Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
---
 lfs/squid | 5 +++
 src/patches/squid/squid-3.5-14144.patch | 43 +++++++++++++++++++++++
 src/patches/squid/squid-3.5-14145.patch | 33 ++++++++++++++++++
 src/patches/squid/squid-3.5-14146.patch | 41 ++++++++++++++++++++++
 src/patches/squid/squid-3.5-14147.patch | 37 ++++++++++++++++++++
 src/patches/squid/squid-3.5-14148.patch | 62 +++++++++++++++++++++++++++++++++
 6 files changed, 221 insertions(+)
 create mode 100644 src/patches/squid/squid-3.5-14144.patch
 create mode 100644 src/patches/squid/squid-3.5-14145.patch
 create mode 100644 src/patches/squid/squid-3.5-14146.patch
 create mode 100644 src/patches/squid/squid-3.5-14147.patch
 create mode 100644 src/patches/squid/squid-3.5-14148.patch
diff --git a/lfs/squid b/lfs/squid
index 8ac878cd0..5f12b9b05 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -72,6 +72,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14143.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14144.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14145.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14146.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14147.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14148.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/squid-3.5-14144.patch b/src/patches/squid/squid-3.5-14144.patch
new file mode 100644
index 000000000..592a774d6
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14144.patch
@@ -0,0 +1,43 @@
+------------------------------------------------------------
+revno: 14144
+revision-id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
+parent: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9
+author: Alex Rousskov rousskov@measurement-factory.com
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:46:24 +1300
+message:
+ Fix crash when configuring with invalid delay_parameters restore value.
+
+ ... like none/none. Introduced in rev which fixed another, much
+ bigger delay_parameters parsing bug.
+
+ TODO: Reject all invalid input, including restore/max of "-/100".
+
+ TODO: Fix misleading/wrong associated error messages. For example:
+ ERROR: invalid delay rate 'none/none'. Expecting restore/max or 'none'
+ ERROR: restore rate in '1/none' is not a number.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 42f47b8ee1da049d57e6af76ce755e459d2fc9fd
+# timestamp: 2017-02-26 08:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170225055014-\
+# j7v5xax13u4jddr9
+#
+# Begin patch
+=== modified file 'src/DelaySpec.cc'
+--- src/DelaySpec.cc 2017-01-01 00:16:45 +0000
++++ src/DelaySpec.cc 2017-02-26 08:46:24 +0000
+@@ -55,7 +55,7 @@
+
+ // parse the first digits into restore_bps
+ const char *p = NULL;
+- if (!StringToInt(token, restore_bps, &p, 10) && *p != '/') {
++ if (!StringToInt(token, restore_bps, &p, 10) || *p != '/') {
+ debugs(77, DBG_CRITICAL, "ERROR: invalid delay rate '" << token << "'. Expecting restore/max or 'none'.");
+ self_destruct();
+ }
+
diff --git a/src/patches/squid/squid-3.5-14145.patch b/src/patches/squid/squid-3.5-14145.patch
new file mode 100644
index 000000000..aaa56ed33
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14145.patch
@@ -0,0 +1,33 @@
+------------------------------------------------------------
+revno: 14145
+revision-id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
+parent: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:50:09 +1300
+message:
+ Fix missing CRLF on FTP timeout ABORT commands
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a290f77545e17012eea87e6315a9d375bff16752
+# timestamp: 2017-02-26 08:51:05 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226084624-\
+# 5tkl3bdrqz8nlp9g
+#
+# Begin patch
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc 2017-01-01 00:16:45 +0000
++++ src/clients/FtpGateway.cc 2017-02-26 08:50:09 +0000
+@@ -1775,7 +1775,7 @@
+
+ // ABORT on timeouts. server may be waiting on a broken TCP link.
+ if (io.xerrno == Comm::TIMEOUT)
+- writeCommand("ABOR");
++ writeCommand("ABOR\r\n");
+
+ // try another connection attempt with some other method
+ ftpSendPassive(this);
+
diff --git a/src/patches/squid/squid-3.5-14146.patch b/src/patches/squid/squid-3.5-14146.patch
new file mode 100644
index 000000000..391fa35d8
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14146.patch
@@ -0,0 +1,41 @@
+------------------------------------------------------------
+revno: 14146
+revision-id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
+parent: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:52:45 +1300
+message:
+ Check that -k argument is provided before trying to use it.
+
+ Detected by Coverity Scan. Issue 1364726.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 31bba06ced5b67f892e4be897b05ec3744b2a942
+# timestamp: 2017-02-26 09:51:00 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226085009-\
+# tj3o81s5ybk8ly9s
+#
+# Begin patch
+=== modified file 'src/main.cc'
+--- src/main.cc 2017-01-01 00:16:45 +0000
++++ src/main.cc 2017-02-26 08:52:45 +0000
+@@ -425,11 +425,11 @@
+ /** \par k
+ * Run the administrative action given following the option */
+
+- /** \li When its an unknown option display the usage help. */
+- if ((int) strlen(optarg) < 1)
++ /** \li When it is missing or an unknown option display the usage help. */
++ if (!optarg || strlen(optarg) < 1)
+ usage();
+
+- if (!strncmp(optarg, "reconfigure", strlen(optarg)))
++ else if (!strncmp(optarg, "reconfigure", strlen(optarg)))
+ /** \li On reconfigure send SIGHUP. */
+ opt_send_signal = SIGHUP;
+ else if (!strncmp(optarg, "rotate", strlen(optarg)))
+
diff --git a/src/patches/squid/squid-3.5-14147.patch b/src/patches/squid/squid-3.5-14147.patch
new file mode 100644
index 000000000..a8b52f388
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14147.patch
@@ -0,0 +1,37 @@
+------------------------------------------------------------
+revno: 14147
+revision-id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
+parent: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:56:17 +1300
+message:
+ ext_kerberos_ldap_group_acl: fix unused value warnings
+
+ Detected by Coverity Scan. Issues 1364748 and 1364749.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fd770175ba851fc62de4a085414c8fd996b53e46
+# timestamp: 2017-02-26 09:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226085245-\
+# vcvc7nemupizbe4t
+#
+# Begin patch
+=== modified file 'helpers/external_acl/kerberos_ldap_group/support_ldap.cc'
+--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-01-01 00:16:45 +0000
++++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-02-26 08:56:17 +0000
+@@ -919,8 +919,8 @@
+ /*
+ * Initialise ldap
+ */
+- ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
+- ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
++// ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
++// ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
+ ldap_debug = 0;
+ (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
+ #endif
+
diff --git a/src/patches/squid/squid-3.5-14148.patch b/src/patches/squid/squid-3.5-14148.patch
new file mode 100644
index 000000000..ce7d9667c
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14148.patch
@@ -0,0 +1,62 @@
+------------------------------------------------------------
+revno: 14148
+revision-id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
+parent: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
+author: Alexander Gozman a.gozman@securitycode.ru
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Mon 2017-02-27 00:09:42 +1300
+message:
+ Native FTP relay: NAT and TPROXY interception fixes
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 63f57f0ddddf0f231c3ef88a12728a707828c6ad
+# timestamp: 2017-02-26 11:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226085617-\
+# 89jfjndt62i83qtn
+#
+# Begin patch
+=== modified file 'src/servers/FtpServer.cc'
+--- src/servers/FtpServer.cc 2017-01-01 00:16:45 +0000
++++ src/servers/FtpServer.cc 2017-02-26 11:09:42 +0000
+@@ -1454,9 +1454,33 @@
+ Comm::ConnectionPointer conn = new Comm::Connection();
+ conn->flags |= COMM_DOBIND;
+
+- // Use local IP address of the control connection as the source address
+- // of the active data connection, or some clients will refuse to accept.
+- conn->setAddrs(clientConnection->local, cltAddr);
++ if (clientConnection->flags & COMM_INTERCEPTION) {
++ // In the case of NAT interception conn->local value is not set
++ // because the TCP stack will automatically pick correct source
++ // address for the data connection. We must only ensure that IP
++ // version matches client's address.
++ conn->local.setAnyAddr();
++
++ if (cltAddr.isIPv4())
++ conn->local.setIPv4();
++
++ conn->remote = cltAddr;
++ } else {
++ // In the case of explicit-proxy the local IP of the control connection
++ // is the Squid IP the client is knowingly talking to.
++ //
++ // In the case of TPROXY the IP address of the control connection is
++ // server IP the client is connecting to, it can be spoofed by Squid.
++ //
++ // In both cases some clients may refuse to accept data connections if
++ // these control connectin local-IP's are not used.
++ conn->setAddrs(clientConnection->local, cltAddr);
++
++ // Using non-local addresses in TPROXY mode requires appropriate socket option.
++ if (clientConnection->flags & COMM_TRANSPARENT)
++ conn->flags |= COMM_TRANSPARENT;
++ }
++
+ // RFC 959 requires active FTP connections to originate from port 20
+ // but that would preclude us from supporting concurrent transfers! (XXX?)
+ conn->local.port(0);
+
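Review bot: Nothing visible in the FtpServer.cc hunk shows `cltAddr` being checked against the control connection's peer before the interception branch assigns `conn->remote = cltAddr;`, and the other branch hands it to `setAddrs` the same way. The enclosing function starts and ends outside the hunk, so the check may already sit above line 1454. Because this is the address Squid opens the active data connection to, and in TPROXY mode with a source address the comment itself says "can be spoofed by Squid", I would state the precondition at the assignment, for example `// precondition: cltAddr was checked against the control connection's peer address (confirm where)`. Separately, the new comment in the else branch has a typo: `these control connectin local-IP's` should read `these control connection local IPs`.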