Re: [PATCH] squid: Update to 4.4 (stable)

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 9154 bytes --]

Hey,

this is a fairly small looking patch but bringing a lot of changes with it.
Looks great what the squid devs have done.

However, one of my first thoughts was: Does this require no changes to the
configuration/CGI? Can you confirm?

Best,
-Michael

On Sun, 2018-11-04 at 08:09 +0100, Matthias Fischer wrote:
> For details see:
> http://www.squid-cache.org/Versions/v4/changesets/
> 
> In July 2018, 'squid 4' was "released for production use", see:
> https://wiki.squid-cache.org/Squid-4
> 
> "The features have been set and large code changes are reserved for later
> versions."
> 
> I've tested almost all 4.x-versions and patch series before with good results.
> Right now, 4.4 is running here with no seen problems together with
> 'squidclamav', 'squidguard' and 'privoxy'.
> 
> I too would declare this version stable.
> 
> Best,
> Matthias
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  lfs/squid                                     | 12 ++--
>  ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 -------------------
>  ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------
>  ... squid-4.4-fix-max-file-descriptors.patch} |  4 +-
>  4 files changed, 8 insertions(+), 102 deletions(-)
>  delete mode 100644
> src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_
> FAIL_306.patch
>  delete mode 100644
> src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>  rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-
> 4.4-fix-max-file-descriptors.patch} (92%)
> 
> diff --git a/lfs/squid b/lfs/squid
> index 11b84d719..e5e799111 100644
> --- a/lfs/squid
> +++ b/lfs/squid
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 3.5.28
> +VER        = 4.4
>  
>  THISAPP    = squid-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5
> +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
>  
>  install : $(TARGET)
>  
> @@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) :
>  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
> -	cd $(DIR_APP) && patch -Np1 -i
> $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECU
> RE_CONNECT_FAIL_306.patch
> -	cd $(DIR_APP) && patch -Np1 -i
> $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.p
> atch
> -	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-
> 3.5.28-fix-max-file-descriptors.patch
> +	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-
> fix-max-file-descriptors.patch
>  
>  	cd $(DIR_APP) && autoreconf -vfi
>  	cd $(DIR_APP)/libltdl && autoreconf -vfi
> @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  		--enable-zph-qos \
>  		--with-dl \
>  		--with-filedescriptors=$$(( 16384 * 64 )) \
> -		--with-large-files
> +		--with-large-files \
> +		--without-gnutls \
> +		--without-netfilter-conntrack
>  
>  	cd $(DIR_APP) && make $(MAKETUNING)
>  	cd $(DIR_APP) && make install
> diff --git
> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
> T_FAIL_306.patch
> b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
> T_FAIL_306.patch
> deleted file mode 100644
> index fadb1d48c..000000000
> ---
> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
> T_FAIL_306.patch
> +++ /dev/null
> @@ -1,72 +0,0 @@
> -commit f1657a9decc820f748fa3aff68168d3145258031
> -Author: Christos Tsantilas <christos(a)chtsanti.net>
> -Date:   2018-10-17 15:14:07 +0000
> -
> -    Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
> -    
> -    %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped
> when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL
> template. This bug affects all
> -    ERR_SECURE_CONNECT_FAIL page templates containing %D, including the
> default template.
> -    
> -    Other error pages are not vulnerable because Squid does not populate %D
> with certificate details in other contexts (yet).
> -    
> -    Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
> -    
> -    TODO: If those certificate details become needed for ACL checks or other
> non-HTML purposes, make their HTML-escaping conditional.
> -    
> -    This is a Measurement Factory project.
> -
> -diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
> -index b5030e3..314e998 100644
> ---- a/src/ssl/ErrorDetail.cc
> -+++ b/src/ssl/ErrorDetail.cc
> -@@ -8,6 +8,8 @@
> - 
> - #include "squid.h"
> - #include "errorpage.h"
> -+#include "fatal.h"
> -+#include "html_quote.h"
> - #include "ssl/ErrorDetail.h"
> - 
> - #include <climits>
> -@@ -432,8 +434,11 @@ const char  *Ssl::ErrorDetail::subject() const
> - {
> -     if (broken_cert.get()) {
> -         static char tmpBuffer[256]; // A temporary buffer
> --        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer)))
> --            return tmpBuffer;
> -+        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer))) {
> -+            // quote to avoid possible html code injection through
> -+            // certificate subject
> -+            return html_quote(tmpBuffer);
> -+        }
> -     }
> -     return "[Not available]";
> - }
> -@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
> -         static String tmpStr;  ///< A temporary string buffer
> -         tmpStr.clean();
> -         Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
> --        if (tmpStr.size())
> --            return tmpStr.termedBuf();
> -+        if (tmpStr.size()) {
> -+            // quote to avoid possible html code injection through
> -+            // certificate subject
> -+            return html_quote(tmpStr.termedBuf());
> -+        }
> -     }
> -     return "[Not available]";
> - }
> -@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
> - {
> -     if (broken_cert.get()) {
> -         static char tmpBuffer[256]; // A temporary buffer
> --        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer)))
> --            return tmpBuffer;
> -+        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
> tmpBuffer, sizeof(tmpBuffer))) {
> -+            // quote to avoid possible html code injection through
> -+            // certificate issuer subject
> -+            return html_quote(tmpBuffer);
> -+        }
> -     }
> -     return "[Not available]";
> - }
> diff --git
> a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> deleted file mode 100644
> index 2ae034c20..000000000
> --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
> -Author: flozilla <fishyflow(a)gmail.com>
> -Date:   2018-10-24 14:12:01 +0200
> -
> -    Fix memory leak when parsing SNMP packet (#313)
> -    
> -    SNMP queries denied by snmp_access rules and queries with certain
> -    unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
> -    queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
> -
> -diff --git a/src/snmp_core.cc b/src/snmp_core.cc
> -index c4d21c1..16c2993 100644
> ---- a/src/snmp_core.cc
> -+++ b/src/snmp_core.cc
> -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
> -             snmpConstructReponse(rq);
> -         } else {
> -             debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from
> : " << rq->from);
> -+            snmp_free_pdu(PDU);
> -         }
> -         xfree(Community);
> - 
> diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
> b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
> similarity index 92%
> rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
> rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
> index a46390c1e..8d1a4e03a 100644
> --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
> +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
> @@ -1,6 +1,6 @@
>  --- configure.ac.~	Wed Apr 20 14:26:07 2016
>  +++ configure.ac	Fri Apr 22 17:20:46 2016
> -@@ -3149,6 +3149,9 @@
> +@@ -3156,6 +3156,9 @@
>       ;;
>   esac
>   
> @@ -10,7 +10,7 @@
>   dnl --with-maxfd present for compatibility with Squid-2.
>   dnl undocumented in ./configure --help  to encourage using the Squid-3
> directive
>   AC_ARG_WITH(maxfd,,
> -@@ -3179,8 +3182,6 @@
> +@@ -3186,8 +3189,6 @@
>       esac
>   ])
>