new version 7.3

- use upstream patch

cache_swap.sh

@@ -17,5 +17,8 @@ done
 
 if [ $init_cache_dirs -ne 0 ]; then
 	echo ""
-	squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
+	if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then
+		echo "init_cache_dir failed, see /var/log/squid/squid.out for more information"
+		exit 1
+	fi
 fi

sources

@@ -1,3 +1,3 @@
-SHA512 (squid-6.4.tar.xz) = 7bbf759841448874090a145699ee01f67696c19da147e433b1ecc80a856095cbfae611ef910bc4f2c44218101d89f2ee13796f5b7ada2e21e95638d4dae077ab
-SHA512 (squid-6.4.tar.xz.asc) = e61ea2f81a73ead4f6a8553410822ba51f0910546c7cbfb93e26f73f862f0a526fcb5c26308109f49e9f0fd0fbce702804a919fe8234b085a32251d62c891803
-SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2
+SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b
+SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273
+SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d

squid-6.1-crash-half-closed.patch

@@ -1,158 +0,0 @@
-diff --git a/src/client_side.cc b/src/client_side.cc
-index f488fc4..69586df 100644
---- a/src/client_side.cc
-+++ b/src/client_side.cc
-@@ -932,7 +932,7 @@ ConnStateData::kick()
-      * We are done with the response, and we are either still receiving request
-      * body (early response!) or have already stopped receiving anything.
-      *
--     * If we are still receiving, then clientParseRequest() below will fail.
-+     * If we are still receiving, then parseRequests() below will fail.
-      * (XXX: but then we will call readNextRequest() which may succeed and
-      * execute a smuggled request as we are not done with the current request).
-      *
-@@ -952,28 +952,12 @@ ConnStateData::kick()
-      * Attempt to parse a request from the request buffer.
-      * If we've been fed a pipelined request it may already
-      * be in our read buffer.
--     *
--     \par
--     * This needs to fall through - if we're unlucky and parse the _last_ request
--     * from our read buffer we may never re-register for another client read.
-      */
- 
--    if (clientParseRequests()) {
--        debugs(33, 3, clientConnection << ": parsed next request from buffer");
--    }
-+    parseRequests();
- 
--    /** \par
--     * Either we need to kick-start another read or, if we have
--     * a half-closed connection, kill it after the last request.
--     * This saves waiting for half-closed connections to finished being
--     * half-closed _AND_ then, sometimes, spending "Timeout" time in
--     * the keepalive "Waiting for next request" state.
--     */
--    if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) {
--        debugs(33, 3, "half-closed client with no pending requests, closing");
--        clientConnection->close();
-+    if (!isOpen())
-         return;
--    }
- 
-     /** \par
-      * At this point we either have a parsed request (which we've
-@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte()
-     resetReadTimeout(Config.Timeout.request);
- }
- 
--/**
-- * Attempt to parse one or more requests from the input buffer.
-- * Returns true after completing parsing of at least one request [header]. That
-- * includes cases where parsing ended with an error (e.g., a huge request).
-- */
--bool
--ConnStateData::clientParseRequests()
-+/// Attempt to parse one or more requests from the input buffer.
-+/// May close the connection.
-+void
-+ConnStateData::parseRequests()
- {
--    bool parsed_req = false;
--
-     debugs(33, 5, clientConnection << ": attempting to parse");
- 
-     // Loop while we have read bytes that are not needed for producing the body
-@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests()
- 
-             processParsedRequest(context);
- 
--            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
--
-             if (context->mayUseConnection()) {
-                 debugs(33, 3, "Not parsing new requests, as this request may need the connection");
-                 break;
-@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests()
-         }
-     }
- 
--    /* XXX where to 'finish' the parsing pass? */
--    return parsed_req;
-+    debugs(33, 7, "buffered leftovers: " << inBuf.length());
-+
-+    if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
-+        if (pipeline.empty()) {
-+            // we processed what we could parse, and no more data is coming
-+            debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
-+            clientConnection->close();
-+        } else {
-+            // we parsed what we could, and no more data is coming
-+            debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
-+            flags.readMore = false; // may already be false
-+        }
-+    }
- }
- 
- void
-@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead()
-     if (pipeline.empty())
-         fd_note(clientConnection->fd, "Reading next request");
- 
--    if (!clientParseRequests()) {
--        if (!isOpen())
--            return;
--        // We may get here if the client half-closed after sending a partial
--        // request. See doClientRead() and shouldCloseOnEof().
--        // XXX: This partially duplicates ConnStateData::kick().
--        if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
--            debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
--            clientConnection->close();
--            return;
--        }
--    }
-+    parseRequests();
- 
-     if (!isOpen())
-         return;
-@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
-     startPinnedConnectionMonitoring();
- 
-     if (pipeline.empty())
--        kick(); // in case clientParseRequests() was blocked by a busy pic.connection
-+        kick(); // in case parseRequests() was blocked by a busy pic.connection
- }
- 
- /// Forward future client requests using the given server connection.
-diff --git a/src/client_side.h b/src/client_side.h
-index 6027b31..60b99b1 100644
---- a/src/client_side.h
-+++ b/src/client_side.h
-@@ -98,7 +98,6 @@ public:
-     void doneWithControlMsg() override;
- 
-     /// Traffic parsing
--    bool clientParseRequests();
-     void readNextRequest();
- 
-     /// try to make progress on a transaction or read more I/O
-@@ -443,6 +442,7 @@ private:
- 
-     void checkLogging();
- 
-+    void parseRequests();
-     void clientAfterReadingRequests();
-     bool concurrentRequestQueueFilled() const;
- 
-diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
-index 8c160e5..f49d5dc 100644
---- a/src/tests/stub_client_side.cc
-+++ b/src/tests/stub_client_side.cc
-@@ -14,7 +14,7 @@
- #include "tests/STUB.h"
- 
- #include "client_side.h"
--bool ConnStateData::clientParseRequests() STUB_RETVAL(false)
-+void ConnStateData::parseRequests() STUB
- void ConnStateData::readNextRequest() STUB
- bool ConnStateData::isOpen() const STUB_RETVAL(false)
- void ConnStateData::kick() STUB

squid-6.1-perlpath.patch

@@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755
 -#!/usr/local/bin/perl -Tw
 +#!/usr/bin/perl -Tw
  #
- # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
+ # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
  # *

squid.service

@@ -8,11 +8,14 @@ Type=notify
 LimitNOFILE=16384
 PIDFile=/run/squid.pid
 EnvironmentFile=/etc/sysconfig/squid
-ExecStartPre=/usr/libexec/squid/cache_swap.sh
-ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
-ExecReload=/usr/bin/kill -HUP $MAINPID
+ExecStartPre=!/usr/libexec/squid/cache_swap.sh
+ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
+ExecReload=!/usr/bin/kill -HUP $MAINPID
 KillMode=mixed
 NotifyAccess=all
+User=squid
+Group=squid
+RuntimeDirectory=squid
 
 [Install]
 WantedBy=multi-user.target

squid.spec

@@ -1,7 +1,8 @@
 %define __perl_requires %{SOURCE98}
+%define version_underscore %(echo %{version} | tr '.' '_')
 
 Name:     squid
-Version:  6.4
+Version:  7.3
 Release:  1%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
@@ -9,8 +10,8 @@ Epoch:    7
 License:  GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware)
 URL:      http://www.squid-cache.org
 
-Source0:  http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
-Source1:  http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
+Source0:  https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz
+Source1:  https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc
 Source2:  http://www.squid-cache.org/pgp.asc
 Source3:  squid.logrotate
 Source4:  squid.sysconfig
@@ -25,7 +26,7 @@ Source98: perl-requires-squid.sh
 # Upstream patches
 
 # Backported patches
-# Patch101: patch
+# Patch101: squid-7.1-.....patch
 
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
@@ -36,8 +37,6 @@ Patch203: squid-6.1-perlpath.patch
 # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
 # workaround for #1934919
 Patch204: squid-6.1-symlink-lang-err.patch
-# Upstream PR: https://github.com/squid-cache/squid/pull/1442
-Patch205: squid-6.1-crash-half-closed.patch
 
 # cache_swap.sh
 Requires: bash gawk
@@ -55,8 +54,6 @@ BuildRequires: openssl-devel
 BuildRequires: krb5-devel
 # time_quota requires TrivialDB
 BuildRequires: libtdb-devel
-# ESI support requires Expat & libxml2
-BuildRequires: expat-devel libxml2-devel
 # TPROXY requires libcap, and also increases security somewhat
 BuildRequires: libcap-devel
 # eCAP support
@@ -64,12 +61,13 @@ BuildRequires: libecap-devel
 #ip_user helper requires
 BuildRequires: gcc-c++
 BuildRequires: libtool libtool-ltdl-devel
+BuildRequires: libxcrypt-devel
 BuildRequires: perl-generators
 # For test suite
 BuildRequires: pkgconfig(cppunit)
 # For verifying downloded src tarball
 BuildRequires: gnupg2
-# for _tmpfilesdir and _unitdir macro
+# for _unitdir macro
 # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging
 BuildRequires: systemd-rpm-macros
 # systemd notify
@@ -83,7 +81,7 @@ Conflicts: NetworkManager < 1.20
 
 %description
 Squid is a high-performance proxy caching server for Web clients,
-supporting FTP, gopher, and HTTP data objects. Unlike traditional
+supporting FTP and HTTP data objects. Unlike traditional
 caching software, Squid handles all requests in a single,
 non-blocking, I/O-driven process. Squid keeps meta data and especially
 hot objects cached in RAM, caches DNS lookups, supports non-blocking
@@ -95,19 +93,8 @@ lookup program (dnsserver), a program for retrieving FTP data
 
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%setup -q
 
-# Upstream patches
-
-# Backported patches
-# %patch101 -p1 -b .patch
-
-# Local patches
-%patch -P 201 -p1 -b .config
-%patch -P 202 -p1 -b .location
-%patch -P 203 -p1 -b .perlpath
-%patch -P 204 -p1 -b .symlink-lang-err
-%patch -P 205 -p1 -b .crash-half-closed
+%autosetup -p1
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -127,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
    --enable-eui \
    --enable-follow-x-forwarded-for \
    --enable-auth \
-   --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \
-   --enable-auth-ntlm="SMB_LM,fake" \
+   --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
+   --enable-auth-ntlm="fake" \
    --enable-auth-digest="file,LDAP" \
    --enable-auth-negotiate="kerberos" \
    --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \
@@ -150,7 +137,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
    --enable-storeio="aufs,diskd,ufs,rock" \
    --enable-diskio \
    --enable-wccpv2 \
-   --enable-esi \
+   --disable-esi \
    --enable-ecap \
    --with-aio \
    --with-default-user="squid" \
@@ -164,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
    --enable-translation
 
 # workaround to build squid v5
-mkdir -p src/icmp/tests
-mkdir -p tools/squidclient/tests
-mkdir -p tools/tests
+#mkdir -p src/icmp/tests
+#mkdir -p tools/squidclient/tests
+#mkdir -p tools/tests
 
 %make_build
 
@@ -207,17 +194,8 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt
 install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid
-mkdir -p $RPM_BUILD_ROOT/run/squid
 chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl
 
-# install /usr/lib/tmpfiles.d/squid.conf
-mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
-cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf <<EOF
-# See tmpfiles.d(5) for details
-
-d /run/squid 0755 squid squid - -
-EOF
-
 # Move the MIB definition to the proper place (and name)
 mkdir -p $RPM_BUILD_ROOT/usr/share/snmp/mibs
 mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/SQUID-MIB.txt
@@ -243,11 +221,9 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %attr(755,root,root) %dir %{_libdir}/squid
 %attr(770,squid,root) %dir %{_localstatedir}/log/squid
 %attr(750,squid,squid) %dir %{_localstatedir}/spool/squid
-%attr(755,squid,squid) %dir /run/squid
 
 %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
 %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
-%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf
 %config(noreplace) %{_sysconfdir}/squid/mime.conf
 %config(noreplace) %{_sysconfdir}/squid/errorpage.css
 %config(noreplace) %{_sysconfdir}/sysconfig/squid
@@ -255,7 +231,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %config %{_sysconfdir}/squid/squid.conf.default
 %config %{_sysconfdir}/squid/mime.conf.default
 %config %{_sysconfdir}/squid/errorpage.css.default
-%config %{_sysconfdir}/squid/cachemgr.conf.default
 %config(noreplace) %{_sysconfdir}/pam.d/squid
 %config(noreplace) %{_sysconfdir}/logrotate.d/squid
 
@@ -264,13 +239,9 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %{_prefix}/lib/NetworkManager
 %{_datadir}/squid/icons
 %{_sbindir}/squid
-%{_bindir}/squidclient
-%{_bindir}/purge
 %{_mandir}/man8/*
-%{_mandir}/man1/*
 %{_libdir}/squid/*
 %{_datadir}/snmp/mibs/SQUID-MIB.txt
-%{_tmpfilesdir}/squid.conf
 %{_sysusersdir}/squid.conf
 
 %pre
@@ -335,6 +306,87 @@ fi
 
 
 %changelog
+* Wed Oct 29 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.3-1
+- new version 7.3
+
+* Fri Oct 17 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.2-1
+- new version 7.2
+
+* Thu Sep 11 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.1-3
+- Support provider keys that require NULL digest
+
+* Thu Aug 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.1-1
+- new version 7.1
+- removed squidclient
+- removed purge
+- removed cachemgr.cgi
+- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jul 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.14-1
+- new version 6.14
+
+* Wed Mar 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-2
+- Do not blame cache_peer for 4xx CONNECT responses
+
+* Tue Feb 04 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-1
+- new version 6.13
+
+* Sat Feb 01 2025 Björn Esser <besser82@fedoraproject.org> - 7:6.12-5
+- Add explicit BR: libxcrypt-devel
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.12-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Fri Nov 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-3
+- better error handling in cache_swap.sh
+- added RuntimeDirectory to systemd service file
+
+* Fri Nov 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-2
+- Disable ESI support since ESI support has been also removed from squid 7
+- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI
+  response content
+
+* Wed Oct 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-1
+- new version 6.12
+- Fix TCP_MISS_ABORTED/100 erros when uploading
+
+* Fri Oct 11 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.11-2
+- ignore SP and HTAB chars after chunk-size
+
+* Wed Sep 25 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.11-1
+- new version 6.11
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-1
+- new version 6.10
+- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may
+  lead to Denial of Service
+
+* Tue Apr 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.9-1
+- Resolves: #2262715 - squid-6.9 is available
+
+* Sat Mar 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.8-1
+- new version 6.8
+
+* Mon Feb 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.7-1
+- new version 6.7
+- switch to autosetup
+- fix FTBFS when using gcc14
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Dec 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 7:6.6-1
+- new version 6.6
+
+* Tue Nov 07 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.5-1
+- new version 6.5
+
 * Tue Oct 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.4-1
 - new version 6.4