On 09.11.2018 16:22, Michael Tremer wrote:
Hey,
Hi,
this is a fairly small looking patch but bringing a lot of changes with it. Looks great what the squid devs have done.
However, one of my first thoughts was: Does this require no changes to the configuration/CGI? Can you confirm?
Confirmed. I never needed any GUI changes.
Best, Matthias
Best, -Michael
On Sun, 2018-11-04 at 08:09 +0100, Matthias Fischer wrote:
For details see: http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results. Right now, 4.4 is running here with no seen problems together with 'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/squid | 12 ++-- ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 ------------------- ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------ ... squid-4.4-fix-max-file-descriptors.patch} | 4 +- 4 files changed, 8 insertions(+), 102 deletions(-) delete mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_ FAIL_306.patch delete mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid- 4.4-fix-max-file-descriptors.patch} (92%)
diff --git a/lfs/squid b/lfs/squid index 11b84d719..e5e799111 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 3.5.28 +VER = 4.4
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5 +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
install : $(TARGET)
@@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECU RE_CONNECT_FAIL_306.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.p atch
- cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-
3.5.28-fix-max-file-descriptors.patch
- cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-
fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-zph-qos \ --with-dl \ --with-filedescriptors=$$(( 16384 * 64 )) \
--with-large-files
--with-large-files \
--without-gnutls \
--without-netfilter-conntrack
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC T_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC T_FAIL_306.patch deleted file mode 100644 index fadb1d48c..000000000
a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNEC T_FAIL_306.patch +++ /dev/null @@ -1,72 +0,0 @@ -commit f1657a9decc820f748fa3aff68168d3145258031 -Author: Christos Tsantilas christos@chtsanti.net -Date: 2018-10-17 15:14:07 +0000
- Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
- %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped
when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
- ERR_SECURE_CONNECT_FAIL page templates containing %D, including the
default template.
- Other error pages are not vulnerable because Squid does not populate %D
with certificate details in other contexts (yet).
- Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
- TODO: If those certificate details become needed for ACL checks or other
non-HTML purposes, make their HTML-escaping conditional.
- This is a Measurement Factory project.
-diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc -index b5030e3..314e998 100644 ---- a/src/ssl/ErrorDetail.cc -+++ b/src/ssl/ErrorDetail.cc -@@ -8,6 +8,8 @@
- #include "squid.h"
- #include "errorpage.h"
-+#include "fatal.h" -+#include "html_quote.h"
- #include "ssl/ErrorDetail.h"
- #include <climits>
-@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const
- {
if (broken_cert.get()) {
static char tmpBuffer[256]; // A temporary buffer
-- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) -- return tmpBuffer; -+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { -+ // quote to avoid possible html code injection through -+ // certificate subject -+ return html_quote(tmpBuffer); -+ }
}
return "[Not available]";
- }
-@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
static String tmpStr; ///< A temporary string buffer
tmpStr.clean();
Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
-- if (tmpStr.size()) -- return tmpStr.termedBuf(); -+ if (tmpStr.size()) { -+ // quote to avoid possible html code injection through -+ // certificate subject -+ return html_quote(tmpStr.termedBuf()); -+ }
}
return "[Not available]";
- }
-@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
- {
if (broken_cert.get()) {
static char tmpBuffer[256]; // A temporary buffer
-- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) -- return tmpBuffer; -+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { -+ // quote to avoid possible html code injection through -+ // certificate issuer subject -+ return html_quote(tmpBuffer); -+ }
}
return "[Not available]";
- }
diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch deleted file mode 100644 index 2ae034c20..000000000 --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) -Author: flozilla fishyflow@gmail.com -Date: 2018-10-24 14:12:01 +0200
- Fix memory leak when parsing SNMP packet (#313)
- SNMP queries denied by snmp_access rules and queries with certain
- unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
- queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
-diff --git a/src/snmp_core.cc b/src/snmp_core.cc -index c4d21c1..16c2993 100644 ---- a/src/snmp_core.cc -+++ b/src/snmp_core.cc -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
snmpConstructReponse(rq);
} else {
debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from
: " << rq->from); -+ snmp_free_pdu(PDU);
}
xfree(Community);
diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch index a46390c1e..8d1a4e03a 100644 --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3149,6 +3149,9 @@ +@@ -3156,6 +3156,9 @@ ;; esac
@@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 directive AC_ARG_WITH(maxfd,, -@@ -3179,8 +3182,6 @@ +@@ -3186,8 +3189,6 @@ esac ])