From 3563803dd347dcd835e3dafd73c77768de1c70c2 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Fri, 7 Aug 2020 16:39:46 -0600 Subject: [PATCH 01/68] Disable LTO --- squid.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8a99ea2..f6cfa30 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.12 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -108,6 +108,9 @@ lookup program (dnsserver), a program for retrieving FTP data sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in %build +# This package fails its testsuite when LTO is enabled. This needs further +# investigation +%define _lto_cflags %{nil} # NIS helper has been removed because of the following bug # https://bugzilla.redhat.com/show_bug.cgi?id=1531540 @@ -294,6 +297,9 @@ fi %changelog +* Fri Aug 07 2020 Jeff law - 7:4.12-4 +- Disable LTO + * Sat Aug 01 2020 Fedora Release Engineering - 7:4.12-3 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 84255a49f400d0ceda5b5b81eb6ba33f6122e152 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Tue, 25 Aug 2020 23:25:44 +0200 Subject: [PATCH 02/68] new version 4.13 --- squid.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index f6cfa30..ad8cf9a 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 4.12 -Release: 4%{?dist} +Version: 4.13 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -297,6 +297,9 @@ fi %changelog +* Tue Aug 25 2020 Lubos Uhliarik - 7:4.13-1 +- new version 4.13 + * Fri Aug 07 2020 Jeff law - 7:4.12-4 - Disable LTO From ba95f2afcc5b37405b84f48782bff8b4c112ee4c Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Tue, 25 Aug 2020 23:49:54 +0200 Subject: [PATCH 03/68] remove pgp.asc from git and add it to lookaside cache --- pgp.asc | Bin 95203 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 pgp.asc diff --git a/pgp.asc b/pgp.asc deleted file mode 100644 index 2f745739ac76e5e140365206287b1de8b3feeb0b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 95203 zcmd41bx_@1mWKPoU4vV2cXxLP?(Px@1b24}5+GPOxVr?m1PiXg3GSBQev5Qx!q;C< z&z-8dRrfEbQ>UI<`#o#zz1F*TDi{)^)C3R&1`BK~`tO#+)!KfVNTzf$XxF}~bgZ-A z!&9zk&{&>ML~x>vrjE$z&I;;U)RJ>@f%%dM-Y*4B`d4+Kbmk= zI<%a9ro*iyF3-E^6`OyI>RlR_mn|{C)Sbiz(7*t&I#Q80_D;mI<`x!?*5*#c{KjwW zorIko&CTu1of%E-8SOj;BfxkdUx0xFWZ?J^&M#Hgz(jv+l z@1{T?*$W?DTDN6dB&#sE+E+I>Ki0UX1tQ6Jp}L34uA?goHG);FDigfgLVLcchYaWu zdl4EByi6sk|DI@$;L>V^F`I0DrHTYa_V(k&pm7yiUA10YozX(5IdWAC?a*DylnPDh z4@XNpBvKAq>!hTT$$~E(4fGABg{`6iNJ|ODAKU_if;ThMA)`BmDpxlrENeh7(NXZb zXpWp;s)FkHcfGP0Ei~8@R3xgAj7TvG#5a7;Hb8fnvLje#BRhfy)mpeaSe^;f+Y-?; zXo8KkA&Xh(nv{nCyG93KJ-4q|^X=)X}A3S4HfJQExj?74z> zGBA&ZYe6Wk^_O2<`t%211>tS>j@!nMds7=9C!0hqU30okeM8@ld2cy0<7Qkkgv|S; z0BU5}U2Uk&AF=@a$dg-307uiaUh!V)Fi!S;aO@&kTTYiOSt%L{2&|FqzJ<(IUgIFT zV4K-mmvRmItzP=Jd*wNXLzoly+uDWv9k6+v^75|^0R}#++xl%vf=74*G>#~wTGMRZ zJ-D-K)--SSNv1YFLAr=3D3ZXMgPRrY2`fXi^6Q3l-R(wmLppHJZYqtE(2fbiHLG~T z)F1L?i(3R8jsv{pM#NV=TO}rNzRpCSQ%OjT-`bnFNs+sJ!U%h*<)@TwUv4k@6GcpN zqmKWt8A`3{;9_k?%*Mz}tYU6!ZtP@EENAXPL(K2=^f}w#a+mX${>1-%?*2V-&k0~2 z_?8f45{{LmUBmYKecRmIa258oj2GcY!-o@#ZZwo!-o!QK30)B;BmNHgN8u*?NpfE2OXs4e6<)ny0OA z&QQuvcdzMKxgbJIQ6t#+XX8D;1dL;GhX)(@Vc|oPbOy;;B31SW3yFxuv4DrY{!CM0 z+ZMHq-d}!cWYJ!yBV*tBgAbY;UH}!|@c_a~1~crK#GT7o!rZ>OiD(QMg+7T|$BCX| z=7#KSU=JpbF-(&DVb4rEa*SuB3{k4@pZeD{kmkM3wp=jaLEyCyEj zdj4<3cxqne)X~D)~U76??#4DdEpSs7kn-9H!7>78fnEC=$=EoZaFD z6f^drPr*r$b#BpZSOf)!Y}wZ^b25Zdf1_C(F7B1=lL}%_Geex{_CU^SO_$rH?nWKj zL>ey*>I@YQODupC6+2dM#Fbay6&Jw&5p(PN zgKFxQ4hR!plDApJAP7^q#Iqg9la-HV+O|&pRFqOE{Fyg?MZ96CJ}b<5TSs$zWp9 z$=+fR>QQN6Rd*q3jf|8@{`YP}-%s>)vzno=C@!gplT=m%>AytVsy1hvUK*RksjLbZ zq(D#7ur09Q5Vo$KkhFsdEkWqwzY|B zG;;r+&aCHI`@$3!nB>&YB8=$KBugyy!qMi{sjRnqPY9w`^WdvMb?T;!5KAJFCH2}< zDNsT@m&RcE@n9Yh=S_1u`_M|LK3SvF0D;* zPH9>BD1oe@B^2T2mgi6$B$y-^#`chAi|;6tzeoI!D=%i$KAg<1j^av>cX{;R298AIcRx_iVQFBeBWY^vJJW zQzcJxH67MJwR44{nuw8##aQK!)jUe|P%ImAjC?*;f|@jUuIl}?QQi9;(HY*}6K zo83yMI!_OS?ponsL){ANi8(v1R-HA^G%PloCzn239#KV6$r@x$&SlG>SsgzE^w?ZW z>~)EqJKATF26ea1W!-(%+TSoI9-9x=+o(V89 z??RA~^l^C!KADLorUw0v37ZGH zm4y&wtvxA)Qta$PL=yQ0V%(5E`mA0{Ey&lFqcsm9$f{Zq?A6)!4BV$vA!eahJ2QfL z(T(FoL3bg`Hu4eJc#r`Hq3H10CWnyT4*3x2_%u$C_Y*VZv(-0>kf<9yGWV_RCVrmS zhwqw>;6!j`p;NdLkMswNg-Q2{YQY)6v0L`X6Ya_}Tz1mjabf*lskztqi~aL*02Y7awF$xEo&rF_QqfZ35I3x}jIDqnN zvugv#2Z#FA;egTn8DTp0i6L>pzyaugeCKJygNZaP89O7&RW*cp^nrm$WE$>^xWYH- zfx<+3?P0V`44W|tQo9S-JlE)~o>SIw;IyM<&kOBC(uz^02+L+2K(}KKr1199(j(2; z6h~rqJ$5F|*wnPYv)>@2>*JMV zKaNh#{G`{2-RplN2j_lUJ+IwoKo?z~Gv0tdUVlB{`>h3hPz19%Mvs+L_*%o%(!WLUf z4fKn#s^0X=L;2{oe2T=Kjq~)*(XK8_CgBUar0bpND`H0pGRjE>m!2AAS>68RekOqU zrHcs0<&~-rOuJIpy8^0m*Vr&vq$nCJ&t%&CAKT{RYSOG~ZMYaq$e^T(xOp(Gpx2U) zoAU43hZlLGt(2{oySBEL-rnfi@(ZXn40Ese^H-92Kq%@B+G7MzGq@FQav2Vdee4@}X!`=;h&jQZLGWNk{M3cGf#CL^FKUQn@sjTD{DI&pOffKJN zPFM^U%*UUeZVVI=Tj5&PdB&H1&PMfX`QKVx(-JN_EAEMTXPWv>?NRZ&sD!s|3Eq?h z*!3B;@V~=$o#s!tbh?f;ieA(i-s;9vU(`^Gwl8 zhY3Hl12-iZmSugF7qc2?_iF~ z`lVOq_?rn|`51+l1Zuh5%2AU@*x{viwo|R8L5?PcqPr|*lc6wr&2dFXD&viq~j%la2eVxF6%}_^h zH(mn4x%l|uoo<|iaD1IFT6pWM-Be;LSnpxf>pK1GFSIMn85yafy%uIK{7Zz)8i@c! zC~g{C6k+R^mVQ{fYWezANgRhMljJ$aPPJqxWKb zTP+!;wdzrc_aY*)$hVG~6Tp*QcC#G8nytbcYYS;P$A>1ndz4%J5-oYFySaflGNanD z@tr)lk+#iSw1(ewNjS&|D&(z5UWM98j|?|H#oWeTA>>wAR${3zFrgU47=OyO1FLcH z1<3mHIVl&s@TUn$Ldl{{qkciuTV^MSM{%5pzMrql)D!GU;Jcg^Ti6grL3~mzvbK*p zm&G+Oix+}HeJ?oIhzdMrNb~&)z2Mh?{lf>tf~mV$%84uW;1fLO37Bu2;OJP0_cX~u z*ZAjnOd+Cl72zH7MeMH*J(Rbbmip%mXnZ`FWohtRT&K;<$&uBYV?PJ-6(CyR%|Sfc z9KV#i0uiHJyku*NYPf`28YP7BC|fWmpwxqfgPn&9xfmghC)i4|i=R+R^xr&QEMap* zTzGE)bfrdmdoe)gmoVsESLQYi!E)J9%J@4CUbKdl?cV{xdwqPusKi~2?aYZa&7GXgZJmhu-Tv{9@Gmch!PMB) z%AC>O(NZwn0`dhK_>-CN^qcTvxonQ|7&Ck^j5?==sxWt4pW z1eD|ZQh%bayrH@BsmMY%JovC;c^jDU5*!7kMB;=E+MZ^GS4yLhk9=*ypV`AWa7K8Y zt(J{yvX{?ndJdsILS)167Fe}hVz5k+H{Qw9<6)8;W9>crcT5V{ByV@Br4jk zZbquKT>eR&ZSRzBblAOPS7{*29~#Sz9@{ewdB!L5fHy)s5t%C<$SQ>IA;acsI{Kh) zK2~6jf11cR@7Dy5^s6{gVSz%0h9;<*h9Jf3q)aS$ftHVmJUlW>*$Nw{EG#dEC9aqi zQG_+7*P27FzxpAAEq%2%r|E{^Ah6sd6Laf~Y-z`wu;+abt2-5{wB1kLb-g8#vz0L% zn?D-AOkC#G?k^Fp<0A+V-;1H{w>T$?q|4>0RR= zf(KuZ9hqa38C8KR*vOVvjw=v5kG=-^0!v5nf171M5O5)bMjO+HgY+ScIKfrNYmM_ifwe z=R3<92KTX6HK^vTPZ{pw%}U<1bY{wEir%g0rdQ4wz9nf`*NO#4xsY*OGl+9S;%yZK znj;^n8Q$D!FYIE0eq<}&bI?uo=n^)`FNTRTqA%HK6FD!~(|MLOPuVcHeSI&Ej{-S= zF0rpcK!i8?f zQsKCTnq1Z*Rs=1P)aH#$ab+FL`1IS5OQ{xaP?Cw;!Z zdPEM6?6ulv;G8X$L!*kE8be3dKLE$eKQ?y57sigjf z4j=3{&De=b_5%`V$D8s8)eUgcW-GQU;6kXUiF(h+9RKvWZvB3XQoC;-B#5A#vI#}6 z0V(`oe?z7r-(eTAx=w0Uwr>!Z(~;Fzp3AmS=6NzcYARZTmRwNlIAW2I`&ikN=n@+L zVLA?-=8zunL7)HOa3|oprOFU2_^NPawF91y7+c-|J|%Q05U*=j9TdX z(K9RmWqixcGbuMkLlek~Sm##Pu|T)K5V_{;8?NYq7O!FtH~qzVx{dnB<pmZ^ZOrAWy={YCD1PP#TR`HC;) zgS07-0LUT4Tbov;D*TWRWY@5!5CL&q{plG;b8P5|Q|ZkoUv&`q(kdRv3LPJPsK6B; zw7r_RZc3+bxnTjf2C{6UksLPfU*DKNT~l5c;Xx&S2}RI`BQ{S z0$B-s$&LZ#P4Y^d4Os<(fu_axFQkEVXiS}tjMqw2+zCZ^D2xHERkOh%&p4X;jZd5( z&GJO!{mrqc5&%f-Lx~K7`9N%~C*VziulIG>nj{ebnI$*mWP(KO$$B1PnBNZgeI()l@v6yUb<1ZQodM`4P6^Z|mh0Il+)NLUmCqI|#MsYR^}&`Uqr&i)Z`YRMJxFE1vg$e*g=k6{r;gvSQ3X zqV@MR<`lsTnQnF{8^=>F2k=u_mk*YvpGaqAJQl!&@ypT>VShdH@MCR z)n8!kwCGixrH~Ucf}3*TXt)RQ){qggz=|P_-pmn211s}|2y_;c+crKKLDa2jvHKi0 zl~8u0)xi1)Z?8M%6-{35)tJ?Y&t`s=yb(7dLK{@L0%QV?1h*^~j-GpCdR8kxQe}U* z`X??5DIo&APDhr0%4e%If*pQZW$;N)H+xXYi=|`$PykomK?`zKnj?DY2QJMPoUqA335qcf!ubb>}A7p zS~d(QhM?rCx9`)~u($ova=omuXtahS)IJ)pFKE1p&QI;IFT0qcaQ8NBoZg+`PLVw!eN3Kgy?w zx9N8>B=mb_sS+n)T5FG>b2MOoEV%k}Ije0EJ&?l%ndwNX+MRA)+J2s*6X%CVx3;I{ zoOjnM#Zo82?I(UFrtfphVjl*oMqUk6LPuRvHadw`ozD9Wo80w4>wlklCi8YK=t&*@ z{9bkDv#3X88X&7?PKRhFp>S{83zD4Rvh*g=dyOE|0jG4R|z4m z{xi-F7||0)H>MyArOL69ER5pbQz1W~I{_e1 z_}O^{NiP^HaRjRXH#gMyFzTS^oQ9?+&MLAe+%}WP&15D3k}`t!vP*UMM{ze~VxS|g zwlq%D13-!2E8i~(1dI%g(oWl+xG|HdkjSbQONXc+@Pq?Ua zIzD|<6Lfc^2uWin4P*+5)rSh3sI{e0LBrT%63}E=@CZNS=m!)(aYCSVwWk@z3sL<5 zkX`3;HtonnM<{GYN&Z0EQS!=GF_4u`XNzkF3ypL~x~KVLT(@^ZC8PWq$GCvviKFCx zuUyuw)HlKjWEHlVG9r_Hd$EPIBSDmHG?!Z2=>uf4v#_y{34LExlhV&3E?+F-e#Lw6 zjAQ*C@rkpPapzIZ3L$e~31lE#gkR$7q?{KI)-QQ1;cEA3BhLdM>rTNoGdh!m#B5`- zEXKS*R<`qw=bS{==bSJx0OS~lS=MgQX-$q><*Auq!oL6q-UMU{rs@dw{M4YYg7p*7 z`GFSDEi#Su=a7^#SZnyD&u6O5d`<43ZjV4#6vOI`gu=UAS-}! z;NA^cj^AR84Tnyb-FALNNIAUq_YokaZ%F&ZIm{tStT%VCKb?kr;Ar>JyZ2b%da>vF zaMmD7x8nCoHKb4>!N+~q#kQJyJ?qijLU^%h4vT;EsIDO}HXZ3zz$IDKAsDx`A0kRj z)4~vZ^qF)FmM2L?&dC=g1P==tLT98$`Q%rhvjcV(RT!1UL|++B`ZZ&#(nV?%x86z~ z%aJEuO)5t+SI?C%W&qb7oe(chAwqT2oplrD_oUK+;IRXydo&L~DxC4uzK-(Ww7+)t zfA>EAtM3)*N04}0Cl`H;x<%tHHmK+ z3fd0T$G?VZ$3EwvQ9W^Z_YdrPEu`-kHvy38Im7Vw1^o+N?x@6z9V?TplH^k$EA#Fp zyip%iz+I-6{cXt&oxWtxL%9C0qn+?SHP63Js^6VSI1P{iZ(6=M;J{CFTpV|dFa^-Q4zxgmNI01woikFD74#YPwu)icB27yR!rP8AnFw*9nXc{UbNwKJ7vq z1^}58b0EWLG$A*roe1AKSp8(`+P2x}Y5v-nBcH6j283n-kUpOmI@o0E< zU(EBpn&;&OvLYK+(b-IxA7n{}$Hm^v5gxNzV*#MIiM3pbKC%^WXmXfjZG%}~WO4gG z8Wt7c*S-U?f}MjFa;$k_UsGHd zAa*u%8+6)#{KFAfOw)Mc{GKda@PMqGPx}zL2{^&!i)>)-@l=l_VdWM;8h9?J-3J_@ z`PG>4o^-tEe)e2Qw7+nio;bfJiz_++6RiWG7J!1F=0MgEk zV2xotkfG3U)~^0+I!4D-hyI5nq5hNiiSv81=-2{4a*P;ioHMrm$(B*?<3&m7yoTs5 zflMkB%&M<3$=1&HltSGO#Ig@}xn9pWn))qIoZpiL8!?box(@VZ*nfQdhCfN(Vi3yC z)tm?eWJQ#&h=x;;i(zYJo)nrNa{Ip1vG~K0)EN+c;{2WnA|-&V&C#o6*-y=4Q*df& zr;|mcUt6SRfGmHzL@Gq^_nPGNC2gzDJU>Tw_MZ-?C+iX#3S8{fclRew#vRcMZaPzJ zbrJxi$&jZRoongOlxcoK>g;Z8v!(tK0NGX>OVxkZccQ)FgROQks$TgRi~NW4uam{N z001&j?{VC2i3{cC2;!$@ny&}Td8rG4EVu{YUlwd5pDes~Bp*s7OD|uUh!M=P=y@AfKLvaut|%_5O&nJJY_Qr3UyqasZ_9ZOI_ToDVB1 zr8VYM3**wVP7>_DrjvXiJPLnKR-Ux$y zGm(<=4cT|5so-Z3Z%srNIZtQz(o}4El7~e&+s~|n$VLpaA@-I7KTq&1*4TRO^vuiq z$D-6BTi*$SeSB8=8}3LwrO)_rXK;G-OrcG3Hd&(sviNc}dbKg5u)c_5qM_G0Qm2I) z2Rh*aGn+FJV5GlJQbZ_l(MY#%P!IsR3-A==2h_&&0nKvnSyWh{$j&C`lN@U^OWmc2 z$3Byh`@Mi+?a5GsXolW<;+--B(xbZ#chKEjk3oN5#r!)S{48R1g(F{oda8qNGi4c7 zy97bFuh7^C`w<8cuMsdAy~8qO!NZ_*%Dlp^u10iZWbjSA9F&kdM;9CwcX!Eda(}k=oz+% ziIBkI!or*GD6yV@*(yiA)g0(a8=(xR2sfI?M22lF-3oS;uKK2$mR?iB{w` zV!_?$NOV>=U0U-QO|PPLBoauS+)j2@EO5sJ;4UE))_(Ok!+n3N@>%+7W4;%OIKt}E zBdjU@m>7P4W`!uKC-<8=$I`&NIqECkJnDhNeHH8Mx>V&K?(bdZDBhVoCWpAnFm$B; zcngvQ#I-x*9Vb77YLgst;U?E{QLdwTcY+6uFF(_81hA0-o@$++$Y6*}2 zE>Z~z%%e>7kPhX~S1}bGg0xr7V6jfBq@X<$OVO-bls>)EShi-!SeHXT$%Lc}VO)49 zJnqf%7^-(c=e@P5v)=j=Lv`?JWSfZ-m25Uge$~WK%}APy;2Z)yofhbZVsI`9ocRMt z15BTn=GRuizIfP)G<%ODyi|Sx%_6(%-OxSFKOZ*Bxa8wyP0V{OXVP%vi_)G)$$q;G zM@tQApBv}3TWCwaD&5`aXn0f!XjD2RCfw{l%sJA~hg?yi02v3n5-8$qSF>6`EQfq~ z`NBXK?q$|4pVHP3!nM~q(Y8#V?2r&w2rfbmdTcQsKENKP6-`OHPiLU%^2`qGh1Yt< zZ0ajN7pX6X{_i4{O2FKsF<#epJk+2-skMhE8m4AVexhuM^`0r094m09LLw&2aSuJ1 zKpf}!af^=)9et0bdU(CxDBbP8TTo(po`)Ou!+v`am0GGO>F6fHI`6&aJe?ZRGOo4$ za`+gobm>4GV5AYCy!NP_0uncA+Y`P}SdKY7z5n2RYqGp)6`R~9WlJ_8ydvMzI9OnY9jap7H zQK&MRTKS>mk)=m2o{O|_XZm-MCLLfNrKG|ikU)#Wv>C%hxv82L^hf7+EdstB8#An! z*7QCf-F!cRlofsKHZaK**E=+hFHQJ2SIM%!tMPs~56Z#RH>VZqx%T;PHw`0}ir?A4 zN@jHDa*qyp%gt`fO(UK;6`}^~esn4PqHo81S=28`9_%}45fw!;kUA^)R&4QrHKp7m ze$b$Iv%|L6qW;i03H@`br*3M{Ahc_fn80Rj#}bPELU68UOH;*<1K!BbM#6r3|A@4Y$(R_VkNiYiWc;&4QVP{iPZ zRt9;Levi0UiZBb`lGr^My2k8_7yJq?7YsIGB7oS+5jXR0|DLlIjMnABeKJ$4Twx-1c>qQROY3)PcSVm_rxOQ70$A~68 z-nYq*);Mdsncg{uj(0y>FPiZ8jn0^rLwI%vsIV##Tkqhvl@TYGpLT6D9EHz*tpG$Qs(=IXCjHgj;8)yB;_?& zAQQ)buWD*G-|93at=BM{g1V7tDqQ@vJ<38> z4n(8hvgqXrPmsm$as$yckdnF$?mr#0aJygn%6#5v&Co^3%?)bOkd(|8EP_g|?|Jp! zebJr=11ANeK)ULt?sel!9O+c${lQ4HIDTjXkv{5WIU9fa$B1Dn()%4vpD^_4aV>mX zis8AuQ|%p=#f|7~7PjoLuUZO_R=wW3uN))1fU0DS04kg7}%%dzXsahC@?c}<}TO?ITF|K=Mtt~~B9OoGP1%|s9yi;Pi-0<&E z^MEI_W){zH6*rfC!>r2~BOEMV6g7eBWxTE~Exr+z!-$m1b7BisqaLf(jq)p`4aQOr zq(dbfeVh8QdE^olBW~tUP?)W@eaDA~59ov11&7#`M)_=6921X&_7(SZIAfbDW0fJE zt7PB#yC6o7Om@y?mOdvYS<#I%ft&j?UiKbkNijrYy_ zq9#A%{EPL?hYf(#%#2znR($0(EhHtG+Z&h0`6TK9khg`AB3PCGrW=84pA4bRsVMKE}qiVbQ(?#TTvu>@~h2Te-UtdnuY zQitm>fBunKOqQ|w>F4@weJ_FmnT*^x-N=N7QM4|P6&Y#Nn43@)?m$-2S5kraBem5m zj(C`d9f@J>(~_z`9LXIpk|)k@>-!Blkd*|wql0+lp9-S<1eq|}#%L~q?+Jk9qYc}c zATt|G?7@30NYE}6-?9JI`nG=J{IU#xHAeIRRjM2c>xE6`Oy#1?HSJb`@fHEJA? z4g;H2JKW&W2AH&d)z@FL7vZ9M=DJDg2mG3Ie_P)ufk0MC=yk4>DIf9$%@0%Dp_PCa zapGnGNRi&=a#{x!&5J;fc_O2TL$WV; zD*yikFKNlg5?U(GkdW(a>@HJA8QrvG$b{?%&E2mrD&aN{dx6TNM}B3P`&NJ?8A zAQL_UY2ff;g8c1KM;OZR1(-99yUf;8TK~P(tcwl#s70*&CcrUX3d#X5Z4LR2hE9rY zN>`gIrTkoY{t+JH;Q|$noKt)mvf#SSTT=6{9Ftdy%nU==%>u8f12hIJ+Hj4q6FBED zf2PFC;tZ-3Gg9$PR)5cn)$S^chch~!Whi9S4MVkrLh&gn ze>=?@9zX`7%yb{aZN`C6bjeqz#^R+DRm9Z(9%q;L2I7Yofh zbs>*+{HXrI*?8joHi@gl0Fc5|iAzyqx$h_|n+aAbdBA=4WpB4L} zUFYBS!i65$sl6@#59j~TB>u}Y7CKu1WUKF6|3u1;}Lc9S{z^ zCxKPbMPyL)`|$P^Ml9!F;`zTZn-%~19OjGy$jWo3^GAz{by<059i47r_N^&6ehJ7* zN^#$@K(>l%gsr~)s6Ql0{pGmvSv>zoruDx*t4XW?GT<#p0~R`7RF**Kw2Ol!EAlg7 zN&z6v!i3Vj?(drQyEQ(x{n`R(w~s4-;`!HSHKqpuNSx_(9haezAhj}p=P{rSrmjJ6 z7|05eoj>J)>eeG!*cea?71YLOm)?BF`4{tB)C(lQaHl|Ac1p@QT6pPsS&^P#7t&H(;XKL0kqVTpmPsuyK!sX96@|79{N6&YP3|_ z(J~=MW#No5)+Ic*=(Jp?&T$fZ9rJSzTgyTfy#(cr4Z^RTKKeAesER7qWrS*+XpW7R zIOp~ji@_(Yk?(pfut3k{TUXzWWh+-}q9`d-^30S#Ll-b&C$V%i*~aThzJE5N{d+4L z0vzU1*JOOA-8`CVK6CF8^ zqQ(&_#5mXm@dE*wJfQ^`b}EnjAeWtun4R)LE|;#j_+>aghyGD1yoKu&QHjoHK@fxo z&U2Cet(9%&3-joko}VtDEVNWmpgSa@PS(x54M+tq1MX5K4I5ehe5UVea78Q#-(E#H z0u|)hT@XJBZ3_FnFz0AlQrKe<>vl7a>%WkbabYsN{H!zGR`dx^p4Pj1!Ume@)k*Qn z_N}@x08XFh%W|y})Dn(Rx>Y>N^*&Q_uHXz2VP+IfIxQQX7-D;zrXhv;9YfdH!xX9g zz%{P=k)2oy(pnD3xSQ)8@`tX2CF-`#qF#kg+D$+m3}A!e!XBk^M1 z*S~fDQ5wMVT%><%Wfxw;0-#9AvNaCMErCxlcn;rVMXmI$31(Do>Ak{=CbV>N46%n+ zH0WCWdu#6BBRG_lou`rn)0CJ!GLj=X(_FwT&QFG=1X95kwox2QZ*?l3n<6Zc)0TAV zw6E#ybXgC*^qMZtblZvM>QXg`-ZkR#U9Un?91MOW>r1IfE8K6C^_D-A`zFu5ulKVc zcRFwK3cuk*K1A%~vMJX&&sJ-wFOi{j)fXa6O)+k$o_+ciG6HO;+gg`zHUhgopCJO= zk!39c1?J|G8N^u0Ed;nhp83Pic-S>G>Lw2s*}(C%9Su0K_s8ezyC#P3kf<#1eIV&r zbLiq7>WLVT;|83C5(L)Tj}hGDyAT%CyRCZ#4nX-|cP#jcd)u1NVJ}We4Itt;e>lGJ z`j|e1kkc@FxbwX-@}usD-gI>&Owk_=wC@&3f$deAM7=T#wnFu+nTdqeXw0}A@Tt-P zN&h}cF|?WtSV`+>*|2Y?@Mtb*=xEPH`nOj0P8!Suw_)&Ect4D#%GGHL(dR(0(bq^) zUwZYTINZz4jHHDZw$t*R9j4zB6>Pj?vS68^tH!wInI=dLA8(8pLZ$f|6q#*p7zj@-mc6#h;eaB?8S~ zto}4_*j&XniM|k(heiED=nO+TAv81BDT$#>#}yCX&cHx6|9*&Etz{3Zs;fn^6u&? zO;9J(&Lx_dWBKg9{zA$wLX16r#%Y%ohCQ@2V5TjE^x)gL$J{X$>8l#SUf6B1KIKIhzmy7fyK{Zwt%lVilAKe`91sspPw(o8_lj zQ=eZfLH(Xl+mA$U^BqFh;#X8KN^L^xx%zmvq|ZVm%C3jpW62Li7m-uN7Kwo~?n?HD zE$a6YAG2g|>WNI%--{%%0-o54Iv zoR$xYN?P}&Qc+!w><{2am^+e=GW}fKcJtnz^HlJKsM+!SgfoY2=8l7uOB9?(F55|- zo>${o=u&?;>h%&*FG_4V$@S358}^NF0L15FCGH@re8v4u47Q=;*IUyE_LKIdM)SL5 zD-=CCuxk?xKLZVnI0uqrnc_l@-xLm~9^9a;iH3yTn;u~}Tg-hT_ma zf`qv%sKcFiHa0saZhs}FT&?6kvc}qY3by^(R+5y4HFzC6h}OV)yg*dFjb@zcRm4xBMMbH2LfR*9BYvb1HVcu$+LUteYN1KSiVRF(~@HVmi+M{q@1d$^XOI zTL;y(Hrc})m*5sO5Zv9}-3jjQ?!lel4#CdBJvadpG`MRZK>`GK32tBI&fE%@x$n$Z zzrQG;YSB;AXYYPiukJolX%a5>G0PG%MW)lco@1A7Ul>B#c=vf;yfettT-1Nd*meDb zwg6>dO@8L%?0K?|B78YI?!2;g@q)to5DN>d~69b}$nUt!o!_ z)2gH&APr#Y@7PfiCpDT3TcE0WiBPYXZs<8rLZj>>fUoD|W)UHWjJ8IoND1qsCOwaq zW1%GQ++zsVh0t>*NBELO>ttSDt1PV3Z*QlUi-h}Pz4ww|*{&8id0^w$}2@NRSlviKJ@W~<%zE@`x=JOLXO&|X9Qd&~DvoFqXy<@rCIB*6mr zXok4HCJ(PzO!7j)^T!Vch(mMH%q%^vn&nv}bz#K}1q<@hyjHPU7W7pRs^;wm(c^cX zF%>I`mi*VR+gC-gvFz?GzM(7AhT>tJHwwMMwf?NQp9M<=)oT&W&!fJ9Gn_#XU2IFp z(Hl3#<+=eQTk;^>d+y#M-4l^-d&pOYB?w=ld2oUJn$YHgU9bP}2L-hdxfX5%7fKw- zc~j{tBYERKu9`s6AfDIsWMRq8(V0U`j&{t<`Sk+;5@)|Z>wb$MoVD-?E!^We&1%+j^nWQA zEMCAp3d`>&1l7Nc%)fq^2xD7~u=*rgq-Pusi(^Db6Xh~|OXq-f&r(+w3R?<&falC6 z&nr6G1X=HkKixWO`N1D~P$; z)T@pZUKhC>E>MVX*1^ig9?9p|TuP@NuV?|o#KgPJAgfR8%vkx<)-Zvj;_-pU1kQuq zkAK`OCd>HO*p9!;1%y=q$U`Dkl85|j>fEo?xC~NU3=W@Z70rUfJwsE7jOq+G+*ktyrqXo?Gvh3TnBDIk;Bud|e_Nh})IwjdF$0ENd zZ+@Cvp>eSzt2mtbzHWQH4pRHoM#8{oC%}dw%`ASm+o%E=xy~({IH_^D&;qeTj$$AA zN%&%*o`O;!xd8>V8R*C1Cy zJYO9hNr`ufm_L?Itdo}u8<_s3T<~9wnHI+O)^;}L4h(;KGoKd@jDHhfe-{ook%8RT zNTpE7)jyakJGXhX*HD9mDS3+kkj8RJf3#msw@7=-7<)9XiR{@7%>PT_;EEi`A>=$v zl}enw>tvliu}z$g5?$M}2f&e>ols=A6!z+D^Kthm_8Xo3yGefn<$2-Y7#GNX(QNR7 zGURw0IrbNGkf6`V_Q+*A01~6Rc6v3Mqf2fZ8vs2|S$z!IF7O2BS>Yhk006n&6Pgz5 zBAQ`2F;eo}5Zfq{Hn;%bM89mam`ajFt7$JTFmkbA!V)EaQnhb zGsAnQQG`0Nj!(QC3C4-B8n;9Nw`h!_i90JM{N}C?x zFG4M9odP;2Iv@dX4oplL2CXi56CEDC)B9!IE$)TYKXCrhw^TUFyf9T@~ zZGwvXe`MC=;sZIa?sYy_29B4n2xn9AXrZfntjJZJta5H7ybM{4Ro5p5;U z(z`4nf7QWy1%T7;ZdgUW>ZXuJm`cG(H++wvCwubVd`_^3p8_Dequ5koYi$N?+w_aK zr2RQeG*i+5$l#G&FYQDZbBk5f$oZXth`_*$#y|EvC)l?k0B~gK3%vmeJu+~-r1#Ec zvd#%DjUkYYvjKYs`0vTEDVrQA&W z7158Sn(6ep8??F$0Xf9xs_tLjFGf?$I9$xuC~kj(3nBZ1^PCtTSp{-wsu!V8EWg=0 z((gzy>?zJXY9>MfxdLCHkNOjSY8`In`J6EE51fg9+I~WePxHM0zlm{B5s=G}7Ku~D z>_8Q?ZzHtl^E142ygvv430tXW&(o$zeZH_G4OlLeWKel&{hz7lVkW2uYR!1oVF=|Q zCAlOys3eEA&f+b_FH(;AOeGfqWD9f_&FRw$j5Trob5UF#WAaUTWc_GisI)>Y#BE)g zOJy}y?TzcqDW$#bn9VJt8lm=$UwF)W3k_0wG-2jHH+RrH&IZ(T+to94PsrTw*m-2o7&UDLZSC-yo2%+w=dY;@+FW`w})NK1SZ zLBlee723(fy{8}oa_4ay*?;##Z^GyDtrUF4`P-xUpNN-p>GvMCVULLCq+89h-oMIC zg=?(S^LAe)l1O;5gLKc{5kTLh*4{E5Jay8)QqQ{EaF32-o>s_LY(?!{>vhLCZBg3U zZO)dHv`Xf~-$x{!Q^y_a=FJYJ*No;nhG8~DW*oD3K+Cl*uc6V2yM^P1S?Y&AUO`DB z^Oq1m^tj`Y9qbR9+}8#m4iv>X)w~b6@@82{s=?PJbW_#Sh}FbELz{g~n(JI{e>R3| zd>j=3_2{>&U-@0rq=q}HE__qbz7kEzOFKPs2K17YaItc`nVPp?{O2$`m+c1k>~Uz& z?px0FmkO$AZ!{?L156)}d6zAg13L9%27Yp?2I4?@ub{w!%PKyMF2JIVg{N*iznl5c zZDX~RHo<{#N4#-Im+EW%7z2s+s}MUQdC{K|*1L;C zU!`xov*!l2dQoy*U%$nDF)Zk`y?di%-T4+XMb&s`PUdPZ^%iE~sgwSddcL`W2Ws)5 z)F|gauG7obKt{a`A~B)faxkwojjff>>EoDUJD@2dSx?Y;-3UEjo`5$P!ok7QD0d}V zOTu6M%i8AhoV&iF6N03NyE)$v#ioH%HOi#n%AHDmQTsZ#DDNY5455%z7eO?gjuHxv z)Y&Ur@sknwIoMh&ukR|5HZ6)ow~Y31C5U;=N>E0ha5 zJZ88D8mxfqaU$22H4R3kqAyz}NWl^;HK5j^O-fF}W1<#(lddBh(O$5SY!TDIkF0y1iGvl*Zy>huHM%7aPA6`A&7uk&kGC*J(dKov z$0NKQV?DB%eY@1J?|rCHCz3d~llbWV;m+mDT(g7UJLEXMOGOdXkQPz!elj1sH?j1j zJay8)QqPsBaF3FgYb;?SA?;I+g}&!Id}Rf=+aG!_Z;a>O`>beF6+QT{wlG9q3YeAb zwch)=B527)BQM92pq$Jht@C}G*48_at;LLIrNC?#6GAL^SUbh(3y&O zJ`FD$7S3sh(JphMLC7$d@lz=L91pb9Hf7 zSy_@_Y>AsPChxehkYlvYIB!zB5;qIR(rd|%qp|=})1UJW9V6IBztnY(UbEWAC?rQ& zZSofE;kd}`>l*j1vc2R1mdXrcqcv}M!dFnFyHz8%p!x;R9goBXe3oAl_7o1v)`cGi zik+w_FFOwhYp@CLdvgrCVudl(OkNi2`b1o67{2Jy-~0N4P*7SPF^h#-8#({8g{o3m zn8oOK8*Xnu{2w8YR`fDvwbmU%JE%VmzrD0C*5&rlp2v}u03nSH@xf%lTNPF>Y^E`O zjzM@kyO3}{lrg&A&?WUGlK!1~M)ik#p#72z~%*ixZy-xqHgFaRz^EV}vb3dna;oorDGxrZTK*sycU+W>T z7P_Cg^U>hc!XRS_^HijlUBAJ?-DE72M$s+wQu9_yr&qlS>*QOIe{Wf4gn=z?b?KI6 zbY#1F;s#mkR>ls(K<1rR-+Vh!&n^-i@m2J5tD~rhn3kRS3&n<_Bz_o^3^nvhnZ|&2LyO2QQpV~Q^;#uLZi;4=?2>aV>^0HoEPNI{{ zWmiLi@D97Avyh-73W~5*0vcbiW_mq!(!WyALmY4q%(m&4@&45XKQ<$@9+sqR;+54K5OSj7aGQkEbb` zLv^J+bb{q08{gN2xBBc=&c!tDku*#mz6W-8^9$neUA!N!xX){Y-R~Up%wj4o`L-|y z20-zNv(XE=SlS|s$e~J93=taHUl1GzXwqrS(-yb+$oQNbF=gCF^wq=1(Fa#dX{TL% z>L0W^iFqr0`Ac`JW?~V@i-7+hau9^faR`3e=c=fZMVt z$HW6WYc-(=tl%yd)L@jr#RB8L3&U( zNe^CaRN>xr{Qh@4UsBAJ-UwliuJ^#GF3VkEe8)j|KK}8RX&U~_D%i`pjP_SpE0S+% z%IC?~8K><n$?K-)eV^EF_+q6PAiUfvf zNIOuc>m&B0>@Jl9WPvTMGY_5z5$nwvJ)ac54`xPu)z`RyZh7LQf2W=W8{r<9mMus2 z#2t0m=xCv)oLJBy?r?oR!i^{(WL@DC3i!VBg8pJddeh@H75XY+LFzXD6x9)ti*1HO zk$=YUhdkEtyX=LojvTgM(_B_BcHA}9mgUv^MTq}oOi@NGUihAQ27^;b6}u-Emk9q&Q>ndXgE1Nt zq<|$6s*z5sKx<>JBkJA(JB1cRFMG87&7JewMMIKEmvzNpc-IYYMS&q03|-wqD6eEsT>5??uKKya>bAlbq9ss}NOqC1AFf@rcE!$A@47Ko%ARWZnU2V$`hBH8e-a z8=RKZPyoo8d&C+pcF56;{c&7L-Q|Q~P@L}%&U1nt>Hq-eX$>C`EHsq8fbGNua4h%x z4EP2CaNk<`o36U-F6LDI@wz3LA=#aclczZUB-l4_0Pwr)scYM96651y&jvPqvPe$| z1wjBDf*Gf;P<$koKFrK?g)^Wgl;_&;1m_vSZu|qtAr9r`exHy>=5>xxuWm12?-GRh z764~DqRd^kJG~oEIz(MaupK=c=Xt{CN$Cfj{pN@MCfKRs0r1z9E6DOsHwXOt6$9X! z{toQ2JZ%7ExFIOngzaImnXrJAwgc;QDunt(aQ&QM=a>O za|f%ffE)sJTwN+Pc9J_zb_L~}O?Qoa*54CE{{z8p$P0iBEhz%DGfknmh*_Owt!M%- z=h}$?aIN~)_ZU#YkP2Ln?gV81~05DH>$s5NNTl)Vm7SndSv3| zy>t`xP-Z7%CdquY#Dc1AlEgzwP(+~H9`Kow>|lAc8*bhvF!hVorY}#xSp0-gI`o!5 zk&NLm+ji4Zhs6%&HEP8Vr!8x}9WikPB$lP?IcPZ&A9Re%Wx5auG~rv=t+No|a`}od z*zvRm8m%M@CLjUBW!;BaHn7r9XAhb4yB@n*1eqgLYzX5(1O0y_*q={6e9o?GJ!RLk z8Uc{-M=8IF;EmRXZ!@XJMq~zMhVuOYIH|UQsojN-shO0QdGdBvBWEKL<^P3UPkIgH z;7#{+yXSm7KkW-HpJ~6DmdXjz13>2YRPtAq8Amm`OsJB+d8af>QqF&(_Bngp1OOoa z;54Kotfs9;_#|ma^B_4?tQUCzxa2eHC8Bc9SR%~l;o_>`d8rb`?8QP5lS|8y z^Yjo}_*^AAF5&GKLT0Y%_SSYd0P13|LX>`8IG1a1Q^-#zZBg8iKUkcO3z9N*p{1fLE@Xzv@(`tL9hp--j>#?1WxnkJ|Z z0pt)1@MT)NvY4iFBCo__5se5zM$P~r(U>2EEpyd7#*#0K7*DH;<7{O<{YgEZ&-yDu zgnA%@2{(fH_7#ud+vmPz>ig*9Q=E;o328eyF67mKAXL#8;T0V%fo?-0lYGqI)TvV~eC7MoT>@_=f|gO#-qw@7C6a@sEJuVS zSPe}6rL>7dFk~-9G$u{+@~lwvb09+tOAls-49NkrIXzU!)QfKvm%O|_+wRavLDxyx z#yRJpIPm2sVz?)#e3oE+)&@Xwu9v0cPy_Nz(Ke*)L1aVnCgNcLNVJ;*l(J|Vop2apDZPN(-!43VwbLBT(@z>pv-H&JZwE$sxT{>U+>X$ zFvJ2y=+Q&nM@ZCg8UZV7GW6419Q_v`Us5RkLpiZwiDdRpkwAX#!6{2(arG>V1$0^2 zT(OL@vKj_iW4K$szv`lULdMPvc0)i^DeP4CBZF98-y5-`7BdDJWAKU-^yk?fdwSYR zrsxT`%9rE*NU<-cVHs-GY!OEVMdph4Z*;A~9W3{z=&s|9QvkG=rukYOsgAl(<6sVw zdOx}Bw^RbO(x&T?5`TAaJWn73`GJg&*(jTII-KD6L6tA?WmR7V#czR3DAc*?b1&){ zE=a!ECe)9PVP7kr)~U7%3V%Oo{uV+6Wda~`;EU+Q{mn(%rxV7FLQ)s;?C1<2mz-0i zecr}2gaht~EI_2}S2-WblPBo&Jgqt#0Ec9aTnJ(_!%u@24nZI@31FbPgmIQ%Yy@g0dVHZTWa_q zw*Bf)4IJ04U&ztGzE7h0dEaF2C;;-%lnr*FQdOG$>RnZ6%hsvvG~U zA`%-J7ZzG)J&KDb=Xxe!5H1G5V_v5Fv#+IYc6QuZ$i>wU1NURt0PsFL%2v+mb{{J^$!QBQ;1qx|A$nx$eI`nnPc^}=N^dEK$^@J%iL7b>Y}h{xskISnR3 zSd1A#lj_0g0-4DR1Q;jkr6xrs_HiyX4%V`YO zpsl>OWrQ76Ao{52=~Lk`VU_mM>00$ajn=a_b}@GKc6BqicV#qnwEt(rquSHViiI1< zC5?+__?Xg-{{oMg+#yPTW8@2<2ILC7(d_h!KtG8EZgI5Ta~9QOq93YnK|#iz2=jx{S#x)H48D( zK=z9|NBpz4BTbpkE)+~vsvoKu(P}^@-%7s;);5^eTaHaye z3?3OFM1JrXCY*+rf^0DMRUS49KrYoDYr?1Z5QPJ5oJ{ekN?n1bVXA*{o@brF7XTbO z{Mx5DqM(|!^-Cx;ksh_zdf)G{lpmXi(?lJ(2fJu2-IHYu>Iti!jLCf7TqwB)fYi0FF~yY1!*g zAP?%c15L8gNmmqZ#{wWl<4xkle%O=iR8j#L+u@`h(Fo5!_WX~mQxgE!9Ukrl^Qvh1 zD%j{txy1_wuVyR*;I=`yWKo9n(FuiUr6Lr_!(27KkAH9^b%vOpW}TMj02sso_j*JA zfb@AeSQBj&J8JgV`jG1PxA*4WzAb68|5Z=h>@iBmgo@_|@2u z_YSnIpd4tcB<`l@lEVmOzpz)PFdk4^vrb2az|Y8}0(UKzqJ3h1$MJ_P)#&K0Bmi->iqA(KLb zY^uRfiJ#{URrE94&aWIwxN+$wAWCvnHv2VE+t;2~-7{ssTZ~_FJ-&QTm ztdI4&Fu9??d-Dg;QjO>9NZO}76k@=$U$Delt#A%>;2n$3*;NerL`9;UHydi1M^6_v zFfop+N=opmi!`rY-oE#Ib%XgXXwW^O8}alPcSj`4cpz(ba1oQHpqJ8aGj4K|nd=YK z0`-K@Uu_VMP*qYI2=O7j`;IPi7L{~*P0LT6^slOd3_G|7X65-C1ytvPjt?R=5L5=* zDh^T1(rvp<5eWSU{rD0;Ex9k%-k8<<%3bZ$&F8;O_xQbHG9>dEKmJKKlt3#91$faC}C7^~lVVbyrN{$4V;Xc5b3kpc(3&+~Sz60E#0 z@F3Zx%Cxi*8T!Rwgp7n*C*vADM=~z!3YS*VMi}b`&jhsnUT9T*|D$J5YoH^-&(yGO z!byM>YLZRu6u!uZ5+)c`)e&DV$$&PC2m=E_3Qc51+Wx7N{#8|w!U*@kwnAd**d)G< zIbDWtba8m$@^UEUN~K!ot@vyk#a-?;V+d=T3wMVKGKEF_F2$rOud!&Xx3EwC#8jFs za!OOEt1lp|ZQE^T&}&eFm*yn{ni&X0o}u>kUxcOZr6HuQj*iGY6hGG17MYb|dKC#8=4rSXv)N9j z--@3Nhm2^a&O;$f(jpy{{WOG?!@)V#NU=O)s=5kJEo^mfxkALd3&sz@Vm%p2CzFQ} zzdKuKTfneQKNQ6oW_W?oKF<(Isp+uAu3ZN;W{IsM;X)df(Itkw`_xJQsw&8Agu6qk zG|P8TkNJWz0nM#!Lcfyd%~TLKk_~?>d?~~7_A^FL|H`|#_cL0#HQdLkbG!+#w58j* zHP@$IWn#Q#r?i?el$Rk2WsAlT%7#M|4rb^-Xm&iE`t~bBeuSRBFA>dBC)=iBm@PRQ z-}g!)4AZPNzN1v~@kp>h>1hFWGpp1g*wx7K6hI`3l74kf_Hj{LwY>?_QonE(#g1FW z`mCEijP)C4h#pkgzVkiCmh}`VRe{Ga3R;b^5Hm{7rrbA+0VlG2#xG^HIaNT7bjGtJ zVXmNRGUc4U-%wky5;1;5ed*ZFBSJNkks1BFT5Z6sh+ad}XVc(!SCbxY4F_$A_Rl_?6H(b+BD?fSR<#L|W&gK)5L9 z_^xUMC0~6pIXW6q-MA3SIhW6a-e%BU%p~1WBqdge~MTI zxu9^a&|>&OgVDJ05F%4fmYtq^v0UEDgfK-JdlZ9;x*~4W(y5-P;O7(@4_-@=x(Wvk zlQs)&)^Xr|&cLy<^?m)TN5-%qw~x16@|wtWl${3@kQkHs?(4QzLp6Oa96n?;Ur%&$ zpnlMn-e0VWO-Q|FA0u(`@Xy*LaS`E|oGK9zDDJ}8)%&Oea)b~zreoHqwd0m7RWaJj zmpH?gzWqkDCa0i2UQE#$ct*hNdKU>Q?;slblyK3`AQYdGJ=P-Gwru(4&F0*c@y$vI zYSlryNiBwg9vJ&+B>k(ZfG`vuC}9-aKRfN-tYEJ$i*m^Typ(5H@IY)VnpOHxx) z>+X>}8U)pnU%`bu0tht#l#UtE?S7sF_gU9UW-nwg)JVyUde{$7sajz}e5L3Fh{L#L z!>raI81HY#z3(2!^kwa^3vCZ(MT8JOWD@W(YRp@TBIp@H&LOn^Xt(XROq@6zrIJD7 z;wy9Ov*GfWiSCzcTt9Bipjti9Rba9xutQq)sQt;5i({ZEQ%o7$V*)iR6Cp5(&*9?6 z-gIv?{P8Qf0D!$JAO2BSj(>x2apJ8r5s2^OV4$s;b=D6%E`wE#^?}<(xH(L>hp`ic zYsdmW-R`=nmmx^vWf9@<{7;7W7=8i(=qhJ;uiEo9lE zPUXNu19)S2Q*OGVqkl-v@sw-@Z|q7$N|4B;CbJ|ad=w#0WpRy)D(HP!?x(;_tcZXk z=JXpZ7H1JG?$Q0N#)X3EXQDbV7<++K0?n={A&g6hz~7oO`omjK9Q?aiH#kQkU5`?*8??3CdsKXx(5T%_=zk7 z=X#GYk{Se_)sQZ5XzL3McLq?2)f6Uzjt9c!brgVW?5>w8bw8Zv&;$#`0ovLoA*=}J zmp9tj*Qp6vUEN1}_4(mSm`jPVAMoZJPc5WCN)aB+n7U4r_|q_Z18T&M-EXoUncP8_ z(eFXNeHFjTzee`b97fmkFm$-y-muan%y67HyFT3j@r=P z8Osbw(Mj8YnWXU(oM%*J7cT%#Ikhg+sVbo=BHMj@eL~hJxRxvqfaK!(x#1q7kaHnk z2^+LYT4y~Xru~zuT>5=;`g<)&FfQCZdbbR2PVY%oh3)w==LGj$4Ve-eY~&GCVbbb3 zca)pvgT4C@@+vm@p*@ZMp)*y30DD+Zfr$vQ5Vasl>0EG`d`;PYa3yPDN?a_+9WsPg z`_pXhmWD2L4?tlT|6ah@XQ8{~tg52AT!x)!1^z4)*@6F}gy%~q{n0FcrpF%wv1IUg?dSjOs7qCrhWM+N{# zqEBw#Q@i1cV|_@UbCp5rl_Ly%^6z>!n{5gj$mR3Yd8LcMVE#GrHFxG`b)AsJluZC6 z?2dY<4_-t~EM^-P#ji+!J0t1;gY%qYL=FQ$0THCMgkh@l=hxrWcQk89#k@_M0dUO> zYUhpN_9$EY4J>}TK{+fHt@Klzf7XJB(tupSi6cmYpX8?LCo9$`I{=iTU#Tnr5>?nK zDMT1Q-ul=agRMg=AS;CRWJuL>Di;X{$b{kzAdwxaPVbIR+1XoxT}VqwJ_K@bO9!Pp zDpGj@w@43Sxi3HG1|13kkbZMj#k(Vs52n8q1k+uR6+gcyumC{HjXWOF z0dI&^l~^9WHB$TFZxZQ0G*VPR0J$V1m{Odt4rDkXkn@pTqYF0DaBl%{kO%N- zANF-$EuFrPx64uj5vfzeKd8X+|CaTK(40%WP1??d9fq`#L%iwwXUp+N)LIZmfCO`~qP!eF?1MX>>TDPl3@=nCgK z5W&`xdn3oI8$hjmxxO`H*l`K3nSWPFc;*(Dy)Z|S1OuN_y&+FBbSC^}n%Qn_TYhbN z{UG>mh{58VDcx*WW(1=OCTjJiW|K75Fy!}j>hdl3IOcanB)pRL4^6RfS1ZwQxLxA_ z6b#e@gS*`L7d^SmO^)mj(AFb%G~&}x#nY7??uy57O_H_Wn_FsxmvGYAU($01vMGBx z(yYt|t6##yRFC>z{z9ytqFvTthZz^?>ur|z#;J%Ig%04>Ai!O#2W7fvuS5e{G00oDX12V^&KJE%zeN6Z8IsrG&bXSIpYEquEC^ky?_?@w7$cP8H|^69&8+i6-m z&=43&$n?imj=jVZ1Hjv-VbT5fGdScS(WEjYq~(~Axgt;xOa}U^?`igL>e2>^qsVtY z1Uo8?>%dTCsv}JmjJwE>oa{ra4o2Yx_J&<81i!hUosN)GqKU4g#%ro9J!50i--AYjm~MW+0BVEq+RFp%Pkk#2yh z6bUrmf9>)RSB!N0{jh<{RO6)O)U11-1?1B15ED&#F?!HxTCcdo9t0RGRb&F-)Mj$c z$__~#LQaP&>bo&(=4N^&w;mq z8SrPByCm2w-Z=)&ejLnk;ABgwH~D`(c!|?!TU1GB`$i ziDEuW7?#wV^oW8HXbHw=zz!@_suDIIg-j@>kI;tu;Xp}oCxof9#^2|q5n9A{FJop`1oqQ?55`+h83;q`m=og*4!)X*NLUCqlF|T#w+h{{rlJZo+ zu=lS;SD?~7<32{Lid>_j9Gt^pK}~f!⋙2%uZ5im0+CtphC1|_(WSD<#~!G3?M zQ2ZjC`tZ<-XYajJygwjM=oIDzJ9{l8`Rh!)K{nQ^Xe0cT>^*h2f+xmnYgU`g;9X)p zVOC5IP|!ePT!@YdG4s3 z=@h(|h0Z3>>$oF=KHpX(?kt59FSVy|Md6RhSsig9=VwJ(-YTTdn5>AdJFkni7%`E8 zcI>zd^=`mi*!F7r-sQ4zP&wZ|*hC$?OdJ+8e_Mt|Az^%9(1iXb1A>~CNvf#c4V&xr zR1Jc`{bs6^2`VoNo(x9Hyxp4!$wfUw+XE0Lc3jtRAK!>8mYKOIJuc zc7^WwZ4w}tvRlZ8Y?$AcN+%0fjaa^P^*m*!ITl(%D4 zu{-#Z-d{?zDtA4R6M|MZX{GAr=bN&8H;!oOh1v%d#SrpYhYlZI+d{f~Jc=H}a+wTq z3TS9ZhX^W5uP1ie4rO-5)OFSN2w5?d#J!vc6mj=onb~ zv6_u2$7F54g)RcnApnTTt-p?i00a5kDo6rIp!CltCWizX@4q&5|NiCgGm9ySC1v&Z z>)7c*J=z*e5b{*LNLwm8Q+;T?!eG4H6|hhuDPwlbxXaHUCot>2a`h1Uq%TbhwuBPo z?58@An#x;?qe-(?(f{dy+%HBeD9%Sq9Mq-E*mquVA+2}|ExpxUi`#_mCsK{D`Owz$ z;S)x5z)NRwHiZZ)EN{m={vrF62_23u=d6}*;=EC`Kn}KTAI_N==Edoc-IiYsd(q=) z)ujM90o9xRQO~cm)!Un1Q~dh}`RWDdzx@742muWgCCDLILA-NAPYb88d9&C{m|S)X zIwllZmB?bJ&moqjk`;+t?Q!WW`37g`jvZ=l{CX<}(_m=0f#x*na3;xn3aLYcNSK4d zu#o-d2R4a|kbYNee!`|K)e-KYo8Cge3TDRovgNQW8WU2Tf#65{&gY5C$2tz8bz0z~W(7^UcK*Z?P|kM= zX+pOZaIKoa~TWrcnKav9;|HnT}D*VOo zFEQOb%9&1dBUN>F6995wx*W5VaCxIVO`hCvV(*2xCCUKgQZctw4by?*0`F~`G$|6ZckJDcY&Ax5`OjT(M2xi6tO|(u(SfK697^>vZy;a z#x5A6!9T>rE@G0To_JDb6`53V`2B!O(7JKhV;ht7^8vsWarh?e7aDLd9||1;)a8ll z`}2cJP9in7{gY89Af>UTH>D9JgL>I81NgMH1M{rzeSyY z;~>TTHG*Ad2hWaZg+7@K)Mw-BZ;rM;6=FG@EcYq4R_-HGB z%l=SJeI;b`1PA-4_-}hiaR*+-`9eKXF$3V3C5n7)jG%xJX&+yIk?>X9HB?O?msR>D zPHzv7!Isv<^LuRjKlOq`@DNh}Y{bafT-W zkOMJA#aEbsuUfSfl|e2iJH+=jrcZFbXOjQ6rx>NC;eNS^{)Zj_9uttc`R7lCyqokr@oiF{ZpinoaD1Nsd{C%$Fns097|2}V-}0HmR1>~{)v=J@>% z2mO2iX5LOf=J!I!|7I|RQRNeU+ru;C_S5?0NYjZD0D1WOZncG!aUJ*!eDX1$SBCT? zGzW6IdsKBm*j%5;Zp3y~FN6vi&4!-HDumG+|ME|irE@mJHdTFJ8jwp`rMao5Fb*rZ zKcaDa8PEHPUCSNFWsmfKx!ggWF*a#8oT`LA$)&$Rv<$DCIA zH;!E)zNc98*8%LGKrU&o|DfAAtrY(^c9{Xl+N{0?3O)eblCY&59bbp0g!4L4tm@dn zQ{-~@363WN*KeFcL3=8U;D~L$bRbuV@dru*l02cO$=Ev8_=pwT+y9TX^Zv&&{QLi5 zlRdL%gvdx{_6pf6o9ygOlD$_{w(C48Bs1B2CNj!OM2b?`B_#2ET-{xFSJ(ad-jDAO z-+$oscpv9Dj`MsykJtN{7zYTBu}|G?X0#j?(m6OMbFC7+V}t7GIu#m79gcO~H!)St z?n_+&A?!k<{q#E>gRn@P(AZxjKKU2l^_KDhZa!C9F8Y+>1(v~{j}G2ltsT(!EOco08W0Z%=zrs^;c}4LusNv zb$x&WhB!5r}0XT|bLv!3z=T_PIs7`*mtljH4Oq>95i5;sy zUTNdJnd7W;1Rcx6)HE|>k9Jf&!EIznosqXI`KL||owaHQ2od|HZ-URAp3RRH?4CZW zz%YKDnhoUR-{#7Z3Xf-V40`r{7sjI}QcXq9&nTU!@=2tQGUKI<;#U)y$GxC{+|(yL zJrQSDMA^XFof1h^BfFIu9U4$(J%G1&O{> zR$m|3$t0w4=)EIBtEV^j4pIlJ-cM|43X#iu8+m?nPKUS8T`{2~ixBILVjE`4mWu$g zh@86fRu1xW7*t;89c<7pi<@6T(-|5|M(X$!o!BxRERsW>pn$wua+%U)(U$UMfmn~v zvMT8$qdY)})mSuhb06bGTsM)Fbj-b#UjrkfMyUHWqV#+I+239z7Y;MoK=guwQ)?Qe z$Q3$7_7bp`uxy&T1rP#jx{ajXY1o05WeEhjuf+v)QjiDJqI6#W*LuO`s?w`3 zRW_Pz0uVgeR5V^UDyX~$s$Yv+^j(!@36BKORpAkxvSzEJe7zNgF>=X@H+6o<5D7|W z>BjFf+&Oez6!mTL{cpSk&@IP(4-S*yI2K=*&A6VklTxDD769`3_Bd7?cdPI7O^K$% z4K>^A=LT+|>Aa_qv3LUos1X&xw0kus*ziMWyOB0kwx`YAYa!w9l!}Qzup*h|7di)!JD1<^236oG9UW5 zip}Sc^(aAD7DVpalj8XR&dO=RzpaREYM~wIsUt&L^z-CrKS0RvQ0S~+RhsG-5!(50 zc?%f~^wgo%(^lny)DhF$(3coNm6$W@}Y1 zSmy?a3s{`crd`R~5GK4K+2OHkj4tcQ)>D7(yW%s_G^7sdyzFZl0De2-Q}Np5=?L*q zz~E7#-(nw@wFrQ04RJ;(*oXHH3;%LhM-3b;xRwI;dZ2Xd4tVZhcHyC_bY( zB0#GcOe~ z^Iwzqed7TTLSu~zvA2VsvXhcp{nAq|CCcJj25{M($t{lZp(_I$tHImdUugEt7|)^A z^S$Bs!OsRELN&R;HF0a-0o+o(+E+X;E0kUMkwV3__MFb(DN%c#!p!;D4N2(AG<^hXMRD>&yNbk;ccIM)qQ#wP-H51|8)9xY(go zqmslE$5+?p{bzc-2^$!l38Z> z>YIJOg|T-4$U&sGuKdC1JB^lX+Wgwg`|VEQ(Fq#Ab%^k=726l2unB%oiJE1f7uI!N0Xh0XEC5f$3rppeH4je)*)r4&)NShJ6)pXhQVJFg z{v*|Vm&~I))D`yS1%=(uO{4q zbIoR7B-s6~iUXSo=g+akIJDR}ICR)p|8;0F9=4K<9tSo97INUI?tAvF0KV57f;EEc zJ5sD4d%kDBRQywsejJm8pG9nuj3UI0a%UM$h?iEJrRGbjh zt9|1Tl+eNjMfB;5ZqD2@l)StXPP{pizcQv2mA~QR)g&qtF{`eboyRR%!%`|2sRS=i zbGqG=nyC!XSQ2;5brby(w4Gwg$(-2cPCQH!y0zTu$=GG1zVDrW?mFS^jq&O=u8^-4 zaZO3o-vqepD;OnJCw0qkEg83CiJUX}(_1QtBhG*Fmi+rWtI$spkE{-N;j&wuj=+8j z0FdUCV_1Gg@BQ+zCcN=)K^70I6p*hqshZ};w^x!llYBU_Z6J8h6U=LPmcgR)AApF*IJE%r>pM^jS8g$P0Eo!BF*`FvtV0QcYqM$*59 zb@mJj3gq?+&xm%sSo~X$O4Q>bqz+Tx789&lOd$IMz%h)EY74hiQaQwb91MhpG<-f& z-U}eFIUK);Q&Vvz?pP;2{O#q%vZ9~<(Rq*5amhNWuEb{&RiFm&ccbW_Mp&!+gAZCQrk*zT*X5BIfl%xQKtOqhn z59{z797(0i2R^zV+ES5G0EFC!w|Eb|E|*vw<_b)&WyTz;pGHpSf3CAihQx2%AccFA zoV2@X#?lQyUhy5qQ$1oT_G=R&Snxf84VLXp0D10zxVCmJk1x;8bI4tdV)T)vQ~F;W zRq4%7$a?tYf+ljD#l{5b0D_zAw!ugFgU`Y1@^;B&V(`}G)71dJy^HUeSa+LKFU(lv z$iFa=IwI5d@AROeF!x_AT`#SMPwNt@8`gt793PJ{(;D-h`Na8Joey7}m%oKpfI?P2 zyoD+p*N(JbHkJHIPmL{WG|@hnR1)!yk@Z+S`Oa{aE`(860>JlU2H>7r(NOB2;;eZ% z%K4&0p`oCVHZ3FagnQuA{)qtFh!%Us!-|*re>0Qv?r)Ht^8Vv%jnqfI&B`mF@U%yo zm8R}p{AEK;a*OYxm#Nq;c>@Gj4inL5k(1z(V(8*s`$W(ls|TZ9w}GnP({uG%xpgSrLE~v1Xqn(Qrh5G&`EL34p(5I}xP#xPHf>o(RYYMQd{ZG+VNeeIx-_L{o9OvZ(uLt^4x7pGq< z_v-Tf`ezditc4UpZGzeMB?J%8*V}pvWNm!4SjmdXBOZTF20e))Z?!(tW@#w#8G1$& zL{IT#d1=QhMrCFtm3b)^tuXWV14}c6dn_5RanI^zb+Tf$9c(w5@qCdUAijwZ;|BP)3q`Z) zw1p~dI&D9V*_wTnpPe1k)R9Q93$2{o3H`XTKgM!dHsXEyt*e)UlwN+UiNj`X@DVD4 z@oWi6{Tut4E-ued-1l&!r|Z+a(Xt+18=F|W6~q0Wam;F#_i3Cr6?V<)1&v=H`K2FJ z^=poNqqYl`Xg#<-ltj@}lV8vIpB+nufNKGs{sE}C5^C!5%!F4I3xj_CrfD4*0-AvLS)(Ouqs=P_)(buAV9(mZ`-<5I~se@W6w>|+0$gi$KMxm6JAXTLs44%l7J%FheD;qQ=p-Lqa=%g0$*{PFOCJE>q$dlno=5R7 zZOrh|mihE6^IsH14`N*>c!{hB_2s?73m~tKgj+AKWf;sVS%0Sdpr<;oy!R78+P@CL zj~V74Ka(|BmQRU9Vka#W{~g!=$0eu)Sr2LnqLu;(p**rJC4X-5Cl7J?vA>b?TDb}@ z07!%EdCn~@>I>4JaNd8f8rCz;IgR`iKu!5kkG~*wP)m@wB!D{%ivS^Z?XvCnokr;R z(D~z~wJELpFGBMHWPIzAw(KqImPp=}?1*MSIODEn=S=#wn<>)S1RZF?W=cEX(P>~F_o40fL zi9T)C3rjpMlR6{GQ5KnvSC;G)cvc0cpZsIaz34UOAAMCK$fdci zg|!wzVephu^-WFUj!M?v_)SJX^*b4&HTMg;N3SKnV_xR1I%3Oh_UOFsO4`(Vs_IaG zQ7XpRQoNVEp8J0+HP`+CF$Mb&=O9;4jMYZ|YC#wBZt!(lak~66f>HzkLgv%g$&540 zj@7f;csCWyj>@W1HUJbdn5en8vh47Mz4ah&%YTYQS_Ao?_~&iL|VpJ2+kJDPsrm1c4bE*uc`y@Gkbujr_W$GZB=m@XX-BBnIhW%s(_}0!Plr9K_P9Q(7yS-@2~i= z-WWWQ3e5kIr*|8`@!NrBX9^g<{bWmU_~uhxV3tQi&?VP6(B@LE5h5hJ$}hPHEY{rqhZOJKHvZdK3As9xN^x*Ek#zX zE8*5J2*aKrPqzNUS>!F6f1i+jiR40?$~lYA#Weu3u)HRtN@IHdF8My0Ch5!QhXnvmg(9Lgzhh*M89rM)O$S+6~jCyUBV0Qd(v- zoxJRoV)X*+=+fMTECZ_n4`{mj>Z0Cb&y`D55sP(T=zq-SGPB(8h9M(t^yjrOXD$$gNIyZPYF z)dto0QY-L?P-@_fwT%ISGhr(EQ4Le&bliuXHtLG~4Fgqn09{`H2AEHX zy%M+bsn|HKJ!QCZu?(Ct zONO@{y9mz3I@5PtlKq9IgTWv1UIF-(;L1UHdv5B5xF4V74xa>SCIztoc)I?a#J5HN z{VgnF82>TebJj=4$g^<&d`-xUE&SfsdfFoWU1!@J`LMG99=?5}hTDSDf^VJYm#xWV zNb3jVB7jUTG}12Yy*tR-KTY9Ma{Mqf_$4x~{@*(9e*4m#Pqu3lyC%P1*aVRB(;>dA0~j$K+HBavsY+(;ap` z*`=B35<5??Fu0yj> z@oEhu-~Uq&CZDxj0+2oJwmsWUEt{kt^S#`8)hvUOTQ320oy+U=faxGlN1=_lcmV6} z%FrF;ehicj2A?JD2KfZ%7Gw2Jn3@+KFpdt6)UoEooyh}mq0H0rU%5PPE@>Z%gU0Yg zR-L|@q3K}o+39V7IQyEZg<$AQm19W8nOo162jsd#gh4(*%x3a%_fw97?2-?as_!0G z%*3M|9e~Mahot}7z|QXXxV4se$kGv92q1S{U~x)y^;n%@PN1(JZ{byL zDjG+?OD|mRaUzV) zAA>5Ck%RFC%fz9&WzrB5Kp(D)ZEW139xDUw1(p<6KE*u(Cd3?)| za?XqtIJe-a|@mVw-3_hF01|aj)8sgLbN)U)l35*+!XdI+>I|mSgxsaxAJx%paSn(5G9=Ua{ zS)EvPoqzdk(ExzkX2rJ>w@BLW$XL!dRlPeW)RYknAm?oF(^r!59d{U)*!6nI5_^b` zkZCQ{^}*n?CL{oE#s9d$>s@bimtOk0g3I@z;;VrJ04~V-+_&$1G5f2ITbZT9;prVM z7-=}7bTIhrneU*0Fm>X>GgTb1;&?4}t=2%?hEU?S0P_5l8|86);V#L5T_|N8DH9i5 zhWtB6>0t2LEq4I1JrYBj={`JU*HS?X&tRu$j`3Pvwq5zSRKr^ zeZ0+u##u1=?7Sd=G+m#*nC1U`?iZFKJi6YJDd5_$3?OGK(Q7OYw75EBCr5`#-n!Wl zo1AF%VDQ$QCGg9=ll8qA+s2D?nz%R-sq!XE(+F>f^ref z5i}hPKHF{wAmj2MKW6KGbh4^HdaZD>?uP#(lm{SqB1~H6i%r_Cst>L=#VwCf(}88@B!x zBw+Y+-xV?V?8hbmM{nJ@m^qefS*n9|=iV3b8?DI!4*{HnmqudZoo?a9{LH3&>3r4@ z1G^EL4hB~h+6It!0p2gVtHe?ztMucOA6)XjJqkDjV955GBVHKiqqg8mf13oxLjt~^ z$nRcMJs4b77Z1RnR4c&8u8X139S`#QI$H*CUQXBnC~ye7Ovt44gJ)UbQ9$vV$ zq-bu|Y-CdxhQpB`M~di88zc+~jlLg8?1G|X3pt@e%G>={p5be^%%0)&Kzb8q=} zeaZLZeP_=>E2W|Dy;f-BdS+CL)Io98NgROS{|Zm|jJj>$v+Qh|rb)dz*_~?v(2Zg` z5B*aDGwj$(KPN{@$rz~kk>BB{>x02nAKwIU%%ag+BjOk9lsJA8lpwzDtD4CL;N0m; z3f+R)hx(tqc0bFl(>(0PLvwc&zc=(F>p^kVGX?-&k(_b(pj_Bz*wTVO806Z}Emh|N z;0{AGhpWvon%ZYi2hZ1SI6ff{Is97>CRgQk1_+VltzGJ)E@@tVQT3IMgFWM(w?+U8 z?Y#Ec;+_q^bF56z#!EZ@_pItFXgVSPy2S_a0J<(gihBcJ2*)oW-duU;`weF9^gmIH(5O$0jU1+ z7Xn9hJ#~PEbyN@FJnkFtqK^;l_ALjG60Ql@{DT}5C?KQr@t%Hv4?Y)Xk-0$5<5ApV zJe>&c;owoo+yAt3aPkI6cyq2;Soy*@Kk;;}`f%ijx=OQaXztoN_3t?88`lU-tPNO; z`#3XwFk0Q2DW~O2OJDTy_85_0G3Az1OC>4{lbW_~XZCKtqR!NX`{axs%NFC5Mnwu$ zmv)#&!(LR>?WZ#zBKa)?tuN`<517Kto7RSOT1!z{x^;cY>iU<5ld9T%hThICu0j9M zUVh|bhN8W9@8g1=l-|67-C=}u)5_@>`~--ew9Ipv!{IjZ2ulzFT~6o2x7IOkO3#VL zXMR(fJQ+}4?DX`n}s!&z9K@&TCbH0QZ-~UtGj_Lfw6?1&|=dbH$Gx z({fUf_%AuPzY(i&W5OZh3)NmWaxw57^hpxToz+s%j>~zJ_t#v(q`h{I0A64YkSEQa zKg;`7&M`LreF2Wo6=wjK$>?#C8L7PC?4ztn;pXFcT6aqDuMVbVPjDN+)5f&C7Yt&> z*XgQk+%$w|NCETUdr6=~K=SuGLG+jP#( z6U8@Q3b(G)H`&z}EKUQ2j5Kx`SID?=Y8*3Z9%ozhS#N{oe{}w_$RG3oIP$EG;JwWD zm?rk8gJ0ME;F*$3a{zH}w}^ZZ-ko~vfkvZTA- zfI_O#Y{~b%ZG}wK6=9SgM(CZ5TS5VXXU!rSOXi7l&Zulx#vKt6tQ0S_zRs9dvO)?# za4R`&OyroDMGU;u-v3@~dq@B3X#j;y6;vu@%q)B5)%o^y^$AhD2xR*^*no zjuj!8GH|Rybj04#Q4Dvr{m2u>lW25M@wEE2RiJsRWvVPUUd0(a0os$;?&W48-U{Qb zlnBS_xedV981%9-!<65)N{jbO9A z+*svi=lGtqwQ9LC#M1U<0_UMO!X~o~*~$p97o%5m!mZ3&BRyD^PMwU_%yoT5q#3fF zzEN*`K_sGY>8WgqsL5`3^{t$%MuD{VRrY<;?s_dAm@Lk5Afw zlZi_CKUm4Xa~2BrcAj3IuJ(5B7*;Z-Rr>7~fU9Hi`1Icg@BZT6lvN80hGkf9doN8#FAWFV6zqf#+wh9>-19-+VsMKbZSwtg`C;s!GnBIMd zN(6w{5dGAX_L4=0Bsa{9t_R-An&&N(cpv?*n|c7w z33#z9cvg7TH*x;HwOzMt(l)2wKP>g~{|igCI0q2&8Zyj`GO;X`BdvzX_uWe)o8wXe zjKB)-%0BA=MZ0`F#yQoab6nTO@%M#LD)s-Jnm{p71wjC}w0z20T4Ws`Ct}Hr{m_5P zO@fgXK$jyzh2~AaQBP%I`8VxE{s6Z((YDWEPN+YVKrU9kOvU1dyLx-H1*1}%Cf_CR zI&%U@{p%WGt7ptDy}pR2>`{aAi;MxtU3!0BP)r8eO#~qQCzo4vhdZe!7QGEd>ARIq zswCC{T$uIp$WBo*?Pdi_JB3ED)U7D;$iF(66LVD*fOPhTTLZa5k{V5IKfR;8_W0hm zN)v$ZkIs{*{0hdq=9q`&GQ|9ts^dGFn~%vZ32y-Sl{{%HHZNCZ`FK;nPtMteX|{=1 z03IUp5-46%d+Sk{!1g7Tt5S_u6!~?FS|~8s<#{^**1qdm9wbZq{QvDH`T0f*MsuwS_c%B20 zS#>{4S%Y)cmza%`cw>E&oB@C2!H%ej5MzRuIR&7=8*Ex&qEm->fMuzgDe_uV!2_B0BAViIEI3y}2?eIPbD#d0!CSL2FA_s87 zhr87h)r*;iyIj67U+>+-^g%MTabd7Rkq&?mbPV7HVN>&#xiSqJmp)OJr)eWwu2TJE ze_Y}M`%aiV&sBMMASSP({J%`_pYsSoQBI)#m#ehyt6s9%M*e!*-aO$$y6pN_Jt>}C zsp$hLriz*4J-d3&?c?9N1D=^YA^%GI;wOLC$xYiBbyJQ0WoOd2@h6jM*2)y~zBeZ_ z2y&abXNQ!&yyuzhnp8_IkbSke@==uFrm>W#3roULDdOtR4SRWM~h9Hv7QULo{+e1SDWh?f7LU*1-`e#nwqi(q)SgJ4U^ zaGFee*uP_{@%uCHdp++3iYbK>1CKNX>(BmAR_Kp{g)UzH9(JyOrg+u=cG)rLK}8gR zBh$jw^sfs%b-1u=pMdlDXTN^~A;|d|A<}mWzj0ae{>S*cpNuL32++<+mz5%6LoT;o zY7$;Z%?RpeVb^uP(Bb#I>(CqT{ zYk!L~N_{%I9sO~|grEil0P+`4x<@R!Prdniovc~j`U8ayUnzhbQdY&Tb^atu)G(V5 z>xs+W#eaqj5BzzZF(D{B13<`(Taq>(jm(uQ-=3xOwNu^k+JFIqYw~>IPj&)k+t1R` zy^o6O8YlbFz8^6msHz2k{I+R4d*sY&v!>p+UAgj^kuqV_8o-D%g;RUBft6~<65bP6 zL$7T*O(S8(pL#G?cFpquA*>Q$fo`Ud52ju5#(W$Z+BTcJ*diAC4L#P z-FZ(BpA8va`U7d?vgje?eMdpiVIF{x%Vg@qSxLKF2+ZZ%Deq1PO}J131jn%uE&ZX~ zD!Bn0X~`-@hyKq`NR$1K4kiTccK`+Cp5q$MmnAz=e4!_9TkoXZ#>m0}oIT#5iCA&J zW>4U}|8gRKX||C>f;lu zlTxQ(IxIyk3tnW{3{?*XbkuVPg%qjR=TifuD!$MKw7S0-jnvfAt_E-s(_@~e;UX^2 za&HO@+L>fm-X(vFrh@?;KN17DqavbvtuJKc+9r{2BXE#A_gV-SKqe#vJtbW)*#vFH z@uWU+t2Xo$BSS2xdN82l8)PVSa`BuAS&m_0jSQ_(`AKd6?sXaf7qG>IKlZ0HI!Y0X zVofO;c3g2lhM-V77|>Ds4S?(ms9sgK)D-|wsJ)PG{5{r@_sk^3 z0+l4LGrHvzXgV0s5$iU9Oq0%Co$vg)eZ`7d;AWs?NX5N3b)fKcWw7#YnZgvMmWaiZ zP&Xk}W-8vlp8@h>3s%VY9R(dTZvX_B@vbai1L^9rFm}@9wDSyU=Rp?8!=Vz+uM}Cb z2-u(GTi42j3whGeOj3EVcfVZ>6m$%P07Cv?cCeO}%t1GXaa-q#(GeHkBXIyjK5WlO zY`FcP;o^Z74T;5LnC;LUE8n5IU54}n+0GZq6D89yx z)3l#t4Pl+5kvHH|?B%r}|H%z-51|M(B29i3tPL{7>WZR4GSycDUm%|{IuM9 z)2lWw7UfsaLN%Ds@zW}RAp;A;-k&Ys6FioLCe~_FUGz4H077WOY}3a`36~&2!7hlv z+3?3f{5Q0EFreeiHh>#}Fa=+gj@irQdcmrgZ?y>zT<8IO@0mdy17lv-*_-venS>*% zSPd*QXgV07P~QUpKTXzqj`KZkqzIFR5imldQiy7kzG{4l$0B4(U*RSs$-)u z-%TD}=ie}=Hxnoz9*>*vFHFo4jow(D%A=}NOtH=da4ze`jq;?615rllMp_8^QG(*9 z=+_wo779WD(%BR*eSP{R(ZIBT!n^7KcFi1We}E7y6PbM0cC=k(Hi-Y~ybw;&_bcdO zMGVOItrkGnW(gI{IrfKsT)p%xaa|5isq2;@fMZyHRi!0o`#1^`YsL~kbSO6YgxvIi zy6+F=e}}+d#z%uyCatt!6@XwLcaS_)H)XfXQ}=alBdwfM`b8XoZg9M6KDC;7?>a^N z`Tn6>r;~qa`l9Jzz(UO^0GF9M(yhrJU-jlz-xmqqH7K`S)Bp%^DIw|X8bx=mL0<76 z%wy8*u_4&#I{(5#-#~!iHVc67n0-HCrM&RSGX0DE$CG0s0BLxz3iGdiQHphc=F68d z)R+}xjSidJvU8F1&r|9*pXJzXD}y!wWWGhvz8C(Cg0cF}rmyFX1AC)n2Y?Xqo@w;) ztTnRbL>SiFuu}nWZRz(igxv zLPL1_^uJn7>^B+Cb7wuF2-`)Q4>93o?F4{pwp8WFjyzvs|J2BsK-!_N44?IbL&;E)SXx26POw1_%jr`PDsk{~CqJ&@tXN-^^uI9t41{UDt_} zQhZE3FdT3y7|&22A$Sc9W?(|chUy9A=cK4cIBPbW;YTJPs?2d2(cIIbQgYj zbSRfqbLu@>ke#KHN1ls=8W#q199jYhF^!MHSE6`a1Eqf^PT#rnf#bVa1%Ts9y)R6C zF;h`e`aI)mvDS*$(1C2$@J9y|I(mITHd)~L9=Vq#O#h<*k7`@we61o*9Dr;etDb7D zwmVBBMazv}GvYXKl7u`L=f8FS4TX+=1ckH?1MKu&$%m_2N^;tGQWG}sj;jEq@umvV zdX_NHFE2)iH^a`nXF|GD-O~d!*o+As<=v10H^{A^Zu+OrIrdwbJ3o1@eCy8y2q`_vn;*q< ziO%Q*?-6G^9O7tl~wS~&e3`D4?^P&LU9@!%r7~!IK zE~lLDa!|8oN|Y6HD>!Og7;vtq13>DI`C7KkC!Js1UfUOAo9i|1eRv2UFC2A~4Xh~* zQJN%~5LxklmE;F2ExS#J^?X{&VZr zyX6fZBQ!WCg{$!Y1n0DrK_N|gJK}rH{%Xp*(%@&G%TChQd!GQv=GH|K5^ddTzGS*M z6Bn`V880m6{{-h+-s2qeGN*3pQPI#$m{>ua zOxdpC29|FFL7u_$8!--3qpQ}TdQq(icv32!x<={yI${NXI!37DEF14r9d(8r<%_PL zse8VdKi5xvWFYJi-jt(fHoAdF!a!K+_MJk|lv}TItD)RaHzR0x`0sDELO)3?a#=xz z9qGjZbopsoTHg_8UBlNsiUOSn`?oJv41vPa#AS1D!}5zC2?>pcR5LDAeF{c?CjI$6 z$8>A6h5!^sM;d{jvwT2#ulvi)(zml#vPnw-@(vhgnvHqmX8sHJ?Dntt+PWb{k-s{a zF6+8CC?NXz`P$tU{*RVUU&ihQlDhMXWHp0)+yxI&m6Ok=Leg~jd>52@pS~nOPUC;- z!E{-#69PE#*c?lI;#auGPIXT4O!@xyU1n8~kE^TFB5xYwC;Ttn5w zAZCudKB$C5jJ10=V$h!6*NbZlZ3<{5k4hA1BD-heHA6^9s>AaL&wd=zUI#yS5y`7kJ_~tHN)%hO8^w~;ilRTtVfn~7ZXgm+q3Id!h6s% z%qof2zmq1YB!%7)fWi*bwI@S*LJWo-#-|$_%-1IPm;j9EC!5fYJ)l3}=1#zRe4hGi ztrYsWFx*i|e*j(g{xsdK|9#b!w^@i{naCKu`9v z=M>cz3*p20S%l{3@q<+A$F%~CieCMTUtcWu-hIL9uIi~wOzSEW9ijOu-|?Bwz+0bS z>V$5qhA!TEUQBn?-POs_-Owa~`%u00c+O%gbuBi{xKlkWop{<8d4K zsUR(-KlLc|ll)HUq2{V-RsauBGk;^}ZnebMf@$k)zDIv~-S) zry+M%1|USwv}KyxJ7^B85F2shrdd|e_RjsM#e&uk=Oi>pzQVr4-~Nh%#L>!p|GE=o11h!P8)qaIoac*mQ#FB8-{1H6HeG@S%P`&S{xkqxDfWN&v+`)X8+ZNl z!>`|pm&lCFKpxIAZsps2;o}!qi8ySSB^QqrPLOWWpK)Qj*$(UgA<}TLsKV&cGvgn= z{cuiS?E6emC4g+2NZ8)Vhu0RpUcuueDXzpn+kiZP;Q#U{rT z8xPAXHonwX0=S0f+owlPdj+x-F8<(^>Cmg=9OUwi(!q%I$YX;-mSI~;v9TJlQ!b}0 z3tGAlY6FOlK>_(2Ci|+JQ7=8sy`ng74zDD$>mxrWP&yc{xcm%&6e+i!)_Bgue=M)M zNcZ_Nu}WKQ04O}|7)Sz9k4;#sy;B-`#Q(s;&Jw-#9)>IamSG#5o zdfhr|A9i#C$XvMWQ@!6(+L6RXW-h3Gg!Gml^7QvV^448TLGs`=fGZbSh)= zDaSg-3L;qsP)Hwz;;~0m)JfIbO5hOTxbpS@8KC}eoqr=ej}HMtAlZu8nx1SwIEb~+ zC^zP6>`NCO04e`+sEsNbn~-O}*u&fPjAOKIQy5JL!(9(%00o4UbfG?6o!S{%)gAs@ zgx0oeAwK~^T0g$;!`XqST<3=bxKAh1Yz{ggqb8_&Fx>T9695W-c;WB^XTUGzS);zC zW8Vfj62Dgfp8C}tzk|EyQICTcVRmjTR%SL-3QY&YT^A+>h%>U!{rTf3OU;bRn|-qm z2fF5tgaLwAXHa>)c55nVDP_e^)P(=rc{*ed4^%xE?z%1~K%BE<+8TNFIk&Jge1_lf zONDn*BpE2A2~90hRnflF`;OA0Gn4($R+S%lf(1$k!(F$u2Ze0Ru|6F%(wUXnKRy*D zIO>#=C|3i>JWiFhZE7o(JNf9v3spMRf=?`Ht-&xOJ<}ZkapA$Q*vgx%{<}l1_nyyp zDcO7$rveC>8D~d5YZcND5;xRR7@n2;`+1`M?aE_BdT`eOoXo(LU|YQ`A!0hELvzm5 z^~=p)ToN4gAwVGdJ7@ldJKKy-r4>=&celB0U)o0i-GQr7iwr01?%dx{i9QJnf5Lj)DMW zekJB6FEA>!l1{^xy=-FjGs6u@Xa2YxnC|+e0{~|gnil0|Hb}Eq-{uk$E3B0h=`910 zeWy2VP~GaquiFA*;+JQ>>9Q=(q3K|_>r&SN+;hwm^kVJY?cxriNx6^hMKZ!#IG~W3 zJUeE(IcY7-a9rh-V@i}tlMXVviK+*~T_?an9yjEiRp*!;ciT)euxrF?JLq&RqIssg3p+#dQYD;ot%^fxn7mr_ePhAnf z5wUmuBoz<&YQJh5ye?55Rz6>c?nYv`^wg&TWKl=_DWgkeq~qeV15f6=8zggYUxEVS z1`#2xBe}RGY7@yT;92|NkSQ|a_}}CDH_{{h3>2~sgitaYOBtoYySNo;u5)T*<*Wd* zeA%hQSr~eM@R;e1+Rdlpgb%FH_Ms^RxBfzo3l-_%wg&}-dS}i)knr(*B5*frr&Mq7 z)sKiUfZ$7Ye|;@2Z;^%IJ?{IM;W!@tw=QV)V7UF+ivYU0Mpqj1w5OV(({<8Vub!YR zKCBx+nnAIYuF*fwex+z!QSHen%skvEMbp7>>2JRQh>P}ihiXkKuTCHCC}&@z5+!jz zs|Mf%AACI;^YFg9Un6RYAvNRShBGDTI{&)#R$Bm4N+;oL_t|t7J_;-z*WbL_WT`d- z;D^-({-Wge4(AM}qZ02cifS0MC86v5>xv6{0ysC}R!nG9y7@)h?T0S*EWXV#Tz3G1 zzv+&MX-)!P;8@Sf?5IBPtgh7m66wjt0+8~p^a9dp2~k{vq7Tt)>3*9ehcf_9sSLYI zZ|HaYl6N5Gf!c*@k0L4Gqt$~E=?N%D?%owBKX|oKD|iSl%#}u6S4wH=)X;!*9O zewDho_{Wd4n;OVUQ)|(5Fj_7?JqrpM_kzSqI`6gSY<4y5>XTZ^QmGJw0>lKlQA3iW6LXUD`xa<9!0CIodE6yU9elDb9vdLkcs2QPiwF*GKJ(ne)2fwGB znId6XOH8IlPRu6`|E-VhgIfxEN)JY1dyJ~foFmA({Bto zs;6njl)cP~QqUu67?B=RaZt$MT$Jaw;+g!WOAw+rFR0AZ0-oNCWtsKy2}E@1qIeCrLtY`*eYUS z+E4=z6V4E16#37%Fx~aWJY?ukB{@_vtl&K9l>p;c4_}a|FNXohf-}}LtmRIl4tV=+ zzJI;>c+42B2NkBfzA6UbRj0@oVutAtLTAZHUKE-<{*^P03*cou-}ci)n?!ND(^Mbc zxX*sjc!$;+RdI0Ux7~z_^bjxt$fC^cp*u&dP+vj40B<{OqqU(u4uD6ZBn~$DM8D!^ z@k^EJuChcARNO=x7iO!(GXS1X9${$sJKrr9E@LO-+-hqW}syR2E-K5l>Ew95hb`}zLmuoxThWzNm^2Bw0Cd=D6q4aoI_)2nWDjZQFl zy|pBBBKRWr3XRHPQUmO30Dgb!9hKVAmlmIfDC;0PPrIzqW>Nqd<-Hp=EN+||->#Ap z>>j7`n5#yM7-3R_nsNZ&-_7ui9$gzU6n|Ot;x$XTe%#|`fVfyob%bp->Os-BpetRp zsm2}+BYWxn85brsU}Xf5shT8CWZ9I9@elz=s)OD0b7Or$0RF0n>xorYc`CSx;_9=n z3LcN?U+@35`u_tp;9vxB0^=cDiY7B&Cx}t8F3}bz-*EN^kSW)ZG(QJWuxIx&UR&ZE>+$IOA6BslQ8jN*fZ!D#Ybgj$-K|>x z%#^W1<|Lif#POeuARQH4fDl0Ro87r67;{FdqEvS;j#P$+azMf9K|=)9nOAL@wSKvz zs*E&os>A9(@iyjme|S4j8Jtl5AIjc3tg5bU_a1BYjS@&i!-ltL} zS;%)jO5xEi*8E^x=~P}fN-dz#^^k^+=ibkZH1`~vor0!cmAuM#9mG?;LFEeRpDp>^6^3lwsm6`wq=`DGYXD{?F>J{Z{P@OX{ z>G&d#2A?o%8V=6@g65isNNnS7pgMVkdOCfr)j~oX4nVSmMrRtgop;2RGY71x!3puH zxJ78=!Ki7R?*ni);%%oHL>T`#56RJW*6>LLLWlt%E*zNap6Qcqx*POZ*<8jKSJK8) z^N$W@P2*A$Kr)U@*ApEd4u55+prZ^Di_(7^8wQ~34@va+>K@+~&^fe8K_s2=mOMgF zb;3x8nllAR9XcdKd{FL(p0VUNMs3&ytItqsU z-fS=(-*(FY$)&`g-zLsj)^de!L|9v{#sT}nns;8$U7VAW!M%gIjK%XyG;UK4629BJqAdQ?4eI~bF~@048FwdlarJ-ILuf7 zrKU0VfdD*74J^enveoDcc>=rXB-Z)# zSM!84euhb+OJst#%x5>tc?EwwSNOuv!;N=qa=d*rnkX+ju;LZj(@>JzFV`ZTk}#69 zUCR$S%ja*~g*)Z3#fAOL#p(PdTmp_u;v|HGq0eIK9<8j%X&ToLM17n7#xY%af6Q=) zI9$T=k-e~P9moGz(=ao0xAZo1clb|H<3B5ciIam-4JGg2vUaQ(vritY%_gy?lpDzL zu?BerU+P0YE&UjV>-W8fDH6z=`>$pG(ZR&YuKfVAKaPKZ+w^5eHtP^inE5K!tKsE& zfV@WPl1(tez|Ql5MmK0$!xPsz8FkY6_Z@j`fV=Bw+&Fz6_FdQ&8Z(zo?<6Aihy;*& zl15%61CzAutIx$}euZVFKv5`j$8RiziGkUS0G#}-hNX-__}tf|z}VZ*+YzL~j!6JP z-eY{|4kAqHUvql}ylJ#Z+~BrE)4{;NZd3rt{C&>mJ!9P7{Wm+RgQj5?$8L=&08SlN zXi~dc{%Dl{`sepuewS#hv1rhAFfi~9EdV)>M>fVULmBvOUQ39cJjw*q+#dkCVR2g0 zNUzS|1J!zy^e~Cu;c2Sxe{?W0@MtiA?oPdy^}}f*JF2DzsOYdU(% zcQRh{>M{fw&g1Rhmqx?nm>AfK1;C+)ZI;xJiHkfH-|?;7C#*SeUZ((XLECsd^`+4J zZ)LOSQpO8UuSjz5pp6Fu184jMNG9RAv(dr|nzs;#OG52316GDOF#yThp*>g9W+mVss#Y6Bu*u#mjFb&D(@r zj=lD|GvAKQ0c|`O7?{HYKzB8hrb`UP4%=;&XyVEkd>_xPrGq>|mQo!&mB;`$(ZC*G zmYAi*gAr6i+Y_vafq}hwK^~#-tC?r_mNpibjHN$ni`+Ro9yUqq1UQE2KOw z+mCg&v4#)zx%nTRzcDalHGuqL+@9UujKMw>a(sjRD=fOJSb!fu>V#J+=oq=TZxj;Z zh?CDec+V__GE1K5U|`@iB!KIW;w8y6%gh(9HLMTMUYJrH9w7j5)z6Y5`p-it4|lkd zJKMGDY!HN~gq9N>3=FIn3gGs|dAF1+&J^OZFVlVm4WYXGUHN~-oNTZb3uR5Y?CO|csBQqckg!^@9ds(RnPG}~yu zJmR?`!V_IgjHZKufzQkWxIMyUzTsEfWS8wr1y(CuodLF;djRrtnokLES-G2R8ms-4 zmLw?JSgt-F>k4r z6hX(X7$)m-69D%)?%;c?jl{j(?*ClEH$bd-c@YM17OyzFIQypQ#iG4(x5ovY<_RTe zN%)u;SVjUsLGl)Ds>dmfQx|_s2a4^Igs8JN03>s2d89&gnwn-tbDAT4kfwi;0D7_t z1_pk)0-&1`zG?P&Ue>ygbz5TzvBRj=?z;iV^nO;igv7@z`%KDH9HVpWJ@W(T=5dV9 zJIFQwN0AAvy~y23IIZfKaq7ba!CN&xS%y3F#CmUCL!?MB5u}=A>$fg_C%^|e$U|?6d1c2nA zf8QH{BRr_DD_tM6A=zGc-5UT%WoBHt;>O2aC-X<_?^9;6iA}}OKI>&Luxlg(fLny0 z#A(WsS~^(#@DVg^8|czpKL_A&H~)@xC4;fxs7V7y*>1Ul;hb(c@FtCP86sw$CLHKz^-4y0Fp;Bp*BH>!OM403WQ~DK<;?+-Nx&TkOO5o( z(|6+UOgQ~}=T_p(K<=q@Hy3(pMXVlvSEVCgp|RWV-lAi23|vZ#vYWquVc*ZS+a5w7 z)NV8{<05Iqq6;9W^%kc<6Ia5vp$3!9k<+Xi3HoSBFPONr7z@Dnb==&4l-!Y%J~xr6 zDeY;Xj~j6bu8$R8l^CJU-UL zUB28(I7KbF3J~XS-mg5Q`Vxg0PcJ6h5897O$40rve(PX%sPPp8kd^1F)cx8p! zk-)gDzmI+MGJp%DFN$b$2Cd(jS6VB%7}n*b>g#&ndrz`g&mciWfy zIe*NZr@W2;3P@=g)XUmd>0{&((x;`Xy+?Tl&8&@yOUq6Hcry~`0;vtsN| z^8|PtdH|&Hq(g6rV}JyXYagY>uk*8gB^rk|FN_4FBzu6o^5yw)+0p`E{|={i&8C|+ ztvtnN05=UZAIml1Nv(gz|M>3IPhb#SU_?_3aI4Xvof&oKZZK zAqo*^Jhf8`ko$PD(eO4VE)|CXJlds@hHpV>a8B>S&}SJD zbvxI)dH~7z+0MveKJ_vGX|FhQCvr~OyJIN(%*lGa*8Qim%n9aH=mU@u4)V%AO)Cq> z>8l5)-ED0{6k;?0f|TKAdLb!~@h6S(?2$9%IOH^|D`+|xm@|_QAg_LAZ2Nh5*Gf$P zdI(NaRY!oT005AZ#jd((xOw3v8`)*97_IvaT_UKK7$@Vw=m;~m1|WZG!_Z-ZiQ18p z@tYMn0W=$iY{dXx>I)^ho@{WL>;8=zfquLQhG-GgA>iLSn3yx>GJpa~aEK~zzS;A% ze0kNWILQ5u_FNHw-z+blOV7ZgRTj0r9Q+`@sisCs1x*Jdxk%X%NmJJ zTT-&hLw>xs{1!mo-tKuu!ww;0!_s3e6jX>V`ka5qoTMoL@_7>JaSvyc>UlTiwn09!LLce~D^G%Go9fFenCi;xbfP z0+1Ec{zevCKEJng8l##IOT>aQdk26Y)Fr*={hn2ZC1mu`_-bO?m5iA4|BZ33Y@Pxc zXIfou&URdoz%4hfYkDdbd>l4%G?$O~6_!A-pp!QflkDH9d6`-2J&VWdA3T@b?l{Ob z6{L$@u1;-e;LV_z(LLLL3B0fhmTM`|Kw4HhT_p&>i}6aHS#e%_N0l9=a-lrIK2_i7 zmRIsIYw_stxrD%EoGYKj^NlSpli9|@f4dFCQS&=-8y4~d$ZrovU|N@J&9{Q_<*#Um zfenHF?*J*xHN^!U?j?868mYNo&~b_9!A7&fVfGe~a0YN_nuqDq7Il6;p^Eqw-A@Fy zOlQmi94cm$V@YyhE|ZRvi+bwm5*6PU)NkznfksZH0(hiEytuzGR@{msM4fOtIO_A^ zfdqi=amkR~{>iql-|A1^m&iYCxk>02t$3n?N&mKaK-P|(&0=+}Z$oJt)zTSs*fV%$-&UFZ$x8H>&R;o2I%NQ|0qJF=kKdTxs>{XVO#4ylS{vsB zkbK3j6KNu4c_yb$cS!YgeE@P#&?5LTVWbKpfU}PR`!=_#!|p7uKW_6nzT}rg(F5Sv zsU<5u<~1suk4#m>O51tYy@sy-d6Y3>vko*gbl$ryOk>-2GRIx{~nRj{~2a4uVv5xs>1IXpdhGkxh zTm z2#1}jqEO7}-P;t^;D3RUlW_##i|JUVNq$jCZfWAhv|iik^6~tJ5=;v)W^}xyP+G=Q_n;7#;+;8>n>vWQSI!a2% zBiLUjH^N}u{py}gL}T`MZA9DI=;Y`2GwY#;1ys0KTGF;!^^9yEeGl_acPr5FlYJw6 zzIpte_^`#!gR%IlpUoEtYA4<713UNC`g;9rSE}!yuIa!XBy_S0z1n4KJ(4bg9DdK- z=9(4y>YCj1@3emNZ4u*yY89no+9Nk|+$}Y)w}yOC;F57snG_w3NUG@U$8u#{(awC+ z9V_Z{(4|-$3omyo5h09>Axs#_I1J#T3lcea zySW9owKEWj7Tb&L|te@|v@bw$cXh$6|VdTOvfSmBN5?VZq z=O!k0y!g(2C1_O%8Us*}(RM{5!9vu`Vf$keTX#hk8$r}b#s2|DK7#?|p32`_8qeFK z?i17(XwUWDR<8O!fK->~`JvV~-)~`e-5U?M!^Eb!hQjbCIv8>F9w=|C*)o?C)=Gt$ zfQ2|4r@J>ynvD z`YqzYI>lMhH+nAv_{~nt_K(W@jtno-zFfJjPZ_x-rTqs^V8X~QEdZAcgvGwdE2hy) za%2<;RV}VMEhq}$2Q$m&a?>PU)ETeTyU6(Zl^!UCqv>G4$O}OLZmRn&5a%!Z(dw)qRT=iLfp&m3H3>ZnX4j|7EedkFN`nAM+^Ht)_ zO7i{O4}Af2T{`Yzka(wTp)+|5jl;I3PUL&^Sa%FhDnA~8)2*GTUKP4Ue3)tx%<;Dx z*tnv`4dCV-_YH&70J#119QF!C!afG0W~+PpKP{fIiX{70Yg#Juv; z^at>V^NfZ0JCo-E_k0~?@Fj9RSAlY?pUn81#E$Feo%UR+Syu%6oiUIH( z$0M=Enk1DTF1pXjS~CPQolPhY)`<=Vj7%{Cc_jV?7n9}h8qObO@4KcD)i>=?NdP#M z>e!X@jHCmHnt0J4yB za~rY8ck})lwh=stb;-?OrVUL814e#h25`NnI6=w>W68Iz*hJSqEk#g`SdjvFO@j4j ze(ev%Gf#y*XjYvjpl7epJS&(m(x3&vUq$)3cclauDaWPnEj;t*0B~v|fZVzHH1F7i zDF|NEytwtrB_U5p9JT-a{y4ydk>x=E9@BbQ<{m1jGufqQBfcDiH{!Il4Paz2)8qLG z$?`aRooaJMvf?|HnW**xCps7~^42JTUofva9da?8Bqz$av0OU{5M%(y~ zJElH=hRb-(n|tvLG1^H^Oc;rz1aNAco#sGlO~H=w*M!^MnWxOky%_*f&|8&6s}J`g z8EZ2q>w#={%v}+b_xJaBFk$4Z0Dx|P7Rxv~yRhzbiMoAcV}g{NZQdF{dMVW*#|pfP zCb8`TqX?P;eivG_k0(qR+4KlN%C`i21N@RZdnYawAILk91>U3C0Z2i!8)b|G0SY5u zo-94DxBo#{FNG?zpNt0sM*hqMkenukIbL3OS7^yJvx}_{W!}!S=K#99aP3#==b&=m zyRSk{NlgB#7JH3$oiSnLGA%$#rttv+hkSuNl#tKq+G5ypk z8iGT|x3Jui=rPzBp49w!0H@jnb?*)E#zITI`UV699Mxvm{Q-g@sa{aex3hd^bk<{b zo<;WCHHLJwd11gv)(-%(e(-4Q3$tZRAYI&0q{tIqejfTx02h)3D|QpD3zmj#|)AijI?t>#OsCasW& zdv#~fWB4&(ik9f0I{b+0r!S5f9672~7!m{VVVMG5(VJVIqI@w|bZQQg4y`(}+)QUrL) zsQ2l~x?{k|h(Um4%_9C}V{ke~K^yC$%tuPKarK|q0P^ZKR9x+>&gy8I=vlU;Js?$u zZG^7#w+Hl@9e|_93khw1Mn2|Lrl*Xx>=LWc;DSLmR?dnEk`BI1@(D35Kq#G#4N;+a zo-ko#YbAgJ=wfe#6d{yr;k{ePv)|$^z*lmBlyogvd)X$o{c*3H@p9RU#p}FSR1(w4 zyfBgx4q^f1xsrQ^{QCa%cL`IiUb307ODz}o08-GDo897WW@|@X>ta$G-LE6&;k#%$ z7%-Bl8^C4p6bPeN>9(JVKE^^raG-WWh!}uw6W;oUY8bAEDdB#TKXuJ42{36;uC-Rj3#xow#k?K4 z+^Z_g_L5?i`}m`9dW%Q`@W$Hi00h<88;f(if#ZozB{+y8hZF@8ew%_Qt^S2kjc#_f98b=Bl{HqoSUH( zLP%s^UQ>AC4HIWZoO`XiEyz2|l~2QN`o{39SMLjHn}a!8^%zNXoxhV2cuW8sm00Z7 zC}y`vNjASL%8LwoZDKG2kUR|TCJe+%m9cGDt)5o;lDGuBI%ql=$q3TV0OFj75G0#t z+5gaQw}YK7wX9H{{R7CsK9a#HWFxMMzx(LPXkhfiq3J7V_aP>XtfK+&bT9d}f&d5d zwYN4B;*X)swWoHZ06|SgDsZohdER{|n-=fK&fScpFtj%5m=Mu38sy+){Sqob7|}N) zYzrx$7#KFYMKb~fg9U?=wS?DPjJ@qB3#o#gllm4asp|K0feHWGtO4SJ#HgUSg(m)3 zQsZ(I-9ae#5X1=(G*$SevbK-plIF>&W+=-T6^#W@zZ3rG{M8QHsT)A1>d9(l%FWc~ zLQA5)gIEOFXWkNlywg8VE#43zKkpht*>twEt2j8d8m(;$Cj4WQ2atn?!>{IN7tUh& z_)=_V*X&#%%r^t@ca1S;p%tq}y%}|!<2vfFYH1|eb;g8$hlT*&WqQ^uC8c4UHI=xm zv0!ZxFw#y6pqu@juS5vqRXHXPL1? zc&pmKTzzi))~Nz|1w)s& zbAkvRr9wd-p}2keoewKIY^koV2j!Pfb1WW)|A~v07Syi#-^9fVo&pH!=E+phpCuYF~^_)Hbe3ap0v;&z8f!$m=Xp?QL|R<>`OX=|FdGGth2rCd5?-n?6x zlF%(K@Q9^*^Nw*@p(Kv+nT1{IG)u^7sYmAZh&5sbd{T*P7mwabKCYPZzzFA};_jIz&9YK25@vH=JGKpzp9e@zvAI>G zWzy7^kICHKKpa~q65p~vI+!NHS2_T?D~e6KZ`*yAkCyb5_Jw0)sysOoz~S)?Wo=id za}>7TJoKbwkJp!GJ@})8$=jHI0R)-T;&bzS@xxZxsXWugK(S9XTxkHF8)&cGA8nF) zGFQtJZj!`Fy`P85&;G;h{^D(oGXRq9em%=wuh`J2^F<#Ss|Q=ylqLYk$NfIydHs@x z7s0L9umhptG`lal4u**kvIfX2B^T$DQ@t#%;Oc9`2Ctl295(ST^hNikf;@sADl)m8W-5+dkJgb7 zb$I?TW$(Z6w#Y>S@FbnxdA>gs%ekSy%3Rj%wafzl*QSfkM=bbM$hX_x+$C?KJ~_OR zelUZKXkGKOo+=V2_O}{}(b85aP;Us8JbLbOUGAZcZ0-}gvt!=`=lTeqv{gj57rALU zyOEz;Bs4r_?9PfUNY-Hyx>CxF!@}}fXxBPF%kUx(ZeuV4i>4s2rPJ~B2-dr`TldvA zod^;sZmya0&xB<4Pit!UHIColnly5ib*0s)Xm*Lq+iQ#0B{cNmw@-fe9P(loyx>UH zJ+smg`Dtj)5sH(%zM%H7g^k@z&Wupz|4#!zwXjEJ^;AtvFo*BRbM^+_B?&w^@VqLni9SM$T54> ze{SWx;gEZ_EY)nvchO^+>wk7>Id{U<|IIE<*AE~MPTREI8cuuHMmJ@DU3DLyACVt#L2rZaDk}K%H#ZyvNmY0~f&0 zN2?r!bwnB~R7zwzYJTikhpRID84qTtcXug(tmn$vo5JU7#rD%?gl_g-yWVPY3&5`e z%az|dh+gWF&+i`Z*VFgI-9#BQ{_KW-H6;Gg3Luv-TmAE9Iws{AY$^u!l@H29=FhFxvNsy1Ejbn;juSpl_r`zo@NMMwImAcxCjszt+!-* z4SRlCTwY9RuNh+~=~G9`JHXsk`Q!kkF<@2EEpI|3lhW$5$(!A0H4oSUg5C|^X|`}^ z`!#7-Z=!A&?@r$n**}jA=B`>m1)v~H#vy!hV-cub&l>-InInr}?*Twc4_}m;d^D_Y zF3@(LxbZO}h5jxob@%t9hiT2mjRcTlK(J`s)N%U9fa})xChhj#XlAGYI8KC7(e?&j zcd3WlVB%KvIj+ov*MHUvb9c_v2YILY$4g9$Ka#KN1hpf3n@R?(AE~0MPEMcqIE`e3 z@g^bh%F44kpJg!`_x{yw;e8na_*6{uUAkRVHn*}ZE@<#Bv0qd7tawrP(dFLW|6Zd;3<^3UtI-{Q#F@v_;+>C|-#gu5&;XEgQZZ3Xf?qO*s6Zd14k z6+h}E6Y+Eg~%DR#+?kuNl=7tgG?A5-xLTR2;1Oevn}mxGvFylYRa0*iH299aYg4ahuY( z{(!>86=wFdbd!7hzcfg3KJ5mKsKp#MXTLA&(%J2**omtu(54LiFga1ZcQ3zThHND{ z(lq{YsHd)7;k06UqrCM~pLe!47scwh{~x>a-vyEXR1`6RKT{IOnn=caJe3kfUtPbV zBg;I*>)dGxva$M3KgM^!@nc+x2@&O3MB0^WFh?t%+#{GA=(-?)W42y)z0_`ICz(5- z)}G5|pV<+T0a;%X6F&vr#pmD2W9olani5YLk5+HREUWMe0tBi4?V4uE31$$VcRow$W<86N(w<*4 zzjjHSEFU1*&k|W|bJDxMk2qQ=eG-#D39q5$$77aNOsD{oufeIT@|^K!sh#UPS!VB> zaC~vs0a7~hjs?*NauU1}UCo!u4$5AK0_efI7-a+aCx8?QTe6Dynl-H#ej(xa9J!K6 zj;jDN{ME#xojDWw{fv_`VI#hlk!>9c+nwNAjDTnLL;&3hC04w<753nCP-W;)MpOz9NWT+c*)tRIrYk> z-d;e09PEZ8_N4e-z{4Qyjo37v>yg+)dF@VgFuK#)1OO;#uZDesr&=cALC7adXCJD& zjQXAcUbc-Q!OGe7C2r5kpS<3;F51|IDoFoF=kF*B(@uaCwxTp{DMFrI4Y?c;TTQ|1 zLuf_>AcqJBQVW3(dr^vXA4}>Q)mT;4P^m{JIv8aG!uJ5uvD&dcQ$2Xf5^I4pX-%8& zImzR308byh|D68w+r7Zl&$n<`$B*`xlnBvv{`N4Fpb97h4rE*X7PQ<#tHsbwuR(T{!Zfi>3N*L;b4-D>DwL=2DaQ#t@$XOb+dNFO=My*%|u+ga|0 z?Iq!F0J2sv6i#fZ7vGc|)f%O%Xujynh}JC*6N?Am1PJW zE3pbss7ARghr`v?CT@KeM#EB=IQz~Hfc$6LWt1jTRLuSO1UB-#FV%7(l_ttlitO9|VNTICRz9<6lMyGU5Rw7v&({py802 zO-;$3oh!pRks3|ZPxk-l{2gg52LYCjog{E@S{&?GB>tPJsr$yiig zh?4fY=DxSBJob2le*a+L>?h3tQdAN_6ow-iJVPE3z8K}xy^*gL1>l^~c!{q2IhAJ& zKShv?Yhqd6<9JZZ?0;BM9k`nQJ(2{#?NYVKC0F^QPw-(X1)i1u&Tl@;($pvsk9Wz5if&jbVy?0g> zXWDTupR+`LLY!P544j=#fC{STEFCH^^}XERGlWciJIwLp$5VhH6=m2aVf<13aYe~s z|Hr*v0yb>aPtp?|j3@$Q9{~9!me}$HR?iSs;+J=CpWf58xHFG* z-&0!ykfD{GFmX2iIRGg#WM)FT2fBLK60Upp?)XWh?cV{A{#ZG~3&{${#0sdO98?!_xxK@iyZVboy_+Ac7Gp0?kEUq?NFCIhRNZKBt!Qy0Hg$#ueNN(-aaGV@V2iePFzfUE&6yc zA_Q6<1GrcRy!A9~)2_dD#JR8bMbNd3*BL;L#qnJ!VgVsGT=^Hd0u)ReyQBZc&^f60 zmxD(>9;dmqdvgYW!|pHDtVl00Q&-dLifHFCQ;%r$?3Q8-X7 z3%wgGhL?3z6d*2i^6(Iq^V_in^Ad~Xek0{gVwwSv3gc;#NN&81!Nyy8H}tNqUyH{@ zi>|?>8`Kj3p3f4wb^$lsvwC)I{PpQV4M{%a2LL&#$-TiDZ~Rpq*+GGa%VI@Hl!j`w z^80?qq#F|D0L~AH_ceNA+Z0h3_YH^rLgse`+ywyn4#q#xJnb7MZ_2dLrYCmudC!LW zAG+~haCSX6fGeh4!zV+(vHgq)85$-tw&Y86Q3r6y1nXn%q@rPs1Le!5ScUjfOs`h| zNc|U_-E$p4{zi_ua~vv)uyXvHfmf%Z`yLvK0Qk9}sH+BFG){pf)d;T>Rv(F>@!}s) zBJEBZ^S=QlL0JG&Wjl7f&fjbyqi2se6HORd)8wQK5Tt&een$43Q6I0>`5|oVT_ zjn)QIrt8c&=N{S}Ui2$B14w~R&7X%d#5guz9bcxl zNc&x0*+*+DhzUxfX#wOtxIcntVEkriNQDFn>V_f$EN-TlB#V%4h7;k83t2oUt-RHpJ2JBKf6BicKIN12vx zCZd9We(PWYj$1MSjzIe31?CA}K^Sr>1zTr?JY^tP12D{!daQJ7l|XE`bAgb9P z7i?_)kpT3O9hL1d9ugiP*S`}KG;)gFS1B3k{o&ppd7Pl{5_lsy{7U0nx2}sBdLf-d zUu}|^B}G+{laJhYhpU1ed3nj3>>`c=2h%IKHTi?~Ve;!40y=WLxATlE+oKdsB%{`; ze|$Xh!U(gtsxe#q0Q3T>Zs8;Uz;^#hi0pDEUih1Oi)e!V7GEn0y` zn^#GsW1LjOFu}Rk0jOqmka_upcy{Uxj@Lc6bw1Lbo_@Y;bIU(>?CZ_!9{#lv)_H;Aj84pRLAYV+YJ*cAYKC`hvsU>osF6O z=WawhA_{~?`K>#u018y2dvuPdOhsq*VZ2n$`Yf#3UgbVw5WP|hAbp|JoKLT0Zx>C94!u>C z!qXejZw5%=>l#+MYFDY^TXc&Qc&G+F&E`-aD<|VIYIuv%kvMbZg#wq+QeriLl;W{J zF%oYqQdW-?#7q0yi;5OB0LY)56mltL?!ECw-2<9!<$Jk)ao~@R%;^XJL>G5F@;lt_ z*4A%Y0Z0*~*LlGO&xV-399)$F7sb*Q5@i4<@f=%}5o6OA*VWs#nCV#>JhwpaVs$3r zpS&T%C0fVx^P6@BmjHsUU*vMARW{xQpU$Uqu4-FKR2jAaDV!KHDE5&&;8cwXow|lV zNHx_a>c{5E$2SJNary{ggaUH}mDATGop$a)_Vevd$thLQ01C3TuKht{@Iv3Obc4k_qP%1$^XmLXfzs*mWIL!0yOIz=d7CYvI?ts6f{tpXGw0~arrM)(5i!d0Govn9 z=sC9IITuhmB_xmPjwYUQGv5XXDlhwFa(3&AzAjg>>z4N7=X$&(@3)Cg)EBIHls(SzgJX zYos*_T8F&l8mX%WNoe!hj7&l4On!gC%+@s0YLN_(d`HV?{O`R;WH)W=m5@Sq@a%MF z0=OlJZN;PV!iHIU+}P7OCk2r)2{h;;E%Z4QrPErBg*S{laD4hTK+x8f4`02$%{ZwX!1-*t}8OW?BR5=d{=TxHQbz*u@uP&mxFiw{*+SeKe{~AJe z|8mXQS4o}(Q1GYdn%$wpsN9jdflT`8{=Omm^M8JxV0uu^Z2^Lk*6YeuR)}ivz54E} z^+@&6c&9}G_xn_iKNQ5%puAD4dKB<5k$Tbq?Et8>{^@^UTP|x`AaAT~^YupnQV%~= zo2V^fd!i5#wWG`_cJ&Bf96%oVIy9e!B!v|r+KAij>^Z{u8fczRX;(us)b*LVY&hZ# z-mEDu0=S^wMBZ8FgKcUW5PIHB9~;zcrUKynl1F1VUvit*O_|**-KHJU3FJe|DU%^m z_=VDuuy`X4KUs`bxB?L8zt-2&ls`Ar(duS4FldRO)t5B{aAFtvGm7b1{JW|je%!}7 zo{t=>MfVV%y%C4f5qs}BYqzmx;35woS8STjjC#8Vc8H@h0-IwW@J+`zF`08;q=`&TbKdp>TlH>o<*D?Q1j zA|nUz1E&1s=k(oc`QfJ}3ZQ1ooZC0i+B3*d-rq!x$9pYqG3xQ)Q_9x>ZmNEHzV1rO z$nM?&nbD4vU(f0C3V;;EmROT0PQRzh{q+%V}O#S}gOBi**x?vm2ld6Z%W*Yy$JWxnJd2H@d=@seS(@8bo7+x*na5wF~n zAEM_i`aJw+-w5aa&B( zcdDj2$0{;V3?L<rFw;%2K&Y%KRPS$;lgBUfhi*^bfT4JUBIGq3~^kbQf)X>s4@;Mzt&gjvX zJ>?`xkawC4rJqANOY+!iUGKVr$bn3;COr9|Gi6{jGzKHid#EBvR1#mLCuN>=aSo7boLc zc*>6&&(iTv^NS_lY+u|0aQNAyD6+Nc(K7>$L|a;s&TDa%mfkqAAP;Qn?B|5F!$ll@v&Pw%z$6~{ip^}R=9 zL82BB3m}=RO1jR8!V9|P^xxgo$?3nREumauC-W*W{Aa!7AS@$7NA-8_z5>WsiT=_u z=aQr{R?Rm$9f2+R$f&s_%#s+oY z_oBm~4*_b5mePTup8w zhS&LFuk3NyAAoe*+i=5!7BhbFTIQVkZstFx@Ve{|v6F53 zB8ZI-P(xDfOg$(VvJ<(#4B%9W*5P`J@~pnApC^?DcW=0QUugyKheR8$46-Zjvi%lD zaxTO14t875{z&~7_;=w2KuRuEJxlyNy51eBJikgPg2yD^vjN~rmzmTo829M3|6$eI z$28-jkIg;NhX2ft?*B^a#Ko2tVhY2i#X=49{~TjSHF^R_QAd)ej9#h&=G4=|eMiT` zPrl-|fIOmoz11Hb#ZQM1zwJG>|EzeHc#h^jS)fGtr*TfSWal80ElxA`4Ynt$yJ{=d_QbbZ|b`7dawf+DU&B=H+bX2muqo1 z^?cqcPUus}{l_S4U}^0N4splru&};fJOvUvtn0%_jX!$Dat7$1rMad>dG6Wv7iK(a zZT}Z)vEE4%1#>0lQ{0Ok^s`nu^nGpo@Y?*y?A^fE(J|^2emA)%SOx2z&nA6XNQ}=B z?u^G>lJ&@bRcyqfXLgysb>g_4*|qE53U&N^ZEep$-S>&Fi_(4g3>oP_g>0lRad4yI z4?>XXI^&DFfG5Orl>W`zZrR}e3Q0zVwQ`yAh#)p(f<LJ|U7 z>0xSgu77kei6{F{04b+E9KP*SX#^iWr2kvV&!^Pk6h9d@;6go=Hy^Q{XH;}DvvXuLv$S-#^6+4Ec42gM zakjB?XSDWmw(zubaW->ApNP#UfD{hwr|DFLqLj+JFPzP2D~7>@$7%uOBM{-FQ#A;sgZ3J&&sD;Q*6?)zX~}p+J{Wrwpc`pY zL>=&IY{bEw@?V&+>Nou3fPiBx!u{H_ZjEN|&SR15C5}hi=Uwts;nue(m0o#+#gblM zA8q!f%k$x`grMXv;(5*pd{e!2zMru(Vb#4+Hab@&`M^!G%Gl^^-E|Bmd|BO(QQpki#o5ln%<-QEJy~E5MogQr#mV1c9PP)% zp~etEP|Di4QVcI~!pl!c8kMoMtElYdb|LRcyV*% zC(S~Qs`va=35bRDD9Ljez|mRhxYF?hB}-Jq><$f&NtFt}|2!$6{ZFN{e_nT&&>tG^ z5&&5uOaY%oyif|ML{D%!uI+`UZ9I^RdrpP%8g5j$g{y(-CC%*R6ftXqKMxJ2(|A_| zz?}y)VsGwXjdrtNlwIYxpph9u!3MIiu<*Ozmal4EYT6wfCY-*Vc;y()NsIY95t9H& zmUjbwbF6SS%L?LoxXBYI*CT5+0NM9vw2JF&s)XkRz8f-9K?vJ>qB_C+-gf2f@dr@z zIw2J}EC9YwLFgb~Y8evOw|F)6=k{Z6-vTWFKMB`#37-9Kpa0Wh(lVFQAtl2bt(hL? zYiamCfIqn!jlZ@H#!)hZGpcG0}LQBbcb{|2oghs ziXhS*(kYF!ba%%LE!`>IQi4b;AfS{W-EkkjbH01Lo^$SBGqdM;)-!vrwSH@_{q9){ z$fo81>*hIe?~;Ec|Jms2Y}`z-E%%$8Kf=<05|D{9sLti|(^A(~`s~2j(w|rrC3^%& zN1Cty8u$!pHUw$@L|x{`BKKOf@xSE!8J0Y&0k{pO`KOp4>5(ZxxDqC-=}^1X&{F_W z%Vt+^+YX4ue9)QuV4b4y-6j3&zjmH~hNX>GAe%ZG1uW=D>wYO1Jm)a$RM6J^_%Q&N zd`=ZA_;h)?Qx@5!eI#{kD@A7GH#y;`pnHA&-Pm$!5P&QG)KzEV45Jb#5TeLmmF~90 zmx}_jAQBTJwSt;aO>YaXS`b&*2t!HE-{$oPynTWJxOtuoA6v@VE%mwo2+8*H0**^# z1_0My`5tSo4l5M}?d{M92B=%mzMTDk;ElBd0lI67B@~ji1WCcdfpYRAzl@wxP8DIl zC^^oOh=whn(wQAogjBDZwwmrbai-)eb$jfr?(POYBm3mV8m+&1B08H5#8A5HDLmZx z>M3f^^{jQwT`_y*CQ=1v`GpL9p$jr$*9^%ids>;y@ASFnd@9;Juuh4b`DiKFn-Vs! z{DX7~S#`=4zZvn+O`yU38@<|(FFwvu#W)4woIqt1xvq?F-4TL!MJZIe4Mrv zFBTj@MtuIil3%8*MDNtqh+VAr-QZt9evHf$TX0w)G4!dSKj55=fb05yb&K-K{R$@g zh%jo(0V&At$~Lllhx0!&>87M#4P^)vA+4>K{uADRe3mgYu`;&*H-MYMUj6mOAKeE3 z^mS!oAe)Gbe3dj<)iCThxRLI)$FLE8wFH1zWiPJe*HL+(&+RmP8YJ0*c5*({=TzSaN}i&rD2jGr0Em$D4=5KmR7p!!i2gnJ zC*~F6rTl-H)Sn1gN&yfvnI*6Xt5t*ZE5`L!R~v~z-l!%3;uH4Vpz!t>>zvwz_cEne zCtEesZ?q%lG6L5(E${L!r_tuY=_4gs}OQHWNnF zF#l?v^EXQVK)@sefJl00g(d@zESv6hj&El90;He_o&Y%ya~!SX5&35iHP;_W{2ZTb znvwXe8n#Tl&|l3xq8RpYu)3ONX!8NMPFQLT0iE~lbmBfiM*11QxMUF(fXMd6^(`JE zlpjqVKb(7KEmL|Ke}6;lpTFl%l)N4U;Jzy|9c>lzEhC;JvuNODG}!EjA^)IlR9i;E#Ip8rwk5qdZrU&NyD!CES`dcgG@7IhCjg$VB5mkQQsp z6+IZYe~h30>_gT*KizL~{y@os;eE3jo;XG%O&eOm06c6g6|MRKsS*IL_3gp)}+v!Hwdb0Rr?xijlV&hI90Jz+D%m&lC*ZsRc zCKMB5-#J57k8A%QlprD@K-NV@J$Y!e=krW*6fg`+#z+kEYwvXK(mo)K^fRhuX6jGT zbEG|u{ZK~uhMcTqsqGeStW>awK5}TF303QnlO9gG1c~=`3RhkgG%f3J+GTH!!=Gx+fn!}{n7Pnm6uaI|Bv?}{urBgJ zYZ$FUBji&x^`PW_pvoBvtpL=6wL!Fl{qc;og%^;?yRq{EQ#%LEUn5rwT)wL$c|G5# zFH&>GY7U79eYDjkSZYDS0*eVlByhn%y-So}b;=GW*Q#D@dFC8;qGxS{hLDrIXwr##;7J*shqL8|u&Ie?6c zd`mZlY7P>P`IrN5fkh$zxZXupSNcYH$EhcZNsHtKZF$PQ$#^+^neZ%lk@J1Kl#xat zD_elJ;Vp$!l6I3%NTA153WFva!qe({#c54oYYMyGDG)C0?P`9V!8|hJq*dX`V(ds9 zZnO>M$S!W1Se~p4YJ(1!=RHtEJ!o*MlnPS=lR!bhgTLC-N}!-4_gDb`sU?X_B9Kk= zO+^XQ{4-QWM@ni2Kp_iwgo5kf62V4x{J5;byi zqzesqn!GOhuK(g_-NB2D>bcjZNLYk)smHrcMazOFTs;N(S<_Mi5MyTZLd#5=>*J@7 zC~9|yvcAW}#p)U1^%ce><_1X-Bbg{{&GZi#JRYfc-TFD}OPS@Cqmn1A;e@0ZQ|!Ir0lGI&pTF+U3L z+TDKNZ}Tg$6NYT_Wdl&M!l%q)+3Vb2`W`&r#g}%OyoD>p7}ZcREvbWpaM$B<4OeMd zl^+In_@Z@SW|YXIW{f*#G&Js>0Y3^oX97}|bxz&r4XRRjE~l2LU?f4k|3~%1|6TPT zA^^Ba@9nvT+bMNHN%s3zSTx$nT*wOm?l_U63ST6yrg2VAz)p32t@@)?^Ir9^tI`c9 z7}!s-EZbZO>t5ka#eF=~7t@fZIahoA*gMsCuflDdh#$wa)oVTJqnrMSyu8A(3?(KPoFvtG~tqI3tL>B1&QW&jn)1_N{L zoF0Zl?+b0J!jW=noF4V2512QUF#GRstJkaRy(3i_Cc$}>2&?aeoIk zJYR+7WFr%mBr(ttxFJgSwO2QN+-29U%`yXHV(sGVM zMpM@;hlSk5iVtrf9To}?6F>7wRis-|p*pDS`92|V@l4cdpmvf;85S-~z1n>^9H#k~ z*W;jo?o|aM2ce*&RG(0+TvyU3VYjQ2H{ zXjf6z9CfVx((QGIcp{gPKGB0*8;%4D?z!K}8AvqJBpFUV89KdH9O0r1nZNdJnMA(6 zE-7>=Pb%ViGCcp9+tu%q=7exdT054*7kUCc5SGF~LOI>GASW8(NfwIS6UvG#YKz`S z`xw7dAr?-~Pkd~wWr(K1^?1wd7}E=jC#0D@chyV3saQC9Hh174K%piE z1*LVHI-wBbPO}x@uz8e1xbR|R zXa1^8At?FGBn1U;?sT@D@CZOgLA&Lus`13b)O`c>8%-ZufAqC8r&pw+2bau?^5Qym zu>Ds6;kz=E(%RRC0#$|OMZ<$|wGZ->YG2r(WMiKbr6^N>SP7UI3E_PFCP3EVbLRY)y)CYPFuRS9D8Gb;=^ z4(%vh)>G1pk7#T7ei)%g8xYUOod^kj4}L0Fq}k5M`C?&PodEX=iwiLn^95^+R8-qI z5~mn8!TgzaoMz4ET&~f>ZaXsVfmn)0#cDlz_J-bc;hh-H=^DeYgw9X{4ll36-MZoo zfy-YsAMqv&wWQL%zKwCZ?iNE3bh2wXc6Ds`_655tW5N74qAYx-1uze;+ zPGjkKfi83dU4_NCL>T;HlxK$hAlm}}tb9KfgF>&iK3syQ-9PbhGS=wn=OqBm@kd6>v`_Y7T3i*aijN6N-LJoA0}#A-QmFB(C<( zXDO&ea5k}>)uAch@@87PHJusfk-%QzRUWh)B6Kp>gP-nV?^e@>4g5fm$U&yWxmiuT zRO>ln-lVwhnF%b)P)-&#pSVq%6pRq^iBPWGraEhF(%swFof*fsrs^4C7iDVTqy5{D zjVk3&w!&Y>qR>rrXW&FpQgJ3i780r=9BN2a7T&=QnhA6X8Ap^}-o@$_xEveN)SDF2 z-zJzqYTS#dh@~KwJG5E15llAhcri4q0kN^RLZ6sJ%QfvE9Lwzo9S1y(ifz{EbE`Tj zwCy0{N~b>hRYaM)oy1f4s#Fe69M#g9SQ8h=@!ig*x?$#dr=@igC;l8^nQis)HnVhE zt&jehY79%NL_bn}@tif?ce6K_4~~Pr4E01I=jG~WXkHcYUoNQYP!-HHD;0E{{a7h@ z0obI3E}F;8Pw0;x>50ebFj`>zD*kzSPlLiWM%9i@(2GNWY2s7M2rqG zzpB1o)^f%OAM$%o;!iYbs6aNAe-5MVd}e2S6K#>9r5Bgx-h0V(q&%?X5ZWvh4Akv? z^@s9}48a}1WS?ZjRDYqY_{8J1!A=?1FfwMM!4evTb=?i-sLjlcu5vsNqlL*%n4_t1 zH=}IIJ)~YYF}rPc{VbO+v=DEpnzNqSxdyPMzhaePYfPH-CcSq<U?uP^NzZMsS5zDlEoI71kgv6x+Bh<1VlvEy3onzGqlSZHe4v{_R((h?W_beZk$fF zt#|GC1sAkG0c~AEWxC;B$af}Y8C6ZVdkkE56!|C5RYlQ;wc2aD3MZCJePkAbN%wdo z9|AH2{=?$Z3c?GVoBUCwqG~K1H{@UXaI+~wR6GVDJpCfrcDLte$Sn)czox%1EH|-e z#;a#LxIGEhpvgC27{Lpe!d{cB1-0OdoHX=dkOYimU#YX0{a%=DjQoK}Bb^8NcE^ANP}K0V(si0cv_5@^x=@3=!R+<#=pD`*WyH>oVcLJmAw>b*o5z1CaxJp+ z(|*8Q;RdD!AVPhW7#&_Ihr@q5OODCVf_~_XlLF~Tn4Lze5j7oHMu#>u6M7$`I^Nv; zE0vTS5~BS51mSK0fXnd;KEZQ8vEoOaLbpu2bxiFh$^>$FF({PG<~sXr!`W|?R+Odn z*FQ4VbN+{AVYacdx3Mx~p%MMZ8`wWy{#u&1En7*h2nnseb$9evKwySq{EfT1hhFrYv}SrUhqr?99$go3>b?ug~)e?>O{O^>}=KXFMKvTNqvu{s0!@kBWud$DM|6E?y%{in)X zpkN?UCy9kc=yjiUlAv^aoP9*f&x@AEcXjUYxRrb&U`IKSAm2Xu`Qb~+iXlw;y?6Ls zm8qF`6N4EKyhQU@c4)^EFXWXd^5_Rp#oF7gdN zHDg@hfueiDr$#MC=nz9}@~jVpr|Ixh#hzLo^(3Cb*P!ymjb}Y>vc9z~Z*`^dNbbsv z%HIca_$S%jE-GcYp}V=AdA`-yZhn+sZ#Repni~3<9%B-~*XZ4wpo#Z%O@t1;#%%#B zh$2A55Y>A~i$W8+SGpLB05S9`XLOSw-!k{rm>gd1A7dbpqA28%Zn4^?Je1ZS}<@2TnZ*E3Tn0^8)zju=s^P$-C-Bw1j@Lh;tp?JipuW2_=*j z*6@~09x8};#{^HFq^**!$T#j#HEI0t_vJ!4{YW}BE<}(bF2iiI_+;fQSWDE}BlQ2M zyyf3j9&iL8vRyepG+P&yVG}wGl2gcIO?Xd10Yv*xkz>72>w&uyDH^PX=9UVYix!hPG{^?9E4&Z3t?5^k6!7@&-&~G~J5nK;{wP|^O6Q)~N_Mz0WNy)_3~8q9rdz7Pa^pU8r} znH9C7@Zd<%qNMiByyFVGcWPHi&+}Nn)aQnzSkWU&297~RP>a$da>0BVwH?xiYyDHq zqweh>jt$fem9&9}Z-<$tuE5o*Mm&jMV$L;dEfD;QtopAjOJ+3VzR(F?pG}%tOlIue zJA2zLHYR0gbP?LssY%j?qM7koi(WZP2gLRk!@#;4B~&0F~%n*;y|O;1$vp zeaL-1())8I)cY_Ak^dbfa6$n7iq(}t!{2rZXeMJ9i^LjD)07Sa;IL!4HL5m>Dxl|J zJ#Eoybtz!*#r=7m<}pp@6k>k-AFvtSWGR%fzg2RFG4Npa?_P_^`R`tfdjHRZcf|s}-G-sTxJ0NVdRHWQi~LX^ z3wxZ6;F6Gzq&|Ff%E?IoZQ;?&^>h#xSPSQQKN2p`F)=Y;F3Q}`Xz}%tLv#J|c1nU2k`QN?Ko>09pQEKk8OWZ9nyW_UQK9+$!%rasI{?;~ngaj^_G-jMSS z9-W0o_0r2!JeP=mGH&n)F^#blaO(M7Ea>Gkxp)WrR>?;OF4%L@Sp?j;RjD^i&PV;q zsGPApQ&ZDvM?66;Oa8(iF{KbDI88z5r!C3!eK)MRncR29Ox|V}-(FThEGu|p6quiJ zG$4yK64X`4@y%}6DRIG%*^g-UaCZIMZ_qp1r^4WorA43I+NU&I!IS@jcS2Th_K@}0yN7D0T?KKK(=$EL zPeCNFi=$r6@xFG>P|tkTEFJFUfK|vwje@IA41SjqH~oV}qH(A`HmO!#l?9t_sw+Y9 z%L4f949|Na8cT|Koj!#FOBh<~n|!xK#ZJ@FDz}uUL&9id0V%5s2fUKl4tt6Vh4-5% zmy4d65D|!77fG{U^=XAHV3;i*)LEj8LG*r=9jNs ztzOZ*w6d_bvbUglYUas8BkFuV#s_n8GBdL`yRXH@Y5zt%93%wBM}h#fD4=_T0+A!5 zV4_3NK&XTebPP-omUPh9F}u!~qZ%J^eh-}6M;h%!IXo@gw8f%GJlQmU zbvqS1)YD`3Dl`fUpX^-rqmm(|C|FWoOJ>@hwyex+1k1@_=!~+=Tk^F1oJ7JY{Z6Fo zxm)U3RIUH&N1iFyVWAFp_lcGt`(Y?#r2U$tJYw#PuouZFVKcX>`1yGK16tHKI_>zG z{#7qW6POReFjY+{he5l>ezURJL}OiQJ~`oST8a9>aqLQ?OB~8pwxDld-)Gj;vS|@h zp?+2xWZI!C>Rr5v@Znbn_M{&CZyQSm^TIuUP(rvuY1f&vNm-gcF!AalX;Oc9LbSIz zKqTXZ8a3RHJc11O6`^x3kQo!&?53h6Vd9SW91U0&R`S}1or}dk*1wZt;!+QRs^eKv zhAaKDo)e03I(KJ??oJZ8(oUVG|DfQGYm1iHG$zjV0>8G)YYaLbBVXQ;w@ zuq8@O7fbo8_Ixlk{PQ>TTI0OUw2}pvUPNlyS%c|69#}!{LxmQOF2TKd)LL$!-sv5i zz79mYv)%+gj0-FNuZzX%4Dn0!r za2qS&jr9|LiSqZ6Ongyj;`QBDyYYKNosLbpJZCz$2bq-iXtTS|LEY+SrJ)r3uA;P| zPvU_9Y5vMa^@locVi?l3HT~(6>ikY}OyPv{i6P;y5>o2Rw&}``9-NfgnLaj9zslIC zeH+d2)o2#Cgf|Cl(E2lB21-Ylv66R|?^s-@dM1OcWG!Fy)X%5x3yXpjQ HsKEaK^B( Date: Tue, 25 Aug 2020 23:50:53 +0200 Subject: [PATCH 04/68] added pgp.asc to lookaside cache --- sources | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 1f508a5..b026e38 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (squid-4.12.tar.xz) = 96fa700a0c28711eb1ec5e44e1d324dc8d3accdddbc675def8babe057e2cc71083bd3817bc37cbd9f3c03772743df578573ee3698bbd6131df68c3580ad31ef4 -SHA512 (squid-4.12.tar.xz.asc) = 3283912319f5a027b4c9302f3ed26082d7f22e3797b39edd7eaa3df10904fb170352745a0dc1eda50c4c669b2037d9c596a8163f827f5060ec3ecfe0d6b22b27 +SHA512 (squid-4.13.tar.xz) = 06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc +SHA512 (squid-4.13.tar.xz.asc) = be1265376927dcb3c96ea0c8c1b0f1d6bd7e3deb0fdd38ff80030c31f53f77345a8b8564c6b8cc79d7449aa361d4bdf1ba10d02f5f08af245ee35b484977b93a +SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 From ed458c36ef6f8eb873e8a65c8a1005e05ad6def1 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Sat, 17 Oct 2020 09:27:01 -0600 Subject: [PATCH 05/68] Fix missing #includes for gcc-11 --- squid-gcc11.patch | 24 ++++++++++++++++++++++++ squid.spec | 7 ++++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 squid-gcc11.patch diff --git a/squid-gcc11.patch b/squid-gcc11.patch new file mode 100644 index 0000000..c87ade5 --- /dev/null +++ b/squid-gcc11.patch @@ -0,0 +1,24 @@ +diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc +index 1fdae0c..213cf39 100644 +--- a/src/acl/ConnMark.cc ++++ b/src/acl/ConnMark.cc +@@ -15,6 +15,7 @@ + #include "Debug.h" + #include "http/Stream.h" + #include "sbuf/Stream.h" ++#include + + bool + Acl::ConnMark::empty() const +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc +index 5cd81ab..3f73892 100644 +--- a/src/security/ServerOptions.cc ++++ b/src/security/ServerOptions.cc +@@ -6,6 +6,7 @@ + * Please see the COPYING and CONTRIBUTORS files for details. + */ + ++#include + #include "squid.h" + #include "anyp/PortCfg.h" + #include "base/Packable.h" diff --git a/squid.spec b/squid.spec index ad8cf9a..af5875f 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.13 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -33,6 +33,7 @@ Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch Patch205: squid-4.0.21-large-acl.patch +Patch206: squid-gcc11.patch # cache_swap.sh Requires: bash gawk @@ -102,6 +103,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -b .large_acl +%patch206 -p1 -b .gcc11 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -297,6 +299,9 @@ fi %changelog +* Sat Oct 17 2020 Jeff Law - 7:4.13-2 +- Fix missing #includes for gcc-11 + * Tue Aug 25 2020 Lubos Uhliarik - 7:4.13-1 - new version 4.13 From 3282e06751b073f4225cc8cb6647b3cd031a8fa1 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Fri, 8 Jan 2021 21:54:52 +0000 Subject: [PATCH 06/68] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- squid.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/squid.spec b/squid.spec index af5875f..8047893 100644 --- a/squid.spec +++ b/squid.spec @@ -44,6 +44,7 @@ Requires(post): systemd Requires(preun): systemd Requires(postun): systemd # squid_ldap_auth and other LDAP helpers require OpenLDAP +BuildRequires: make BuildRequires: openldap-devel # squid_pam_auth requires PAM development libs BuildRequires: pam-devel From 04e0b1693c17e805efd9bf2255d3f60ef78c3a05 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 27 Jan 2021 20:57:57 +0000 Subject: [PATCH 07/68] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8047893..140ad3f 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.13 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -300,6 +300,9 @@ fi %changelog +* Wed Jan 27 2021 Fedora Release Engineering - 7:4.13-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Sat Oct 17 2020 Jeff Law - 7:4.13-2 - Fix missing #includes for gcc-11 From 5fc2c3b43cfb2f153bad68eb741d05773db18878 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Fri, 12 Feb 2021 04:22:45 +0100 Subject: [PATCH 08/68] new version 5.0.5 --- sources | 4 +- squid-3.0.STABLE1-perlpath.patch | 2 +- squid-4.0.21-large-acl.patch | 178 ------------------------------- squid-5.0.5-build-errors.patch | 116 ++++++++++++++++++++ squid-gcc11.patch | 24 ----- squid.spec | 26 +++-- 6 files changed, 135 insertions(+), 215 deletions(-) delete mode 100644 squid-4.0.21-large-acl.patch create mode 100644 squid-5.0.5-build-errors.patch delete mode 100644 squid-gcc11.patch diff --git a/sources b/sources index b026e38..cf080d9 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-4.13.tar.xz) = 06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc -SHA512 (squid-4.13.tar.xz.asc) = be1265376927dcb3c96ea0c8c1b0f1d6bd7e3deb0fdd38ff80030c31f53f77345a8b8564c6b8cc79d7449aa361d4bdf1ba10d02f5f08af245ee35b484977b93a +SHA512 (squid-5.0.5.tar.xz) = e0f816296d9d32fc97b98249dde077b321651dac70c212fe8eb9566003ce04f13a83665e387531e06bffbab1ec21277e3e0549a16caee426b6a749e18bf77991 +SHA512 (squid-5.0.5.tar.xz.asc) = ca1b170bef9cca5afe1108e8a439282f3a19bea48d2dba42847acd1cf039d38ccc8c714e27fc9e49fe9e3027963f64e9ab19e6a358e6e038c78f85cc77657a3b SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index 087469d..9cb5e81 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch @@ -6,5 +6,5 @@ index 4cb0480..4b89910 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2020 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors # * diff --git a/squid-4.0.21-large-acl.patch b/squid-4.0.21-large-acl.patch deleted file mode 100644 index 8aacf38..0000000 --- a/squid-4.0.21-large-acl.patch +++ /dev/null @@ -1,178 +0,0 @@ -diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc -index 01a4c12..b5c1679 100644 ---- a/src/acl/RegexData.cc -+++ b/src/acl/RegexData.cc -@@ -22,6 +22,7 @@ - #include "ConfigParser.h" - #include "Debug.h" - #include "sbuf/List.h" -+#include "sbuf/Algorithms.h" - - ACLRegexData::~ACLRegexData() - { -@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags) - return true; - } - -+static bool -+compileRE(std::list &curlist, const SBufList &RE, int flags) -+{ -+ if (RE.empty()) -+ return curlist.empty(); // XXX: old code did this. It looks wrong. -+ SBuf regexp; -+ static const SBuf openparen("("), closeparen(")"), separator(")|("); -+ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen, -+ closeparen); -+ return compileRE(curlist, regexp.c_str(), flags); -+} -+ - /** Compose and compile one large RE from a set of (small) REs. - * The ultimate goal is to have only one RE per ACL so that match() is - * called only once per ACL. -@@ -137,16 +150,11 @@ static int - compileOptimisedREs(std::list &curlist, const SBufList &sl) - { - std::list newlist; -- int numREs = 0; -+ SBufList accumulatedRE; -+ int numREs = 0, reSize = 0; - int flags = REG_EXTENDED | REG_NOSUB; -- int largeREindex = 0; -- char largeRE[BUFSIZ]; -- *largeRE = 0; - - for (const SBuf & configurationLineWord : sl) { -- int RElen; -- RElen = configurationLineWord.length(); -- - static const SBuf minus_i("-i"); - static const SBuf plus_i("+i"); - if (configurationLineWord == minus_i) { -@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) - debugs(28, 2, "optimisation of -i ... -i" ); - } else { - debugs(28, 2, "-i" ); -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - flags |= REG_ICASE; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - } - } else if (configurationLineWord == plus_i) { - if ((flags & REG_ICASE) == 0) { -@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) - debugs(28, 2, "optimisation of +i ... +i"); - } else { - debugs(28, 2, "+i"); -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - flags &= ~REG_ICASE; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - } -- } else if (RElen + largeREindex + 3 < BUFSIZ-1) { -+ } else if (reSize < 1024) { - debugs(28, 2, "adding RE '" << configurationLineWord << "'"); -- if (largeREindex > 0) { -- largeRE[largeREindex] = '|'; -- ++largeREindex; -- } -- largeRE[largeREindex] = '('; -- ++largeREindex; -- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex); -- largeREindex += configurationLineWord.length(); -- largeRE[largeREindex] = ')'; -- ++largeREindex; -- largeRE[largeREindex] = '\0'; -+ accumulatedRE.push_back(configurationLineWord); - ++numREs; -+ reSize += configurationLineWord.length(); - } else { - debugs(28, 2, "buffer full, generating new optimised RE..." ); -- if (!compileRE(newlist, largeRE, flags)) -+ accumulatedRE.push_back(configurationLineWord); -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; -- largeRE[largeREindex=0] = '\0'; -+ accumulatedRE.clear(); -+ reSize = 0; - continue; /* do the loop again to add the RE to largeRE */ - } - } - -- if (!compileRE(newlist, largeRE, flags)) -+ if (!compileRE(newlist, accumulatedRE, flags)) - return 0; - -+ accumulatedRE.clear(); -+ reSize = 0; -+ - /* all was successful, so put the new list at the tail */ - curlist.splice(curlist.end(), newlist); - -diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h -index 21ee889..338e9c0 100644 ---- a/src/sbuf/Algorithms.h -+++ b/src/sbuf/Algorithms.h -@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator) - return rv; - } - -+/** Join container of SBufs and append to supplied target -+ * -+ * append to the target SBuf all elements in the [begin,end) range from -+ * an iterable container, prefixed by prefix, separated by separator and -+ * followed by suffix. Prefix and suffix are added also in case of empty -+ * iterable -+ * -+ * \return the modified dest -+ */ -+template -+SBuf& -+JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin, -+ const ContainerIterator &end, const SBuf& separator, -+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) -+{ -+ if (begin == end) { -+ dest.append(prefix).append(suffix); -+ return dest; -+ } -+ -+ // optimization: pre-calculate needed storage -+ const SBuf::size_type totalContainerSize = -+ std::accumulate(begin, end, 0, SBufAddLength(separator)) + -+ dest.length() + prefix.length() + suffix.length(); -+ SBufReservationRequirements req; -+ req.minSpace = totalContainerSize; -+ dest.reserve(req); -+ -+ auto i = begin; -+ dest.append(prefix); -+ dest.append(*i); -+ ++i; -+ for (; i != end; ++i) -+ dest.append(separator).append(*i); -+ dest.append(suffix); -+ return dest; -+} -+ -+ -+/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf -+template -+SBuf -+JoinContainerToSBuf(const ContainerIterator &begin, -+ const ContainerIterator &end, const SBuf& separator, -+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) -+{ -+ SBuf rv; -+ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix); -+} -+ -+ - namespace std { - /// default hash functor to support std::unordered_map - template <> diff --git a/squid-5.0.5-build-errors.patch b/squid-5.0.5-build-errors.patch new file mode 100644 index 0000000..4293d67 --- /dev/null +++ b/squid-5.0.5-build-errors.patch @@ -0,0 +1,116 @@ +diff --git a/src/Makefile.am b/src/Makefile.am +index 81403a7..5e2a493 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -2477,6 +2477,7 @@ tests_testHttpRequest_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testHttpRequest_LDFLAGS = $(LIBADD_DL) +@@ -2781,6 +2782,7 @@ tests_testCacheManager_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testCacheManager_LDFLAGS = $(LIBADD_DL) +@@ -3101,6 +3103,7 @@ tests_testEvent_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testEvent_LDFLAGS = $(LIBADD_DL) +@@ -3339,6 +3342,7 @@ tests_testEventLoop_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + tests_testEventLoop_LDFLAGS = $(LIBADD_DL) +diff --git a/src/Makefile.in b/src/Makefile.in +index fda6de6..4e047cc 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -4581,6 +4581,7 @@ tests_test_http_range_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -4972,6 +4973,7 @@ tests_testHttpRequest_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -5274,6 +5276,7 @@ tests_testCacheManager_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -5593,6 +5596,7 @@ tests_testEvent_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +@@ -5832,6 +5836,7 @@ tests_testEventLoop_LDADD = \ + $(SSLLIB) \ + $(KRB5LIBS) \ + $(LIBCPPUNIT_LIBS) \ ++ $(SYSTEMD_LIBS) \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) + +diff --git a/src/proxyp/Parser.cc b/src/proxyp/Parser.cc +index 328d207..2f358a7 100644 +--- a/src/proxyp/Parser.cc ++++ b/src/proxyp/Parser.cc +@@ -15,6 +15,7 @@ + #include "sbuf/Stream.h" + + #include ++#include + + #if HAVE_SYS_SOCKET_H + #include +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc +index e114ed8..22bce84 100644 +--- a/src/security/ServerOptions.cc ++++ b/src/security/ServerOptions.cc +@@ -18,6 +18,7 @@ + #if USE_OPENSSL + #include "compat/openssl.h" + #include "ssl/support.h" ++#include + + #if HAVE_OPENSSL_ERR_H + #include +diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc +index 1fdae0c..213cf39 100644 +--- a/src/acl/ConnMark.cc ++++ b/src/acl/ConnMark.cc +@@ -15,6 +15,7 @@ + #include "Debug.h" + #include "http/Stream.h" + #include "sbuf/Stream.h" ++#include + + bool + Acl::ConnMark::empty() const diff --git a/squid-gcc11.patch b/squid-gcc11.patch deleted file mode 100644 index c87ade5..0000000 --- a/squid-gcc11.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc -index 1fdae0c..213cf39 100644 ---- a/src/acl/ConnMark.cc -+++ b/src/acl/ConnMark.cc -@@ -15,6 +15,7 @@ - #include "Debug.h" - #include "http/Stream.h" - #include "sbuf/Stream.h" -+#include - - bool - Acl::ConnMark::empty() const -diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc -index 5cd81ab..3f73892 100644 ---- a/src/security/ServerOptions.cc -+++ b/src/security/ServerOptions.cc -@@ -6,6 +6,7 @@ - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -+#include - #include "squid.h" - #include "anyp/PortCfg.h" - #include "base/Packable.h" diff --git a/squid.spec b/squid.spec index 140ad3f..8267755 100644 --- a/squid.spec +++ b/squid.spec @@ -1,16 +1,16 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 4.13 -Release: 3%{?dist} +Version: 5.0.5 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc +Source0: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig @@ -32,8 +32,7 @@ Patch201: squid-4.0.11-config.patch Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch -Patch205: squid-4.0.21-large-acl.patch -Patch206: squid-gcc11.patch +Patch205: squid-5.0.5-build-errors.patch # cache_swap.sh Requires: bash gawk @@ -52,8 +51,8 @@ BuildRequires: pam-devel BuildRequires: openssl-devel # squid_kerb_aut requires Kerberos development libs BuildRequires: krb5-devel -# time_quota requires DB -BuildRequires: libdb-devel +# time_quota requires TrivialDB +BuildRequires: libtdb-devel # ESI support requires Expat & libxml2 BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat @@ -103,8 +102,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch202 -p1 -b .location %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards -%patch205 -p1 -b .large_acl -%patch206 -p1 -b .gcc11 +%patch205 -p1 -b .build-errors # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -162,6 +160,11 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --disable-strict-error-checking \ --with-swapdir=%{_localstatedir}/spool/squid +# workaround to build squid v5 +mkdir -p src/icmp/tests +mkdir -p tools/squidclient/tests +mkdir -p tools/tests + %make_build %check @@ -300,6 +303,9 @@ fi %changelog +* Wed Feb 10 2021 Lubos Uhliarik - 7:5.0.5-1 +- new version 5.0.5 + * Wed Jan 27 2021 Fedora Release Engineering - 7:4.13-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From c0914fb70e161c1d9a540c9a6a484bbb44c0e435 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 2 Mar 2021 16:12:16 +0100 Subject: [PATCH 09/68] Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. --- squid.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8267755..fd92e86 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -303,6 +303,10 @@ fi %changelog +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 7:5.0.5-2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + * Wed Feb 10 2021 Lubos Uhliarik - 7:5.0.5-1 - new version 5.0.5 From c1eca09b2428a6d0241e00f99c1b7a0b7f7da342 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Mon, 8 Mar 2021 13:25:55 +0100 Subject: [PATCH 10/68] new version 5.0.5 --- squid.spec | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index fd92e86..7747c55 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -225,6 +225,7 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented # remove unpackaged files from the buildroot rm -f $RPM_BUILD_ROOT/squid.httpd.tmp + %files %license COPYING %doc CONTRIBUTORS README ChangeLog QUICKSTART src/squid.conf.documented @@ -285,6 +286,36 @@ done exit 0 +%pretrans -p +-- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5 +-- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +-- Define the path to the symlink being replaced below. +path = "/usr/share/squid/errors/es-mx" +st = posix.stat(path) +if st and st.type == "link" then + os.remove(path) +end + +-- Due to a bug #447156 +paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} +for key,path in ipairs(paths) +do + st = posix.stat(path) + if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end + end +end + + + %post %systemd_post squid.service @@ -303,6 +334,9 @@ fi %changelog +* Fri Mar 05 2021 Lubos Uhliarik - 7:5.0.5-3 +- Resolves: #1934919 - squid update attempts fail with file conflicts + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 7:5.0.5-2 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. From 3f98a4414b8b7a825d846e8987b9af59526b0bc9 Mon Sep 17 00:00:00 2001 From: Iveta Cesalova Date: Tue, 9 Mar 2021 10:51:40 +0100 Subject: [PATCH 11/68] add fmf plan --- plans/all.fmf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 plans/all.fmf diff --git a/plans/all.fmf b/plans/all.fmf new file mode 100644 index 0000000..cdfc481 --- /dev/null +++ b/plans/all.fmf @@ -0,0 +1,6 @@ +summary: Test plan with all beakerlib tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/squid.git +execute: + how: tmt From e841b1b13912e32632fed18180b4d939f3fb0844 Mon Sep 17 00:00:00 2001 From: Iveta Cesalova Date: Tue, 9 Mar 2021 11:17:15 +0100 Subject: [PATCH 12/68] fmf metadata added --- .fmf/version | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .fmf/version diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..e69de29 From 606d4437da26076eefdf39530653c8cb0b5fd61d Mon Sep 17 00:00:00 2001 From: Iveta Cesalova Date: Tue, 9 Mar 2021 16:37:11 +0100 Subject: [PATCH 13/68] fix version --- .fmf/version | 1 + 1 file changed, 1 insertion(+) diff --git a/.fmf/version b/.fmf/version index e69de29..d00491f 100644 --- a/.fmf/version +++ b/.fmf/version @@ -0,0 +1 @@ +1 From fc2d4c0be126a5b9da59ca7caa79b0e0102ddbf1 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Fri, 23 Apr 2021 14:21:07 +0200 Subject: [PATCH 14/68] Related: #1934919 - squid update attempts fail with file conflicts --- squid-5.0.5-symlink-lang-err.patch | 80 ++++++++++++++++++++++++++++++ squid.spec | 22 +++++--- 2 files changed, 96 insertions(+), 6 deletions(-) create mode 100644 squid-5.0.5-symlink-lang-err.patch diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch new file mode 100644 index 0000000..29b5e2c --- /dev/null +++ b/squid-5.0.5-symlink-lang-err.patch @@ -0,0 +1,80 @@ +From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Sun, 18 Oct 2020 20:23:10 +1300 +Subject: [PATCH] Update translations integration + +* Add credits for es-mx translation moderator +* Use es-mx for default of all Spanish (Central America) texts +* Update translation related .am files +--- + doc/manuals/language.am | 2 +- + errors/TRANSLATORS | 1 + + errors/aliases | 3 ++- + errors/language.am | 3 ++- + errors/template.am | 2 +- + 5 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/doc/manuals/language.am b/doc/manuals/language.am +index 7670c88380c..f03c4cf71b4 100644 +--- a/doc/manuals/language.am ++++ b/doc/manuals/language.am +@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \ + oc.lang \ + pt.lang \ + ro.lang \ +- ru.lang ++ ru.lang +diff --git a/errors/TRANSLATORS b/errors/TRANSLATORS +index e29bf707678..6ee2df637ad 100644 +--- a/errors/TRANSLATORS ++++ b/errors/TRANSLATORS +@@ -21,6 +21,7 @@ and ideas to make Squid available as multi-langual software. + George Machitidze + Henrik Nordström + Ivan Masár ++ Javier Pacheco + John 'Profic' Ustiuzhanin + Leandro Cesar Nardini Frasson + liuyongbing +diff --git a/errors/aliases b/errors/aliases +index 36f17f4b80f..cf0116f297d 100644 +--- a/errors/aliases ++++ b/errors/aliases +@@ -14,7 +14,8 @@ da da-dk + de de-at de-ch de-de de-li de-lu + el el-gr + en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw +-es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl ++es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq ++es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv + et et-ee + fa fa-fa fa-ir + fi fi-fi +diff --git a/errors/language.am b/errors/language.am +index 12b1b2b3b43..029e8c1eb2f 100644 +--- a/errors/language.am ++++ b/errors/language.am +@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \ + de.lang \ + el.lang \ + en.lang \ ++ es-mx.lang \ + es.lang \ + et.lang \ + fa.lang \ +@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \ + uz.lang \ + vi.lang \ + zh-hans.lang \ +- zh-hant.lang ++ zh-hant.lang +diff --git a/errors/template.am b/errors/template.am +index 6c12781e6f4..715c65aa22b 100644 +--- a/errors/template.am ++++ b/errors/template.am +@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \ + templates/ERR_UNSUP_REQ \ + templates/ERR_URN_RESOLVE \ + templates/ERR_WRITE_ERROR \ +- templates/ERR_ZERO_SIZE_OBJECT ++ templates/ERR_ZERO_SIZE_OBJECT diff --git a/squid.spec b/squid.spec index 7747c55..261681b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -33,6 +33,9 @@ Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch Patch205: squid-5.0.5-build-errors.patch +# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 +# workaround for #1934919 +Patch206: squid-5.0.5-symlink-lang-err.patch # cache_swap.sh Requires: bash gawk @@ -103,6 +106,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -b .build-errors +%patch206 -p1 -R -b .symlink-lang-err # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -287,14 +291,17 @@ done exit 0 %pretrans -p +-- temporarilly commented until https://bugzilla.redhat.com/show_bug.cgi?id=1936422 is resolved +-- -- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5 -- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ -- Define the path to the symlink being replaced below. -path = "/usr/share/squid/errors/es-mx" -st = posix.stat(path) -if st and st.type == "link" then - os.remove(path) -end +-- +-- path = "/usr/share/squid/errors/es-mx" +-- st = posix.stat(path) +-- if st and st.type == "link" then +-- os.remove(path) +-- end -- Due to a bug #447156 paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} @@ -334,6 +341,9 @@ fi %changelog +* Fri Apr 23 2021 Lubos Uhliarik - 7:5.0.5-4 +- Related: #1934919 - squid update attempts fail with file conflicts + * Fri Mar 05 2021 Lubos Uhliarik - 7:5.0.5-3 - Resolves: #1934919 - squid update attempts fail with file conflicts From 7836ba99c11169208960592771012b99c5f67ec0 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Mon, 17 May 2021 16:52:49 +0200 Subject: [PATCH 15/68] new version 5.0.6 --- sources | 4 ++-- squid.spec | 13 +++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/sources b/sources index cf080d9..95161c1 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.0.5.tar.xz) = e0f816296d9d32fc97b98249dde077b321651dac70c212fe8eb9566003ce04f13a83665e387531e06bffbab1ec21277e3e0549a16caee426b6a749e18bf77991 -SHA512 (squid-5.0.5.tar.xz.asc) = ca1b170bef9cca5afe1108e8a439282f3a19bea48d2dba42847acd1cf039d38ccc8c714e27fc9e49fe9e3027963f64e9ab19e6a358e6e038c78f85cc77657a3b +SHA512 (squid-5.0.6.tar.xz) = 97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e +SHA512 (squid-5.0.6.tar.xz.asc) = 5caafb63926356813a0409f3c6a303c70e938f71cdd4cbc8bbbbbbb4a858b1aa91d59edcca4b63e1452ca95c18da46963c43b9e8f63f2e459342e447a02f2107 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 261681b..0d69483 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.0.5 -Release: 4%{?dist} +Version: 5.0.6 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -32,10 +32,9 @@ Patch201: squid-4.0.11-config.patch Patch202: squid-3.1.0.9-location.patch Patch203: squid-3.0.STABLE1-perlpath.patch Patch204: squid-3.5.9-include-guards.patch -Patch205: squid-5.0.5-build-errors.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 -Patch206: squid-5.0.5-symlink-lang-err.patch +Patch205: squid-5.0.5-symlink-lang-err.patch # cache_swap.sh Requires: bash gawk @@ -105,8 +104,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch202 -p1 -b .location %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards -%patch205 -p1 -b .build-errors -%patch206 -p1 -R -b .symlink-lang-err +%patch205 -p1 -R -b .symlink-lang-err # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -341,6 +339,9 @@ fi %changelog +* Mon May 17 2021 Lubos Uhliarik - 7:5.0.6-1 +- new version 5.0.6 + * Fri Apr 23 2021 Lubos Uhliarik - 7:5.0.5-4 - Related: #1934919 - squid update attempts fail with file conflicts From c2c7db535e9b6eead38c019c800a5ea8d06b8f4e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 18:11:38 +0000 Subject: [PATCH 16/68] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 0d69483..85dc517 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.0.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -339,6 +339,9 @@ fi %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 7:5.0.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Mon May 17 2021 Lubos Uhliarik - 7:5.0.6-1 - new version 5.0.6 From f7fef10385c1ddb7e100cb988e428389661d4e00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 5 Aug 2021 17:00:09 +0200 Subject: [PATCH 17/68] new version 5.1 --- sources | 4 ++-- squid.spec | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/sources b/sources index 95161c1..cadf4d7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.0.6.tar.xz) = 97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e -SHA512 (squid-5.0.6.tar.xz.asc) = 5caafb63926356813a0409f3c6a303c70e938f71cdd4cbc8bbbbbbb4a858b1aa91d59edcca4b63e1452ca95c18da46963c43b9e8f63f2e459342e447a02f2107 +SHA512 (squid-5.1.tar.xz) = 55792ab268e360132336f074b1e674a11931bf2f89745775aa047d85bfc4fd7bd9c97e9d1358a46e599def1173fefa4f1886dd3f0ba35e6c80da5241cf5bf581 +SHA512 (squid-5.1.tar.xz.asc) = cb1b7ca9a29ccecc7bdf39433f448a8e6022ae3610110653c16e57c642bd8c415ad4ad78c8d6e09a93ebb4787725b6ea147a865dcb27f840dd7af0af61195f07 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 85dc517..b7b89fa 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.0.6 -Release: 2%{?dist} +Version: 5.1 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -339,6 +339,9 @@ fi %changelog +* Thu Aug 05 2021 Luboš Uhliarik - 7:5.1-1 +- new version 5.1 + * Fri Jul 23 2021 Fedora Release Engineering - 7:5.0.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From 1f442bae8a43380cbb7760764738a75599596711 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:15:33 +0200 Subject: [PATCH 18/68] Rebuilt with OpenSSL 3.0.0 --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index b7b89fa..dec81a3 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -339,6 +339,9 @@ fi %changelog +* Tue Sep 14 2021 Sahana Prasad - 7:5.1-2 +- Rebuilt with OpenSSL 3.0.0 + * Thu Aug 05 2021 Luboš Uhliarik - 7:5.1-1 - new version 5.1 From c5a28774577b32ddc6267f5b1e01c595a3e968d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:08:18 +0200 Subject: [PATCH 19/68] new version 5.2 (#2010109) Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol --- sources | 4 ++-- squid.spec | 17 ++++++++++++----- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/sources b/sources index cadf4d7..0f57160 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.1.tar.xz) = 55792ab268e360132336f074b1e674a11931bf2f89745775aa047d85bfc4fd7bd9c97e9d1358a46e599def1173fefa4f1886dd3f0ba35e6c80da5241cf5bf581 -SHA512 (squid-5.1.tar.xz.asc) = cb1b7ca9a29ccecc7bdf39433f448a8e6022ae3610110653c16e57c642bd8c415ad4ad78c8d6e09a93ebb4787725b6ea147a865dcb27f840dd7af0af61195f07 +SHA512 (squid-5.2.tar.xz) = 0e5d57baf50a9a35ac4b28fee86d736311c7736ee460de8a7e739534aa4b24f8697836797c33da5c4899763672275af03ffabf4f811c7b833ba569e977c1a7e5 +SHA512 (squid-5.2.tar.xz.asc) = 0af0c51186b0533fd2670b62111438ca5d8de33343996fd254129ad1bf96ff8c0f9dfeeaefa1426bcd9802ae0b5503785cdfe7c1dc185224a2234d4fcf8c67b3 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index dec81a3..02c62df 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.1 -Release: 2%{?dist} +Version: 5.2 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -35,6 +35,10 @@ Patch204: squid-3.5.9-include-guards.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch205: squid-5.0.5-symlink-lang-err.patch +# fix openssl3 build failures +Patch206: squid-5.2-openssl3.patch +# fix -lto build failure +Patch207: squid-5.2-test-store-cppsuite.patch # cache_swap.sh Requires: bash gawk @@ -105,15 +109,14 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -R -b .symlink-lang-err +%patch206 -p1 -b .openssl3 +%patch207 -p1 -b .flto # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in %build -# This package fails its testsuite when LTO is enabled. This needs further -# investigation -%define _lto_cflags %{nil} # NIS helper has been removed because of the following bug # https://bugzilla.redhat.com/show_bug.cgi?id=1531540 @@ -339,6 +342,10 @@ fi %changelog +* Tue Oct 05 2021 Luboš Uhliarik - 7:5.2-1 +- new version 5.2 (#2010109) +- Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol + * Tue Sep 14 2021 Sahana Prasad - 7:5.1-2 - Rebuilt with OpenSSL 3.0.0 From ed2947e56b61a1b40f01474d534664fb0be25dc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:20:38 +0200 Subject: [PATCH 20/68] Add missing patch file fixing openssl3 build. --- squid-5.2-openssl3.patch | 185 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 squid-5.2-openssl3.patch diff --git a/squid-5.2-openssl3.patch b/squid-5.2-openssl3.patch new file mode 100644 index 0000000..32ff6ee --- /dev/null +++ b/squid-5.2-openssl3.patch @@ -0,0 +1,185 @@ +diff --git a/src/ssl/support.cc b/src/ssl/support.cc +index 3ad135d..73912ce 100644 +--- a/src/ssl/support.cc ++++ b/src/ssl/support.cc +@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) + } + + // "dup" function for SSL_get_ex_new_index("cert_err_check") +-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP ++#if OPENSSL_VERSION_MAJOR >= 3 ++static int ++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, ++ int, long, void *) ++#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP + static int + ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, + int, long, void *) +diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc +index cf1d4ba..4346ba5 100644 +--- a/src/security/PeerOptions.cc ++++ b/src/security/PeerOptions.cc +@@ -297,130 +297,130 @@ static struct ssl_option { + + } ssl_options[] = { + +-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ++#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + { + "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ++#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + { + "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + }, + #endif +-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ++#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + { + "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + }, + #endif +-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG ++#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + { + "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG + }, + #endif +-#if SSL_OP_TLS_D5_BUG ++#ifdef SSL_OP_TLS_D5_BUG + { + "TLS_D5_BUG", SSL_OP_TLS_D5_BUG + }, + #endif +-#if SSL_OP_TLS_BLOCK_PADDING_BUG ++#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + { + "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG + }, + #endif +-#if SSL_OP_TLS_ROLLBACK_BUG ++#ifdef SSL_OP_TLS_ROLLBACK_BUG + { + "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG + }, + #endif +-#if SSL_OP_ALL ++#ifdef SSL_OP_ALL + { + "ALL", (long)SSL_OP_ALL + }, + #endif +-#if SSL_OP_SINGLE_DH_USE ++#ifdef SSL_OP_SINGLE_DH_USE + { + "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE + }, + #endif +-#if SSL_OP_EPHEMERAL_RSA ++#ifdef SSL_OP_EPHEMERAL_RSA + { + "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA + }, + #endif +-#if SSL_OP_PKCS1_CHECK_1 ++#ifdef SSL_OP_PKCS1_CHECK_1 + { + "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 + }, + #endif +-#if SSL_OP_PKCS1_CHECK_2 ++#ifdef SSL_OP_PKCS1_CHECK_2 + { + "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 + }, + #endif +-#if SSL_OP_NETSCAPE_CA_DN_BUG ++#ifdef SSL_OP_NETSCAPE_CA_DN_BUG + { + "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG + }, + #endif +-#if SSL_OP_NON_EXPORT_FIRST ++#ifdef SSL_OP_NON_EXPORT_FIRST + { + "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST + }, + #endif +-#if SSL_OP_CIPHER_SERVER_PREFERENCE ++#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + { + "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE + }, + #endif +-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ++#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + { + "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_NO_SSLv3 ++#ifdef SSL_OP_NO_SSLv3 + { + "NO_SSLv3", SSL_OP_NO_SSLv3 + }, + #endif +-#if SSL_OP_NO_TLSv1 ++#ifdef SSL_OP_NO_TLSv1 + { + "NO_TLSv1", SSL_OP_NO_TLSv1 + }, + #else + { "NO_TLSv1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_1 ++#ifdef SSL_OP_NO_TLSv1_1 + { + "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 + }, + #else + { "NO_TLSv1_1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_2 ++#ifdef SSL_OP_NO_TLSv1_2 + { + "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 + }, + #else + { "NO_TLSv1_2", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_3 ++#ifdef SSL_OP_NO_TLSv1_3 + { + "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 + }, + #else + { "NO_TLSv1_3", 0 }, + #endif +-#if SSL_OP_NO_COMPRESSION ++#ifdef SSL_OP_NO_COMPRESSION + { + "No_Compression", SSL_OP_NO_COMPRESSION + }, + #endif +-#if SSL_OP_NO_TICKET ++#ifdef SSL_OP_NO_TICKET + { + "NO_TICKET", SSL_OP_NO_TICKET + }, + #endif +-#if SSL_OP_SINGLE_ECDH_USE ++#ifdef SSL_OP_SINGLE_ECDH_USE + { + "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE + }, +@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() + + } + +-#if SSL_OP_NO_SSLv2 ++#ifdef SSL_OP_NO_SSLv2 + // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 + op = op | SSL_OP_NO_SSLv2; + #endif From d1a0600227fdb02763656a5b93b6875ac30cc8b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:28:35 +0200 Subject: [PATCH 21/68] CI: Add gating.yaml file --- gating.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 gating.yaml diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..0c1cc35 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,7 @@ +--- !Policy +product_versions: + - fedora-* +decision_contexts: [bodhi_update_push_stable] +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} From 16f685d837dd97bca2dbc0295eaa400fec9c110c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Oct 2021 13:44:36 +0200 Subject: [PATCH 22/68] Add another missing patch... --- squid-5.2-test-store-cppsuite.patch | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 squid-5.2-test-store-cppsuite.patch diff --git a/squid-5.2-test-store-cppsuite.patch b/squid-5.2-test-store-cppsuite.patch new file mode 100644 index 0000000..d7c52be --- /dev/null +++ b/squid-5.2-test-store-cppsuite.patch @@ -0,0 +1,24 @@ +diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc +index 0564380..fcd60b9 100644 +--- a/src/tests/testStoreHashIndex.cc ++++ b/src/tests/testStoreHashIndex.cc +@@ -102,6 +102,8 @@ void commonInit() + if (inited) + return; + ++ inited = true; ++ + Mem::Init(); + + Config.Store.avgObjectSize = 1024; +@@ -109,6 +111,10 @@ void commonInit() + Config.Store.objectsPerBucket = 20; + + Config.Store.maxObjectSize = 2048; ++ ++ Config.memShared.defaultTo(false); ++ ++ Config.store_dir_select_algorithm = xstrdup("round-robin"); + } + + /* TODO make this a cbdata class */ From b6515114b288c559b053a7c52552a027be1a92c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Branislav=20N=C3=A1ter?= Date: Wed, 10 Nov 2021 14:18:37 +0100 Subject: [PATCH 23/68] Adding 'testing' decision context --- gating.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/gating.yaml b/gating.yaml index 0c1cc35..d2f0c2e 100644 --- a/gating.yaml +++ b/gating.yaml @@ -1,4 +1,13 @@ --- !Policy +product_versions: + - fedora-* +decision_contexts: [bodhi_update_push_testing] +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + +#gating rawhide +--- !Policy product_versions: - fedora-* decision_contexts: [bodhi_update_push_stable] From 7628dce7d8930e752d6288c15811e6d340f30911 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jan 2022 01:34:00 +0000 Subject: [PATCH 24/68] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 02c62df..f3a41f0 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -342,6 +342,9 @@ fi %changelog +* Sat Jan 22 2022 Fedora Release Engineering - 7:5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Tue Oct 05 2021 Luboš Uhliarik - 7:5.2-1 - new version 5.2 (#2010109) - Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol From 1cd94f5079ab808de5003d36ecf0fc46b7aacc0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 9 Feb 2022 03:10:23 +0100 Subject: [PATCH 25/68] new version 5.4 --- sources | 4 ++-- squid-3.0.STABLE1-perlpath.patch | 2 +- squid-5.0.5-symlink-lang-err.patch | 12 ------------ squid.spec | 7 +++++-- 4 files changed, 8 insertions(+), 17 deletions(-) diff --git a/sources b/sources index 0f57160..273cc3a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.2.tar.xz) = 0e5d57baf50a9a35ac4b28fee86d736311c7736ee460de8a7e739534aa4b24f8697836797c33da5c4899763672275af03ffabf4f811c7b833ba569e977c1a7e5 -SHA512 (squid-5.2.tar.xz.asc) = 0af0c51186b0533fd2670b62111438ca5d8de33343996fd254129ad1bf96ff8c0f9dfeeaefa1426bcd9802ae0b5503785cdfe7c1dc185224a2234d4fcf8c67b3 +SHA512 (squid-5.4.tar.xz) = db0a4de8cd21199c12fad95c53b622f1334994f831f950a7f8d7383d1ea3c931545912faa03ca955bb736eebb89493c0b195f0aede1fecc54f28f6dfc11fe8af +SHA512 (squid-5.4.tar.xz.asc) = bc3a6eee5e7b11b619f1181458908fe728cf9a5a12f045238098b360c577ac70f914cefff6db3a8f1b28dea65b1fa70c0f6f122c0e12ada01630a1970f8f34c4 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index 9cb5e81..d927e43 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch @@ -6,5 +6,5 @@ index 4cb0480..4b89910 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors # * diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch index 29b5e2c..45d6fe9 100644 --- a/squid-5.0.5-symlink-lang-err.patch +++ b/squid-5.0.5-symlink-lang-err.patch @@ -24,18 +24,6 @@ index 7670c88380c..f03c4cf71b4 100644 ro.lang \ - ru.lang + ru.lang -diff --git a/errors/TRANSLATORS b/errors/TRANSLATORS -index e29bf707678..6ee2df637ad 100644 ---- a/errors/TRANSLATORS -+++ b/errors/TRANSLATORS -@@ -21,6 +21,7 @@ and ideas to make Squid available as multi-langual software. - George Machitidze - Henrik Nordström - Ivan Masár -+ Javier Pacheco - John 'Profic' Ustiuzhanin - Leandro Cesar Nardini Frasson - liuyongbing diff --git a/errors/aliases b/errors/aliases index 36f17f4b80f..cf0116f297d 100644 --- a/errors/aliases diff --git a/squid.spec b/squid.spec index f3a41f0..f838ba8 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.2 -Release: 2%{?dist} +Version: 5.4 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -342,6 +342,9 @@ fi %changelog +* Wed Feb 09 2022 Luboš Uhliarik - 7:5.4-1 +- new version 5.4 + * Sat Jan 22 2022 Fedora Release Engineering - 7:5.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 87b80ce965f88776e4dfde892c8f84661a02ad5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 20 Apr 2022 09:34:04 +0200 Subject: [PATCH 26/68] new version 5.5 Resolves: #2053799 - squid-5.5 is available --- sources | 4 ++-- squid.spec | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 273cc3a..994fe87 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.4.tar.xz) = db0a4de8cd21199c12fad95c53b622f1334994f831f950a7f8d7383d1ea3c931545912faa03ca955bb736eebb89493c0b195f0aede1fecc54f28f6dfc11fe8af -SHA512 (squid-5.4.tar.xz.asc) = bc3a6eee5e7b11b619f1181458908fe728cf9a5a12f045238098b360c577ac70f914cefff6db3a8f1b28dea65b1fa70c0f6f122c0e12ada01630a1970f8f34c4 +SHA512 (squid-5.5.tar.xz) = f506f8cc01d59e36432d08eebd68332ef002c931425d6f95bbae7ed35281bbca453db85aba3d765913ce5d38160c48a328c322b31a1bcdcfc7f0a821d420d2c0 +SHA512 (squid-5.5.tar.xz.asc) = 57d5d5b6f714fc26e427a3756756296ecba3e61a48b4dcbfff2da2330f036f3c6c1bc7f05acf59fc33c855972e57bc0a4d8fb2c3bdd82fb1487eb5a6d4518a8f SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index f838ba8..c71c6c6 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.4 +Version: 5.5 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -342,6 +342,10 @@ fi %changelog +* Wed Apr 20 2022 Luboš Uhliarik - 7:5.5-1 +- new version 5.5 +- Resolves: #2053799 - squid-5.5 is available + * Wed Feb 09 2022 Luboš Uhliarik - 7:5.4-1 - new version 5.4 From 0f548f718dcb3fb5db886164010b07fc0c37b2b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 27 Jun 2022 14:15:40 +0200 Subject: [PATCH 27/68] new version 5.6 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 994fe87..523d744 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.5.tar.xz) = f506f8cc01d59e36432d08eebd68332ef002c931425d6f95bbae7ed35281bbca453db85aba3d765913ce5d38160c48a328c322b31a1bcdcfc7f0a821d420d2c0 -SHA512 (squid-5.5.tar.xz.asc) = 57d5d5b6f714fc26e427a3756756296ecba3e61a48b4dcbfff2da2330f036f3c6c1bc7f05acf59fc33c855972e57bc0a4d8fb2c3bdd82fb1487eb5a6d4518a8f +SHA512 (squid-5.6.tar.xz) = 940a4d21ea8e3384642951d80c501a192178d1220f06a59a7bc54ce86d49caea0a86b6e789e28bcb7125ffa2a564ca1aca886a96cccf6356314121a81f38221a +SHA512 (squid-5.6.tar.xz.asc) = dcb3c33c098200a5bb289fcefe0cb8d69c8d65c99dfc536c0b9d1b2ef51427e5e05e987b3e31eab33b2c1e48885d5cfa2ec33a50cf6b3685306fd16a35a4d0bf SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index c71c6c6..efddac7 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.5 +Version: 5.6 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -342,6 +342,9 @@ fi %changelog +* Mon Jun 27 2022 Luboš Uhliarik - 7:5.6-1 +- new version 5.6 + * Wed Apr 20 2022 Luboš Uhliarik - 7:5.5-1 - new version 5.5 - Resolves: #2053799 - squid-5.5 is available From 429921391fa5689f85412949f71eaa205ad55290 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 23 Jul 2022 09:19:10 +0000 Subject: [PATCH 28/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index efddac7..449f18b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -342,6 +342,9 @@ fi %changelog +* Sat Jul 23 2022 Fedora Release Engineering - 7:5.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Mon Jun 27 2022 Luboš Uhliarik - 7:5.6-1 - new version 5.6 From b6675637de95c4685a687111375aa85c7b937cf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 6 Sep 2022 09:17:41 +0200 Subject: [PATCH 29/68] - new version 5.7 - remove openssl3 patch - already in upstream - remove -lfto patch which is also alrady in upstream --- sources | 4 +- squid-5.2-openssl3.patch | 185 ---------------------------- squid-5.2-test-store-cppsuite.patch | 24 ---- squid.spec | 13 +- 4 files changed, 7 insertions(+), 219 deletions(-) delete mode 100644 squid-5.2-openssl3.patch delete mode 100644 squid-5.2-test-store-cppsuite.patch diff --git a/sources b/sources index 523d744..5bea984 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.6.tar.xz) = 940a4d21ea8e3384642951d80c501a192178d1220f06a59a7bc54ce86d49caea0a86b6e789e28bcb7125ffa2a564ca1aca886a96cccf6356314121a81f38221a -SHA512 (squid-5.6.tar.xz.asc) = dcb3c33c098200a5bb289fcefe0cb8d69c8d65c99dfc536c0b9d1b2ef51427e5e05e987b3e31eab33b2c1e48885d5cfa2ec33a50cf6b3685306fd16a35a4d0bf +SHA512 (squid-5.7.tar.xz) = 624a39041a6ceda6c470dc0937616f1aa67200f3db02b4d74095d8d706ed31d6df5e0417dcacde45f6be40b617bee018849793d52c96a626aab32a2b182972aa +SHA512 (squid-5.7.tar.xz.asc) = e8578d3dc0ecff0cb4a0d53375564f782b51c218276413a1b3b924396846a2cbca1f3ff8d53b247d210e4f63e553d89795a5b8b6972b7712d87c33b556076238 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-5.2-openssl3.patch b/squid-5.2-openssl3.patch deleted file mode 100644 index 32ff6ee..0000000 --- a/squid-5.2-openssl3.patch +++ /dev/null @@ -1,185 +0,0 @@ -diff --git a/src/ssl/support.cc b/src/ssl/support.cc -index 3ad135d..73912ce 100644 ---- a/src/ssl/support.cc -+++ b/src/ssl/support.cc -@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) - } - - // "dup" function for SSL_get_ex_new_index("cert_err_check") --#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP -+#if OPENSSL_VERSION_MAJOR >= 3 -+static int -+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, -+ int, long, void *) -+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP - static int - ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, - int, long, void *) -diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc -index cf1d4ba..4346ba5 100644 ---- a/src/security/PeerOptions.cc -+++ b/src/security/PeerOptions.cc -@@ -297,130 +297,130 @@ static struct ssl_option { - - } ssl_options[] = { - --#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - { - "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - }, - #endif --#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG -+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - { - "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - }, - #endif --#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER -+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - { - "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - }, - #endif --#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG -+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - { - "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG - }, - #endif --#if SSL_OP_TLS_D5_BUG -+#ifdef SSL_OP_TLS_D5_BUG - { - "TLS_D5_BUG", SSL_OP_TLS_D5_BUG - }, - #endif --#if SSL_OP_TLS_BLOCK_PADDING_BUG -+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - { - "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG - }, - #endif --#if SSL_OP_TLS_ROLLBACK_BUG -+#ifdef SSL_OP_TLS_ROLLBACK_BUG - { - "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG - }, - #endif --#if SSL_OP_ALL -+#ifdef SSL_OP_ALL - { - "ALL", (long)SSL_OP_ALL - }, - #endif --#if SSL_OP_SINGLE_DH_USE -+#ifdef SSL_OP_SINGLE_DH_USE - { - "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE - }, - #endif --#if SSL_OP_EPHEMERAL_RSA -+#ifdef SSL_OP_EPHEMERAL_RSA - { - "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA - }, - #endif --#if SSL_OP_PKCS1_CHECK_1 -+#ifdef SSL_OP_PKCS1_CHECK_1 - { - "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 - }, - #endif --#if SSL_OP_PKCS1_CHECK_2 -+#ifdef SSL_OP_PKCS1_CHECK_2 - { - "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 - }, - #endif --#if SSL_OP_NETSCAPE_CA_DN_BUG -+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG - { - "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG - }, - #endif --#if SSL_OP_NON_EXPORT_FIRST -+#ifdef SSL_OP_NON_EXPORT_FIRST - { - "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST - }, - #endif --#if SSL_OP_CIPHER_SERVER_PREFERENCE -+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - { - "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE - }, - #endif --#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG -+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG - { - "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG - }, - #endif --#if SSL_OP_NO_SSLv3 -+#ifdef SSL_OP_NO_SSLv3 - { - "NO_SSLv3", SSL_OP_NO_SSLv3 - }, - #endif --#if SSL_OP_NO_TLSv1 -+#ifdef SSL_OP_NO_TLSv1 - { - "NO_TLSv1", SSL_OP_NO_TLSv1 - }, - #else - { "NO_TLSv1", 0 }, - #endif --#if SSL_OP_NO_TLSv1_1 -+#ifdef SSL_OP_NO_TLSv1_1 - { - "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 - }, - #else - { "NO_TLSv1_1", 0 }, - #endif --#if SSL_OP_NO_TLSv1_2 -+#ifdef SSL_OP_NO_TLSv1_2 - { - "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 - }, - #else - { "NO_TLSv1_2", 0 }, - #endif --#if SSL_OP_NO_TLSv1_3 -+#ifdef SSL_OP_NO_TLSv1_3 - { - "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 - }, - #else - { "NO_TLSv1_3", 0 }, - #endif --#if SSL_OP_NO_COMPRESSION -+#ifdef SSL_OP_NO_COMPRESSION - { - "No_Compression", SSL_OP_NO_COMPRESSION - }, - #endif --#if SSL_OP_NO_TICKET -+#ifdef SSL_OP_NO_TICKET - { - "NO_TICKET", SSL_OP_NO_TICKET - }, - #endif --#if SSL_OP_SINGLE_ECDH_USE -+#ifdef SSL_OP_SINGLE_ECDH_USE - { - "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE - }, -@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() - - } - --#if SSL_OP_NO_SSLv2 -+#ifdef SSL_OP_NO_SSLv2 - // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 - op = op | SSL_OP_NO_SSLv2; - #endif diff --git a/squid-5.2-test-store-cppsuite.patch b/squid-5.2-test-store-cppsuite.patch deleted file mode 100644 index d7c52be..0000000 --- a/squid-5.2-test-store-cppsuite.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc -index 0564380..fcd60b9 100644 ---- a/src/tests/testStoreHashIndex.cc -+++ b/src/tests/testStoreHashIndex.cc -@@ -102,6 +102,8 @@ void commonInit() - if (inited) - return; - -+ inited = true; -+ - Mem::Init(); - - Config.Store.avgObjectSize = 1024; -@@ -109,6 +111,10 @@ void commonInit() - Config.Store.objectsPerBucket = 20; - - Config.Store.maxObjectSize = 2048; -+ -+ Config.memShared.defaultTo(false); -+ -+ Config.store_dir_select_algorithm = xstrdup("round-robin"); - } - - /* TODO make this a cbdata class */ diff --git a/squid.spec b/squid.spec index 449f18b..40a161f 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.6 -Release: 2%{?dist} +Version: 5.7 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -35,10 +35,6 @@ Patch204: squid-3.5.9-include-guards.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch205: squid-5.0.5-symlink-lang-err.patch -# fix openssl3 build failures -Patch206: squid-5.2-openssl3.patch -# fix -lto build failure -Patch207: squid-5.2-test-store-cppsuite.patch # cache_swap.sh Requires: bash gawk @@ -109,8 +105,6 @@ lookup program (dnsserver), a program for retrieving FTP data %patch203 -p1 -b .perlpath %patch204 -p0 -b .include-guards %patch205 -p1 -R -b .symlink-lang-err -%patch206 -p1 -b .openssl3 -%patch207 -p1 -b .flto # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -342,6 +336,9 @@ fi %changelog +* Tue Sep 06 2022 Luboš Uhliarik - 7:5.7-1 +- new version 5.7 + * Sat Jul 23 2022 Fedora Release Engineering - 7:5.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 1e6d0f7e8cb8ddfe44e177bd22bd2b0d23abf10e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 12 Oct 2022 13:46:39 +0200 Subject: [PATCH 30/68] Provide a sysusers.d file to get user() and group() provides (#2134071) --- squid.spec | 26 +++++++++++++------------- squid.sysusers | 2 ++ 2 files changed, 15 insertions(+), 13 deletions(-) create mode 100644 squid.sysusers diff --git a/squid.spec b/squid.spec index 40a161f..c660e3e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -18,6 +18,7 @@ Source5: squid.pam Source6: squid.nm Source7: squid.service Source8: cache_swap.sh +Source9: squid.sysusers Source98: perl-requires-squid.sh @@ -41,9 +42,10 @@ Requires: bash gawk # for httpd conf file - cachemgr script alias Requires: httpd-filesystem Requires(pre): shadow-utils -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd + +%systemd_requires +%{?sysusers_requires_compat} + # squid_ldap_auth and other LDAP helpers require OpenLDAP BuildRequires: make BuildRequires: openldap-devel @@ -224,6 +226,8 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented # remove unpackaged files from the buildroot rm -f $RPM_BUILD_ROOT/squid.httpd.tmp +# sysusers.d +install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %files %license COPYING @@ -265,15 +269,10 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_tmpfilesdir}/squid.conf +%{_sysusersdir}/squid.conf %pre -if ! getent group squid >/dev/null 2>&1; then - /usr/sbin/groupadd -g 23 squid -fi - -if ! getent passwd squid >/dev/null 2>&1 ; then - /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 -fi +%sysusers_create_compat %{SOURCE9} for i in /var/log/squid /var/spool/squid ; do if [ -d $i ] ; then @@ -316,8 +315,6 @@ do end end - - %post %systemd_post squid.service @@ -336,6 +333,9 @@ fi %changelog +* Wed Oct 12 2022 Luboš Uhliarik - 7:5.7-2 +- Provide a sysusers.d file to get user() and group() provides (#2134071) + * Tue Sep 06 2022 Luboš Uhliarik - 7:5.7-1 - new version 5.7 diff --git a/squid.sysusers b/squid.sysusers new file mode 100644 index 0000000..f9cc56b --- /dev/null +++ b/squid.sysusers @@ -0,0 +1,2 @@ +g squid 23 - +u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin From 3d9c5a32eb74cbf49edacb29be7b8c9ed77b1641 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 12 Oct 2022 14:55:57 +0200 Subject: [PATCH 31/68] Fix spec file & build --- squid.spec | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/squid.spec b/squid.spec index c660e3e..2cf01e6 100644 --- a/squid.spec +++ b/squid.spec @@ -41,10 +41,6 @@ Patch205: squid-5.0.5-symlink-lang-err.patch Requires: bash gawk # for httpd conf file - cachemgr script alias Requires: httpd-filesystem -Requires(pre): shadow-utils - -%systemd_requires -%{?sysusers_requires_compat} # squid_ldap_auth and other LDAP helpers require OpenLDAP BuildRequires: make @@ -77,6 +73,8 @@ BuildRequires: systemd-rpm-macros # systemd notify BuildRequires: systemd-devel +%{?systemd_requires} +%{?sysusers_requires_compat} # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From d298212c7742da5c42bb97431d940eec9d50efc4 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 5 Dec 2022 15:07:20 +0100 Subject: [PATCH 32/68] Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections --- squid-5.7-ip-bind-address-no-port.patch | 156 ++++++++++++++++++++++++ squid.spec | 7 +- 2 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 squid-5.7-ip-bind-address-no-port.patch diff --git a/squid-5.7-ip-bind-address-no-port.patch b/squid-5.7-ip-bind-address-no-port.patch new file mode 100644 index 0000000..55d9597 --- /dev/null +++ b/squid-5.7-ip-bind-address-no-port.patch @@ -0,0 +1,156 @@ +commit c54122584d175cf1d292b239a5b70f2d1aa77c3a +Author: Tomas Korbar +Date: Mon Dec 5 15:03:07 2022 +0100 + + Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections + +diff --git a/src/comm.cc b/src/comm.cc +index b4818f3..b18d175 100644 +--- a/src/comm.cc ++++ b/src/comm.cc +@@ -59,6 +59,7 @@ + */ + + static IOCB commHalfClosedReader; ++static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note); + static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI); + static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI); + +@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck; + static void commPlanHalfClosedCheck(); + + static Comm::Flag commBind(int s, struct addrinfo &); ++static void commSetBindAddressNoPort(int); + static void commSetReuseAddr(int); + static void commSetNoLinger(int); + #ifdef TCP_NODELAY +@@ -202,6 +204,22 @@ comm_local_port(int fd) + return F->local_addr.port(); + } + ++/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port ++/// reuse by outgoing TCP connections that must bind(2) to a source IP address ++static void ++commSetBindAddressNoPort(const int fd) ++{ ++#if defined(IP_BIND_ADDRESS_NO_PORT) ++ int flag = 1; ++ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast(&flag), sizeof(flag)) < 0) { ++ const auto savedErrno = errno; ++ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno)); ++ } ++#else ++ (void)fd; ++#endif ++} ++ + static Comm::Flag + commBind(int s, struct addrinfo &inaddr) + { +@@ -228,6 +246,10 @@ comm_open(int sock_type, + int flags, + const char *note) + { ++ // assume zero-port callers do not need to know the assigned port right away ++ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr())) ++ flags |= COMM_DOBIND_PORT_LATER; ++ + return comm_openex(sock_type, proto, addr, flags, note); + } + +@@ -329,7 +351,7 @@ comm_set_transparent(int fd) + * Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE + * is OR of flags specified in defines.h:COMM_* + */ +-int ++static int + comm_openex(int sock_type, + int proto, + Ip::Address &addr, +@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket, + } + } + #endif ++ if ((flags & COMM_DOBIND_PORT_LATER)) ++ commSetBindAddressNoPort(new_socket); ++ + if (commBind(new_socket, *AI) != Comm::OK) { + comm_close(new_socket); + return -1; +diff --git a/src/comm.h b/src/comm.h +index 5a1a7c2..a9f33db 100644 +--- a/src/comm.h ++++ b/src/comm.h +@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc + + /** + * Open a port specially bound for listening or sending through a specific port. +- * This is a wrapper providing IPv4/IPv6 failover around comm_openex(). + * Please use for all listening sockets and bind() outbound sockets. + * + * It will open a socket bound for: +@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc + int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note); + void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note); + +-int comm_openex(int, int, Ip::Address &, int, const char *); + unsigned short comm_local_port(int fd); + + int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen); +diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc +index 19c1237..79fa2ed 100644 +--- a/src/comm/ConnOpener.cc ++++ b/src/comm/ConnOpener.cc +@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd() + if (callback_ == NULL || callback_->canceled()) + return false; + +- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); ++ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); + if (temporaryFd_ < 0) { + sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd"); + return false; +diff --git a/src/comm/Connection.h b/src/comm/Connection.h +index 40c2249..2641f4e 100644 +--- a/src/comm/Connection.h ++++ b/src/comm/Connection.h +@@ -52,6 +52,8 @@ namespace Comm + #define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT + /// not registered with Comm and not owned by any connection-closing code + #define COMM_ORPHANED 0x40 ++/// Internal Comm optimization: Keep the source port unassigned until connect(2) ++#define COMM_DOBIND_PORT_LATER 0x100 + + /** + * Store data about the physical and logical attributes of a connection. +diff --git a/src/ipc.cc b/src/ipc.cc +index 45cab52..42e11e6 100644 +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name + } else void(0) + + if (type == IPC_TCP_SOCKET) { +- crfd = cwfd = comm_open(SOCK_STREAM, ++ crfd = cwfd = comm_open_listener(SOCK_STREAM, + 0, + local_addr, + COMM_NOCLOEXEC, + name); +- prfd = pwfd = comm_open(SOCK_STREAM, ++ prfd = pwfd = comm_open_listener(SOCK_STREAM, + 0, /* protocol */ + local_addr, + 0, /* blocking */ +diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc +index a1d33d6..bf4bea6 100644 +--- a/src/tests/stub_comm.cc ++++ b/src/tests/stub_comm.cc +@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags) + void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB + int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1) + void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB +-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1) + unsigned short comm_local_port(int fd) STUB_RETVAL(0) + int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1) + void commCallCloseHandlers(int fd) STUB diff --git a/squid.spec b/squid.spec index 2cf01e6..68cb116 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -25,6 +25,7 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches +Patch101: squid-5.7-ip-bind-address-no-port.patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -98,6 +99,7 @@ lookup program (dnsserver), a program for retrieving FTP data # Upstream patches # Backported patches +%patch101 -p1 -b .ip-bind-address-no-port # Local patches %patch201 -p1 -b .config @@ -331,6 +333,9 @@ fi %changelog +* Mon Dec 05 2022 Tomas Korbar - 7:5.7-3 +- Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections + * Wed Oct 12 2022 Luboš Uhliarik - 7:5.7-2 - Provide a sysusers.d file to get user() and group() provides (#2134071) From e59f77ea78ea664f764e448f14b157f717b207f3 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 21 Jan 2023 03:57:27 +0000 Subject: [PATCH 33/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 68cb116..aeb4b7e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.7 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -333,6 +333,9 @@ fi %changelog +* Sat Jan 21 2023 Fedora Release Engineering - 7:5.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Mon Dec 05 2022 Tomas Korbar - 7:5.7-3 - Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections From c4d9b668ca2a9caf3f357c3f7afd66af5061262c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 28 Feb 2023 18:28:13 +0100 Subject: [PATCH 34/68] new version 5.8 --- sources | 4 ++-- squid-3.0.STABLE1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 5bea984..01b250d 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.7.tar.xz) = 624a39041a6ceda6c470dc0937616f1aa67200f3db02b4d74095d8d706ed31d6df5e0417dcacde45f6be40b617bee018849793d52c96a626aab32a2b182972aa -SHA512 (squid-5.7.tar.xz.asc) = e8578d3dc0ecff0cb4a0d53375564f782b51c218276413a1b3b924396846a2cbca1f3ff8d53b247d210e4f63e553d89795a5b8b6972b7712d87c33b556076238 +SHA512 (squid-5.8.tar.xz) = 81a9a7d1dfcb58476369e08e99feb76411dd3242a3374feb175408fa0dc8161545a9a903603219c6fa2bcfb615461901e093428e97ac74cf4c596a7065d3247d +SHA512 (squid-5.8.tar.xz.asc) = d1cbadb6c0abb4bea7261818e5ed6558d2ea6a51f6249e222647fb68138b84730e10676bca8a75c8162f73fe8b6133b91df0182e682f04a32ffa98020eaeaba6 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index d927e43..5ab22a0 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch @@ -6,5 +6,5 @@ index 4cb0480..4b89910 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index aeb4b7e..53c3bcc 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.7 -Release: 4%{?dist} +Version: 5.8 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -333,6 +333,9 @@ fi %changelog +* Tue Feb 28 2023 Luboš Uhliarik - 7:5.8-1 +- new version 5.8 + * Sat Jan 21 2023 Fedora Release Engineering - 7:5.7-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From e8590f9b27a483a79b621507bf44d6e3610279c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 9 May 2023 11:48:39 +0200 Subject: [PATCH 35/68] new version 5.9 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 01b250d..65abcc4 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-5.8.tar.xz) = 81a9a7d1dfcb58476369e08e99feb76411dd3242a3374feb175408fa0dc8161545a9a903603219c6fa2bcfb615461901e093428e97ac74cf4c596a7065d3247d -SHA512 (squid-5.8.tar.xz.asc) = d1cbadb6c0abb4bea7261818e5ed6558d2ea6a51f6249e222647fb68138b84730e10676bca8a75c8162f73fe8b6133b91df0182e682f04a32ffa98020eaeaba6 +SHA512 (squid-5.9.tar.xz) = 7dc366ef6b2a397ca6adec993c05876949de5f5e72a8a4409c9c9c52c42a8a4b37f58e85a171eebd36a166951f6c764176cfebec30019b299abe34a5adc4e5ac +SHA512 (squid-5.9.tar.xz.asc) = e2852d45645effc1a94f3ff13471a6dfc0721b42c9c162c06d7ac8613a46e4e3e580ec2dd8371b93ef68d2d197008398926003c35c4e8468cae2871d740491a0 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 53c3bcc..7db39f3 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.8 +Version: 5.9 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -333,6 +333,9 @@ fi %changelog +* Tue May 09 2023 Luboš Uhliarik - 7:5.9-1 +- new version 5.9 + * Tue Feb 28 2023 Luboš Uhliarik - 7:5.8-1 - new version 5.8 From d682c6288b2fa2b6dedab71063bae911f42bd853 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 11 Jul 2023 20:23:30 +0200 Subject: [PATCH 36/68] new version 6.1 --- .gitignore | 2 +- sources | 5 +- squid-3.5.9-include-guards.patch | 95 ----------- squid-5.0.5-build-errors.patch | 116 ------------- squid-5.0.5-symlink-lang-err.patch | 68 -------- squid-5.7-ip-bind-address-no-port.patch | 156 ------------------ ....11-config.patch => squid-6.1-config.patch | 11 +- ...location.patch => squid-6.1-location.patch | 0 ...perlpath.patch => squid-6.1-perlpath.patch | 2 +- squid-6.1-symlink-lang-err.patch | 26 +++ squid.spec | 34 ++-- 11 files changed, 55 insertions(+), 460 deletions(-) delete mode 100644 squid-3.5.9-include-guards.patch delete mode 100644 squid-5.0.5-build-errors.patch delete mode 100644 squid-5.0.5-symlink-lang-err.patch delete mode 100644 squid-5.7-ip-bind-address-no-port.patch rename squid-4.0.11-config.patch => squid-6.1-config.patch (61%) rename squid-3.1.0.9-location.patch => squid-6.1-location.patch (100%) rename squid-3.0.STABLE1-perlpath.patch => squid-6.1-perlpath.patch (90%) create mode 100644 squid-6.1-symlink-lang-err.patch diff --git a/.gitignore b/.gitignore index c2dc451..e16a3d0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ /*.asc -/*.xz +/*.xz \ No newline at end of file diff --git a/sources b/sources index 65abcc4..8ab4e23 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ -SHA512 (squid-5.9.tar.xz) = 7dc366ef6b2a397ca6adec993c05876949de5f5e72a8a4409c9c9c52c42a8a4b37f58e85a171eebd36a166951f6c764176cfebec30019b299abe34a5adc4e5ac -SHA512 (squid-5.9.tar.xz.asc) = e2852d45645effc1a94f3ff13471a6dfc0721b42c9c162c06d7ac8613a46e4e3e580ec2dd8371b93ef68d2d197008398926003c35c4e8468cae2871d740491a0 +SHA512 (squid-6.1.tar.xz) = 1e3d5b4cf40d84f94fa108ac7fcd592b55e477a12bb7bca68dd5d58e6614b4f8918d05ca9200ae13b6c4632bdb66e088656fb4efa2cfb6b66fca6bb9c2f91247 +SHA512 (squid-6.1.tar.xz.asc) = 4243e2c547dc7383fce58e5b463a0ef198a9591cfe22b01c5b3b8f79b26bff2e7968a87e900bbbbbbc7abea4863d6aa55e624fcf30ab533fc41b0ad52cf3fc8e SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 + diff --git a/squid-3.5.9-include-guards.patch b/squid-3.5.9-include-guards.patch deleted file mode 100644 index e2d4ff9..0000000 --- a/squid-3.5.9-include-guards.patch +++ /dev/null @@ -1,95 +0,0 @@ ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr ------------------------------------------------------------- -revno: 14311 -revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. - * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 -author: Francesco Chemolli -committer: Amos Jeffries -branch nick: trunk -timestamp: Thu 2015-09-24 06:05:37 -0700 -message: - Bug 4323: Netfilter broken cross-includes with Linux 4.2 ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ -# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b -# timestamp: 2015-09-24 13:06:33 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk -# base_revision_id: squid3@treenet.co.nz-20150924032241-\ -# 6cx3g6hwz9xfoybr -# -# Begin patch -=== modified file 'compat/os/linux.h' ---- compat/os/linux.h 2015-01-13 07:25:36 +0000 -+++ compat/os/linux.h 2015-09-24 13:05:37 +0000 -@@ -30,6 +30,21 @@ - #endif - - /* -+ * Netfilter header madness. (see Bug 4323) -+ * -+ * Netfilter have a history of defining their own versions of network protocol -+ * primitives without sufficient protection against the POSIX defines which are -+ * aways present in Linux. -+ * -+ * netinet/in.h must be included before any other sys header in order to properly -+ * activate include guards in the kernel maintainers added -+ * to workaround it. -+ */ -+#if HAVE_NETINET_IN_H -+#include -+#endif -+ -+/* - * sys/capability.h is only needed in Linux apparently. - * - * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc - diff --git a/squid-5.0.5-build-errors.patch b/squid-5.0.5-build-errors.patch deleted file mode 100644 index 4293d67..0000000 --- a/squid-5.0.5-build-errors.patch +++ /dev/null @@ -1,116 +0,0 @@ -diff --git a/src/Makefile.am b/src/Makefile.am -index 81403a7..5e2a493 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -2477,6 +2477,7 @@ tests_testHttpRequest_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testHttpRequest_LDFLAGS = $(LIBADD_DL) -@@ -2781,6 +2782,7 @@ tests_testCacheManager_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testCacheManager_LDFLAGS = $(LIBADD_DL) -@@ -3101,6 +3103,7 @@ tests_testEvent_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testEvent_LDFLAGS = $(LIBADD_DL) -@@ -3339,6 +3342,7 @@ tests_testEventLoop_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - tests_testEventLoop_LDFLAGS = $(LIBADD_DL) -diff --git a/src/Makefile.in b/src/Makefile.in -index fda6de6..4e047cc 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -4581,6 +4581,7 @@ tests_test_http_range_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -4972,6 +4973,7 @@ tests_testHttpRequest_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -5274,6 +5276,7 @@ tests_testCacheManager_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -5593,6 +5596,7 @@ tests_testEvent_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -@@ -5832,6 +5836,7 @@ tests_testEventLoop_LDADD = \ - $(SSLLIB) \ - $(KRB5LIBS) \ - $(LIBCPPUNIT_LIBS) \ -+ $(SYSTEMD_LIBS) \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -diff --git a/src/proxyp/Parser.cc b/src/proxyp/Parser.cc -index 328d207..2f358a7 100644 ---- a/src/proxyp/Parser.cc -+++ b/src/proxyp/Parser.cc -@@ -15,6 +15,7 @@ - #include "sbuf/Stream.h" - - #include -+#include - - #if HAVE_SYS_SOCKET_H - #include -diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc -index e114ed8..22bce84 100644 ---- a/src/security/ServerOptions.cc -+++ b/src/security/ServerOptions.cc -@@ -18,6 +18,7 @@ - #if USE_OPENSSL - #include "compat/openssl.h" - #include "ssl/support.h" -+#include - - #if HAVE_OPENSSL_ERR_H - #include -diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc -index 1fdae0c..213cf39 100644 ---- a/src/acl/ConnMark.cc -+++ b/src/acl/ConnMark.cc -@@ -15,6 +15,7 @@ - #include "Debug.h" - #include "http/Stream.h" - #include "sbuf/Stream.h" -+#include - - bool - Acl::ConnMark::empty() const diff --git a/squid-5.0.5-symlink-lang-err.patch b/squid-5.0.5-symlink-lang-err.patch deleted file mode 100644 index 45d6fe9..0000000 --- a/squid-5.0.5-symlink-lang-err.patch +++ /dev/null @@ -1,68 +0,0 @@ -From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Sun, 18 Oct 2020 20:23:10 +1300 -Subject: [PATCH] Update translations integration - -* Add credits for es-mx translation moderator -* Use es-mx for default of all Spanish (Central America) texts -* Update translation related .am files ---- - doc/manuals/language.am | 2 +- - errors/TRANSLATORS | 1 + - errors/aliases | 3 ++- - errors/language.am | 3 ++- - errors/template.am | 2 +- - 5 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/doc/manuals/language.am b/doc/manuals/language.am -index 7670c88380c..f03c4cf71b4 100644 ---- a/doc/manuals/language.am -+++ b/doc/manuals/language.am -@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \ - oc.lang \ - pt.lang \ - ro.lang \ -- ru.lang -+ ru.lang -diff --git a/errors/aliases b/errors/aliases -index 36f17f4b80f..cf0116f297d 100644 ---- a/errors/aliases -+++ b/errors/aliases -@@ -14,7 +14,8 @@ da da-dk - de de-at de-ch de-de de-li de-lu - el el-gr - en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw --es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl -+es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq -+es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv - et et-ee - fa fa-fa fa-ir - fi fi-fi -diff --git a/errors/language.am b/errors/language.am -index 12b1b2b3b43..029e8c1eb2f 100644 ---- a/errors/language.am -+++ b/errors/language.am -@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \ - de.lang \ - el.lang \ - en.lang \ -+ es-mx.lang \ - es.lang \ - et.lang \ - fa.lang \ -@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \ - uz.lang \ - vi.lang \ - zh-hans.lang \ -- zh-hant.lang -+ zh-hant.lang -diff --git a/errors/template.am b/errors/template.am -index 6c12781e6f4..715c65aa22b 100644 ---- a/errors/template.am -+++ b/errors/template.am -@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \ - templates/ERR_UNSUP_REQ \ - templates/ERR_URN_RESOLVE \ - templates/ERR_WRITE_ERROR \ -- templates/ERR_ZERO_SIZE_OBJECT -+ templates/ERR_ZERO_SIZE_OBJECT diff --git a/squid-5.7-ip-bind-address-no-port.patch b/squid-5.7-ip-bind-address-no-port.patch deleted file mode 100644 index 55d9597..0000000 --- a/squid-5.7-ip-bind-address-no-port.patch +++ /dev/null @@ -1,156 +0,0 @@ -commit c54122584d175cf1d292b239a5b70f2d1aa77c3a -Author: Tomas Korbar -Date: Mon Dec 5 15:03:07 2022 +0100 - - Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections - -diff --git a/src/comm.cc b/src/comm.cc -index b4818f3..b18d175 100644 ---- a/src/comm.cc -+++ b/src/comm.cc -@@ -59,6 +59,7 @@ - */ - - static IOCB commHalfClosedReader; -+static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note); - static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI); - static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI); - -@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck; - static void commPlanHalfClosedCheck(); - - static Comm::Flag commBind(int s, struct addrinfo &); -+static void commSetBindAddressNoPort(int); - static void commSetReuseAddr(int); - static void commSetNoLinger(int); - #ifdef TCP_NODELAY -@@ -202,6 +204,22 @@ comm_local_port(int fd) - return F->local_addr.port(); - } - -+/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port -+/// reuse by outgoing TCP connections that must bind(2) to a source IP address -+static void -+commSetBindAddressNoPort(const int fd) -+{ -+#if defined(IP_BIND_ADDRESS_NO_PORT) -+ int flag = 1; -+ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast(&flag), sizeof(flag)) < 0) { -+ const auto savedErrno = errno; -+ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno)); -+ } -+#else -+ (void)fd; -+#endif -+} -+ - static Comm::Flag - commBind(int s, struct addrinfo &inaddr) - { -@@ -228,6 +246,10 @@ comm_open(int sock_type, - int flags, - const char *note) - { -+ // assume zero-port callers do not need to know the assigned port right away -+ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr())) -+ flags |= COMM_DOBIND_PORT_LATER; -+ - return comm_openex(sock_type, proto, addr, flags, note); - } - -@@ -329,7 +351,7 @@ comm_set_transparent(int fd) - * Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE - * is OR of flags specified in defines.h:COMM_* - */ --int -+static int - comm_openex(int sock_type, - int proto, - Ip::Address &addr, -@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket, - } - } - #endif -+ if ((flags & COMM_DOBIND_PORT_LATER)) -+ commSetBindAddressNoPort(new_socket); -+ - if (commBind(new_socket, *AI) != Comm::OK) { - comm_close(new_socket); - return -1; -diff --git a/src/comm.h b/src/comm.h -index 5a1a7c2..a9f33db 100644 ---- a/src/comm.h -+++ b/src/comm.h -@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc - - /** - * Open a port specially bound for listening or sending through a specific port. -- * This is a wrapper providing IPv4/IPv6 failover around comm_openex(). - * Please use for all listening sockets and bind() outbound sockets. - * - * It will open a socket bound for: -@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc - int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note); - void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note); - --int comm_openex(int, int, Ip::Address &, int, const char *); - unsigned short comm_local_port(int fd); - - int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen); -diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc -index 19c1237..79fa2ed 100644 ---- a/src/comm/ConnOpener.cc -+++ b/src/comm/ConnOpener.cc -@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd() - if (callback_ == NULL || callback_->canceled()) - return false; - -- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); -+ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); - if (temporaryFd_ < 0) { - sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd"); - return false; -diff --git a/src/comm/Connection.h b/src/comm/Connection.h -index 40c2249..2641f4e 100644 ---- a/src/comm/Connection.h -+++ b/src/comm/Connection.h -@@ -52,6 +52,8 @@ namespace Comm - #define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT - /// not registered with Comm and not owned by any connection-closing code - #define COMM_ORPHANED 0x40 -+/// Internal Comm optimization: Keep the source port unassigned until connect(2) -+#define COMM_DOBIND_PORT_LATER 0x100 - - /** - * Store data about the physical and logical attributes of a connection. -diff --git a/src/ipc.cc b/src/ipc.cc -index 45cab52..42e11e6 100644 ---- a/src/ipc.cc -+++ b/src/ipc.cc -@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name - } else void(0) - - if (type == IPC_TCP_SOCKET) { -- crfd = cwfd = comm_open(SOCK_STREAM, -+ crfd = cwfd = comm_open_listener(SOCK_STREAM, - 0, - local_addr, - COMM_NOCLOEXEC, - name); -- prfd = pwfd = comm_open(SOCK_STREAM, -+ prfd = pwfd = comm_open_listener(SOCK_STREAM, - 0, /* protocol */ - local_addr, - 0, /* blocking */ -diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc -index a1d33d6..bf4bea6 100644 ---- a/src/tests/stub_comm.cc -+++ b/src/tests/stub_comm.cc -@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags) - void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB - int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1) - void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB --int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1) - unsigned short comm_local_port(int fd) STUB_RETVAL(0) - int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1) - void commCallCloseHandlers(int fd) STUB diff --git a/squid-4.0.11-config.patch b/squid-6.1-config.patch similarity index 61% rename from squid-4.0.11-config.patch rename to squid-6.1-config.patch index a4faae8..9d2b192 100644 --- a/squid-4.0.11-config.patch +++ b/squid-6.1-config.patch @@ -1,7 +1,8 @@ -diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre ---- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200 -+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200 -@@ -4658,7 +4658,7 @@ DOC_END +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 44aa34d..12225bc 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -5453,7 +5453,7 @@ DOC_END NAME: logfile_rotate TYPE: int @@ -10,7 +11,7 @@ diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre LOC: Config.Log.rotateNumber DOC_START Specifies the default number of logfile rotations to make when you -@@ -6444,11 +6444,11 @@ COMMENT_END +@@ -7447,11 +7447,11 @@ COMMENT_END NAME: cache_mgr TYPE: string diff --git a/squid-3.1.0.9-location.patch b/squid-6.1-location.patch similarity index 100% rename from squid-3.1.0.9-location.patch rename to squid-6.1-location.patch diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-6.1-perlpath.patch similarity index 90% rename from squid-3.0.STABLE1-perlpath.patch rename to squid-6.1-perlpath.patch index 5ab22a0..fe37759 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -1,5 +1,5 @@ diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl -index 4cb0480..4b89910 100755 +index e965e9e..ed5ffcb 100755 --- a/contrib/url-normalizer.pl +++ b/contrib/url-normalizer.pl @@ -1,4 +1,4 @@ diff --git a/squid-6.1-symlink-lang-err.patch b/squid-6.1-symlink-lang-err.patch new file mode 100644 index 0000000..a29274b --- /dev/null +++ b/squid-6.1-symlink-lang-err.patch @@ -0,0 +1,26 @@ +diff --git a/errors/aliases b/errors/aliases +index c256106..38c123a 100644 +--- a/errors/aliases ++++ b/errors/aliases +@@ -14,8 +14,7 @@ da da-dk + de de-at de-ch de-de de-li de-lu + el el-gr + en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw +-es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq +-es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv ++es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl + et et-ee + fa fa-fa fa-ir + fi fi-fi +diff --git a/errors/language.am b/errors/language.am +index a437d17..f2fe463 100644 +--- a/errors/language.am ++++ b/errors/language.am +@@ -19,7 +19,6 @@ LANGUAGE_FILES = \ + de.lang \ + el.lang \ + en.lang \ +- es-mx.lang \ + es.lang \ + et.lang \ + fa.lang \ diff --git a/squid.spec b/squid.spec index 7db39f3..e5accda 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 5.9 +Version: 6.1 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -9,8 +9,8 @@ Epoch: 7 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz.asc +Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig @@ -25,18 +25,17 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -Patch101: squid-5.7-ip-bind-address-no-port.patch +# Patch101: patch # Local patches # Applying upstream patches first makes it less likely that local patches # will break upstream ones. -Patch201: squid-4.0.11-config.patch -Patch202: squid-3.1.0.9-location.patch -Patch203: squid-3.0.STABLE1-perlpath.patch -Patch204: squid-3.5.9-include-guards.patch +Patch201: squid-6.1-config.patch +Patch202: squid-6.1-location.patch +Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 -Patch205: squid-5.0.5-symlink-lang-err.patch +Patch204: squid-6.1-symlink-lang-err.patch # cache_swap.sh Requires: bash gawk @@ -99,14 +98,13 @@ lookup program (dnsserver), a program for retrieving FTP data # Upstream patches # Backported patches -%patch101 -p1 -b .ip-bind-address-no-port +# %patch101 -p1 -b .patch # Local patches -%patch201 -p1 -b .config -%patch202 -p1 -b .location -%patch203 -p1 -b .perlpath -%patch204 -p0 -b .include-guards -%patch205 -p1 -R -b .symlink-lang-err +%patch -P 201 -p1 -b .config +%patch -P 202 -p1 -b .location +%patch -P 203 -p1 -b .perlpath +%patch -P 204 -p1 -b .symlink-lang-err # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -159,7 +157,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --disable-arch-native \ --disable-security-cert-validators \ --disable-strict-error-checking \ - --with-swapdir=%{_localstatedir}/spool/squid + --with-swapdir=%{_localstatedir}/spool/squid \ + --enable-translation # workaround to build squid v5 mkdir -p src/icmp/tests @@ -333,6 +332,9 @@ fi %changelog +* Tue Jul 11 2023 Luboš Uhliarik - 7:6.1-1 +- new version 6.1 + * Tue May 09 2023 Luboš Uhliarik - 7:5.9-1 - new version 5.9 From 45aa5f8be15879d8b532e024e0babb4f02613250 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 02:24:49 +0000 Subject: [PATCH 37/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index e5accda..94cf540 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -332,6 +332,9 @@ fi %changelog +* Sat Jul 22 2023 Fedora Release Engineering - 7:6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Tue Jul 11 2023 Luboš Uhliarik - 7:6.1-1 - new version 6.1 From fb5d65bd298a33525db7a189eb2c7d8be58cb057 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 8 Aug 2023 16:53:27 +0200 Subject: [PATCH 38/68] Fix "!commHasHalfClosedMonitor(fd)" assertion --- squid-6.1-crash-half-closed.patch | 158 ++++++++++++++++++++++++++++++ squid.spec | 8 +- 2 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 squid-6.1-crash-half-closed.patch diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch new file mode 100644 index 0000000..901ece2 --- /dev/null +++ b/squid-6.1-crash-half-closed.patch @@ -0,0 +1,158 @@ +diff --git a/src/client_side.cc b/src/client_side.cc +index f488fc4..69586df 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -932,7 +932,7 @@ ConnStateData::kick() + * We are done with the response, and we are either still receiving request + * body (early response!) or have already stopped receiving anything. + * +- * If we are still receiving, then clientParseRequest() below will fail. ++ * If we are still receiving, then parseRequests() below will fail. + * (XXX: but then we will call readNextRequest() which may succeed and + * execute a smuggled request as we are not done with the current request). + * +@@ -952,28 +952,12 @@ ConnStateData::kick() + * Attempt to parse a request from the request buffer. + * If we've been fed a pipelined request it may already + * be in our read buffer. +- * +- \par +- * This needs to fall through - if we're unlucky and parse the _last_ request +- * from our read buffer we may never re-register for another client read. + */ + +- if (clientParseRequests()) { +- debugs(33, 3, clientConnection << ": parsed next request from buffer"); +- } ++ parseRequests(); + +- /** \par +- * Either we need to kick-start another read or, if we have +- * a half-closed connection, kill it after the last request. +- * This saves waiting for half-closed connections to finished being +- * half-closed _AND_ then, sometimes, spending "Timeout" time in +- * the keepalive "Waiting for next request" state. +- */ +- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { +- debugs(33, 3, "half-closed client with no pending requests, closing"); +- clientConnection->close(); ++ if (!isOpen()) + return; +- } + + /** \par + * At this point we either have a parsed request (which we've +@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() + resetReadTimeout(Config.Timeout.request); + } + +-/** +- * Attempt to parse one or more requests from the input buffer. +- * Returns true after completing parsing of at least one request [header]. That +- * includes cases where parsing ended with an error (e.g., a huge request). +- */ +-bool +-ConnStateData::clientParseRequests() ++/// Attempt to parse one or more requests from the input buffer. ++/// May close the connection. ++void ++ConnStateData::parseRequests() + { +- bool parsed_req = false; +- + debugs(33, 5, clientConnection << ": attempting to parse"); + + // Loop while we have read bytes that are not needed for producing the body +@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() + + processParsedRequest(context); + +- parsed_req = true; // XXX: do we really need to parse everything right NOW ? +- + if (context->mayUseConnection()) { + debugs(33, 3, "Not parsing new requests, as this request may need the connection"); + break; +@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() + } + } + +- /* XXX where to 'finish' the parsing pass? */ +- return parsed_req; ++ debugs(33, 7, "buffered leftovers: " << inBuf.length()); ++ ++ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { ++ if (pipeline.empty()) { ++ // we processed what we could parse, and no more data is coming ++ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); ++ clientConnection->close(); ++ } else { ++ // we parsed what we could, and no more data is coming ++ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); ++ flags.readMore = false; // may already be false ++ } ++ } + } + + void +@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() + if (pipeline.empty()) + fd_note(clientConnection->fd, "Reading next request"); + +- if (!clientParseRequests()) { +- if (!isOpen()) +- return; +- // We may get here if the client half-closed after sending a partial +- // request. See doClientRead() and shouldCloseOnEof(). +- // XXX: This partially duplicates ConnStateData::kick(). +- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { +- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); +- clientConnection->close(); +- return; +- } +- } ++ parseRequests(); + + if (!isOpen()) + return; +@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) + startPinnedConnectionMonitoring(); + + if (pipeline.empty()) +- kick(); // in case clientParseRequests() was blocked by a busy pic.connection ++ kick(); // in case parseRequests() was blocked by a busy pic.connection + } + + /// Forward future client requests using the given server connection. +diff --git a/src/client_side.h b/src/client_side.h +index 6027b31..60b99b1 100644 +--- a/src/client_side.h ++++ b/src/client_side.h +@@ -98,7 +98,6 @@ public: + void doneWithControlMsg() override; + + /// Traffic parsing +- bool clientParseRequests(); + void readNextRequest(); + + /// try to make progress on a transaction or read more I/O +@@ -443,6 +442,7 @@ private: + + void checkLogging(); + ++ void parseRequests(); + void clientAfterReadingRequests(); + bool concurrentRequestQueueFilled() const; + +diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc +index 8c160e5..f49d5dc 100644 +--- a/src/tests/stub_client_side.cc ++++ b/src/tests/stub_client_side.cc +@@ -14,7 +14,7 @@ + #include "tests/STUB.h" + + #include "client_side.h" +-bool ConnStateData::clientParseRequests() STUB_RETVAL(false) ++void ConnStateData::parseRequests() STUB + void ConnStateData::readNextRequest() STUB + bool ConnStateData::isOpen() const STUB_RETVAL(false) + void ConnStateData::kick() STUB diff --git a/squid.spec b/squid.spec index 94cf540..51f5852 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -36,6 +36,8 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1442 +Patch205: squid-6.1-crash-half-closed.patch # cache_swap.sh Requires: bash gawk @@ -105,6 +107,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch -P 202 -p1 -b .location %patch -P 203 -p1 -b .perlpath %patch -P 204 -p1 -b .symlink-lang-err +%patch -P 205 -p1 -b .crash-half-closed # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -332,6 +335,9 @@ fi %changelog +* Fri Aug 04 2023 Luboš Uhliarik - 7:6.1-3 +- Fix "!commHasHalfClosedMonitor(fd)" assertion + * Sat Jul 22 2023 Fedora Release Engineering - 7:6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From b5e1d7b9e6a78ea63b7cedae3f381a77ec9c4f3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 16 Aug 2023 17:31:00 +0200 Subject: [PATCH 39/68] new version 6.2 --- sources | 5 ++--- squid.spec | 7 +++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 8ab4e23..bab2980 100644 --- a/sources +++ b/sources @@ -1,4 +1,3 @@ -SHA512 (squid-6.1.tar.xz) = 1e3d5b4cf40d84f94fa108ac7fcd592b55e477a12bb7bca68dd5d58e6614b4f8918d05ca9200ae13b6c4632bdb66e088656fb4efa2cfb6b66fca6bb9c2f91247 -SHA512 (squid-6.1.tar.xz.asc) = 4243e2c547dc7383fce58e5b463a0ef198a9591cfe22b01c5b3b8f79b26bff2e7968a87e900bbbbbbc7abea4863d6aa55e624fcf30ab533fc41b0ad52cf3fc8e +SHA512 (squid-6.2.tar.xz) = a2f3ad666b88708ddc52958e610222778e4f64c2ac097b821867ae4022ca35dcbe225f2c5bba42a69fa56f89feebf63764d1a936444e4debce7e55e87b7366db +SHA512 (squid-6.2.tar.xz.asc) = d178eb1d89e8dbe03033378125038be1a4b153846efa53aff396405e7cbadd985842098ab16b68f68d2d23bf3cfca609c535b97ef67df903ee4998d6f0406656 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 - diff --git a/squid.spec b/squid.spec index 51f5852..2528d8c 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.1 -Release: 3%{?dist} +Version: 6.2 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Wed Aug 16 2023 Luboš Uhliarik - 7:6.2-1 +- new version 6.2 + * Fri Aug 04 2023 Luboš Uhliarik - 7:6.1-3 - Fix "!commHasHalfClosedMonitor(fd)" assertion From 986386af0e951f6ea82e2bd5cc6a476438d88187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 5 Sep 2023 14:08:40 +0200 Subject: [PATCH 40/68] new version 6.3 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index bab2980..9585a3a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.2.tar.xz) = a2f3ad666b88708ddc52958e610222778e4f64c2ac097b821867ae4022ca35dcbe225f2c5bba42a69fa56f89feebf63764d1a936444e4debce7e55e87b7366db -SHA512 (squid-6.2.tar.xz.asc) = d178eb1d89e8dbe03033378125038be1a4b153846efa53aff396405e7cbadd985842098ab16b68f68d2d23bf3cfca609c535b97ef67df903ee4998d6f0406656 +SHA512 (squid-6.3.tar.xz) = add8718895ceccc130d31e6cbf9fbdb7fd45a778a617e9f02bf310babe72106e1dc14ac8b3dc81d31e1f4cace66d9d72176dd82f1652d7248a478fa10ffb6b87 +SHA512 (squid-6.3.tar.xz.asc) = 39a4a1b426e06cf990cca1afc64f78623954e32079fb9562154518eeec4124b3b19f28f6c6cb998117aae176be707b25185fe66f98acb205f660396de59bd829 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index 2528d8c..1730441 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.2 +Version: 6.3 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Tue Sep 05 2023 Luboš Uhliarik - 7:6.3-1 +- new version 6.3 + * Wed Aug 16 2023 Luboš Uhliarik - 7:6.2-1 - new version 6.2 From 92b68088588ad74f1e9634c204a350d94887942a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 14 Sep 2023 14:36:09 +0200 Subject: [PATCH 41/68] SPDX migration --- squid.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index 1730441..a529327 100644 --- a/squid.spec +++ b/squid.spec @@ -2,11 +2,11 @@ Name: squid Version: 6.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code -License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) +License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz @@ -335,6 +335,9 @@ fi %changelog +* Thu Sep 14 2023 Luboš Uhliarik - 7:6.3-2 +- SPDX migration + * Tue Sep 05 2023 Luboš Uhliarik - 7:6.3-1 - new version 6.3 From 32a0233ae79b27d44b12389ce6dd38fb30396e76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 24 Oct 2023 22:39:39 +0200 Subject: [PATCH 42/68] new version 6.4 --- sources | 4 ++-- squid.spec | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/sources b/sources index 9585a3a..975ec82 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.3.tar.xz) = add8718895ceccc130d31e6cbf9fbdb7fd45a778a617e9f02bf310babe72106e1dc14ac8b3dc81d31e1f4cace66d9d72176dd82f1652d7248a478fa10ffb6b87 -SHA512 (squid-6.3.tar.xz.asc) = 39a4a1b426e06cf990cca1afc64f78623954e32079fb9562154518eeec4124b3b19f28f6c6cb998117aae176be707b25185fe66f98acb205f660396de59bd829 +SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab +SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index a529327..c1fffcf 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.3 -Release: 2%{?dist} +Version: 6.4 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Tue Oct 24 2023 Luboš Uhliarik - 7:6.4-1 +- new version 6.4 + * Thu Sep 14 2023 Luboš Uhliarik - 7:6.3-2 - SPDX migration From 014ff8bb7a1d9f2f3d3ab300bd7b6bfdf8728137 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 7 Nov 2023 21:24:03 +0100 Subject: [PATCH 43/68] new version 6.5 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 975ec82..24c2ba7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab -SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803 +SHA512 (squid-6.5.tar.xz) = d3a40f5f390f0042a8e981ca28755a90dd520230a06b4246ba7bec0c98025ce1cdc7426797a666f769addd60238e28e1f04d2c701ea2ef2d7329dbe87b830d70 +SHA512 (squid-6.5.tar.xz.asc) = bf6ab7128a6261ac63115f402925311be5f59ad9085d19813f842cfac4b385b47eb07c9398c85654896ef04f6678a4ea645edcbed503f4ac18a3920b6a03ed04 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index c1fffcf..a3f6dba 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.4 +Version: 6.5 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 +- new version 6.5 + * Tue Oct 24 2023 Luboš Uhliarik - 7:6.4-1 - new version 6.4 From 5580eab2d9db7b0f14a66cd8e8c17fa905490a51 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Tue, 12 Dec 2023 22:32:30 -0500 Subject: [PATCH 44/68] new version 6.6 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 24c2ba7..6823720 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.5.tar.xz) = d3a40f5f390f0042a8e981ca28755a90dd520230a06b4246ba7bec0c98025ce1cdc7426797a666f769addd60238e28e1f04d2c701ea2ef2d7329dbe87b830d70 -SHA512 (squid-6.5.tar.xz.asc) = bf6ab7128a6261ac63115f402925311be5f59ad9085d19813f842cfac4b385b47eb07c9398c85654896ef04f6678a4ea645edcbed503f4ac18a3920b6a03ed04 +SHA512 (squid-6.6.tar.xz) = 4ab261ed85ad674288467500aca9d8a48e3918b55f777635c0ba7a2551f248d35536848a5fbf2c946490a818004727f2aed33144f0a3ebab0be36cc4cffb020c +SHA512 (squid-6.6.tar.xz.asc) = 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 diff --git a/squid.spec b/squid.spec index a3f6dba..8938081 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.5 +Version: 6.6 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -335,6 +335,9 @@ fi %changelog +* Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 +- new version 6.6 + * Tue Nov 07 2023 Luboš Uhliarik - 7:6.5-1 - new version 6.5 From ded59a53104e787986fdd65b98a0e3f599b67d4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 20 Dec 2023 14:54:02 +0100 Subject: [PATCH 45/68] Remove gopher mention from SPEC file, since gopher support has been removed --- squid.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8938081..ba852f7 100644 --- a/squid.spec +++ b/squid.spec @@ -83,7 +83,7 @@ Conflicts: NetworkManager < 1.20 %description Squid is a high-performance proxy caching server for Web clients, -supporting FTP, gopher, and HTTP data objects. Unlike traditional +supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking From 2af86284bc59404eec4b917537854c9e1d021fd0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 04:14:57 +0000 Subject: [PATCH 46/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index ba852f7..e34a531 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -335,6 +335,9 @@ fi %changelog +* Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Dec 13 2023 Yaakov Selkowitz - 7:6.6-1 - new version 6.6 From 24c56d185eaafd4fb39fc1d3094b74ee9acd0a33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 14 Feb 2024 00:34:23 +0100 Subject: [PATCH 47/68] new version 6.7 switch to autosetup fix FTBFS when using gcc14 --- sources | 6 +- squid-6.7-gcc-14.patch | 123 +++++++++++++++++++++++++++++++++++++++++ squid.spec | 24 ++++---- 3 files changed, 136 insertions(+), 17 deletions(-) create mode 100644 squid-6.7-gcc-14.patch diff --git a/sources b/sources index 6823720..d17889d 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.6.tar.xz) = 4ab261ed85ad674288467500aca9d8a48e3918b55f777635c0ba7a2551f248d35536848a5fbf2c946490a818004727f2aed33144f0a3ebab0be36cc4cffb020c -SHA512 (squid-6.6.tar.xz.asc) = 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 -SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2 +SHA512 (squid-6.7.tar.xz) = 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 +SHA512 (squid-6.7.tar.xz.asc) = 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.7-gcc-14.patch b/squid-6.7-gcc-14.patch new file mode 100644 index 0000000..283f5ec --- /dev/null +++ b/squid-6.7-gcc-14.patch @@ -0,0 +1,123 @@ +From 7080c9ea3c761f4ac67e3341bbc371383e4e739b Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:07:20 +1300 +Subject: [PATCH 1/4] Fix undefined std::find + +--- + src/helper/Reply.cc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/helper/Reply.cc b/src/helper/Reply.cc +index 93cd5c84322..2e5e92aa2be 100644 +--- a/src/helper/Reply.cc ++++ b/src/helper/Reply.cc +@@ -17,6 +17,8 @@ + #include "rfc1738.h" + #include "SquidString.h" + ++#include ++ + Helper::Reply::Reply() : + result(Helper::Unknown) + { + +From 906884bf2565025cbc5b322c47425defa07f1f8e Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:51:17 +1300 +Subject: [PATCH 2/4] Fix error: 'InstanceId<...>::InstanceId(const + InstanceId<...> &)' is private within this context + +--- + src/base/InstanceId.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h +index a48be882cc4..c4dd4090b00 100644 +--- a/src/base/InstanceId.h ++++ b/src/base/InstanceId.h +@@ -49,6 +49,7 @@ class InstanceId + typedef ValueType Value; ///< id storage type + + InstanceId() {change();} ++ InstanceId(const InstanceId &); ///< no copying; IDs are unique + + operator Value() const { return value; } + bool operator ==(const InstanceId &o) const { return value == o.value; } +@@ -67,10 +68,6 @@ class InstanceId + + public: + Value value = Value(); ///< instance identifier +- +-private: +- InstanceId(const InstanceId &); ///< not implemented; IDs are unique +- InstanceId& operator=(const InstanceId &); ///< not implemented + }; + + /// An InstanceIdDefinitions() helper. Avoid direct use. + +From 2631e20bf8adc2102ba039baf86c1c64c158431f Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 03:58:47 +1300 +Subject: [PATCH 3/4] =?UTF-8?q?Fix=20error:=20=E2=80=98void*=20calloc(size?= + =?UTF-8?q?=5Ft,=20size=5Ft)=E2=80=99=20sizes?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... specified with ‘sizeof’ in the earlier argument +and not in the later argument [-Werror=calloc-transposed-args] +--- + src/auth/basic/LDAP/basic_ldap_auth.cc | 2 +- + src/auth/digest/eDirectory/edir_ldapext.cc | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc +index 4d9a78574cb..f79a5b88984 100644 +--- a/src/auth/basic/LDAP/basic_ldap_auth.cc ++++ b/src/auth/basic/LDAP/basic_ldap_auth.cc +@@ -795,7 +795,7 @@ readSecret(const char *filename) + if ((e = strrchr(buf, '\r'))) + *e = 0; + +- passwd = (char *) calloc(sizeof(char), strlen(buf) + 1); ++ passwd = static_cast(calloc(strlen(buf) + 1, sizeof(char))); + if (!passwd) { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + exit(EXIT_FAILURE); +diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc +index f34341c912c..13e7daca67b 100644 +--- a/src/auth/digest/eDirectory/edir_ldapext.cc ++++ b/src/auth/digest/eDirectory/edir_ldapext.cc +@@ -69,7 +69,7 @@ + + #define NMAS_LDAP_EXT_VERSION 1 + +-#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) ++#define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type)) + #define DEBUG(level, args) + + /********************************************************************** + +From 535606d99e04f3479af07c471768af688ff790cb Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 14 Feb 2024 05:52:05 +1300 +Subject: [PATCH 4/4] Update src/base/InstanceId.h + +Co-authored-by: Alex Rousskov +--- + src/base/InstanceId.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h +index c4dd4090b00..d3e2ebb2b2e 100644 +--- a/src/base/InstanceId.h ++++ b/src/base/InstanceId.h +@@ -49,7 +49,7 @@ class InstanceId + typedef ValueType Value; ///< id storage type + + InstanceId() {change();} +- InstanceId(const InstanceId &); ///< no copying; IDs are unique ++ InstanceId(InstanceId &&) = delete; // no copying/moving of any kind + + operator Value() const { return value; } + bool operator ==(const InstanceId &o) const { return value == o.value; } diff --git a/squid.spec b/squid.spec index e34a531..490653c 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.6 -Release: 2%{?dist} +Version: 6.7 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -38,6 +38,8 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch +# https://github.com/squid-cache/squid/pull/1673 +Patch206: squid-6.7-gcc-14.patch # cache_swap.sh Requires: bash gawk @@ -95,19 +97,8 @@ lookup program (dnsserver), a program for retrieving FTP data %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q -# Upstream patches - -# Backported patches -# %patch101 -p1 -b .patch - -# Local patches -%patch -P 201 -p1 -b .config -%patch -P 202 -p1 -b .location -%patch -P 203 -p1 -b .perlpath -%patch -P 204 -p1 -b .symlink-lang-err -%patch -P 205 -p1 -b .crash-half-closed +%autosetup -p1 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -335,6 +326,11 @@ fi %changelog +* Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 +- new version 6.7 +- switch to autosetup +- fix FTBFS when using gcc14 + * Sat Jan 27 2024 Fedora Release Engineering - 7:6.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5c7c3985cfee87f8be71b06ad85957ce4483c247 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Sat, 9 Mar 2024 04:10:00 +0100 Subject: [PATCH 48/68] new version 6.8 --- sources | 4 +- squid-6.7-gcc-14.patch | 123 ----------------------------------------- squid.spec | 7 ++- 3 files changed, 6 insertions(+), 128 deletions(-) delete mode 100644 squid-6.7-gcc-14.patch diff --git a/sources b/sources index d17889d..8d6d769 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.7.tar.xz) = 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 -SHA512 (squid-6.7.tar.xz.asc) = 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +SHA512 (squid-6.8.tar.xz) = 25509662de0b16af763a7aca090937b16c9ae15cb29ae1275634db9091eba511de33e9119ef8552fda936b7a7cfd1b7e51f6082c039c8e9e9f7da64d5efac992 +SHA512 (squid-6.8.tar.xz.asc) = 118c6b2022ee0b62c83484742a6ae3ee6402ddb06d5f8e953b67185499070e5b1b04cb97953d4f73e91c420e86956f73787ea2208609e451ec2c24a7701a9f24 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.7-gcc-14.patch b/squid-6.7-gcc-14.patch deleted file mode 100644 index 283f5ec..0000000 --- a/squid-6.7-gcc-14.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 7080c9ea3c761f4ac67e3341bbc371383e4e739b Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:07:20 +1300 -Subject: [PATCH 1/4] Fix undefined std::find - ---- - src/helper/Reply.cc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/helper/Reply.cc b/src/helper/Reply.cc -index 93cd5c84322..2e5e92aa2be 100644 ---- a/src/helper/Reply.cc -+++ b/src/helper/Reply.cc -@@ -17,6 +17,8 @@ - #include "rfc1738.h" - #include "SquidString.h" - -+#include -+ - Helper::Reply::Reply() : - result(Helper::Unknown) - { - -From 906884bf2565025cbc5b322c47425defa07f1f8e Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:51:17 +1300 -Subject: [PATCH 2/4] Fix error: 'InstanceId<...>::InstanceId(const - InstanceId<...> &)' is private within this context - ---- - src/base/InstanceId.h | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h -index a48be882cc4..c4dd4090b00 100644 ---- a/src/base/InstanceId.h -+++ b/src/base/InstanceId.h -@@ -49,6 +49,7 @@ class InstanceId - typedef ValueType Value; ///< id storage type - - InstanceId() {change();} -+ InstanceId(const InstanceId &); ///< no copying; IDs are unique - - operator Value() const { return value; } - bool operator ==(const InstanceId &o) const { return value == o.value; } -@@ -67,10 +68,6 @@ class InstanceId - - public: - Value value = Value(); ///< instance identifier -- --private: -- InstanceId(const InstanceId &); ///< not implemented; IDs are unique -- InstanceId& operator=(const InstanceId &); ///< not implemented - }; - - /// An InstanceIdDefinitions() helper. Avoid direct use. - -From 2631e20bf8adc2102ba039baf86c1c64c158431f Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 03:58:47 +1300 -Subject: [PATCH 3/4] =?UTF-8?q?Fix=20error:=20=E2=80=98void*=20calloc(size?= - =?UTF-8?q?=5Ft,=20size=5Ft)=E2=80=99=20sizes?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -... specified with ‘sizeof’ in the earlier argument -and not in the later argument [-Werror=calloc-transposed-args] ---- - src/auth/basic/LDAP/basic_ldap_auth.cc | 2 +- - src/auth/digest/eDirectory/edir_ldapext.cc | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc -index 4d9a78574cb..f79a5b88984 100644 ---- a/src/auth/basic/LDAP/basic_ldap_auth.cc -+++ b/src/auth/basic/LDAP/basic_ldap_auth.cc -@@ -795,7 +795,7 @@ readSecret(const char *filename) - if ((e = strrchr(buf, '\r'))) - *e = 0; - -- passwd = (char *) calloc(sizeof(char), strlen(buf) + 1); -+ passwd = static_cast(calloc(strlen(buf) + 1, sizeof(char))); - if (!passwd) { - fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); - exit(EXIT_FAILURE); -diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc -index f34341c912c..13e7daca67b 100644 ---- a/src/auth/digest/eDirectory/edir_ldapext.cc -+++ b/src/auth/digest/eDirectory/edir_ldapext.cc -@@ -69,7 +69,7 @@ - - #define NMAS_LDAP_EXT_VERSION 1 - --#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) -+#define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type)) - #define DEBUG(level, args) - - /********************************************************************** - -From 535606d99e04f3479af07c471768af688ff790cb Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Wed, 14 Feb 2024 05:52:05 +1300 -Subject: [PATCH 4/4] Update src/base/InstanceId.h - -Co-authored-by: Alex Rousskov ---- - src/base/InstanceId.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/base/InstanceId.h b/src/base/InstanceId.h -index c4dd4090b00..d3e2ebb2b2e 100644 ---- a/src/base/InstanceId.h -+++ b/src/base/InstanceId.h -@@ -49,7 +49,7 @@ class InstanceId - typedef ValueType Value; ///< id storage type - - InstanceId() {change();} -- InstanceId(const InstanceId &); ///< no copying; IDs are unique -+ InstanceId(InstanceId &&) = delete; // no copying/moving of any kind - - operator Value() const { return value; } - bool operator ==(const InstanceId &o) const { return value == o.value; } diff --git a/squid.spec b/squid.spec index 490653c..94a138d 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.7 +Version: 6.8 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -38,8 +38,6 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch -# https://github.com/squid-cache/squid/pull/1673 -Patch206: squid-6.7-gcc-14.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +324,9 @@ fi %changelog +* Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 +- new version 6.8 + * Mon Feb 12 2024 Luboš Uhliarik - 7:6.7-1 - new version 6.7 - switch to autosetup From 8f425c9ec24cef71e2cca266d6e2906ab6c7a21a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 17 Apr 2024 01:26:51 +0200 Subject: [PATCH 49/68] Resolves: #2262715 - squid-6.9 is available --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 8d6d769..a42cd14 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.8.tar.xz) = 25509662de0b16af763a7aca090937b16c9ae15cb29ae1275634db9091eba511de33e9119ef8552fda936b7a7cfd1b7e51f6082c039c8e9e9f7da64d5efac992 -SHA512 (squid-6.8.tar.xz.asc) = 118c6b2022ee0b62c83484742a6ae3ee6402ddb06d5f8e953b67185499070e5b1b04cb97953d4f73e91c420e86956f73787ea2208609e451ec2c24a7701a9f24 +SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e +SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 94a138d..6e8a194 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.8 +Version: 6.9 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -324,6 +324,9 @@ fi %changelog +* Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 +- Resolves: #2262715 - squid-6.9 is available + * Sat Mar 09 2024 Luboš Uhliarik - 7:6.8-1 - new version 6.8 From 71d404cc388ccce1a343081da6ee97a4a3aaf069 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 1 Jul 2024 11:20:18 +0200 Subject: [PATCH 50/68] new version 6.10 Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may lead to Denial of Service --- sources | 4 ++-- squid.spec | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/sources b/sources index a42cd14..38903ce 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e -SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa +SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 +SHA512 (squid-6.10.tar.xz.asc) = 5e9d053db90549760f7a675d9f4703ecde460906cb09dff489f9db5d0f7826fb30487c9b009cc4577f3f061f3c7b3a667418af298f55f882f696884dc536bf53 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 6e8a194..8d0f9e2 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.9 +Version: 6.10 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -324,6 +324,11 @@ fi %changelog +* Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 +- new version 6.10 +- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may + lead to Denial of Service + * Tue Apr 16 2024 Luboš Uhliarik - 7:6.9-1 - Resolves: #2262715 - squid-6.9 is available From bc07278a7c3b6e94716a0b71bb92f443ecffd70e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 06:20:17 +0000 Subject: [PATCH 51/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 8d0f9e2..c02c88b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -324,6 +324,9 @@ fi %changelog +* Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Mon Jul 01 2024 Luboš Uhliarik - 7:6.10-1 - new version 6.10 - Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may From 259e6f50ca2a8f1bceb11ecc23318c4947c5adca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 25 Sep 2024 15:38:12 +0200 Subject: [PATCH 52/68] new version 6.11 --- sources | 4 ++-- squid-6.1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 38903ce..469e7e0 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 -SHA512 (squid-6.10.tar.xz.asc) = 5e9d053db90549760f7a675d9f4703ecde460906cb09dff489f9db5d0f7826fb30487c9b009cc4577f3f061f3c7b3a667418af298f55f882f696884dc536bf53 +SHA512 (squid-6.11.tar.xz) = 669f658b0a58514f98c2b33df874706d40b9ed0837e1f32e08e274c79617063e06e706932011a34b115dcc96d43125f9cea30fba459cd31a88e3afd9b6076d7a +SHA512 (squid-6.11.tar.xz.asc) = e4bf8a77fe431eb6ba7ff9c10511d987692438d66c4aa72739b4fedf73aa6e6704e4da756ffcfeb82b9d76be9a3e4bb963dd523132cda732077898785cc6bbb9 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index fe37759..7539001 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index c02c88b..f4fd37a 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.10 -Release: 2%{?dist} +Version: 6.11 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -324,6 +324,9 @@ fi %changelog +* Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 +- new version 6.11 + * Sat Jul 20 2024 Fedora Release Engineering - 7:6.10-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 8504f8d8faa18c410053b85036e2522d738b3d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 11 Oct 2024 20:22:16 +0200 Subject: [PATCH 53/68] ignore SP and HTAB chars after chunk-size --- squid-6.11-ignore-wsp-after-chunk-size.patch | 367 +++++++++++++++++++ squid.spec | 7 +- 2 files changed, 373 insertions(+), 1 deletion(-) create mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch new file mode 100644 index 0000000..ea4025f --- /dev/null +++ b/squid-6.11-ignore-wsp-after-chunk-size.patch @@ -0,0 +1,367 @@ +From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 10 Oct 2024 19:26:27 +0200 +Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size + +Previously (before #1498 change), squid was accepting TE-chunked replies +with whitespaces after chunk-size and missing chunk-ext data. After + +It turned out that replies with such whitespace chars are pretty +common and other webservers which can act as forward proxies (e.g. +nginx, httpd...) are accepting them. + +This change will allow to proxy chunked responses from origin server, +which had whitespaces inbetween chunk-size and CRLF. +--- + src/http/one/TeChunkedParser.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 9cce10fdc91..04753395e16 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { ++ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size + parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + +From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:06:31 +0200 +Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() + +Depending on new wsp_only argument in ParseBws() it will be decided +which set of whitespaces characters will be parsed. If wsp_only is set +to true, only SP and HTAB chars will be parsed. + +Also optimized number of ParseBws calls. +--- + src/http/one/Parser.cc | 4 ++-- + src/http/one/Parser.h | 3 ++- + src/http/one/TeChunkedParser.cc | 13 +++++++++---- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index b1908316a0b..01d7e3bc0e8 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -273,9 +273,9 @@ Http::One::ErrorLevel() + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule + void +-Http::One::ParseBws(Parser::Tokenizer &tok) ++Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + { +- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index d9a0ac8c273..08200371cd6 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,8 +163,9 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &); ++void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 04753395e16..41e1e5ddaea 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size +- parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ // A possibly empty chunk-ext list. If no chunk-ext has been found, ++ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". ++ if (!parseChunkExtensions(tok)) ++ ParseBws(tok, true); ++ + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-void ++bool + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { ++ bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +- return; // reached the end of extensions (if any) ++ return foundChunkExt; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; ++ foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 02eacd1bb89..8c5d4bb4cba 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- void parseChunkExtensions(Tokenizer &); ++ bool parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:44:33 +0200 +Subject: [PATCH 3/6] Fix typo in Parser.h + +--- + src/http/one/Parser.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 08200371cd6..3ef4c5f7752 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,7 +163,7 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed + void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + +From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 22:39:42 -0400 +Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! + +Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ +spaces after chunk-size, which answers one of the PR review questions: +Should we skip just one space? No, we should not. + +The lines moved around in many commits, but I believe this regression +was introduced in commit 951013d0 because that commit stopped consuming +partially parsed chunk-ext sequences. That consumption was wrong, but it +had a positive side effect -- fixing Bug 4492... +--- + src/http/one/TeChunkedParser.cc | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 41e1e5ddaea..aa4a840fdcf 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- // A possibly empty chunk-ext list. If no chunk-ext has been found, +- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". +- if (!parseChunkExtensions(tok)) +- ParseBws(tok, true); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok, true); ++ ++ parseChunkExtensions(tok); + + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); +@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + do { + auto tok = callerTok; + +- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok); + + if (!tok.skip(';')) + return foundChunkExt; // reached the end of extensions (if any) + +From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:06:42 -0400 +Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling + +... to draw code reader attention when something unusual is going on. +--- + src/http/one/Parser.cc | 22 ++++++++++++++++++---- + src/http/one/Parser.h | 10 ++++++++-- + src/http/one/TeChunkedParser.cc | 14 ++++++-------- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 33 insertions(+), 15 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index 01d7e3bc0e8..d3937e5e96b 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -271,11 +271,12 @@ Http::One::ErrorLevel() + return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; + } + +-// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-void +-Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) ++/// common part of ParseBws() and ParseStrctBws() ++namespace Http::One { ++static void ++ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + { +- const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(bwsChars); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + + // success: no more BWS characters expected + } ++} // namespace Http::One ++ ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, CharacterSet::WSP); ++} ++ ++void ++Http::One::ParseStrictBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, Parser::WhitespaceCharacters()); ++} + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 3ef4c5f7752..49e399de546 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,9 +163,15 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); ++/// \sa WhitespaceCharacters() for the definition of BWS characters ++/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties ++void ParseBws(Parser::Tokenizer &); ++ ++/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation ++/// must be used if the next element may start with CR or any other character ++/// from RelaxedDelimiterCharacters(). ++void ParseStrictBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index aa4a840fdcf..859471b8c77 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- ParseBws(tok, true); +- +- parseChunkExtensions(tok); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. ++ // No ParseBws() here because it may consume CR required further below. ++ ParseStrictBws(tok); + ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-bool ++void + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { +- bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); + + if (!tok.skip(';')) +- return foundChunkExt; // reached the end of extensions (if any) ++ return; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; +- foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 8c5d4bb4cba..02eacd1bb89 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- bool parseChunkExtensions(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:31:08 -0400 +Subject: [PATCH 6/6] fixup: Deadly typo + +--- + src/http/one/Parser.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index d3937e5e96b..7403a9163a2 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + void + Http::One::ParseBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, CharacterSet::WSP); ++ ParseBws_(tok, Parser::WhitespaceCharacters()); + } + + void + Http::One::ParseStrictBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, Parser::WhitespaceCharacters()); ++ ParseBws_(tok, CharacterSet::WSP); + } + + diff --git a/squid.spec b/squid.spec index f4fd37a..bfed799 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -38,6 +38,8 @@ Patch203: squid-6.1-perlpath.patch Patch204: squid-6.1-symlink-lang-err.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1442 Patch205: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch # cache_swap.sh Requires: bash gawk @@ -324,6 +326,9 @@ fi %changelog +* Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 +- ignore SP and HTAB chars after chunk-size + * Wed Sep 25 2024 Luboš Uhliarik - 7:6.11-1 - new version 6.11 From 9e3214a7297593a7cf0ea6a40bd892d351137976 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 23 Oct 2024 21:35:04 +0200 Subject: [PATCH 54/68] new version 6.12 Fix TCP_MISS_ABORTED/100 erros when uploading --- sources | 4 +- squid-6.12-large-upload-buffer-dies.patch | 117 ++++++++++++++++++++++ squid.spec | 10 +- 3 files changed, 127 insertions(+), 4 deletions(-) create mode 100644 squid-6.12-large-upload-buffer-dies.patch diff --git a/sources b/sources index 469e7e0..f79692e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.11.tar.xz) = 669f658b0a58514f98c2b33df874706d40b9ed0837e1f32e08e274c79617063e06e706932011a34b115dcc96d43125f9cea30fba459cd31a88e3afd9b6076d7a -SHA512 (squid-6.11.tar.xz.asc) = e4bf8a77fe431eb6ba7ff9c10511d987692438d66c4aa72739b4fedf73aa6e6704e4da756ffcfeb82b9d76be9a3e4bb963dd523132cda732077898785cc6bbb9 +SHA512 (squid-6.12.tar.xz) = 7ab61f19416426fb8284de7bddc1ea9a5a7b3148fc54c018a243071ba5854610ef38a248f6a22634a2acb7d3ea408b582af1f48818dfe698ade0b7b8c00fd183 +SHA512 (squid-6.12.tar.xz.asc) = 34cd6e9f6f908626184ea6995bcb340a939c00b6254f4427967282fb6e4b89e5cf9c02f8df9f61f2ae9ea08a4ec3796840eeb327e123299e26683a5ecb9b9a0f SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.12-large-upload-buffer-dies.patch b/squid-6.12-large-upload-buffer-dies.patch new file mode 100644 index 0000000..459d528 --- /dev/null +++ b/squid-6.12-large-upload-buffer-dies.patch @@ -0,0 +1,117 @@ +From 4d6dd3ddba5e850a42c86d8233735165a371c31c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Sun, 1 Sep 2024 00:39:34 +0000 +Subject: [PATCH] Bug 5405: Large uploads fill request buffer and die (#1887) + + maybeMakeSpaceAvailable: request buffer full + ReadNow: ... size 0, retval 0, errno 0 + terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT + %Ss=TCP_MISS_ABORTED + +This bug is triggered by a combination of the following two conditions: + +* HTTP client upload fills Squid request buffer faster than it is + drained by an origin server, cache_peer, or REQMOD service. The buffer + accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64 + KB internal "pipe" buffer). + +* The affected server or service consumes a few bytes after the critical + accumulation is reached. In other words, the bug cannot be triggered + if nothing is consumed after the first condition above is met. + +Comm::ReadNow() must not be called with a full buffer: Related +FD_READ_METHOD() code cannot distinguish "received EOF" from "had no +buffer space" outcomes. Server::readSomeData() tried to prevent such +calls, but the corresponding check had two problems: + +* The check had an unsigned integer underflow bug[^1] that made it + ineffective when inBuf length exceeded Config.maxRequestBufferSize. + That length could exceed the limit due to reconfiguration and when + inBuf space size first grew outside of maybeMakeSpaceAvailable() + protections (e.g., during an inBuf.c_str() call) and then got filled + with newly read data. That growth started happening after 2020 commit + 1dfbca06 optimized SBuf::cow() to merge leading and trailing space. + Prior to that commit, Bug 5405 could probably only affect Squid + reconfigurations that lower client_request_buffer_max_size. + +* The check was separated from the ReadNow() call it was meant to + protect. While ConnStateData was waiting for the socket to become + ready for reading, various asynchronous events could alter inBuf or + Config.maxRequestBufferSize. + +This change fixes both problems. + +This change also fixes Squid Bug 5214. + +[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7 +while trying to emulate the original "do not read less than two bytes" +ConnStateData::In::maybeMakeSpaceAvailable() condition. That condition +itself looks like a leftover from manual zero-terminated input buffer +days that ended with 2014 commit e7287625. It is now removed. +--- + +diff --git a/src/servers/Server.cc b/src/servers/Server.cc +index 70fd10b..dd20619 100644 +--- a/src/servers/Server.cc ++++ b/src/servers/Server.cc +@@ -83,16 +83,25 @@ Server::maybeMakeSpaceAvailable() + debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize); + } + ++bool ++Server::mayBufferMoreRequestBytes() const ++{ ++ // TODO: Account for bodyPipe buffering as well. ++ if (inBuf.length() >= Config.maxRequestBufferSize) { ++ debugs(33, 4, "no: " << inBuf.length() << '-' << Config.maxRequestBufferSize << '=' << (inBuf.length() - Config.maxRequestBufferSize)); ++ return false; ++ } ++ debugs(33, 7, "yes: " << Config.maxRequestBufferSize << '-' << inBuf.length() << '=' << (Config.maxRequestBufferSize - inBuf.length())); ++ return true; ++} ++ + void + Server::readSomeData() + { + if (reading()) + return; + +- debugs(33, 4, clientConnection << ": reading request..."); +- +- // we can only read if there is more than 1 byte of space free +- if (Config.maxRequestBufferSize - inBuf.length() < 2) ++ if (!mayBufferMoreRequestBytes()) + return; + + typedef CommCbMemFunT Dialer; +@@ -123,7 +132,16 @@ Server::doClientRead(const CommIoCbParams &io) + * Plus, it breaks our lame *HalfClosed() detection + */ + ++ // mayBufferMoreRequestBytes() was true during readSomeData(), but variables ++ // like Config.maxRequestBufferSize may have changed since that check ++ if (!mayBufferMoreRequestBytes()) { ++ // XXX: If we avoid Comm::ReadNow(), we should not Comm::Read() again ++ // when the wait is over; resume these doClientRead() checks instead. ++ return; // wait for noteMoreBodySpaceAvailable() or a similar inBuf draining event ++ } + maybeMakeSpaceAvailable(); ++ Assure(inBuf.spaceSize()); ++ + CommIoCbParams rd(this); // will be expanded with ReadNow results + rd.conn = io.conn; + switch (Comm::ReadNow(rd, inBuf)) { +diff --git a/src/servers/Server.h b/src/servers/Server.h +index ef105f5..6e549b3 100644 +--- a/src/servers/Server.h ++++ b/src/servers/Server.h +@@ -119,6 +119,9 @@ protected: + /// abort any pending transactions and prevent new ones (by closing) + virtual void terminateAll(const Error &, const LogTagsErrors &) = 0; + ++ /// whether client_request_buffer_max_size allows inBuf.length() increase ++ bool mayBufferMoreRequestBytes() const; ++ + void doClientRead(const CommIoCbParams &io); + void clientWriteDone(const CommIoCbParams &io); + diff --git a/squid.spec b/squid.spec index bfed799..2ee61da 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.11 -Release: 2%{?dist} +Version: 6.12 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,6 +40,8 @@ Patch204: squid-6.1-symlink-lang-err.patch Patch205: squid-6.1-crash-half-closed.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch +# https://bugs.squid-cache.org/show_bug.cgi?id=5214 +Patch207: squid-6.12-large-upload-buffer-dies.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +328,10 @@ fi %changelog +* Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 +- new version 6.12 +- Fix TCP_MISS_ABORTED/100 erros when uploading + * Fri Oct 11 2024 Luboš Uhliarik - 7:6.11-2 - ignore SP and HTAB chars after chunk-size From e91b352f108c5c8897982cbb51d468ce421d61b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 1 Nov 2024 16:39:14 +0100 Subject: [PATCH 55/68] Disable ESI support since ESI support has been also removed from squid 7 Resolves: CVE-2024-45802 squid: Denial of Service processing ESI response content --- squid.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/squid.spec b/squid.spec index 2ee61da..0631e68 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -59,8 +59,6 @@ BuildRequires: openssl-devel BuildRequires: krb5-devel # time_quota requires TrivialDB BuildRequires: libtdb-devel -# ESI support requires Expat & libxml2 -BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat BuildRequires: libcap-devel # eCAP support @@ -143,7 +141,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-storeio="aufs,diskd,ufs,rock" \ --enable-diskio \ --enable-wccpv2 \ - --enable-esi \ + --disable-esi \ --enable-ecap \ --with-aio \ --with-default-user="squid" \ @@ -328,6 +326,11 @@ fi %changelog +* Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 +- Disable ESI support since ESI support has been also removed from squid 7 +- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI + response content + * Wed Oct 23 2024 Luboš Uhliarik - 7:6.12-1 - new version 6.12 - Fix TCP_MISS_ABORTED/100 erros when uploading From 789f7c9b18f6158643a288de505436f575b8f1c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 1 Nov 2024 21:44:15 +0100 Subject: [PATCH 56/68] better error handling in cache_swap.sh added RuntimeDirectory to systemd service file --- cache_swap.sh | 5 ++++- squid.service | 9 ++++++--- squid.spec | 19 ++++++------------- 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/cache_swap.sh b/cache_swap.sh index 77d06ac..89f3478 100644 --- a/cache_swap.sh +++ b/cache_swap.sh @@ -17,5 +17,8 @@ done if [ $init_cache_dirs -ne 0 ]; then echo "" - squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1 + if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then + echo "init_cache_dir failed, see /var/log/squid/squid.out for more information" + exit 1 + fi fi diff --git a/squid.service b/squid.service index 6978032..09c68cc 100644 --- a/squid.service +++ b/squid.service @@ -8,11 +8,14 @@ Type=notify LimitNOFILE=16384 PIDFile=/run/squid.pid EnvironmentFile=/etc/sysconfig/squid -ExecStartPre=/usr/libexec/squid/cache_swap.sh -ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} -ExecReload=/usr/bin/kill -HUP $MAINPID +ExecStartPre=!/usr/libexec/squid/cache_swap.sh +ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} +ExecReload=!/usr/bin/kill -HUP $MAINPID KillMode=mixed NotifyAccess=all +User=squid +Group=squid +RuntimeDirectory=squid [Install] WantedBy=multi-user.target diff --git a/squid.spec b/squid.spec index 0631e68..5cbe6b9 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -71,7 +71,7 @@ BuildRequires: perl-generators BuildRequires: pkgconfig(cppunit) # For verifying downloded src tarball BuildRequires: gnupg2 -# for _tmpfilesdir and _unitdir macro +# for _unitdir macro # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging BuildRequires: systemd-rpm-macros # systemd notify @@ -198,17 +198,8 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid -mkdir -p $RPM_BUILD_ROOT/run/squid chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl -# install /usr/lib/tmpfiles.d/squid.conf -mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} -cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf < - 7:6.12-3 +- better error handling in cache_swap.sh +- added RuntimeDirectory to systemd service file + * Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-2 - Disable ESI support since ESI support has been also removed from squid 7 - Resolves: CVE-2024-45802 squid: Denial of Service processing ESI From d3ada053730bd30c73f430ff270c4b92b86ef5ca Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 11:31:35 +0000 Subject: [PATCH 57/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 5cbe6b9..22786ee 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -315,6 +315,9 @@ fi %changelog +* Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Fri Nov 01 2024 Luboš Uhliarik - 7:6.12-3 - better error handling in cache_swap.sh - added RuntimeDirectory to systemd service file From 5403d2498221ec36a496d79a1797054f64e78fa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 1 Feb 2025 19:57:33 +0100 Subject: [PATCH 58/68] Add explicit BR: libxcrypt-devel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Esser --- squid.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 22786ee..ff41802 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.12 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -66,6 +66,7 @@ BuildRequires: libecap-devel #ip_user helper requires BuildRequires: gcc-c++ BuildRequires: libtool libtool-ltdl-devel +BuildRequires: libxcrypt-devel BuildRequires: perl-generators # For test suite BuildRequires: pkgconfig(cppunit) @@ -315,6 +316,9 @@ fi %changelog +* Sat Feb 01 2025 Björn Esser - 7:6.12-5 +- Add explicit BR: libxcrypt-devel + * Sun Jan 19 2025 Fedora Release Engineering - 7:6.12-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 9c651e4fe8d7da27226525e8fc3c7c84f7d724bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 4 Feb 2025 18:38:52 +0100 Subject: [PATCH 59/68] new version 6.13 --- sources | 4 +- squid-6.12-large-upload-buffer-dies.patch | 117 ---------------------- squid.spec | 9 +- 3 files changed, 7 insertions(+), 123 deletions(-) delete mode 100644 squid-6.12-large-upload-buffer-dies.patch diff --git a/sources b/sources index f79692e..83d969f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.12.tar.xz) = 7ab61f19416426fb8284de7bddc1ea9a5a7b3148fc54c018a243071ba5854610ef38a248f6a22634a2acb7d3ea408b582af1f48818dfe698ade0b7b8c00fd183 -SHA512 (squid-6.12.tar.xz.asc) = 34cd6e9f6f908626184ea6995bcb340a939c00b6254f4427967282fb6e4b89e5cf9c02f8df9f61f2ae9ea08a4ec3796840eeb327e123299e26683a5ecb9b9a0f +SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1 +SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.12-large-upload-buffer-dies.patch b/squid-6.12-large-upload-buffer-dies.patch deleted file mode 100644 index 459d528..0000000 --- a/squid-6.12-large-upload-buffer-dies.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 4d6dd3ddba5e850a42c86d8233735165a371c31c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Sun, 1 Sep 2024 00:39:34 +0000 -Subject: [PATCH] Bug 5405: Large uploads fill request buffer and die (#1887) - - maybeMakeSpaceAvailable: request buffer full - ReadNow: ... size 0, retval 0, errno 0 - terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT - %Ss=TCP_MISS_ABORTED - -This bug is triggered by a combination of the following two conditions: - -* HTTP client upload fills Squid request buffer faster than it is - drained by an origin server, cache_peer, or REQMOD service. The buffer - accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64 - KB internal "pipe" buffer). - -* The affected server or service consumes a few bytes after the critical - accumulation is reached. In other words, the bug cannot be triggered - if nothing is consumed after the first condition above is met. - -Comm::ReadNow() must not be called with a full buffer: Related -FD_READ_METHOD() code cannot distinguish "received EOF" from "had no -buffer space" outcomes. Server::readSomeData() tried to prevent such -calls, but the corresponding check had two problems: - -* The check had an unsigned integer underflow bug[^1] that made it - ineffective when inBuf length exceeded Config.maxRequestBufferSize. - That length could exceed the limit due to reconfiguration and when - inBuf space size first grew outside of maybeMakeSpaceAvailable() - protections (e.g., during an inBuf.c_str() call) and then got filled - with newly read data. That growth started happening after 2020 commit - 1dfbca06 optimized SBuf::cow() to merge leading and trailing space. - Prior to that commit, Bug 5405 could probably only affect Squid - reconfigurations that lower client_request_buffer_max_size. - -* The check was separated from the ReadNow() call it was meant to - protect. While ConnStateData was waiting for the socket to become - ready for reading, various asynchronous events could alter inBuf or - Config.maxRequestBufferSize. - -This change fixes both problems. - -This change also fixes Squid Bug 5214. - -[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7 -while trying to emulate the original "do not read less than two bytes" -ConnStateData::In::maybeMakeSpaceAvailable() condition. That condition -itself looks like a leftover from manual zero-terminated input buffer -days that ended with 2014 commit e7287625. It is now removed. ---- - -diff --git a/src/servers/Server.cc b/src/servers/Server.cc -index 70fd10b..dd20619 100644 ---- a/src/servers/Server.cc -+++ b/src/servers/Server.cc -@@ -83,16 +83,25 @@ Server::maybeMakeSpaceAvailable() - debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize); - } - -+bool -+Server::mayBufferMoreRequestBytes() const -+{ -+ // TODO: Account for bodyPipe buffering as well. -+ if (inBuf.length() >= Config.maxRequestBufferSize) { -+ debugs(33, 4, "no: " << inBuf.length() << '-' << Config.maxRequestBufferSize << '=' << (inBuf.length() - Config.maxRequestBufferSize)); -+ return false; -+ } -+ debugs(33, 7, "yes: " << Config.maxRequestBufferSize << '-' << inBuf.length() << '=' << (Config.maxRequestBufferSize - inBuf.length())); -+ return true; -+} -+ - void - Server::readSomeData() - { - if (reading()) - return; - -- debugs(33, 4, clientConnection << ": reading request..."); -- -- // we can only read if there is more than 1 byte of space free -- if (Config.maxRequestBufferSize - inBuf.length() < 2) -+ if (!mayBufferMoreRequestBytes()) - return; - - typedef CommCbMemFunT Dialer; -@@ -123,7 +132,16 @@ Server::doClientRead(const CommIoCbParams &io) - * Plus, it breaks our lame *HalfClosed() detection - */ - -+ // mayBufferMoreRequestBytes() was true during readSomeData(), but variables -+ // like Config.maxRequestBufferSize may have changed since that check -+ if (!mayBufferMoreRequestBytes()) { -+ // XXX: If we avoid Comm::ReadNow(), we should not Comm::Read() again -+ // when the wait is over; resume these doClientRead() checks instead. -+ return; // wait for noteMoreBodySpaceAvailable() or a similar inBuf draining event -+ } - maybeMakeSpaceAvailable(); -+ Assure(inBuf.spaceSize()); -+ - CommIoCbParams rd(this); // will be expanded with ReadNow results - rd.conn = io.conn; - switch (Comm::ReadNow(rd, inBuf)) { -diff --git a/src/servers/Server.h b/src/servers/Server.h -index ef105f5..6e549b3 100644 ---- a/src/servers/Server.h -+++ b/src/servers/Server.h -@@ -119,6 +119,9 @@ protected: - /// abort any pending transactions and prevent new ones (by closing) - virtual void terminateAll(const Error &, const LogTagsErrors &) = 0; - -+ /// whether client_request_buffer_max_size allows inBuf.length() increase -+ bool mayBufferMoreRequestBytes() const; -+ - void doClientRead(const CommIoCbParams &io); - void clientWriteDone(const CommIoCbParams &io); - diff --git a/squid.spec b/squid.spec index ff41802..d73d7be 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE98} Name: squid -Version: 6.12 -Release: 5%{?dist} +Version: 6.13 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -40,8 +40,6 @@ Patch204: squid-6.1-symlink-lang-err.patch Patch205: squid-6.1-crash-half-closed.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch -# https://bugs.squid-cache.org/show_bug.cgi?id=5214 -Patch207: squid-6.12-large-upload-buffer-dies.patch # cache_swap.sh Requires: bash gawk @@ -316,6 +314,9 @@ fi %changelog +* Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 +- new version 6.13 + * Sat Feb 01 2025 Björn Esser - 7:6.12-5 - Add explicit BR: libxcrypt-devel From 22a11a4a8b6f73f9ba9abe9490f09f5628b42b6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 5 Feb 2025 18:12:27 +0100 Subject: [PATCH 60/68] Source URL change Use the GitHub URL as the source URL instead of the obsolete one. --- squid.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index d73d7be..dbdcc3a 100644 --- a/squid.spec +++ b/squid.spec @@ -1,4 +1,5 @@ %define __perl_requires %{SOURCE98} +%define version_underscore %(echo %{version} | tr '.' '_') Name: squid Version: 6.13 @@ -9,8 +10,8 @@ Epoch: 7 License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc +Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz +Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig From 3f92dc8816e1639138e4fcb01ac2d293dc49ff8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 10 Apr 2025 14:34:13 +0200 Subject: [PATCH 61/68] Do not blame cache_peer for 4xx CONNECT responses --- squid-6.13-cache-peer-connect-errors.patch | 287 +++++++++++++++++++++ squid.spec | 16 +- 2 files changed, 297 insertions(+), 6 deletions(-) create mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch new file mode 100644 index 0000000..339d9ec --- /dev/null +++ b/squid-6.13-cache-peer-connect-errors.patch @@ -0,0 +1,287 @@ +From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Tue, 2 Apr 2024 20:37:31 +0000 +Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) + + ERROR: Connection to [such-and-such-cache_peer] failed + TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT + +Squid does not alert an admin about (and decrease health level of) a +cache_peer that responded with an error to a GET request. Just like GET +responses from a cache_peer, CONNECT responses may (and often do!) +reflect client or origin server failures. We should not penalize +cache_peers (and alert admins) until we can distinguish these frequent +client/origin failures from (relatively rare) cache_peer problems. This +change absolves cache_peers of CONNECT problems, restoring parity with +GETs and restoring v4 behavior changed (probably by accident) in v5. + +Also removed Http::StatusCode parameter from failure notification +functions because it became essentially unused after the primary +Http::Tunneler changes. Tunneler was the only source of status code +information that (in some cases) used received HTTP response to compute +that status code. All other cases extracted that status code from +Squid-generated errors. Those errors were arguably never meant to supply +status code information for "this failure is not our fault" decision, +and they do not supply 4xx status codes driving that decision. + +### Problem evolution + +2019 commit f5e1794 effectively started blaming cache_peer for all +FwdState CONNECT errors. That functionality change was probably +accidental, likely influenced by the names of noteConnectFailure() and +peerConnectFailed() functions that abbreviated "Connection", making the +functions look as applicable to CONNECT failures. Prior to that commit, +the functions were never used for CONNECT errors. After it, FwdState +started calling peerConnectFailed() for all CONNECT failures. + +In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as +well (by moving that FwdState-only error handling code into Tunneler). +The same "accidental functionality change" speculations apply here. + +In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as +folks deploying newer code started complaining about cache_peers getting +blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We +did not realize that the blaming code itself was an unwanted accident. + +Now we are getting complaints about cache_peers getting blamed for 502 +and 503 CONNECT errors caused by, for example, domain names without IPs: +As these CONNECT error responses are propagated from parent to child +caches, every child cache in the chain logs ERRORs and every cache_peer +in the chain gets its health counter decreased! +--- + src/CachePeer.cc | 11 +---------- + src/CachePeer.h | 12 +++++------- + src/HappyConnOpener.cc | 2 +- + src/PeerPoolMgr.cc | 2 +- + src/clients/HttpTunneler.cc | 10 ++++++---- + src/clients/HttpTunneler.h | 2 +- + src/neighbors.cc | 2 +- + src/security/BlindPeerConnector.cc | 2 +- + src/security/PeerConnector.cc | 8 ++++---- + src/security/PeerConnector.h | 2 +- + src/tests/stub_libsecurity.cc | 2 +- + 11 files changed, 23 insertions(+), 32 deletions(-) + +diff --git a/src/CachePeer.cc b/src/CachePeer.cc +index a5c3adf..91045ef 100644 +--- a/src/CachePeer.cc ++++ b/src/CachePeer.cc +@@ -68,20 +68,11 @@ CachePeer::noteSuccess() + } + } + +-void +-CachePeer::noteFailure(const Http::StatusCode code) +-{ +- if (Http::Is4xx(code)) +- return; // this failure is not our fault +- +- countFailure(); +-} +- + // TODO: Require callers to detail failures instead of using one (and often + // misleading!) "connection failed" phrase for all of them. + /// noteFailure() helper for handling failures attributed to this peer + void +-CachePeer::countFailure() ++CachePeer::noteFailure() + { + stats.last_connect_failure = squid_curtime; + if (tcp_up > 0) +diff --git a/src/CachePeer.h b/src/CachePeer.h +index 5b13e29..14e40ff 100644 +--- a/src/CachePeer.h ++++ b/src/CachePeer.h +@@ -38,9 +38,8 @@ public: + /// reacts to a successful establishment of a connection to this cache_peer + void noteSuccess(); + +- /// reacts to a failure on a connection to this cache_peer +- /// \param code a received response status code, if any +- void noteFailure(Http::StatusCode code); ++ /// reacts to a failed attempt to establish a connection to this cache_peer ++ void noteFailure(); + + /// (re)configure cache_peer name=value + void rename(const char *); +@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) + peer->noteSuccess(); + } + +-/// reacts to a failure on a connection to an origin server or cache_peer ++/// reacts to a failed attempt to establish a connection to an origin server or cache_peer + /// \param peer nil if the connection is to an origin server +-/// \param code a received response status code, if any + inline void +-NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) ++NoteOutgoingConnectionFailure(CachePeer * const peer) + { + if (peer) +- peer->noteFailure(code); ++ peer->noteFailure(); + } + + /// identify the given cache peer in cache.log messages and such +diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc +index 5ab9294..5e17a76 100644 +--- a/src/HappyConnOpener.cc ++++ b/src/HappyConnOpener.cc +@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar + lastError = makeError(ERR_CONNECT_FAIL); + lastError->xerrno = params.xerrno; + +- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); ++ NoteOutgoingConnectionFailure(params.conn->getPeer()); + + if (spareWaiting) + updateSpareWaitAfterPrimeFailure(); +diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc +index 9cb038e..6fb5b09 100644 +--- a/src/PeerPoolMgr.cc ++++ b/src/PeerPoolMgr.cc +@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) + } + + if (params.flag != Comm::OK) { +- NoteOutgoingConnectionFailure(peer, Http::scNone); ++ NoteOutgoingConnectionFailure(peer); + checkpoint("conn opening failure"); // may retry + return; + } +diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc +index 2fbc3fb..a6e49db 100644 +--- a/src/clients/HttpTunneler.cc ++++ b/src/clients/HttpTunneler.cc +@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) + { + closer = nullptr; + if (connection) { +- countFailingConnection(nullptr); ++ countFailingConnection(); + connection->noteClosure(); + connection = nullptr; + } +@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) + + if (const auto failingConnection = connection) { + // TODO: Reuse to-peer connections after a CONNECT error response. +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() + } + + void +-Http::Tunneler::countFailingConnection(const ErrorState * const error) ++Http::Tunneler::countFailingConnection() + { + assert(connection); +- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); ++ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because ++ // we do not blame cache_peer for CONNECT failures (on top of a successfully ++ // established connection to that cache_peer). + if (noteFwdPconnUse && connection->isOpen()) + fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); + } +diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h +index 7886f09..596efcf 100644 +--- a/src/clients/HttpTunneler.h ++++ b/src/clients/HttpTunneler.h +@@ -80,7 +80,7 @@ private: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + AsyncCall::Pointer writer; ///< called when the request has been written + AsyncCall::Pointer reader; ///< called when the response should be read +diff --git a/src/neighbors.cc b/src/neighbors.cc +index 04b69c1..75f56c9 100644 +--- a/src/neighbors.cc ++++ b/src/neighbors.cc +@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int + if (status == Comm::OK) + p->noteSuccess(); + else +- p->noteFailure(Http::scNone); ++ p->noteFailure(); + + -- p->testing_now; + conn->close(); +diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc +index b9e5659..4c37f34 100644 +--- a/src/security/BlindPeerConnector.cc ++++ b/src/security/BlindPeerConnector.cc +@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) + // based on TCP results, SSL results, or both. And the code is probably not + // consistent in this aspect across tunnelling and forwarding modules. + if (peer && peer->secure.encryptTransport) +- peer->noteFailure(error->httpStatus); ++ peer->noteFailure(); + return; + } + +diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc +index d458f99..d0131a1 100644 +--- a/src/security/PeerConnector.cc ++++ b/src/security/PeerConnector.cc +@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) + err->detailError(d); + + if (serverConn) { +- countFailingConnection(err); ++ countFailingConnection(); + serverConn->noteClosure(); + serverConn = nullptr; + } +@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) + answer().error = error; + + if (const auto failingConnection = serverConn) { +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() + } + + void +-Security::PeerConnector::countFailingConnection(const ErrorState * const error) ++Security::PeerConnector::countFailingConnection() + { + assert(serverConn); +- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); ++ NoteOutgoingConnectionFailure(serverConn->getPeer()); + // TODO: Calling PconnPool::noteUses() should not be our responsibility. + if (noteFwdPconnUse && serverConn->isOpen()) + fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); +diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h +index a1d5ef9..401df06 100644 +--- a/src/security/PeerConnector.h ++++ b/src/security/PeerConnector.h +@@ -150,7 +150,7 @@ protected: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + /// If called the certificates validator will not used + void bypassCertValidator() {useCertValidator_ = false;} +diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc +index 6bd6204..b513a22 100644 +--- a/src/tests/stub_libsecurity.cc ++++ b/src/tests/stub_libsecurity.cc +@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB + void PeerConnector::sendSuccess() STUB + void PeerConnector::callBack() STUB + void PeerConnector::disconnect() STUB +-void PeerConnector::countFailingConnection(const ErrorState *) STUB ++void PeerConnector::countFailingConnection() STUB + void PeerConnector::recordNegotiationDetails() STUB + EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) + } diff --git a/squid.spec b/squid.spec index dbdcc3a..fea08a9 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 6.13 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -26,7 +26,12 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Patch101: patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1442 +Patch101: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch +# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47 +Patch103: squid-6.13-cache-peer-connect-errors.patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -37,10 +42,6 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1442 -Patch205: squid-6.1-crash-half-closed.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1914 -Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch # cache_swap.sh Requires: bash gawk @@ -315,6 +316,9 @@ fi %changelog +* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 +- Do not blame cache_peer for 4xx CONNECT responses + * Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 - new version 6.13 From 383c43dd7bcf46924ab261bf4a0937745a2e356e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 21 Jul 2025 19:36:11 +0200 Subject: [PATCH 62/68] new version 6.14 --- sources | 4 ++-- squid-6.1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 83d969f..02e8a81 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1 -SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9 +SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5 +SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index 7539001..8bfdbdf 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index fea08a9..5c4ee42 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.13 -Release: 2%{?dist} +Version: 6.14 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -316,6 +316,9 @@ fi %changelog +* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 +- new version 6.14 + * Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 - Do not blame cache_peer for 4xx CONNECT responses From fea9e4c688052db60dc2833d2786c511f44d6b29 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 18:41:07 +0000 Subject: [PATCH 63/68] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 5c4ee42..352f5a2 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 6.14 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -316,6 +316,9 @@ fi %changelog +* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 - new version 6.14 From 6e12cc940ee289ffca223c00616510350e50c89f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 14 Aug 2025 22:29:23 +0200 Subject: [PATCH 64/68] new version 7.1 removed squidclient removed purge removed cachemgr.cgi removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers --- sources | 4 +- squid-6.1-crash-half-closed.patch | 158 -------- squid-6.11-ignore-wsp-after-chunk-size.patch | 367 ------------------- squid-6.13-cache-peer-connect-errors.patch | 287 --------------- squid.spec | 33 +- 5 files changed, 17 insertions(+), 832 deletions(-) delete mode 100644 squid-6.1-crash-half-closed.patch delete mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch delete mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/sources b/sources index 02e8a81..700eafd 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5 -SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3 +SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df +SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch deleted file mode 100644 index 901ece2..0000000 --- a/squid-6.1-crash-half-closed.patch +++ /dev/null @@ -1,158 +0,0 @@ -diff --git a/src/client_side.cc b/src/client_side.cc -index f488fc4..69586df 100644 ---- a/src/client_side.cc -+++ b/src/client_side.cc -@@ -932,7 +932,7 @@ ConnStateData::kick() - * We are done with the response, and we are either still receiving request - * body (early response!) or have already stopped receiving anything. - * -- * If we are still receiving, then clientParseRequest() below will fail. -+ * If we are still receiving, then parseRequests() below will fail. - * (XXX: but then we will call readNextRequest() which may succeed and - * execute a smuggled request as we are not done with the current request). - * -@@ -952,28 +952,12 @@ ConnStateData::kick() - * Attempt to parse a request from the request buffer. - * If we've been fed a pipelined request it may already - * be in our read buffer. -- * -- \par -- * This needs to fall through - if we're unlucky and parse the _last_ request -- * from our read buffer we may never re-register for another client read. - */ - -- if (clientParseRequests()) { -- debugs(33, 3, clientConnection << ": parsed next request from buffer"); -- } -+ parseRequests(); - -- /** \par -- * Either we need to kick-start another read or, if we have -- * a half-closed connection, kill it after the last request. -- * This saves waiting for half-closed connections to finished being -- * half-closed _AND_ then, sometimes, spending "Timeout" time in -- * the keepalive "Waiting for next request" state. -- */ -- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { -- debugs(33, 3, "half-closed client with no pending requests, closing"); -- clientConnection->close(); -+ if (!isOpen()) - return; -- } - - /** \par - * At this point we either have a parsed request (which we've -@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() - resetReadTimeout(Config.Timeout.request); - } - --/** -- * Attempt to parse one or more requests from the input buffer. -- * Returns true after completing parsing of at least one request [header]. That -- * includes cases where parsing ended with an error (e.g., a huge request). -- */ --bool --ConnStateData::clientParseRequests() -+/// Attempt to parse one or more requests from the input buffer. -+/// May close the connection. -+void -+ConnStateData::parseRequests() - { -- bool parsed_req = false; -- - debugs(33, 5, clientConnection << ": attempting to parse"); - - // Loop while we have read bytes that are not needed for producing the body -@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() - - processParsedRequest(context); - -- parsed_req = true; // XXX: do we really need to parse everything right NOW ? -- - if (context->mayUseConnection()) { - debugs(33, 3, "Not parsing new requests, as this request may need the connection"); - break; -@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() - } - } - -- /* XXX where to 'finish' the parsing pass? */ -- return parsed_req; -+ debugs(33, 7, "buffered leftovers: " << inBuf.length()); -+ -+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { -+ if (pipeline.empty()) { -+ // we processed what we could parse, and no more data is coming -+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); -+ clientConnection->close(); -+ } else { -+ // we parsed what we could, and no more data is coming -+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); -+ flags.readMore = false; // may already be false -+ } -+ } - } - - void -@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() - if (pipeline.empty()) - fd_note(clientConnection->fd, "Reading next request"); - -- if (!clientParseRequests()) { -- if (!isOpen()) -- return; -- // We may get here if the client half-closed after sending a partial -- // request. See doClientRead() and shouldCloseOnEof(). -- // XXX: This partially duplicates ConnStateData::kick(). -- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { -- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); -- clientConnection->close(); -- return; -- } -- } -+ parseRequests(); - - if (!isOpen()) - return; -@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) - startPinnedConnectionMonitoring(); - - if (pipeline.empty()) -- kick(); // in case clientParseRequests() was blocked by a busy pic.connection -+ kick(); // in case parseRequests() was blocked by a busy pic.connection - } - - /// Forward future client requests using the given server connection. -diff --git a/src/client_side.h b/src/client_side.h -index 6027b31..60b99b1 100644 ---- a/src/client_side.h -+++ b/src/client_side.h -@@ -98,7 +98,6 @@ public: - void doneWithControlMsg() override; - - /// Traffic parsing -- bool clientParseRequests(); - void readNextRequest(); - - /// try to make progress on a transaction or read more I/O -@@ -443,6 +442,7 @@ private: - - void checkLogging(); - -+ void parseRequests(); - void clientAfterReadingRequests(); - bool concurrentRequestQueueFilled() const; - -diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc -index 8c160e5..f49d5dc 100644 ---- a/src/tests/stub_client_side.cc -+++ b/src/tests/stub_client_side.cc -@@ -14,7 +14,7 @@ - #include "tests/STUB.h" - - #include "client_side.h" --bool ConnStateData::clientParseRequests() STUB_RETVAL(false) -+void ConnStateData::parseRequests() STUB - void ConnStateData::readNextRequest() STUB - bool ConnStateData::isOpen() const STUB_RETVAL(false) - void ConnStateData::kick() STUB diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch deleted file mode 100644 index ea4025f..0000000 --- a/squid-6.11-ignore-wsp-after-chunk-size.patch +++ /dev/null @@ -1,367 +0,0 @@ -From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Thu, 10 Oct 2024 19:26:27 +0200 -Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size - -Previously (before #1498 change), squid was accepting TE-chunked replies -with whitespaces after chunk-size and missing chunk-ext data. After - -It turned out that replies with such whitespace chars are pretty -common and other webservers which can act as forward proxies (e.g. -nginx, httpd...) are accepting them. - -This change will allow to proxy chunked responses from origin server, -which had whitespaces inbetween chunk-size and CRLF. ---- - src/http/one/TeChunkedParser.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 9cce10fdc91..04753395e16 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -+ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size - parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - -From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:06:31 +0200 -Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() - -Depending on new wsp_only argument in ParseBws() it will be decided -which set of whitespaces characters will be parsed. If wsp_only is set -to true, only SP and HTAB chars will be parsed. - -Also optimized number of ParseBws calls. ---- - src/http/one/Parser.cc | 4 ++-- - src/http/one/Parser.h | 3 ++- - src/http/one/TeChunkedParser.cc | 13 +++++++++---- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index b1908316a0b..01d7e3bc0e8 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -273,9 +273,9 @@ Http::One::ErrorLevel() - - // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule - void --Http::One::ParseBws(Parser::Tokenizer &tok) -+Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - { -- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index d9a0ac8c273..08200371cd6 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,8 +163,9 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &); -+void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 04753395e16..41e1e5ddaea 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size -- parseChunkExtensions(tok); // a possibly empty chunk-ext list -+ // A possibly empty chunk-ext list. If no chunk-ext has been found, -+ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -+ if (!parseChunkExtensions(tok)) -+ ParseBws(tok, true); -+ - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --void -+bool - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -+ bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size - - if (!tok.skip(';')) -- return; // reached the end of extensions (if any) -+ return foundChunkExt; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -+ foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 02eacd1bb89..8c5d4bb4cba 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- void parseChunkExtensions(Tokenizer &); -+ bool parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:44:33 +0200 -Subject: [PATCH 3/6] Fix typo in Parser.h - ---- - src/http/one/Parser.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 08200371cd6..3ef4c5f7752 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,7 +163,7 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed - void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - -From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 22:39:42 -0400 -Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! - -Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ -spaces after chunk-size, which answers one of the PR review questions: -Should we skip just one space? No, we should not. - -The lines moved around in many commits, but I believe this regression -was introduced in commit 951013d0 because that commit stopped consuming -partially parsed chunk-ext sequences. That consumption was wrong, but it -had a positive side effect -- fixing Bug 4492... ---- - src/http/one/TeChunkedParser.cc | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 41e1e5ddaea..aa4a840fdcf 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -- // A possibly empty chunk-ext list. If no chunk-ext has been found, -- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -- if (!parseChunkExtensions(tok)) -- ParseBws(tok, true); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok, true); -+ -+ parseChunkExtensions(tok); - - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); -@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - do { - auto tok = callerTok; - -- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok); - - if (!tok.skip(';')) - return foundChunkExt; // reached the end of extensions (if any) - -From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:06:42 -0400 -Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling - -... to draw code reader attention when something unusual is going on. ---- - src/http/one/Parser.cc | 22 ++++++++++++++++++---- - src/http/one/Parser.h | 10 ++++++++-- - src/http/one/TeChunkedParser.cc | 14 ++++++-------- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 33 insertions(+), 15 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index 01d7e3bc0e8..d3937e5e96b 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -271,11 +271,12 @@ Http::One::ErrorLevel() - return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; - } - --// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule --void --Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) -+/// common part of ParseBws() and ParseStrctBws() -+namespace Http::One { -+static void -+ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - { -- const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(bwsChars); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - - // success: no more BWS characters expected - } -+} // namespace Http::One -+ -+void -+Http::One::ParseBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, CharacterSet::WSP); -+} -+ -+void -+Http::One::ParseStrictBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, Parser::WhitespaceCharacters()); -+} - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 3ef4c5f7752..49e399de546 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,9 +163,15 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); -+/// \sa WhitespaceCharacters() for the definition of BWS characters -+/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties -+void ParseBws(Parser::Tokenizer &); -+ -+/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation -+/// must be used if the next element may start with CR or any other character -+/// from RelaxedDelimiterCharacters(). -+void ParseStrictBws(Parser::Tokenizer &); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index aa4a840fdcf..859471b8c77 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -- ParseBws(tok, true); -- -- parseChunkExtensions(tok); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. -+ // No ParseBws() here because it may consume CR required further below. -+ ParseStrictBws(tok); - -+ parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --bool -+void - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -- bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); - - if (!tok.skip(';')) -- return foundChunkExt; // reached the end of extensions (if any) -+ return; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -- foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 8c5d4bb4cba..02eacd1bb89 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- bool parseChunkExtensions(Tokenizer &); -+ void parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:31:08 -0400 -Subject: [PATCH 6/6] fixup: Deadly typo - ---- - src/http/one/Parser.cc | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index d3937e5e96b..7403a9163a2 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - void - Http::One::ParseBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, CharacterSet::WSP); -+ ParseBws_(tok, Parser::WhitespaceCharacters()); - } - - void - Http::One::ParseStrictBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, Parser::WhitespaceCharacters()); -+ ParseBws_(tok, CharacterSet::WSP); - } - - diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch deleted file mode 100644 index 339d9ec..0000000 --- a/squid-6.13-cache-peer-connect-errors.patch +++ /dev/null @@ -1,287 +0,0 @@ -From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Tue, 2 Apr 2024 20:37:31 +0000 -Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) - - ERROR: Connection to [such-and-such-cache_peer] failed - TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT - -Squid does not alert an admin about (and decrease health level of) a -cache_peer that responded with an error to a GET request. Just like GET -responses from a cache_peer, CONNECT responses may (and often do!) -reflect client or origin server failures. We should not penalize -cache_peers (and alert admins) until we can distinguish these frequent -client/origin failures from (relatively rare) cache_peer problems. This -change absolves cache_peers of CONNECT problems, restoring parity with -GETs and restoring v4 behavior changed (probably by accident) in v5. - -Also removed Http::StatusCode parameter from failure notification -functions because it became essentially unused after the primary -Http::Tunneler changes. Tunneler was the only source of status code -information that (in some cases) used received HTTP response to compute -that status code. All other cases extracted that status code from -Squid-generated errors. Those errors were arguably never meant to supply -status code information for "this failure is not our fault" decision, -and they do not supply 4xx status codes driving that decision. - -### Problem evolution - -2019 commit f5e1794 effectively started blaming cache_peer for all -FwdState CONNECT errors. That functionality change was probably -accidental, likely influenced by the names of noteConnectFailure() and -peerConnectFailed() functions that abbreviated "Connection", making the -functions look as applicable to CONNECT failures. Prior to that commit, -the functions were never used for CONNECT errors. After it, FwdState -started calling peerConnectFailed() for all CONNECT failures. - -In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as -well (by moving that FwdState-only error handling code into Tunneler). -The same "accidental functionality change" speculations apply here. - -In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as -folks deploying newer code started complaining about cache_peers getting -blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We -did not realize that the blaming code itself was an unwanted accident. - -Now we are getting complaints about cache_peers getting blamed for 502 -and 503 CONNECT errors caused by, for example, domain names without IPs: -As these CONNECT error responses are propagated from parent to child -caches, every child cache in the chain logs ERRORs and every cache_peer -in the chain gets its health counter decreased! ---- - src/CachePeer.cc | 11 +---------- - src/CachePeer.h | 12 +++++------- - src/HappyConnOpener.cc | 2 +- - src/PeerPoolMgr.cc | 2 +- - src/clients/HttpTunneler.cc | 10 ++++++---- - src/clients/HttpTunneler.h | 2 +- - src/neighbors.cc | 2 +- - src/security/BlindPeerConnector.cc | 2 +- - src/security/PeerConnector.cc | 8 ++++---- - src/security/PeerConnector.h | 2 +- - src/tests/stub_libsecurity.cc | 2 +- - 11 files changed, 23 insertions(+), 32 deletions(-) - -diff --git a/src/CachePeer.cc b/src/CachePeer.cc -index a5c3adf..91045ef 100644 ---- a/src/CachePeer.cc -+++ b/src/CachePeer.cc -@@ -68,20 +68,11 @@ CachePeer::noteSuccess() - } - } - --void --CachePeer::noteFailure(const Http::StatusCode code) --{ -- if (Http::Is4xx(code)) -- return; // this failure is not our fault -- -- countFailure(); --} -- - // TODO: Require callers to detail failures instead of using one (and often - // misleading!) "connection failed" phrase for all of them. - /// noteFailure() helper for handling failures attributed to this peer - void --CachePeer::countFailure() -+CachePeer::noteFailure() - { - stats.last_connect_failure = squid_curtime; - if (tcp_up > 0) -diff --git a/src/CachePeer.h b/src/CachePeer.h -index 5b13e29..14e40ff 100644 ---- a/src/CachePeer.h -+++ b/src/CachePeer.h -@@ -38,9 +38,8 @@ public: - /// reacts to a successful establishment of a connection to this cache_peer - void noteSuccess(); - -- /// reacts to a failure on a connection to this cache_peer -- /// \param code a received response status code, if any -- void noteFailure(Http::StatusCode code); -+ /// reacts to a failed attempt to establish a connection to this cache_peer -+ void noteFailure(); - - /// (re)configure cache_peer name=value - void rename(const char *); -@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) - peer->noteSuccess(); - } - --/// reacts to a failure on a connection to an origin server or cache_peer -+/// reacts to a failed attempt to establish a connection to an origin server or cache_peer - /// \param peer nil if the connection is to an origin server --/// \param code a received response status code, if any - inline void --NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) -+NoteOutgoingConnectionFailure(CachePeer * const peer) - { - if (peer) -- peer->noteFailure(code); -+ peer->noteFailure(); - } - - /// identify the given cache peer in cache.log messages and such -diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc -index 5ab9294..5e17a76 100644 ---- a/src/HappyConnOpener.cc -+++ b/src/HappyConnOpener.cc -@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar - lastError = makeError(ERR_CONNECT_FAIL); - lastError->xerrno = params.xerrno; - -- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); -+ NoteOutgoingConnectionFailure(params.conn->getPeer()); - - if (spareWaiting) - updateSpareWaitAfterPrimeFailure(); -diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc -index 9cb038e..6fb5b09 100644 ---- a/src/PeerPoolMgr.cc -+++ b/src/PeerPoolMgr.cc -@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) - } - - if (params.flag != Comm::OK) { -- NoteOutgoingConnectionFailure(peer, Http::scNone); -+ NoteOutgoingConnectionFailure(peer); - checkpoint("conn opening failure"); // may retry - return; - } -diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc -index 2fbc3fb..a6e49db 100644 ---- a/src/clients/HttpTunneler.cc -+++ b/src/clients/HttpTunneler.cc -@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) - { - closer = nullptr; - if (connection) { -- countFailingConnection(nullptr); -+ countFailingConnection(); - connection->noteClosure(); - connection = nullptr; - } -@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) - - if (const auto failingConnection = connection) { - // TODO: Reuse to-peer connections after a CONNECT error response. -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() - } - - void --Http::Tunneler::countFailingConnection(const ErrorState * const error) -+Http::Tunneler::countFailingConnection() - { - assert(connection); -- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); -+ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because -+ // we do not blame cache_peer for CONNECT failures (on top of a successfully -+ // established connection to that cache_peer). - if (noteFwdPconnUse && connection->isOpen()) - fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); - } -diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h -index 7886f09..596efcf 100644 ---- a/src/clients/HttpTunneler.h -+++ b/src/clients/HttpTunneler.h -@@ -80,7 +80,7 @@ private: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - AsyncCall::Pointer writer; ///< called when the request has been written - AsyncCall::Pointer reader; ///< called when the response should be read -diff --git a/src/neighbors.cc b/src/neighbors.cc -index 04b69c1..75f56c9 100644 ---- a/src/neighbors.cc -+++ b/src/neighbors.cc -@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int - if (status == Comm::OK) - p->noteSuccess(); - else -- p->noteFailure(Http::scNone); -+ p->noteFailure(); - - -- p->testing_now; - conn->close(); -diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc -index b9e5659..4c37f34 100644 ---- a/src/security/BlindPeerConnector.cc -+++ b/src/security/BlindPeerConnector.cc -@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) - // based on TCP results, SSL results, or both. And the code is probably not - // consistent in this aspect across tunnelling and forwarding modules. - if (peer && peer->secure.encryptTransport) -- peer->noteFailure(error->httpStatus); -+ peer->noteFailure(); - return; - } - -diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc -index d458f99..d0131a1 100644 ---- a/src/security/PeerConnector.cc -+++ b/src/security/PeerConnector.cc -@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) - err->detailError(d); - - if (serverConn) { -- countFailingConnection(err); -+ countFailingConnection(); - serverConn->noteClosure(); - serverConn = nullptr; - } -@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) - answer().error = error; - - if (const auto failingConnection = serverConn) { -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() - } - - void --Security::PeerConnector::countFailingConnection(const ErrorState * const error) -+Security::PeerConnector::countFailingConnection() - { - assert(serverConn); -- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); -+ NoteOutgoingConnectionFailure(serverConn->getPeer()); - // TODO: Calling PconnPool::noteUses() should not be our responsibility. - if (noteFwdPconnUse && serverConn->isOpen()) - fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); -diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h -index a1d5ef9..401df06 100644 ---- a/src/security/PeerConnector.h -+++ b/src/security/PeerConnector.h -@@ -150,7 +150,7 @@ protected: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - /// If called the certificates validator will not used - void bypassCertValidator() {useCertValidator_ = false;} -diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc -index 6bd6204..b513a22 100644 ---- a/src/tests/stub_libsecurity.cc -+++ b/src/tests/stub_libsecurity.cc -@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB - void PeerConnector::sendSuccess() STUB - void PeerConnector::callBack() STUB - void PeerConnector::disconnect() STUB --void PeerConnector::countFailingConnection(const ErrorState *) STUB -+void PeerConnector::countFailingConnection() STUB - void PeerConnector::recordNegotiationDetails() STUB - EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) - } diff --git a/squid.spec b/squid.spec index 352f5a2..bf7b2f2 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.14 -Release: 2%{?dist} +Version: 7.1 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -26,12 +26,7 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Upstream PR: https://github.com/squid-cache/squid/pull/1442 -Patch101: squid-6.1-crash-half-closed.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1914 -Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch -# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47 -Patch103: squid-6.13-cache-peer-connect-errors.patch +# Patch101: squid-7.1-.....patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -119,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-eui \ --enable-follow-x-forwarded-for \ --enable-auth \ - --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \ - --enable-auth-ntlm="SMB_LM,fake" \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \ + --enable-auth-ntlm="fake" \ --enable-auth-digest="file,LDAP" \ --enable-auth-negotiate="kerberos" \ --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \ @@ -156,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-translation # workaround to build squid v5 -mkdir -p src/icmp/tests -mkdir -p tools/squidclient/tests -mkdir -p tools/tests +#mkdir -p src/icmp/tests +#mkdir -p tools/squidclient/tests +#mkdir -p tools/tests %make_build @@ -229,7 +224,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf -%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf %config(noreplace) %{_sysconfdir}/squid/mime.conf %config(noreplace) %{_sysconfdir}/squid/errorpage.css %config(noreplace) %{_sysconfdir}/sysconfig/squid @@ -237,7 +231,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %config %{_sysconfdir}/squid/squid.conf.default %config %{_sysconfdir}/squid/mime.conf.default %config %{_sysconfdir}/squid/errorpage.css.default -%config %{_sysconfdir}/squid/cachemgr.conf.default %config(noreplace) %{_sysconfdir}/pam.d/squid %config(noreplace) %{_sysconfdir}/logrotate.d/squid @@ -246,10 +239,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %{_prefix}/lib/NetworkManager %{_datadir}/squid/icons %{_sbindir}/squid -%{_bindir}/squidclient -%{_bindir}/purge %{_mandir}/man8/* -%{_mandir}/man1/* %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_sysusersdir}/squid.conf @@ -316,6 +306,13 @@ fi %changelog +* Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 +- new version 7.1 +- removed squidclient +- removed purge +- removed cachemgr.cgi +- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers + * Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 3b10dff1195943f7da91454604681981c150b47e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 12 Sep 2025 01:25:20 +0200 Subject: [PATCH 65/68] Support provider keys that require NULL digest --- squid-7.1-provider-keys-digest.patch | 36 ++++++++++++++++++++++++++++ squid.spec | 6 ++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 squid-7.1-provider-keys-digest.patch diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch new file mode 100644 index 0000000..bd62ea1 --- /dev/null +++ b/squid-7.1-provider-keys-digest.patch @@ -0,0 +1,36 @@ +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc +index 09bad6d..59171b7 100644 +--- a/src/ssl/gadgets.cc ++++ b/src/ssl/gadgets.cc +@@ -15,6 +15,19 @@ + #include "security/Io.h" + #include "ssl/gadgets.h" + ++/// whether the given key requires a digest when signing ++static bool ++keyNeedsDigest(const EVP_PKEY * const pkey) { ++ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || ++ EVP_PKEY_is_a(pkey, "ML-DSA-65") || ++ EVP_PKEY_is_a(pkey, "ML-DSA-87") || ++ EVP_PKEY_is_a(pkey, "ED25519") || ++ EVP_PKEY_is_a(pkey, "ED448")) ++ return false; // no digest needed ++ ++ return true; // require a digest for all other types ++} ++ + void + Ssl::ForgetErrors() + { +@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu + assert(hash); + /*Now sign the request */ + if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) +- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); ++ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); + else //else sign with self key (self signed request) +- ret = X509_sign(cert.get(), pkey.get(), hash); ++ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); + + if (!ret) + return false; diff --git a/squid.spec b/squid.spec index bf7b2f2..ec105a4 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -37,6 +37,7 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch +Patch205: squid-7.1-provider-keys-digest.patch # cache_swap.sh Requires: bash gawk @@ -306,6 +307,9 @@ fi %changelog +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +- Support provider keys that require NULL digest + * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 - new version 7.1 - removed squidclient From a70045fc305bb0ab6afd4178e67b35ed38d041b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 24 Sep 2025 10:05:39 +0200 Subject: [PATCH 66/68] Support provider keys that require NULL digest - use upstream patch --- squid-7.1-provider-keys-digest.patch | 51 ++++++++++++++++++++-------- squid.spec | 4 +-- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch index bd62ea1..961a506 100644 --- a/squid-7.1-provider-keys-digest.patch +++ b/squid-7.1-provider-keys-digest.patch @@ -1,36 +1,59 @@ diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 09bad6d..59171b7 100644 +index 1f8ac9d..3f54e3d 100644 --- a/src/ssl/gadgets.cc +++ b/src/ssl/gadgets.cc -@@ -15,6 +15,19 @@ +@@ -13,6 +13,42 @@ #include "security/Io.h" #include "ssl/gadgets.h" -+/// whether the given key requires a digest when signing ++/// whether to supply a digest algorithm name when calling X509_sign() with the given key +static bool -+keyNeedsDigest(const EVP_PKEY * const pkey) { -+ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-65") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-87") || -+ EVP_PKEY_is_a(pkey, "ED25519") || -+ EVP_PKEY_is_a(pkey, "ED448")) -+ return false; // no digest needed ++signWithDigest(const Security::PrivateKeyPointer &key) { ++ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). ++ const auto pkey = key.get(); + -+ return true; // require a digest for all other types ++ // OpenSSL does not define a maximum name size, but does terminate longer ++ // names without returning an error to the caller. Many similar callers in ++ // OpenSSL sources use 80-byte buffers. ++ char defaultDigestName[80] = ""; ++ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); ++ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); ++ if (nameGetterResult <= 0) { ++ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); ++ // Backward compatibility: On error, assume digest should be used. ++ // TODO: Return false for -2 nameGetterResult as it "indicates the ++ // operation is not supported by the public key algorithm"? ++ return true; ++ } ++ ++ // The name "UNDEF" signifies that a digest must (for return value 2) or may ++ // (for return value 1) be left unspecified. ++ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) ++ return false; ++ ++ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. ++ return true; ++} ++ ++/// OpenSSL X509_sign() wrapper ++static auto ++Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { ++ const auto digestOrNil = signWithDigest(key) ? &availableDigest : nullptr; ++ return X509_sign(&cert, key.get(), digestOrNil); +} + void Ssl::ForgetErrors() { -@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu +@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu assert(hash); /*Now sign the request */ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) - ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); -+ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, properties.signWithPkey, *hash); else //else sign with self key (self signed request) - ret = X509_sign(cert.get(), pkey.get(), hash); -+ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, pkey, *hash); if (!ret) return false; diff --git a/squid.spec b/squid.spec index ec105a4..1a32214 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -307,7 +307,7 @@ fi %changelog -* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 - Support provider keys that require NULL digest * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 From 8c77c2eb9851b794b03226cccaedf594ad0d3615 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 17 Oct 2025 10:53:46 +0200 Subject: [PATCH 67/68] new version 7.2 --- sources | 4 +- squid-7.1-provider-keys-digest.patch | 59 ---------------------------- squid.spec | 8 ++-- 3 files changed, 7 insertions(+), 64 deletions(-) delete mode 100644 squid-7.1-provider-keys-digest.patch diff --git a/sources b/sources index 700eafd..1a01cad 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df -SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6 +SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7 +SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch deleted file mode 100644 index 961a506..0000000 --- a/squid-7.1-provider-keys-digest.patch +++ /dev/null @@ -1,59 +0,0 @@ -diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 1f8ac9d..3f54e3d 100644 ---- a/src/ssl/gadgets.cc -+++ b/src/ssl/gadgets.cc -@@ -13,6 +13,42 @@ - #include "security/Io.h" - #include "ssl/gadgets.h" - -+/// whether to supply a digest algorithm name when calling X509_sign() with the given key -+static bool -+signWithDigest(const Security::PrivateKeyPointer &key) { -+ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). -+ const auto pkey = key.get(); -+ -+ // OpenSSL does not define a maximum name size, but does terminate longer -+ // names without returning an error to the caller. Many similar callers in -+ // OpenSSL sources use 80-byte buffers. -+ char defaultDigestName[80] = ""; -+ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); -+ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); -+ if (nameGetterResult <= 0) { -+ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); -+ // Backward compatibility: On error, assume digest should be used. -+ // TODO: Return false for -2 nameGetterResult as it "indicates the -+ // operation is not supported by the public key algorithm"? -+ return true; -+ } -+ -+ // The name "UNDEF" signifies that a digest must (for return value 2) or may -+ // (for return value 1) be left unspecified. -+ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) -+ return false; -+ -+ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. -+ return true; -+} -+ -+/// OpenSSL X509_sign() wrapper -+static auto -+Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { -+ const auto digestOrNil = signWithDigest(key) ? &availableDigest : nullptr; -+ return X509_sign(&cert, key.get(), digestOrNil); -+} -+ - void - Ssl::ForgetErrors() - { -@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu - assert(hash); - /*Now sign the request */ - if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) -- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); -+ ret = Sign(*cert, properties.signWithPkey, *hash); - else //else sign with self key (self signed request) -- ret = X509_sign(cert.get(), pkey.get(), hash); -+ ret = Sign(*cert, pkey, *hash); - - if (!ret) - return false; diff --git a/squid.spec b/squid.spec index 1a32214..5d3f86e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 7.1 -Release: 3%{?dist} +Version: 7.2 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -37,7 +37,6 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch -Patch205: squid-7.1-provider-keys-digest.patch # cache_swap.sh Requires: bash gawk @@ -307,6 +306,9 @@ fi %changelog +* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1 +- new version 7.2 + * Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 - Support provider keys that require NULL digest From d9e38f92158f83eef6f4a9cf9ddad9931d703413 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 29 Oct 2025 11:01:53 +0100 Subject: [PATCH 68/68] new version 7.3 --- sources | 4 ++-- squid.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 1a01cad..304c790 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7 -SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f +SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b +SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid.spec b/squid.spec index 5d3f86e..84d079b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 7.2 +Version: 7.3 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -306,6 +306,9 @@ fi %changelog +* Wed Oct 29 2025 Luboš Uhliarik - 7:7.3-1 +- new version 7.3 + * Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1 - new version 7.2