This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via cdaad0cdd33e63232fe8939644825619576b6be3 (commit) via c86d893830560165e065cd44ee44f13c2d7e97a7 (commit) via 13827014fcee7d3094529feb2be17513602e5421 (commit) via 49deea707bc6db5683ecc139070d5c83b89b7c48 (commit) from 4c76d08b2a1ef5ac9ff8b546c0d887e342adec1c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit cdaad0cdd33e63232fe8939644825619576b6be3 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 2 16:24:39 2019 +0000
libvirt: Bump package version
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c86d893830560165e065cd44ee44f13c2d7e97a7 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Jan 1 18:39:03 2019 +0100
squid: Update to 4.5
For details see: http://www.squid-cache.org/Versions/v4/changesets/
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 13827014fcee7d3094529feb2be17513602e5421 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 31 00:36:23 2018 +0000
core127: Ship updated wget
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 49deea707bc6db5683ecc139070d5c83b89b7c48 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Dec 27 18:16:35 2018 +0100
wget: Update to 1.20.1
This is a bugfix release:
"due to some privacy issues in default settings of Wget, we introduce this bugfix release.
The --xattr option (saving original URL and Referer into extended file attributes) was introduced and enabled by default since Wget 1.19. It possibly saved - possibly unrecognized by the user - credentials, access tokes etc that were included in the requested URL.
We changed three details as a countermeasure, see below in the NEWS section.
With Best Regards, Tim
...
NEWS
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent privacy issues."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: .../{oldcore/104 => core/127}/filelists/wget | 0 lfs/libvirt | 2 +- lfs/squid | 9 +- lfs/wget | 4 +- ..._netdb_exchange_with_a_TLS_cache_peer_307.patch | 91 -------------- ..._tarball_format_formally_to_make_dist_325.patch | 22 ---- .../03_The_handshake_logformat_code_331.patch | 132 --------------------- ...ch => squid-4.5-fix-max-file-descriptors.patch} | 4 +- 8 files changed, 8 insertions(+), 256 deletions(-) copy config/rootfiles/{oldcore/104 => core/127}/filelists/wget (100%) delete mode 100644 src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch delete mode 100644 src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch delete mode 100644 src/patches/squid/03_The_handshake_logformat_code_331.patch rename src/patches/squid/{squid-4.4-fix-max-file-descriptors.patch => squid-4.5-fix-max-file-descriptors.patch} (92%)
Difference in files: diff --git a/config/rootfiles/core/127/filelists/wget b/config/rootfiles/core/127/filelists/wget new file mode 120000 index 000000000..fcb57dfec --- /dev/null +++ b/config/rootfiles/core/127/filelists/wget @@ -0,0 +1 @@ +../../../common/wget \ No newline at end of file diff --git a/lfs/libvirt b/lfs/libvirt index aba2f1339..0bda497ce 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 17 +PAK_VER = 18
DEPS = "jansson libpciaccess libyajl ncat qemu"
diff --git a/lfs/squid b/lfs/squid index aaa2d0b96..6033ab394 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 4.4 +VER = 4.5
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd +$(DL_FILE)_MD5 = 8275da5846f9f2243ad2625e5aef2ee0
install : $(TARGET)
@@ -72,10 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/03_The_handshake_logformat_code_331.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/lfs/wget b/lfs/wget index 5ccb0029f..b8c83d10d 100644 --- a/lfs/wget +++ b/lfs/wget @@ -24,7 +24,7 @@
include Config
-VER = 1.20 +VER = 1.20.1
THISAPP = wget-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9f1515d083b769e9ff7642ce6016518e +$(DL_FILE)_MD5 = f6ebe9c7b375fc9832fb1b2028271fb7
install : $(TARGET)
diff --git a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch b/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch deleted file mode 100644 index 09f8961dc..000000000 --- a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch +++ /dev/null @@ -1,91 +0,0 @@ -commit bc54d7a6f7ec510a25966f2f800d3ea874657546 -Author: chi-mf 43963496+chi-mf@users.noreply.github.com -Date: 2018-10-30 04:48:40 +0000 - - Fix netdb exchange with a TLS cache_peer (#307) - - Squid uses http-scheme URLs when sending netdb exchange (and possibly - other) requests to a cache_peer. If a DIRECT path is selected for that - cache_peer URL, then Squid sends a clear text HTTP request to that - cache_peer. If that cache_peer expects a TLS connection, it will reject - that request (with, e.g., error:transaction-end-before-headers), - resulting in an HTTP 503 or 504 netdb fetch error. - - Workaround this by adding an internalRemoteUri() parameter to indicate - whether https or http URL scheme should be used. Netdb fetches from - CachePeer::secure peers now get an https scheme and, hence, a TLS - connection. - -diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc -index 0f488de..526093f 100644 ---- a/src/icmp/net_db.cc -+++ b/src/icmp/net_db.cc -@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data) - #if USE_ICMP - CachePeer *p = (CachePeer *)data; - static const SBuf netDB("netdb"); -- char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB); -+ char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB); - debugs(38, 3, "Requesting '" << uri << "'"); - const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp); - HttpRequest *req = HttpRequest::FromUrl(uri, mx); -diff --git a/src/internal.cc b/src/internal.cc -index 6ebc7a6..ff7b4d6 100644 ---- a/src/internal.cc -+++ b/src/internal.cc -@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath) - * makes internal url with a given host and port (remote internal url) - */ - char * --internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name) -+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name) - { - static char lc_host[SQUIDHOSTNAMELEN]; - assert(host && !name.isEmpty()); -@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const - static MemBuf mb; - - mb.reset(); -- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority())); -+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority())); - - if (dir) - mb.append(dir, strlen(dir)); -@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const - char * - internalLocalUri(const char *dir, const SBuf &name) - { -- return internalRemoteUri(getMyHostname(), -+ // XXX: getMy*() may return https_port info, but we force http URIs -+ // because we have not checked whether the callers can handle https. -+ const bool secure = false; -+ return internalRemoteUri(secure, getMyHostname(), - getMyPort(), dir, name); - } - -diff --git a/src/internal.h b/src/internal.h -index c91f9ac..13a43a6 100644 ---- a/src/internal.h -+++ b/src/internal.h -@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto - bool internalCheck(const SBuf &urlPath); - bool internalStaticCheck(const SBuf &urlPath); - char *internalLocalUri(const char *dir, const SBuf &name); --char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &); -+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &); - const char *internalHostname(void); - int internalHostnameIs(const char *); - -diff --git a/src/peer_digest.cc b/src/peer_digest.cc -index 36a8705..f515aaa 100644 ---- a/src/peer_digest.cc -+++ b/src/peer_digest.cc -@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd) - if (p->digest_url) - url = xstrdup(p->digest_url); - else -- url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName))); -+ url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName))); - debugs(72, 2, url); - - const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest); diff --git a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch b/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch deleted file mode 100644 index 58ceaa034..000000000 --- a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4 -Author: Amos Jeffries yadij@users.noreply.github.com -Date: 2018-11-11 04:29:58 +0000 - - Maintenance: add .xz tarball format formally to make dist (#325) - - Automake can now handle generating this format itself and the - experiments of providing it for downstream have gone well. - -diff --git a/configure.ac b/configure.ac -index 3f8af6d..f668567 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -10,7 +10,7 @@ AC_PREREQ(2.61) - AC_CONFIG_HEADERS([include/autoconf.h]) - AC_CONFIG_AUX_DIR(cfgaux) - AC_CONFIG_SRCDIR([src/main.cc]) --AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects]) -+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz]) - AC_REVISION($Revision$)dnl - AC_PREFIX_DEFAULT(/usr/local/squid) - AM_MAINTAINER_MODE diff --git a/src/patches/squid/03_The_handshake_logformat_code_331.patch b/src/patches/squid/03_The_handshake_logformat_code_331.patch deleted file mode 100644 index 2ce8bdc4a..000000000 --- a/src/patches/squid/03_The_handshake_logformat_code_331.patch +++ /dev/null @@ -1,132 +0,0 @@ -commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR331, refs/remotes/origin/v4) -Author: Christos Tsantilas christos@chtsanti.net -Date: 2018-11-14 15:17:06 +0000 - - The %>handshake logformat code (#331) - - Logging client "handshake" bytes is useful in at least two contexts: - - * Runtime traffic bypass and bumping/splicing decisions. Identifying - popular clients like Skype for Business (that uses a TLS handshake but - then may not speak TLS) is critical for handling their traffic - correctly. Squid does not have enough ACLs to interrogate most TLS - handshake aspects. Adding more ACLs may still be a good idea, but - initial sketches for SfB handshakes showed rather complex - ACLs/configurations, _and_ no reasonable ACLs would be able to handle - non-TLS handshakes. An external ACL receiving the handshake is in a - much better position to analyze/fingerprint it according to custom - admin needs. - - * A logged handshake can be used to analyze new/unusual traffic or even - trigger security-related alarms. - - The current support is limited to cases where Squid was saving handshake - for other reasons. With enough demand, this initial support can be - extended to all protocols and port configurations. - - This is a Measurement Factory project. - -diff --git a/src/cf.data.pre b/src/cf.data.pre -index fa8af56..a8ca587 100644 ---- a/src/cf.data.pre -+++ b/src/cf.data.pre -@@ -4394,6 +4394,37 @@ DOC_START - <qos Server connection TOS/DSCP value set by Squid - <nfmark Server connection netfilter mark set by Squid - -+ >handshake Raw client handshake -+ Initial client bytes received by Squid on a newly -+ accepted TCP connection or inside a just established -+ CONNECT tunnel. Squid stops accumulating handshake -+ bytes as soon as the handshake parser succeeds or -+ fails (determining whether the client is using the -+ expected protocol). -+ -+ For HTTP clients, the handshake is the request line. -+ For TLS clients, the handshake consists of all TLS -+ records up to and including the TLS record that -+ contains the last byte of the first ClientHello -+ message. For clients using an unsupported protocol, -+ this field contains the bytes received by Squid at the -+ time of the handshake parsing failure. -+ -+ See the on_unsupported_protocol directive for more -+ information on Squid handshake traffic expectations. -+ -+ Current support is limited to these contexts: -+ - http_port connections, but only when the -+ on_unsupported_protocol directive is in use. -+ - https_port connections (and CONNECT tunnels) that -+ are subject to the ssl_bump peek or stare action. -+ -+ To protect binary handshake data, this field is always -+ base64-encoded (RFC 4648 Section 4). If logformat -+ field encoding is configured, that encoding is applied -+ on top of base64. Otherwise, the computed base64 value -+ is recorded as is. -+ - Time related format codes: - - ts Seconds since epoch -diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h -index ad230bb..a6f8fd9 100644 ---- a/src/format/ByteCode.h -+++ b/src/format/ByteCode.h -@@ -46,6 +46,8 @@ typedef enum { - LFT_CLIENT_LOCAL_TOS, - LFT_CLIENT_LOCAL_NFMARK, - -+ LFT_CLIENT_HANDSHAKE, -+ - /* client connection local squid.conf details */ - LFT_LOCAL_LISTENING_IP, - LFT_LOCAL_LISTENING_PORT, -diff --git a/src/format/Format.cc b/src/format/Format.cc -index c1e19b4..8fd6720 100644 ---- a/src/format/Format.cc -+++ b/src/format/Format.cc -@@ -8,6 +8,7 @@ - - #include "squid.h" - #include "AccessLogEntry.h" -+#include "base64.h" - #include "client_side.h" - #include "comm/Connection.h" - #include "err_detail_type.h" -@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS - } - break; - -+ case LFT_CLIENT_HANDSHAKE: -+ if (al->request && al->request->clientConnectionManager.valid()) { -+ const auto &handshake = al->request->clientConnectionManager->preservedClientData; -+ if (const auto rawLength = handshake.length()) { -+ // add 1 byte to optimize the c_str() conversion below -+ char *buf = sb.rawAppendStart(base64_encode_len(rawLength) + 1); -+ -+ struct base64_encode_ctx ctx; -+ base64_encode_init(&ctx); -+ auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent())); -+ encLength += base64_encode_final(&ctx, buf + encLength); -+ -+ sb.rawAppendFinish(buf, encLength); -+ out = sb.c_str(); -+ } -+ } -+ break; -+ - case LFT_TIME_SECONDS_SINCE_EPOCH: - // some platforms store time in 32-bit, some 64-bit... - outoff = static_cast<int64_t>(current_time.tv_sec); -diff --git a/src/format/Token.cc b/src/format/Token.cc -index 186ade5..06c60cf 100644 ---- a/src/format/Token.cc -+++ b/src/format/Token.cc -@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] = { - TokenTableEntry("<qos", LFT_SERVER_LOCAL_TOS), - TokenTableEntry(">nfmark", LFT_CLIENT_LOCAL_NFMARK), - TokenTableEntry("<nfmark", LFT_SERVER_LOCAL_NFMARK), -+ TokenTableEntry(">handshake", LFT_CLIENT_HANDSHAKE), - TokenTableEntry("err_code", LFT_SQUID_ERROR ), - TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ), - TokenTableEntry("note", LFT_NOTE ), diff --git a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.4-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.5-fix-max-file-descriptors.patch index 8d1a4e03a..57fd0a6a6 100644 --- a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3156,6 +3156,9 @@ +@@ -3160,6 +3160,9 @@ ;; esac
@@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 directive AC_ARG_WITH(maxfd,, -@@ -3186,8 +3189,6 @@ +@@ -3190,8 +3193,6 @@ esac ])
hooks/post-receive -- IPFire 2.x development tree