Compare commits

...
Sign in to create a new pull request.

19 commits

Author SHA1 Message Date
Luboš Uhliarik
d9e38f9215 new version 7.3 2025-10-29 11:01:53 +01:00
Luboš Uhliarik
8c77c2eb98 new version 7.2 2025-10-17 10:54:21 +02:00
Luboš Uhliarik
a70045fc30 Support provider keys that require NULL digest
- use upstream patch
2025-09-24 10:05:39 +02:00
Luboš Uhliarik
3b10dff119 Support provider keys that require NULL digest 2025-09-12 01:56:25 +02:00
Luboš Uhliarik
6e12cc940e new version 7.1
removed squidclient
removed purge
removed cachemgr.cgi
removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
2025-08-14 22:29:23 +02:00
Fedora Release Engineering
fea9e4c688 Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild 2025-07-25 18:41:07 +00:00
Luboš Uhliarik
383c43dd7b new version 6.14 2025-07-21 19:36:11 +02:00
Luboš Uhliarik
3f92dc8816 Do not blame cache_peer for 4xx CONNECT responses 2025-04-10 14:34:13 +02:00
Luboš Uhliarik
22a11a4a8b Source URL change
Use the GitHub URL as the source URL instead of the obsolete one.
2025-02-05 18:12:27 +01:00
Luboš Uhliarik
9c651e4fe8 new version 6.13 2025-02-04 18:38:52 +01:00
Björn Esser
5403d24982
Add explicit BR: libxcrypt-devel
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2025-02-01 19:57:33 +01:00
Fedora Release Engineering
d3ada05373 Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild 2025-01-19 11:31:35 +00:00
Luboš Uhliarik
789f7c9b18 better error handling in cache_swap.sh
added RuntimeDirectory to systemd service file
2024-11-01 21:44:15 +01:00
Luboš Uhliarik
e91b352f10 Disable ESI support since ESI support has been also removed from squid 7
Resolves: CVE-2024-45802 squid: Denial of Service processing ESI
  response content
2024-11-01 16:39:14 +01:00
Luboš Uhliarik
9e3214a729 new version 6.12
Fix TCP_MISS_ABORTED/100 erros when uploading
2024-10-23 21:45:56 +02:00
Luboš Uhliarik
8504f8d8fa ignore SP and HTAB chars after chunk-size 2024-10-11 20:22:16 +02:00
Luboš Uhliarik
259e6f50ca new version 6.11 2024-09-25 15:41:08 +02:00
Fedora Release Engineering
bc07278a7c Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild 2024-07-20 06:20:17 +00:00
Luboš Uhliarik
71d404cc38 new version 6.10
Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may
  lead to Denial of Service
2024-07-01 11:20:18 +02:00
6 changed files with 87 additions and 196 deletions

View file

@ -17,5 +17,8 @@ done
if [ $init_cache_dirs -ne 0 ]; then
echo ""
squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then
echo "init_cache_dir failed, see /var/log/squid/squid.out for more information"
exit 1
fi
fi

View file

@ -1,3 +1,3 @@
SHA512 (squid-6.9.tar.xz) = 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e
SHA512 (squid-6.9.tar.xz.asc) = ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa
SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b
SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273
SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d

View file

@ -1,158 +0,0 @@
diff --git a/src/client_side.cc b/src/client_side.cc
index f488fc4..69586df 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -932,7 +932,7 @@ ConnStateData::kick()
* We are done with the response, and we are either still receiving request
* body (early response!) or have already stopped receiving anything.
*
- * If we are still receiving, then clientParseRequest() below will fail.
+ * If we are still receiving, then parseRequests() below will fail.
* (XXX: but then we will call readNextRequest() which may succeed and
* execute a smuggled request as we are not done with the current request).
*
@@ -952,28 +952,12 @@ ConnStateData::kick()
* Attempt to parse a request from the request buffer.
* If we've been fed a pipelined request it may already
* be in our read buffer.
- *
- \par
- * This needs to fall through - if we're unlucky and parse the _last_ request
- * from our read buffer we may never re-register for another client read.
*/
- if (clientParseRequests()) {
- debugs(33, 3, clientConnection << ": parsed next request from buffer");
- }
+ parseRequests();
- /** \par
- * Either we need to kick-start another read or, if we have
- * a half-closed connection, kill it after the last request.
- * This saves waiting for half-closed connections to finished being
- * half-closed _AND_ then, sometimes, spending "Timeout" time in
- * the keepalive "Waiting for next request" state.
- */
- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) {
- debugs(33, 3, "half-closed client with no pending requests, closing");
- clientConnection->close();
+ if (!isOpen())
return;
- }
/** \par
* At this point we either have a parsed request (which we've
@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte()
resetReadTimeout(Config.Timeout.request);
}
-/**
- * Attempt to parse one or more requests from the input buffer.
- * Returns true after completing parsing of at least one request [header]. That
- * includes cases where parsing ended with an error (e.g., a huge request).
- */
-bool
-ConnStateData::clientParseRequests()
+/// Attempt to parse one or more requests from the input buffer.
+/// May close the connection.
+void
+ConnStateData::parseRequests()
{
- bool parsed_req = false;
-
debugs(33, 5, clientConnection << ": attempting to parse");
// Loop while we have read bytes that are not needed for producing the body
@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests()
processParsedRequest(context);
- parsed_req = true; // XXX: do we really need to parse everything right NOW ?
-
if (context->mayUseConnection()) {
debugs(33, 3, "Not parsing new requests, as this request may need the connection");
break;
@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests()
}
}
- /* XXX where to 'finish' the parsing pass? */
- return parsed_req;
+ debugs(33, 7, "buffered leftovers: " << inBuf.length());
+
+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
+ if (pipeline.empty()) {
+ // we processed what we could parse, and no more data is coming
+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
+ clientConnection->close();
+ } else {
+ // we parsed what we could, and no more data is coming
+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
+ flags.readMore = false; // may already be false
+ }
+ }
}
void
@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead()
if (pipeline.empty())
fd_note(clientConnection->fd, "Reading next request");
- if (!clientParseRequests()) {
- if (!isOpen())
- return;
- // We may get here if the client half-closed after sending a partial
- // request. See doClientRead() and shouldCloseOnEof().
- // XXX: This partially duplicates ConnStateData::kick().
- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
- clientConnection->close();
- return;
- }
- }
+ parseRequests();
if (!isOpen())
return;
@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
startPinnedConnectionMonitoring();
if (pipeline.empty())
- kick(); // in case clientParseRequests() was blocked by a busy pic.connection
+ kick(); // in case parseRequests() was blocked by a busy pic.connection
}
/// Forward future client requests using the given server connection.
diff --git a/src/client_side.h b/src/client_side.h
index 6027b31..60b99b1 100644
--- a/src/client_side.h
+++ b/src/client_side.h
@@ -98,7 +98,6 @@ public:
void doneWithControlMsg() override;
/// Traffic parsing
- bool clientParseRequests();
void readNextRequest();
/// try to make progress on a transaction or read more I/O
@@ -443,6 +442,7 @@ private:
void checkLogging();
+ void parseRequests();
void clientAfterReadingRequests();
bool concurrentRequestQueueFilled() const;
diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
index 8c160e5..f49d5dc 100644
--- a/src/tests/stub_client_side.cc
+++ b/src/tests/stub_client_side.cc
@@ -14,7 +14,7 @@
#include "tests/STUB.h"
#include "client_side.h"
-bool ConnStateData::clientParseRequests() STUB_RETVAL(false)
+void ConnStateData::parseRequests() STUB
void ConnStateData::readNextRequest() STUB
bool ConnStateData::isOpen() const STUB_RETVAL(false)
void ConnStateData::kick() STUB

View file

@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755
-#!/usr/local/bin/perl -Tw
+#!/usr/bin/perl -Tw
#
# * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
# * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
# *

View file

@ -8,11 +8,14 @@ Type=notify
LimitNOFILE=16384
PIDFile=/run/squid.pid
EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStartPre=!/usr/libexec/squid/cache_swap.sh
ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=!/usr/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all
User=squid
Group=squid
RuntimeDirectory=squid
[Install]
WantedBy=multi-user.target

View file

@ -1,7 +1,8 @@
%define __perl_requires %{SOURCE98}
%define version_underscore %(echo %{version} | tr '.' '_')
Name: squid
Version: 6.9
Version: 7.3
Release: 1%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
@ -9,8 +10,8 @@ Epoch: 7
License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware)
URL: http://www.squid-cache.org
Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz
Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc
Source2: http://www.squid-cache.org/pgp.asc
Source3: squid.logrotate
Source4: squid.sysconfig
@ -25,7 +26,7 @@ Source98: perl-requires-squid.sh
# Upstream patches
# Backported patches
# Patch101: patch
# Patch101: squid-7.1-.....patch
# Local patches
# Applying upstream patches first makes it less likely that local patches
@ -36,8 +37,6 @@ Patch203: squid-6.1-perlpath.patch
# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
# workaround for #1934919
Patch204: squid-6.1-symlink-lang-err.patch
# Upstream PR: https://github.com/squid-cache/squid/pull/1442
Patch205: squid-6.1-crash-half-closed.patch
# cache_swap.sh
Requires: bash gawk
@ -55,8 +54,6 @@ BuildRequires: openssl-devel
BuildRequires: krb5-devel
# time_quota requires TrivialDB
BuildRequires: libtdb-devel
# ESI support requires Expat & libxml2
BuildRequires: expat-devel libxml2-devel
# TPROXY requires libcap, and also increases security somewhat
BuildRequires: libcap-devel
# eCAP support
@ -64,12 +61,13 @@ BuildRequires: libecap-devel
#ip_user helper requires
BuildRequires: gcc-c++
BuildRequires: libtool libtool-ltdl-devel
BuildRequires: libxcrypt-devel
BuildRequires: perl-generators
# For test suite
BuildRequires: pkgconfig(cppunit)
# For verifying downloded src tarball
BuildRequires: gnupg2
# for _tmpfilesdir and _unitdir macro
# for _unitdir macro
# see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging
BuildRequires: systemd-rpm-macros
# systemd notify
@ -116,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
--enable-eui \
--enable-follow-x-forwarded-for \
--enable-auth \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \
--enable-auth-ntlm="SMB_LM,fake" \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-ntlm="fake" \
--enable-auth-digest="file,LDAP" \
--enable-auth-negotiate="kerberos" \
--enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \
@ -139,7 +137,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
--enable-storeio="aufs,diskd,ufs,rock" \
--enable-diskio \
--enable-wccpv2 \
--enable-esi \
--disable-esi \
--enable-ecap \
--with-aio \
--with-default-user="squid" \
@ -153,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
--enable-translation
# workaround to build squid v5
mkdir -p src/icmp/tests
mkdir -p tools/squidclient/tests
mkdir -p tools/tests
#mkdir -p src/icmp/tests
#mkdir -p tools/squidclient/tests
#mkdir -p tools/tests
%make_build
@ -196,17 +194,8 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt
install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid
mkdir -p $RPM_BUILD_ROOT/run/squid
chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl
# install /usr/lib/tmpfiles.d/squid.conf
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf <<EOF
# See tmpfiles.d(5) for details
d /run/squid 0755 squid squid - -
EOF
# Move the MIB definition to the proper place (and name)
mkdir -p $RPM_BUILD_ROOT/usr/share/snmp/mibs
mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/SQUID-MIB.txt
@ -232,11 +221,9 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
%attr(755,root,root) %dir %{_libdir}/squid
%attr(770,squid,root) %dir %{_localstatedir}/log/squid
%attr(750,squid,squid) %dir %{_localstatedir}/spool/squid
%attr(755,squid,squid) %dir /run/squid
%config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
%config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf
%config(noreplace) %{_sysconfdir}/squid/mime.conf
%config(noreplace) %{_sysconfdir}/squid/errorpage.css
%config(noreplace) %{_sysconfdir}/sysconfig/squid
@ -244,7 +231,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
%config %{_sysconfdir}/squid/squid.conf.default
%config %{_sysconfdir}/squid/mime.conf.default
%config %{_sysconfdir}/squid/errorpage.css.default
%config %{_sysconfdir}/squid/cachemgr.conf.default
%config(noreplace) %{_sysconfdir}/pam.d/squid
%config(noreplace) %{_sysconfdir}/logrotate.d/squid
@ -253,13 +239,9 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
%{_prefix}/lib/NetworkManager
%{_datadir}/squid/icons
%{_sbindir}/squid
%{_bindir}/squidclient
%{_bindir}/purge
%{_mandir}/man8/*
%{_mandir}/man1/*
%{_libdir}/squid/*
%{_datadir}/snmp/mibs/SQUID-MIB.txt
%{_tmpfilesdir}/squid.conf
%{_sysusersdir}/squid.conf
%pre
@ -324,6 +306,67 @@ fi
%changelog
* Wed Oct 29 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.3-1
- new version 7.3
* Fri Oct 17 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.2-1
- new version 7.2
* Thu Sep 11 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.1-3
- Support provider keys that require NULL digest
* Thu Aug 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.1-1
- new version 7.1
- removed squidclient
- removed purge
- removed cachemgr.cgi
- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Mon Jul 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.14-1
- new version 6.14
* Wed Mar 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-2
- Do not blame cache_peer for 4xx CONNECT responses
* Tue Feb 04 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-1
- new version 6.13
* Sat Feb 01 2025 Björn Esser <besser82@fedoraproject.org> - 7:6.12-5
- Add explicit BR: libxcrypt-devel
* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.12-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Fri Nov 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-3
- better error handling in cache_swap.sh
- added RuntimeDirectory to systemd service file
* Fri Nov 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-2
- Disable ESI support since ESI support has been also removed from squid 7
- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI
response content
* Wed Oct 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-1
- new version 6.12
- Fix TCP_MISS_ABORTED/100 erros when uploading
* Fri Oct 11 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.11-2
- ignore SP and HTAB chars after chunk-size
* Wed Sep 25 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.11-1
- new version 6.11
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-1
- new version 6.10
- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may
lead to Denial of Service
* Tue Apr 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.9-1
- Resolves: #2262715 - squid-6.9 is available