - /// Forward future client requests using the given server connection. -diff --git a/src/client_side.h b/src/client_side.h -index 6027b31..60b99b1 100644 ---- a/src/client_side.h -+++ b/src/client_side.h -@@ -98,7 +98,6 @@ public: - void doneWithControlMsg() override; - - /// Traffic parsing -- bool clientParseRequests(); - void readNextRequest(); - - /// try to make progress on a transaction or read more I/O -@@ -443,6 +442,7 @@ private: - - void checkLogging(); - -+ void parseRequests(); - void clientAfterReadingRequests(); - bool concurrentRequestQueueFilled() const; - -diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc -index 8c160e5..f49d5dc 100644 ---- a/src/tests/stub_client_side.cc -+++ b/src/tests/stub_client_side.cc -@@ -14,7 +14,7 @@ - #include "tests/STUB.h" - - #include "client_side.h" --bool ConnStateData::clientParseRequests() STUB_RETVAL(false) -+void ConnStateData::parseRequests() STUB - void ConnStateData::readNextRequest() STUB - bool ConnStateData::isOpen() const STUB_RETVAL(false) - void ConnStateData::kick() STUB diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index fe37759..8bfdbdf 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors # * diff --git a/squid.service b/squid.service index 6978032..09c68cc 100644 --- a/squid.service +++ b/squid.service @@ -8,11 +8,14 @@ Type=notify LimitNOFILE=16384 PIDFile=/run/squid.pid EnvironmentFile=/etc/sysconfig/squid -ExecStartPre=/usr/libexec/squid/cache_swap.sh -ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} -ExecReload=/usr/bin/kill -HUP $MAINPID +ExecStartPre=!/usr/libexec/squid/cache_swap.sh +ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} +ExecReload=!/usr/bin/kill -HUP $MAINPID KillMode=mixed NotifyAccess=all +User=squid +Group=squid +RuntimeDirectory=squid [Install] WantedBy=multi-user.target diff --git a/squid.spec b/squid.spec index c1fffcf..84d079b 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,8 @@ %define __perl_requires %{SOURCE98} +%define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.4 +Version: 7.3 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -9,8 +10,8 @@ Epoch: 7 License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc +Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz +Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig @@ -25,7 +26,7 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Patch101: patch +# Patch101: squid-7.1-.....patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -36,8 +37,6 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1442 -Patch205: squid-6.1-crash-half-closed.patch # cache_swap.sh Requires: bash gawk @@ -55,8 +54,6 @@ BuildRequires: openssl-devel BuildRequires: krb5-devel # time_quota requires TrivialDB BuildRequires: libtdb-devel -# ESI support requires Expat & libxml2 -BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat BuildRequires: libcap-devel # eCAP support @@ -64,12 +61,13 @@ BuildRequires: libecap-devel #ip_user helper requires BuildRequires: gcc-c++ BuildRequires: libtool libtool-ltdl-devel +BuildRequires: libxcrypt-devel BuildRequires: perl-generators # For test suite BuildRequires: pkgconfig(cppunit) # For verifying downloded src tarball BuildRequires: gnupg2 -# for _tmpfilesdir and _unitdir macro +# for _unitdir macro # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging BuildRequires: systemd-rpm-macros # systemd notify @@ -83,7 +81,7 @@ Conflicts: NetworkManager < 1.20 %description Squid is a high-performance proxy caching server for Web clients, -supporting FTP, gopher, and HTTP data objects. Unlike traditional +supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking @@ -95,19 +93,8 @@ lookup program (dnsserver), a program for retrieving FTP data %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q -# Upstream patches - -# Backported patches -# %patch101 -p1 -b .patch - -# Local patches -%patch -P 201 -p1 -b .config -%patch -P 202 -p1 -b .location -%patch -P 203 -p1 -b .perlpath -%patch -P 204 -p1 -b .symlink-lang-err -%patch -P 205 -p1 -b .crash-half-closed +%autosetup -p1 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -127,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-eui \ --enable-follow-x-forwarded-for \ --enable-auth \ - --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \ - --enable-auth-ntlm="SMB_LM,fake" \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \ + --enable-auth-ntlm="fake" \ --enable-auth-digest="file,LDAP" \ --enable-auth-negotiate="kerberos" \ --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \ @@ -150,7 +137,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-storeio="aufs,diskd,ufs,rock" \ --enable-diskio \ --enable-wccpv2 \ - --enable-esi \ + --disable-esi \ --enable-ecap \ --with-aio \ --with-default-user="squid" \ @@ -164,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-translation # workaround to build squid v5 -mkdir -p src/icmp/tests -mkdir -p tools/squidclient/tests -mkdir -p tools/tests +#mkdir -p src/icmp/tests +#mkdir -p tools/squidclient/tests +#mkdir -p tools/tests %make_build @@ -207,17 +194,8 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid -mkdir -p $RPM_BUILD_ROOT/run/squid chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl -# install /usr/lib/tmpfiles.d/squid.conf -mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} -cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf < - 7:7.3-1 +- new version 7.3 + +* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1 +- new version 7.2 + +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 +- Support provider keys that require NULL digest + +* Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 +- new version 7.1 +- removed squidclient +- removed purge +- removed cachemgr.cgi +- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers + +* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 +- new version 6.14 + +* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 +- Do not blame cache_peer for 4xx CONNECT responses + +* Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 +- new version 6.13 + +* Sat Feb 01 2025 Björn Esser - 7:6.12-5 +- Add explicit BR: libxcrypt-devel + +* Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-3 +- better error handling in cache_swap.sh +- added RuntimeDirectory to systemd service file + +* Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 +- Disable ESI support since ESI support has been also removed from squid 7 +- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI + response content + +* Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 +- new version 6.12 +- Fix TCP_MISS_ABORTED/100 erros when uploading + +* Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 +- ignore SP and HTAB chars after chunk-size + +* Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 +- new version 6.11 + +* Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 +- new version 6.10 +- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may + lead to Denial of Service + +* Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 +- Resolves: #2262715 - squid-6.9 is available + +* Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 +- new version 6.8 + +* Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 +- new version 6.7 +- switch to autosetup +- fix FTBFS when using gcc14 + +* Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 +- new version 6.6 + +* Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 +- new version 6.5 + * Tue Oct 24 2023 Luboš Uhliarik - 7:6.4-1 - new version 6.4