This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  898b355abd27b86193dd6496a43e49e5bdf672a6 (commit)
       via  6eb221c2e5529945a6f31bf5be466795d917cf55 (commit)
       via  2e0660f9ce59433831d619dad546e3d31bc22612 (commit)
       via  c22498887d13776a694d25f6aa465c4e0eb47cee (commit)
       via  0c451a4a3262d564e298a13a252fd59e573da3a5 (commit)
       via  c3070d32e3f1223ff3a35f190978883b0804eb3f (commit)
       via  e2bd68dfad370340c343aa3d18b2fabf87c3f221 (commit)
      from  4f10c0b3a3a3441f352ff10d1a46c702a93f84f4 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 898b355abd27b86193dd6496a43e49e5bdf672a6
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu Nov 1 10:31:45 2018 +0000
core125: Ship updated ca-certificates
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6eb221c2e5529945a6f31bf5be466795d917cf55
Author: Peter Müller peter.mueller@link38.eu
Date: Sat Oct 27 15:37:45 2018 +0200
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...
The second version of this patch supersedes the first one and bumps the LFS version of ca-certificate, too. Me stupid...
Signed-off-by: Peter Müller peter.mueller@link38.eu
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2e0660f9ce59433831d619dad546e3d31bc22612
Author: Peter Müller peter.mueller@link38.eu
Date: Sat Oct 27 15:44:02 2018 +0200
Unbound: output statistics daily instead of just on shutdown
Currently, Unbound only prints statistics if it is being shut down (mostly because of a machine reboot). This makes detecting DNS anomalies hard as no intermediate statistic result is being logged.
This patch changes Unbound's behaviour in order to log statistics every 86,400 seconds (i.e. 24 hours).
Signed-off-by: Peter Müller peter.mueller@link38.eu
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c22498887d13776a694d25f6aa465c4e0eb47cee
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu Nov 1 10:30:49 2018 +0000
core125: Ship updated ids.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0c451a4a3262d564e298a13a252fd59e573da3a5
Author: Peter Müller peter.mueller@link38.eu
Date: Mon Oct 29 18:49:49 2018 +0100
fix downloading Snort rules if behind upstream proxy
Currently, the wget call only uses proxy information for HTTP. Since rulesets are downloaded via HTTPS now, the same information also needs to be applied for HTTPS.
Signed-off-by: Peter Müller peter.mueller@link38.eu
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c3070d32e3f1223ff3a35f190978883b0804eb3f
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu Nov 1 10:29:48 2018 +0000
core125: Ship updated squid
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e2bd68dfad370340c343aa3d18b2fabf87c3f221
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Thu Nov 1 09:24:24 2018 +0100
squid 3.5.28: latest patches (01-02)
For details see: http://www.squid-cache.org/Versions/v3/3.5/changesets/
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/ca-certificates/certdata.txt                | 140 ---------------------
 .../121 => core/125}/filelists/ca-certificates     |   0
 config/rootfiles/core/125/filelists/files          |   1 +
 .../{oldcore/100 => core/125}/filelists/squid      |   0
 config/rootfiles/core/125/update.sh                |   2 +
 config/unbound/unbound.conf                        |   2 +-
 html/cgi-bin/ids.cgi                               |   2 +-
 lfs/ca-certificates                                |   2 +-
 lfs/squid                                          |   2 +
 ...tion_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch |  72 +++++++++++
 ..._memory_leak_when_parsing_SNMP_packet_313.patch |  22 ++++
 11 files changed, 102 insertions(+), 143 deletions(-)
 copy config/rootfiles/{oldcore/121 => core/125}/filelists/ca-certificates (100%)
 copy config/rootfiles/{oldcore/100 => core/125}/filelists/squid (100%)
 create mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
 create mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
Difference in files: diff --git a/config/ca-certificates/certdata.txt b/config/ca-certificates/certdata.txt index 193cef38f..61c37a8bd 100644 --- a/config/ca-certificates/certdata.txt +++ b/config/ca-certificates/certdata.txt @@ -2144,146 +2144,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-# -# Certificate "Visa eCommerce Root" -# -# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 -# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Not Valid Before: Wed Jun 26 02:18:36 2002 -# Not Valid After : Fri Jun 24 00:16:12 2022 -# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02 -# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Visa eCommerce Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057 -\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156 -\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166 -\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061 -\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145 -\103\157\155\155\145\162\143\145\040\122\157\157\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057 -\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156 -\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166 -\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061 -\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145 -\103\157\155\155\145\162\143\145\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220 -\034\142 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023 
-\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153 -\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060 -\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055 -\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145 -\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143 -\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060 -\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157 -\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060 -\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062 -\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060 -\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003 -\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125 -\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141 -\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101 -\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003 -\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145 -\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011 -\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000 -\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241 -\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266 -\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063 -\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004 -\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105 -\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215 -\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125 -\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143 -\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115 -\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352 -\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132 
-\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072 -\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055 -\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040 -\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013 -\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213 -\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102 -\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003 -\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 -\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070 -\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327 -\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005 -\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340 -\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106 -\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021 -\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267 -\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122 -\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367 -\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214 -\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105 -\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035 -\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174 -\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106 -\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060 -\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213 -\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000 -\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355 -\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026 -\222\340\134\366\007\017 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "Visa eCommerce Root" -# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# 
Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 -# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Not Valid Before: Wed Jun 26 02:18:36 2002 -# Not Valid After : Fri Jun 24 00:16:12 2022 -# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02 -# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Visa eCommerce Root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062 -\275\340\005\142 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002 -END -CKA_ISSUER MULTILINE_OCTAL -\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057 -\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156 -\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166 -\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061 -\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145 -\103\157\155\155\145\162\143\145\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220 -\034\142 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Certum Root CA" # diff --git a/config/rootfiles/core/125/filelists/ca-certificates b/config/rootfiles/core/125/filelists/ca-certificates new file mode 120000 index 000000000..320fea8f4 --- /dev/null +++ b/config/rootfiles/core/125/filelists/ca-certificates @@ -0,0 +1 @@ +../../../common/ca-certificates \ No newline at end of file 
diff --git a/config/rootfiles/core/125/filelists/files b/config/rootfiles/core/125/filelists/files index 59de43460..ab7eeee47 100644 --- a/config/rootfiles/core/125/filelists/files +++ b/config/rootfiles/core/125/filelists/files @@ -4,6 +4,7 @@ etc/ssh/sshd_config etc/sysctl.conf srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/hardwaregraphs.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/media.cgi srv/web/ipfire/cgi-bin/pakfire.cgi usr/local/bin/makegraphs diff --git a/config/rootfiles/core/125/filelists/squid b/config/rootfiles/core/125/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/125/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/125/update.sh b/config/rootfiles/core/125/update.sh index 9d056f921..a4ae0993c 100644 --- a/config/rootfiles/core/125/update.sh +++ b/config/rootfiles/core/125/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/squid stop
# Extract files extract_files @@ -46,6 +47,7 @@ ldconfig /etc/init.d/unbound restart /etc/init.d/apache restart /etc/init.d/sshd restart +/etc/init.d/squid start
# Reload sysctl.conf sysctl -p diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index cda591dab..2cc5bab8a 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -28,7 +28,7 @@ server: log-queries: no
# Unbound Statistics - statistics-interval: 0 + statistics-interval: 86400 statistics-cumulative: yes extended-statistics: yes
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index d9d697deb..eddfc387c 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -692,7 +692,7 @@ sub downloadrulesfile { }
if ($peer) { - system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); + system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -e https_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } else { system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } diff --git a/lfs/ca-certificates b/lfs/ca-certificates index e063b6439..6c684702a 100644 --- a/lfs/ca-certificates +++ b/lfs/ca-certificates @@ -24,7 +24,7 @@
include Config
-VER = 20180910 +VER = 20181027
THISAPP = ca-certificates DIR_APP = $(DIR_SRC)/$(THISAPP) diff --git a/lfs/squid b/lfs/squid index cae56407c..11b84d719 100644 --- a/lfs/squid +++ b/lfs/squid @@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch new file mode 100644 index 000000000..fadb1d48c --- /dev/null +++ b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch 
@@ -0,0 +1,72 @@ +commit f1657a9decc820f748fa3aff68168d3145258031 +Author: Christos Tsantilas christos@chtsanti.net +Date: 2018-10-17 15:14:07 +0000 + + Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) + + %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all + ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template. + + Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet). + + Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. + + TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional. + + This is a Measurement Factory project. + +diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc +index b5030e3..314e998 100644 +--- a/src/ssl/ErrorDetail.cc ++++ b/src/ssl/ErrorDetail.cc +@@ -8,6 +8,8 @@ + + #include "squid.h" + #include "errorpage.h" ++#include "fatal.h" ++#include "html_quote.h" + #include "ssl/ErrorDetail.h" + + #include <climits> +@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } +@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const + static String tmpStr; ///< A temporary string buffer + tmpStr.clean(); + Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); +- if (tmpStr.size()) +- return tmpStr.termedBuf(); ++ if (tmpStr.size()) { ++ // 
quote to avoid possible html code injection through ++ // certificate subject ++ return html_quote(tmpStr.termedBuf()); ++ } + } + return "[Not available]"; + } +@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate issuer subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch new file mode 100644 index 000000000..2ae034c20 --- /dev/null +++ b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch @@ -0,0 +1,22 @@ +commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) +Author: flozilla fishyflow@gmail.com +Date: 2018-10-24 14:12:01 +0200 + + Fix memory leak when parsing SNMP packet (#313) + + SNMP queries denied by snmp_access rules and queries with certain + unsupported SNMPv2 commands were leaking a few hundred bytes each. Such + queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log. + +diff --git a/src/snmp_core.cc b/src/snmp_core.cc +index c4d21c1..16c2993 100644 +--- a/src/snmp_core.cc ++++ b/src/snmp_core.cc +@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq) + snmpConstructReponse(rq); + } else { + debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); ++ snmp_free_pdu(PDU); + } + xfree(Community); +
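Review bot: the config/ca-certificates/certdata.txt hunk at -2144,146 drops the whole "Visa eCommerce Root" certificate and its trust object, but the commit message only points at the moving "tip" revision of the Mozilla file, so the removal cannot be checked against a specific upstream state later. Record the mozilla-central changeset the file was taken from in the commit message, or next to "VER = 20181027" in lfs/ca-certificates.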
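Review bot: in config/rootfiles/core/125/update.sh the added "/etc/init.d/squid start" after extract_files runs unconditionally, so unless the init script itself checks the proxy configuration, the update starts squid on systems where it was not running before the added "/etc/init.d/squid stop". Remember whether squid was running before stopping it, and start it again only in that case.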
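Review bot: in config/unbound/unbound.conf the new "statistics-interval: 86400" sits directly above the unchanged "statistics-cumulative: yes", so each daily log entry is a running total since Unbound started rather than the figure for that day. For the anomaly detection named in the commit message, either note under "# Unbound Statistics" that consecutive entries have to be subtracted from each other, or set statistics-cumulative to no so every entry covers one interval.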
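Review bot: in downloadrulesfile in html/cgi-bin/ids.cgi the changed line still builds one shell string for system(), with $proxysettings{'UPSTREAM_USER'}, $proxysettings{'UPSTREAM_PASSWORD'}, $peer, $peerport and $url interpolated unquoted, and the new "-e https_proxy=http://$peer:$peerport/" adds two more interpolations. A value containing a space or a shell metacharacter breaks the command or changes its meaning, and the proxy password is readable in the process list while wget runs. Pass the arguments to system() as a list so that no shell is involved, and consider handing the credentials to wget through a file instead of argv. The list form also fits the else branch, which interpolates $url the same way.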
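Review bot: in the embedded src/ssl/ErrorDetail.cc hunks, subject(), cn() and ca_name() now return the pointer from html_quote() directly instead of their own tmpBuffer or tmpStr, so the lifetime of the returned string depends on html_quote(), which these hunks do not show. Confirm that two of these values can be expanded in one %D without the second call overwriting the result of the first. Minor: the comment added in cn() says "certificate subject" although the value escaped there is the common name, and the new #include "fatal.h" has no use in the visible hunks.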
hooks/post-receive -- IPFire 2.x development tree