Re: [PATCH] squid: Update to 4.4 (stable)

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 9531 bytes --]

On 09.11.2018 16:22, Michael Tremer wrote:
> Hey,

Hi,

> this is a fairly small looking patch but bringing a lot of changes with it.
> Looks great what the squid devs have done.
> 
> However, one of my first thoughts was: Does this require no changes to the
> configuration/CGI? Can you confirm?

Confirmed. I never needed any GUI changes.

Best,
Matthias

> Best,
> -Michael
> 
> On Sun, 2018-11-04 at 08:09 +0100, Matthias Fischer wrote:
>> For details see:
>> http://www.squid-cache.org/Versions/v4/changesets/
>> 
>> In July 2018, 'squid 4' was "released for production use", see:
>> https://wiki.squid-cache.org/Squid-4
>> 
>> "The features have been set and large code changes are reserved for later
>> versions."
>> 
>> I've tested almost all 4.x-versions and patch series before with good results.
>> Right now, 4.4 is running here with no seen problems together with
>> 'squidclamav', 'squidguard' and 'privoxy'.
>> 
>> I too would declare this version stable.
>> 
>> Best,
>> Matthias
>> 
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>>  lfs/squid                                     | 12 ++--
>>  ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 -------------------
>>  ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------
>>  ... squid-4.4-fix-max-file-descriptors.patch} |  4 +-
>>  4 files changed, 8 insertions(+), 102 deletions(-)
>>  delete mode 100644
>> src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_
>> FAIL_306.patch
>>  delete mode 100644
>> src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>>  rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-
>> 4.4-fix-max-file-descriptors.patch} (92%)
>> 
>> diff --git a/lfs/squid b/lfs/squid
>> index 11b84d719..e5e799111 100644
>> --- a/lfs/squid
>> +++ b/lfs/squid
>> @@ -24,7 +24,7 @@
>>  
>>  include Config
>>  
>> -VER        = 3.5.28
>> +VER        = 4.4
>>  
>>  THISAPP    = squid-$(VER)
>>  DL_FILE    = $(THISAPP).tar.xz
>> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>>  
>>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>  
>> -$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5
>> +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
>>  
>>  install : $(TARGET)
>>  
>> @@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) :
>>  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  	@$(PREBUILD)
>>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
>> -	cd $(DIR_APP) && patch -Np1 -i
>> $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECU
>> RE_CONNECT_FAIL_306.patch
>> -	cd $(DIR_APP) && patch -Np1 -i
>> $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.p
>> atch
>> -	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-
>> 3.5.28-fix-max-file-descriptors.patch
>> +	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-
>> fix-max-file-descriptors.patch
>>  
>>  	cd $(DIR_APP) && autoreconf -vfi
>>  	cd $(DIR_APP)/libltdl && autoreconf -vfi
>> @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  		--enable-zph-qos \
>>  		--with-dl \
>>  		--with-filedescriptors=$$(( 16384 * 64 )) \
>> -		--with-large-files
>> +		--with-large-files \
>> +		--without-gnutls \
>> +		--without-netfilter-conntrack
>>  
>>  	cd $(DIR_APP) && make $(MAKETUNING)
>>  	cd $(DIR_APP) && make install
>> diff --git
>> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
>> T_FAIL_306.patch
>> b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
>> T_FAIL_306.patch
>> deleted file mode 100644
>> index fadb1d48c..000000000
>> ---
>> a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC
>> T_FAIL_306.patch
>> +++ /dev/null
>> @@ -1,72 +0,0 @@
>> -commit f1657a9decc820f748fa3aff68168d3145258031
>> -Author: Christos Tsantilas <christos(a)chtsanti.net>
>> -Date:   2018-10-17 15:14:07 +0000
>> -
>> -    Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
>> -    
>> -    %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped
>> when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL
>> template. This bug affects all
>> -    ERR_SECURE_CONNECT_FAIL page templates containing %D, including the
>> default template.
>> -    
>> -    Other error pages are not vulnerable because Squid does not populate %D
>> with certificate details in other contexts (yet).
>> -    
>> -    Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
>> -    
>> -    TODO: If those certificate details become needed for ACL checks or other
>> non-HTML purposes, make their HTML-escaping conditional.
>> -    
>> -    This is a Measurement Factory project.
>> -
>> -diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
>> -index b5030e3..314e998 100644
>> ---- a/src/ssl/ErrorDetail.cc
>> -+++ b/src/ssl/ErrorDetail.cc
>> -@@ -8,6 +8,8 @@
>> - 
>> - #include "squid.h"
>> - #include "errorpage.h"
>> -+#include "fatal.h"
>> -+#include "html_quote.h"
>> - #include "ssl/ErrorDetail.h"
>> - 
>> - #include <climits>
>> -@@ -432,8 +434,11 @@ const char  *Ssl::ErrorDetail::subject() const
>> - {
>> -     if (broken_cert.get()) {
>> -         static char tmpBuffer[256]; // A temporary buffer
>> --        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer)))
>> --            return tmpBuffer;
>> -+        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer))) {
>> -+            // quote to avoid possible html code injection through
>> -+            // certificate subject
>> -+            return html_quote(tmpBuffer);
>> -+        }
>> -     }
>> -     return "[Not available]";
>> - }
>> -@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
>> -         static String tmpStr;  ///< A temporary string buffer
>> -         tmpStr.clean();
>> -         Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
>> --        if (tmpStr.size())
>> --            return tmpStr.termedBuf();
>> -+        if (tmpStr.size()) {
>> -+            // quote to avoid possible html code injection through
>> -+            // certificate subject
>> -+            return html_quote(tmpStr.termedBuf());
>> -+        }
>> -     }
>> -     return "[Not available]";
>> - }
>> -@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
>> - {
>> -     if (broken_cert.get()) {
>> -         static char tmpBuffer[256]; // A temporary buffer
>> --        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer)))
>> --            return tmpBuffer;
>> -+        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()),
>> tmpBuffer, sizeof(tmpBuffer))) {
>> -+            // quote to avoid possible html code injection through
>> -+            // certificate issuer subject
>> -+            return html_quote(tmpBuffer);
>> -+        }
>> -     }
>> -     return "[Not available]";
>> - }
>> diff --git
>> a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> deleted file mode 100644
>> index 2ae034c20..000000000
>> --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
>> +++ /dev/null
>> @@ -1,22 +0,0 @@
>> -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
>> -Author: flozilla <fishyflow(a)gmail.com>
>> -Date:   2018-10-24 14:12:01 +0200
>> -
>> -    Fix memory leak when parsing SNMP packet (#313)
>> -    
>> -    SNMP queries denied by snmp_access rules and queries with certain
>> -    unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
>> -    queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
>> -
>> -diff --git a/src/snmp_core.cc b/src/snmp_core.cc
>> -index c4d21c1..16c2993 100644
>> ---- a/src/snmp_core.cc
>> -+++ b/src/snmp_core.cc
>> -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
>> -             snmpConstructReponse(rq);
>> -         } else {
>> -             debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from
>> : " << rq->from);
>> -+            snmp_free_pdu(PDU);
>> -         }
>> -         xfree(Community);
>> - 
>> diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
>> b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
>> similarity index 92%
>> rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
>> rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
>> index a46390c1e..8d1a4e03a 100644
>> --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch
>> +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
>> @@ -1,6 +1,6 @@
>>  --- configure.ac.~	Wed Apr 20 14:26:07 2016
>>  +++ configure.ac	Fri Apr 22 17:20:46 2016
>> -@@ -3149,6 +3149,9 @@
>> +@@ -3156,6 +3156,9 @@
>>       ;;
>>   esac
>>   
>> @@ -10,7 +10,7 @@
>>   dnl --with-maxfd present for compatibility with Squid-2.
>>   dnl undocumented in ./configure --help  to encourage using the Squid-3
>> directive
>>   AC_ARG_WITH(maxfd,,
>> -@@ -3179,8 +3182,6 @@
>> +@@ -3186,8 +3189,6 @@
>>       esac
>>   ])
>>   
> 
>