This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  24a80f0c22d2e3c3654ba0168dfd49f4a4de2185 (commit)
       via  a5c0ef3679d59f081b8c4e3d4dca96feb058b7b4 (commit)
       via  39e71549764d91324cfc5b43e824ff0080bf8f02 (commit)
      from  183b23b5ca703bd0ee837e135c84a9b91b1fcb91 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 24a80f0c22d2e3c3654ba0168dfd49f4a4de2185
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Sun Apr 2 10:09:08 2017 +0200

    squid 3.5.24: latest patches (14149-14153)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit a5c0ef3679d59f081b8c4e3d4dca96feb058b7b4
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Mon Feb 27 18:38:17 2017 +0100

    squid 3.5.24: latest patches (14144-14148)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 39e71549764d91324cfc5b43e824ff0080bf8f02
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Sun Feb 26 21:21:30 2017 +0100

    squid 3.5.24: latest patch (14143)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

-----------------------------------------------------------------------
Summary of changes:
 lfs/squid                               |  11 +
 src/patches/squid/squid-3.5-14143.patch |  55 +++++
 src/patches/squid/squid-3.5-14144.patch |  43 ++++
 src/patches/squid/squid-3.5-14145.patch |  33 +++
 src/patches/squid/squid-3.5-14146.patch |  41 ++++
 src/patches/squid/squid-3.5-14147.patch |  37 ++++
 src/patches/squid/squid-3.5-14148.patch |  62 ++++++
 src/patches/squid/squid-3.5-14149.patch |  78 +++++++
 src/patches/squid/squid-3.5-14150.patch |  32 +++
 src/patches/squid/squid-3.5-14151.patch |  36 ++++
 src/patches/squid/squid-3.5-14152.patch |  35 ++++
 src/patches/squid/squid-3.5-14153.patch | 353 ++++++++++++++++++++++++++++++++
 12 files changed, 816 insertions(+)
 create mode 100644 src/patches/squid/squid-3.5-14143.patch
 create mode 100644 src/patches/squid/squid-3.5-14144.patch
 create mode 100644 src/patches/squid/squid-3.5-14145.patch
 create mode 100644 src/patches/squid/squid-3.5-14146.patch
 create mode 100644 src/patches/squid/squid-3.5-14147.patch
 create mode 100644 src/patches/squid/squid-3.5-14148.patch
 create mode 100644 src/patches/squid/squid-3.5-14149.patch
 create mode 100644 src/patches/squid/squid-3.5-14150.patch
 create mode 100644 src/patches/squid/squid-3.5-14151.patch
 create mode 100644 src/patches/squid/squid-3.5-14152.patch
 create mode 100644 src/patches/squid/squid-3.5-14153.patch

Difference in files: diff --git a/lfs/squid b/lfs/squid index 6d55751..2699020 100644 --- a/lfs/squid +++ b/lfs/squid @@ -71,6 +71,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14143.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14144.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14145.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14146.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14147.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14148.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14149.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14150.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14151.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14152.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14153.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/squid-3.5-14143.patch b/src/patches/squid/squid-3.5-14143.patch new file mode 100644 index 0000000..49b3eb8 --- /dev/null +++ b/src/patches/squid/squid-3.5-14143.patch 
@@ -0,0 +1,55 @@ +------------------------------------------------------------ +revno: 14143 +revision-id: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9 +parent: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq +author: Christos Tsantilas chtsanti@users.sourceforge.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sat 2017-02-25 18:50:14 +1300 +message: + Fix regression in CONNECT authentication after rev.14142 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: bedc99ffdffd1e999c98c33faa830d4e9d1fc01d +# timestamp: 2017-02-25 05:51:22 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170208054033-\ +# pxqn8rs4yu713ijq +# +# Begin patch +=== modified file 'src/client_side_request.cc' +--- src/client_side_request.cc 2017-02-08 05:40:33 +0000 ++++ src/client_side_request.cc 2017-02-25 05:50:14 +0000 +@@ -1442,6 +1442,14 @@ + return false; + } + ++ // Do not bump during authentication: clients would not proxy-authenticate ++ // if we delay a 407 response and respond with 200 OK to CONNECT. ++ if (error && error->httpStatus == Http::scProxyAuthenticationRequired) { ++ http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - ++ debugs(85, 5, HERE << "no SslBump during proxy authentication"); ++ return false; ++ } ++ + if (error) { + debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]); + http->sslBumpNeed(Ssl::bumpBump); +@@ -1449,14 +1457,6 @@ + return false; + } + +- // Do not bump during authentication: clients would not proxy-authenticate +- // if we delay a 407 response and respond with 200 OK to CONNECT. 
+- if (error && error->httpStatus == Http::scProxyAuthenticationRequired) { +- http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - +- debugs(85, 5, HERE << "no SslBump during proxy authentication"); +- return false; +- } +- + debugs(85, 5, HERE << "SslBump possible, checking ACL"); + + ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http); + diff --git a/src/patches/squid/squid-3.5-14144.patch b/src/patches/squid/squid-3.5-14144.patch new file mode 100644 index 0000000..592a774 --- /dev/null +++ b/src/patches/squid/squid-3.5-14144.patch 
@@ -0,0 +1,43 @@ +------------------------------------------------------------ +revno: 14144 +revision-id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g +parent: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9 +author: Alex Rousskov rousskov@measurement-factory.com +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2017-02-26 21:46:24 +1300 +message: + Fix crash when configuring with invalid delay_parameters restore value. + + ... like none/none. Introduced in rev which fixed another, much + bigger delay_parameters parsing bug. + + TODO: Reject all invalid input, including restore/max of "-/100". + + TODO: Fix misleading/wrong associated error messages. For example: + ERROR: invalid delay rate 'none/none'. Expecting restore/max or 'none' + ERROR: restore rate in '1/none' is not a number. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 42f47b8ee1da049d57e6af76ce755e459d2fc9fd +# timestamp: 2017-02-26 08:51:02 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170225055014-\ +# j7v5xax13u4jddr9 +# +# Begin patch +=== modified file 'src/DelaySpec.cc' +--- src/DelaySpec.cc 2017-01-01 00:16:45 +0000 ++++ src/DelaySpec.cc 2017-02-26 08:46:24 +0000 +@@ -55,7 +55,7 @@ + + // parse the first digits into restore_bps + const char *p = NULL; +- if (!StringToInt(token, restore_bps, &p, 10) && *p != '/') { ++ if (!StringToInt(token, restore_bps, &p, 10) || *p != '/') { + debugs(77, DBG_CRITICAL, "ERROR: invalid delay rate '" << token << "'. Expecting restore/max or 'none'."); + self_destruct(); + } + diff --git a/src/patches/squid/squid-3.5-14145.patch b/src/patches/squid/squid-3.5-14145.patch new file mode 100644 index 0000000..aaa56ed --- /dev/null 
+++ b/src/patches/squid/squid-3.5-14145.patch @@ -0,0 +1,33 @@ +------------------------------------------------------------ +revno: 14145 +revision-id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s +parent: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2017-02-26 21:50:09 +1300 +message: + Fix missing CRLF on FTP timeout ABORT commands +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: a290f77545e17012eea87e6315a9d375bff16752 +# timestamp: 2017-02-26 08:51:05 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170226084624-\ +# 5tkl3bdrqz8nlp9g +# +# Begin patch +=== modified file 'src/clients/FtpGateway.cc' +--- src/clients/FtpGateway.cc 2017-01-01 00:16:45 +0000 ++++ src/clients/FtpGateway.cc 2017-02-26 08:50:09 +0000 +@@ -1775,7 +1775,7 @@ + + // ABORT on timeouts. server may be waiting on a broken TCP link. + if (io.xerrno == Comm::TIMEOUT) +- writeCommand("ABOR"); ++ writeCommand("ABOR\r\n"); + + // try another connection attempt with some other method + ftpSendPassive(this); + diff --git a/src/patches/squid/squid-3.5-14146.patch b/src/patches/squid/squid-3.5-14146.patch new file mode 100644 index 0000000..391fa35 --- /dev/null +++ b/src/patches/squid/squid-3.5-14146.patch 
@@ -0,0 +1,41 @@ +------------------------------------------------------------ +revno: 14146 +revision-id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t +parent: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2017-02-26 21:52:45 +1300 +message: + Check that -k argument is provided before trying to use it. + + Detected by Coverity Scan. Issue 1364726. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 31bba06ced5b67f892e4be897b05ec3744b2a942 +# timestamp: 2017-02-26 09:51:00 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170226085009-\ +# tj3o81s5ybk8ly9s +# +# Begin patch +=== modified file 'src/main.cc' +--- src/main.cc 2017-01-01 00:16:45 +0000 ++++ src/main.cc 2017-02-26 08:52:45 +0000 +@@ -425,11 +425,11 @@ + /** \par k + * Run the administrative action given following the option */ + +- /** \li When its an unknown option display the usage help. */ +- if ((int) strlen(optarg) < 1) ++ /** \li When it is missing or an unknown option display the usage help. */ ++ if (!optarg || strlen(optarg) < 1) + usage(); + +- if (!strncmp(optarg, "reconfigure", strlen(optarg))) ++ else if (!strncmp(optarg, "reconfigure", strlen(optarg))) + /** \li On reconfigure send SIGHUP. */ + opt_send_signal = SIGHUP; + else if (!strncmp(optarg, "rotate", strlen(optarg))) + diff --git a/src/patches/squid/squid-3.5-14147.patch b/src/patches/squid/squid-3.5-14147.patch new file mode 100644 index 0000000..a8b52f3 --- /dev/null +++ b/src/patches/squid/squid-3.5-14147.patch 
@@ -0,0 +1,37 @@ +------------------------------------------------------------ +revno: 14147 +revision-id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn +parent: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2017-02-26 21:56:17 +1300 +message: + ext_kerberos_ldap_group_acl: fix unused value warnings + + Detected by Coverity Scan. Issues 1364748 and 1364749. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fd770175ba851fc62de4a085414c8fd996b53e46 +# timestamp: 2017-02-26 09:51:04 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170226085245-\ +# vcvc7nemupizbe4t +# +# Begin patch +=== modified file 'helpers/external_acl/kerberos_ldap_group/support_ldap.cc' +--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-01-01 00:16:45 +0000 ++++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-02-26 08:56:17 +0000 +@@ -919,8 +919,8 @@ + /* + * Initialise ldap + */ +- ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ; +- ldap_debug = -1 /* LDAP_DEBUG_ANY */ ; ++// ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ; ++// ldap_debug = -1 /* LDAP_DEBUG_ANY */ ; + ldap_debug = 0; + (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug); + #endif + diff --git a/src/patches/squid/squid-3.5-14148.patch b/src/patches/squid/squid-3.5-14148.patch new file mode 100644 index 0000000..ce7d966 --- /dev/null +++ b/src/patches/squid/squid-3.5-14148.patch 
@@ -0,0 +1,62 @@ +------------------------------------------------------------ +revno: 14148 +revision-id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is +parent: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn +author: Alexander Gozman a.gozman@securitycode.ru +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Mon 2017-02-27 00:09:42 +1300 +message: + Native FTP relay: NAT and TPROXY interception fixes +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 63f57f0ddddf0f231c3ef88a12728a707828c6ad +# timestamp: 2017-02-26 11:51:04 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170226085617-\ +# 89jfjndt62i83qtn +# +# Begin patch +=== modified file 'src/servers/FtpServer.cc' +--- src/servers/FtpServer.cc 2017-01-01 00:16:45 +0000 ++++ src/servers/FtpServer.cc 2017-02-26 11:09:42 +0000 +@@ -1454,9 +1454,33 @@ + Comm::ConnectionPointer conn = new Comm::Connection(); + conn->flags |= COMM_DOBIND; + +- // Use local IP address of the control connection as the source address +- // of the active data connection, or some clients will refuse to accept. +- conn->setAddrs(clientConnection->local, cltAddr); ++ if (clientConnection->flags & COMM_INTERCEPTION) { ++ // In the case of NAT interception conn->local value is not set ++ // because the TCP stack will automatically pick correct source ++ // address for the data connection. We must only ensure that IP ++ // version matches client's address. ++ conn->local.setAnyAddr(); ++ ++ if (cltAddr.isIPv4()) ++ conn->local.setIPv4(); ++ ++ conn->remote = cltAddr; ++ } else { ++ // In the case of explicit-proxy the local IP of the control connection ++ // is the Squid IP the client is knowingly talking to. 
++ // ++ // In the case of TPROXY the IP address of the control connection is ++ // server IP the client is connecting to, it can be spoofed by Squid. ++ // ++ // In both cases some clients may refuse to accept data connections if ++ // these control connectin local-IP's are not used. ++ conn->setAddrs(clientConnection->local, cltAddr); ++ ++ // Using non-local addresses in TPROXY mode requires appropriate socket option. ++ if (clientConnection->flags & COMM_TRANSPARENT) ++ conn->flags |= COMM_TRANSPARENT; ++ } ++ + // RFC 959 requires active FTP connections to originate from port 20 + // but that would preclude us from supporting concurrent transfers! (XXX?) + conn->local.port(0); + diff --git a/src/patches/squid/squid-3.5-14149.patch b/src/patches/squid/squid-3.5-14149.patch new file mode 100644 index 0000000..a9fa597 --- /dev/null +++ b/src/patches/squid/squid-3.5-14149.patch 
@@ -0,0 +1,78 @@ +------------------------------------------------------------ +revno: 14149 +revision-id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3 +parent: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4508 +author: Christos Tsantilas chtsanti@users.sourceforge.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Fri 2017-03-31 01:31:22 +1200 +message: + Bug 4508: Host forgery stalls intercepted being-spliced connections. + + Most SslBump splicing happens after getting SNI. SNI goes into the + second fake CONNECT request, where it may fail the host forgery check. + A failed check triggers an HTTP error response from Squid. When + attempting to send that response to the TLS client, Squid checks whether + all previously pipelined HTTP requests on the connection have finished. + + Prior to this fix, Squid left the first fake CONNECT request in the + connection pipeline despite adding the second fake CONNECT. That first + CONNECT stalled the error response described above, with Squid waiting, + in vain, for that already handled [fake] transaction to finish. + + Also call quitAfterError() to force Squid to close the connection (after + writing the discussed error response) instead of just logging a + [misleading] "kick abandoning [connection]" message in cache.log. + + TODO: Always pop the first CONNECT when generating a second one. + Unifying CONNECT treatment is difficult because code like tunnel.cc + wants that CONNECT to be in the pipeline. Polishing that would probably + require disassociating ConnStateData from tunnel.cc (at least). + + TODO: Apply the existing "delayed error" logic (that optionally bumps + TLS connections to deliver [some] errors to [some] SSL/TLS clients) to + host forgery errors. Otherwise, the plain HTTP error message cannot be + understood by the intercepted TLS client. 
+ + This is a Measurement Factory project +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: db616fff2ac0df73cf41d380f07a96b773cf2be5 +# timestamp: 2017-03-30 13:51:17 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170226110942-\ +# 90rcwhx3fwa2l7is +# +# Begin patch +=== modified file 'src/client_side.cc' +--- src/client_side.cc 2017-01-27 13:38:24 +0000 ++++ src/client_side.cc 2017-03-30 13:31:22 +0000 +@@ -4376,7 +4376,12 @@ + fd_table[connState->clientConnection->fd].read_method = &default_read_method; + fd_table[connState->clientConnection->fd].write_method = &default_write_method; + ++ ClientSocketContext::Pointer context = connState->getCurrentContext(); ++ Must(context != NULL); + if (connState->transparent()) { ++ // If we are going to fake the second CONNECT, clear the first one. ++ context->connIsFinished(); ++ + // fake a CONNECT request to force connState to tunnel + // XXX: copy from MemBuf reallocates, not a regression since old code did too + SBuf temp; + +=== modified file 'src/client_side_request.cc' +--- src/client_side_request.cc 2017-02-25 05:50:14 +0000 ++++ src/client_side_request.cc 2017-03-30 13:31:22 +0000 +@@ -561,6 +561,7 @@ + debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request)); + + // IP address validation for Host: failed. reject the connection. ++ http->getConn()->quitAfterError(http->request); + clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data; + clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); + assert (repContext); + diff --git a/src/patches/squid/squid-3.5-14150.patch b/src/patches/squid/squid-3.5-14150.patch new file mode 100644 index 0000000..dfe97a0 
--- /dev/null +++ b/src/patches/squid/squid-3.5-14150.patch @@ -0,0 +1,32 @@ +------------------------------------------------------------ +revno: 14150 +revision-id: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y +parent: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Fri 2017-03-31 12:51:52 +1200 +message: + Fix variable shadowing after rev.14149 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: ae1e30fff31cf8b411c62eba344fdc944692aecf +# timestamp: 2017-03-31 01:51:06 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170330133122-\ +# zcpblbvnuq7mjvq3 +# +# Begin patch +=== modified file 'src/client_side.cc' +--- src/client_side.cc 2017-03-30 13:31:22 +0000 ++++ src/client_side.cc 2017-03-31 00:51:52 +0000 +@@ -4390,7 +4390,6 @@ + } else { + // in.buf still has the "CONNECT ..." request data, reset it to SSL hello message + connState->in.buf.append(rbuf.content(), rbuf.contentSize()); +- ClientSocketContext::Pointer context = connState->getCurrentContext(); + ClientHttpRequest *http = context->http; + tunnelStart(http, &http->out.size, &http->al->http.code, http->al); + } + diff --git a/src/patches/squid/squid-3.5-14151.patch b/src/patches/squid/squid-3.5-14151.patch new file mode 100644 index 0000000..d22387d --- /dev/null +++ b/src/patches/squid/squid-3.5-14151.patch 
@@ -0,0 +1,36 @@ +------------------------------------------------------------ +revno: 14151 +revision-id: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id +parent: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sat 2017-04-01 12:38:31 +1300 +message: + Docs: update refresh_pattern description regarding 'max' option +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: be64101730dcb2deb664d6594d20a7295a666b98 +# timestamp: 2017-03-31 23:40:50 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170331005152-\ +# 8exm3hsly1v1jk8y +# +# Begin patch +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2017-01-01 00:16:45 +0000 ++++ src/cf.data.pre 2017-03-31 23:38:31 +0000 +@@ -5401,7 +5401,9 @@ + will be considered fresh. + + 'Max' is an upper limit on how long objects without an explicit +- expiry time will be considered fresh. ++ expiry time will be considered fresh. The value is also used ++ to form Cache-Control: max-age header for a request sent from ++ Squid to origin/parent. + + options: override-expire + override-lastmod + diff --git a/src/patches/squid/squid-3.5-14152.patch b/src/patches/squid/squid-3.5-14152.patch new file mode 100644 index 0000000..81bd3a0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14152.patch 
@@ -0,0 +1,35 @@ +------------------------------------------------------------ +revno: 14152 +revision-id: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl +parent: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sat 2017-04-01 12:39:21 +1300 +message: + libtrie: Fix 'make check' when run before 'make all' +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8399bbfe7b517fa6306bdc61d212a9a4fcc9e88b +# timestamp: 2017-03-31 23:40:52 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170331233831-\ +# m3hfrigo82uhz4id +# +# Begin patch +=== modified file 'lib/libTrie/Makefile.am' +--- lib/libTrie/Makefile.am 2017-01-01 00:16:45 +0000 ++++ lib/libTrie/Makefile.am 2017-03-31 23:39:21 +0000 +@@ -8,8 +8,8 @@ + include $(top_srcdir)/src/Common.am + include $(top_srcdir)/src/TestHeaders.am + +-DIST_SUBDIRS = test +-SUBDIRS = test ++DIST_SUBDIRS = . test ++SUBDIRS = . test + + noinst_LIBRARIES = libTrie.a + + diff --git a/src/patches/squid/squid-3.5-14153.patch b/src/patches/squid/squid-3.5-14153.patch new file mode 100644 index 0000000..c236a61 --- /dev/null +++ b/src/patches/squid/squid-3.5-14153.patch 
@@ -0,0 +1,353 @@ +------------------------------------------------------------ +revno: 14153 +revision-id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx +parent: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4688 +author: Lubos Uhliarik luhliari@redhat.com +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sat 2017-04-01 12:47:47 +1300 +message: + Bug 4688: various typo error(s) in man page(s) +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: a05d98a4e328e39f2a490cfeff72ad8735cc6b6e +# timestamp: 2017-03-31 23:48:51 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170331233921-\ +# efxhs8vy025fvrnl +# +# Begin patch +=== modified file 'compat/compat.h' +--- compat/compat.h 2017-01-01 00:16:45 +0000 ++++ compat/compat.h 2017-03-31 23:47:47 +0000 +@@ -11,7 +11,7 @@ + + /* + * From discussions it was chosen to push compat code as far down as possible. +- * That means we can have a seperate compat for most ++ * That means we can have a separate compat for most + * compatability and portability hacks and resolutions. 
+ * + * This file is meant to collate all those hacks files together and + +=== modified file 'helpers/basic_auth/DB/basic_db_auth.pl.in' +--- helpers/basic_auth/DB/basic_db_auth.pl.in 2017-01-01 00:16:45 +0000 ++++ helpers/basic_auth/DB/basic_db_auth.pl.in 2017-03-31 23:47:47 +0000 +@@ -14,7 +14,7 @@ + + basic_db_auth [options] + +-=head1 DESCRIPTOIN ++=head1 DESCRIPTION + + This program verifies username & password to a database + +@@ -97,7 +97,7 @@ + Copyright (C) 2007 Henrik Nordstrom henrik@henriknordstrom.net + Copyright (C) 2010 Luis Daniel Lucio Quiroz dlucio@okay.com.mx (Joomla support) + This program is free software. You may redistribute copies of it under the +-terms of the GNU General Public License version 2, or (at youropinion) any ++terms of the GNU General Public License version 2, or (at your opinion) any + later version. + + =head1 QUESTIONS + +=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8' +--- helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-01-01 00:16:45 +0000 ++++ helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-03-31 23:47:47 +0000 +@@ -98,7 +98,7 @@ + .B Note: + This can only be done if all your users are located directly under + the same position in the LDAP tree and the login name is used for naming +-each user object. If your LDAP tree does not match these criterias or if ++each user object. If your LDAP tree does not match these criteria or if + you want to filter who are valid users then you need to use a search filter + to search for your users DN ( + .B -f +@@ -186,15 +186,15 @@ + .B never + dereference aliases (default), + .B always +-dereference aliases, only while +-.B search ing ++dereference aliases, only during a ++.B search + or only to + .B find + the base object. + . + .if !'po4a'hide' .TP + .if !'po4a'hide' .B "-H ldap_uri +-Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries). ++Specify the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries). 
+ Servers can also be specified last on the command line. + . + .if !'po4a'hide' .TP + +=== modified file 'helpers/digest_auth/LDAP/digest_pw_auth.cc' +--- helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-01-01 00:16:45 +0000 ++++ helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-03-31 23:47:47 +0000 +@@ -30,7 +30,7 @@ + * the file format. However storing such a triple does little to + * improve security: If compromised the username:realm:HA1 combination + * is "plaintext equivalent" - for the purposes of digest authentication +- * they allow the user access. Password syncronisation is not tackled ++ * they allow the user access. Password synchronization is not tackled + * by digest - just preventing on the wire compromise. + * + * Copyright (c) 2003 Robert Collins robertc@squid-cache.org + +=== modified file 'helpers/digest_auth/eDirectory/digest_pw_auth.cc' +--- helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-01-01 00:16:45 +0000 ++++ helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-03-31 23:47:47 +0000 +@@ -30,7 +30,7 @@ + * the file format. However storing such a triple does little to + * improve security: If compromised the username:realm:HA1 combination + * is "plaintext equivalent" - for the purposes of digest authentication +- * they allow the user access. Password syncronisation is not tackled ++ * they allow the user access. Password synchronization is not tackled + * by digest - just preventing on the wire compromise. + * + * Copyright (c) 2003 Robert Collins robertc@squid-cache.org + +=== modified file 'helpers/digest_auth/file/digest_file_auth.8' +--- helpers/digest_auth/file/digest_file_auth.8 2017-01-01 00:16:45 +0000 ++++ helpers/digest_auth/file/digest_file_auth.8 2017-03-31 23:47:47 +0000 +@@ -15,7 +15,7 @@ + is an installed binary authentication program for Squid. It handles digest + authentication protocol and authenticates against a text file backend. + . 
+-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately. ++This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately. + It may be used with any value 0 or above for the auth_param children concurrency= parameter. + . + .SH OPTIONS +@@ -54,7 +54,7 @@ + improve security: If compromised the + .B username:realm:HA1 + combination is "plaintext equivalent" - for the purposes of digest authentication +-they allow the user access. Password syncronisation is not tackled ++they allow the user access. Password synchronization is not tackled + by digest - just preventing on the wire compromise. + . + .SH AUTHOR + +=== modified file 'helpers/digest_auth/file/digest_file_auth.cc' +--- helpers/digest_auth/file/digest_file_auth.cc 2017-01-01 00:16:45 +0000 ++++ helpers/digest_auth/file/digest_file_auth.cc 2017-03-31 23:47:47 +0000 +@@ -33,7 +33,7 @@ + * the file format. However storing such a triple does little to + * improve security: If compromised the username:realm:HA1 combination + * is "plaintext equivalent" - for the purposes of digest authentication +- * they allow the user access. Password syncronisation is not tackled ++ * they allow the user access. Password synchronization is not tackled + * by digest - just preventing on the wire compromise. + * + * Copyright (c) 2003 Robert Collins robertc@squid-cache.org + +=== modified file 'helpers/digest_auth/file/text_backend.cc' +--- helpers/digest_auth/file/text_backend.cc 2017-01-01 00:16:45 +0000 ++++ helpers/digest_auth/file/text_backend.cc 2017-03-31 23:47:47 +0000 +@@ -29,7 +29,7 @@ + * the file format. However storing such a triple does little to + * improve security: If compromised the username:realm:HA1 combination + * is "plaintext equivalent" - for the purposes of digest authentication +- * they allow the user access. Password syncronisation is not tackled ++ * they allow the user access. 
Password synchronization is not tackled + * by digest - just preventing on the wire compromise. + * + * Copyright (c) 2003 Robert Collins robertc@squid-cache.org + +=== modified file 'helpers/external_acl/LDAP_group/ext_ldap_group_acl.8' +--- helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-01-01 00:16:45 +0000 ++++ helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-03-31 23:47:47 +0000 +@@ -52,8 +52,8 @@ + .BI never + dereference aliases (default), + .BI always +-dereference aliases, only while +-.BR search ing ++dereference aliases, only during a ++.BR search + or only to + .B find + the base object +@@ -143,7 +143,7 @@ + . + .if !'po4a'hide' .TP + .if !'po4a'hide' .BI -H " ldapuri" +-Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries) ++Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries) + . + .if !'po4a'hide' .TP + .if !'po4a'hide' .BI -K + +=== modified file 'helpers/external_acl/kerberos_ldap_group/README' +--- helpers/external_acl/kerberos_ldap_group/README 2010-08-13 10:17:20 +0000 ++++ helpers/external_acl/kerberos_ldap_group/README 2017-03-31 23:47:47 +0000 +@@ -65,7 +65,7 @@ + export KRB5_KTNAME + + If you use a different Kerberos domain than the machine itself is in you can point squid to +-the seperate Kerberos config file by setting the following environmnet variable in the startup ++the separate Kerberos config file by setting the following environment variable in the startup + script. + + KRB5_CONFIG=/etc/krb5-squid.conf + +=== modified file 'helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8' +--- helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2015-03-21 06:32:34 +0000 ++++ helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-03-31 23:47:47 +0000 +@@ -163,7 +163,7 @@ + .if !'po4a'hide' .ft + . 
+ If you use a different Kerberos domain than the machine itself is in you can point squid to +-the seperate Kerberos config file by setting the following environmnet variable in the startup ++the separate Kerberos config file by setting the following environment variable in the startup + script. + .if !'po4a'hide' .P + .if !'po4a'hide' .ft CR + +=== modified file 'helpers/external_acl/session/ext_session_acl.8' +--- helpers/external_acl/session/ext_session_acl.8 2017-01-01 00:16:45 +0000 ++++ helpers/external_acl/session/ext_session_acl.8 2017-03-31 23:47:47 +0000 +@@ -21,7 +21,7 @@ + ) or a fixed period of time ( + .B -T + ). The former is suitable for displaying terms and conditions to a user; the +-latter is suitable for the display of advertisments or other notices (both as a ++latter is suitable for the display of advertisements or other notices (both as a + splash page - see config examples in the wiki online). The session helper can also be used + to force users to re-authenticate if the + .B %LOGIN +@@ -55,7 +55,7 @@ + environment is created within the directory. The advantage of the latter + is better database support between multiple instances of the session + helper. Using multiple instances of the session helper with a single +-database file will cause synchronisation problems between processes. ++database file will cause synchronization problems between processes. + If this option is not specified the session details will be kept in + memory only and all sessions will reset each time Squid restarts its + helpers (Squid restart or rotation of logs). + +=== modified file 'helpers/log_daemon/DB/log_db_daemon.pl.in' +--- helpers/log_daemon/DB/log_db_daemon.pl.in 2017-01-01 00:16:45 +0000 ++++ helpers/log_daemon/DB/log_db_daemon.pl.in 2017-03-31 23:47:47 +0000 +@@ -18,7 +18,7 @@ + + log_db_daemon DSN [options] + +-=head1 DESCRIPTOIN ++=head1 DESCRIPTION + + This program writes Squid access.log entries to a database. 
+ Presently only accepts the B<squid> native format +@@ -373,7 +373,7 @@ + WHERE squid_request_status LIKE '%MISS%') + / + (SELECT COUNT(*) FROM access_log)*100 +- AS pecentage; ++ AS percentage; + + =item Response time ranges + +@@ -433,7 +433,7 @@ + + This script currently implements only the C<L> (i.e. "append a line to the log") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem. + +-One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to caluclate those values. ++One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to calculate those values. + + Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands. + + +=== modified file 'helpers/negotiate_auth/kerberos/README' +--- helpers/negotiate_auth/kerberos/README 2008-10-03 02:25:50 +0000 ++++ helpers/negotiate_auth/kerberos/README 2017-03-31 23:47:47 +0000 +@@ -53,7 +53,7 @@ + export KRB5_KTNAME + + If you use a different Kerberos domain than the machine itself is in you can point squid to +-the seperate Kerberos config file by setting the following environmnet variable in the startup ++the separate Kerberos config file by setting the following environment variable in the startup + script. 
+ + KRB5_CONFIG=/etc/krb-squid5.conf + +=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8' +--- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2014-12-20 17:10:25 +0000 ++++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2017-03-31 23:47:47 +0000 +@@ -69,7 +69,7 @@ + export KRB5_KTNAME + + If you use a different Kerberos domain than the machine itself is in you can point squid to +-the seperate Kerberos config file by setting the following environmnet variable in the startup ++the separate Kerberos config file by setting the following environment variable in the startup + script. + + KRB5_CONFIG=/etc/krb5-squid.conf + +=== modified file 'helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in' +--- helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-01-01 00:16:45 +0000 ++++ helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-03-31 23:47:47 +0000 +@@ -29,7 +29,7 @@ + Rewrite rules are matched in the same order as they appear in the rules file. + So for best performance, sort it in order of frequency of occurrence. + +-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately. ++This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately. + It may be used with any value 0 or above for the store_id_children concurrency= parameter. + + =head1 OPTIONS + +=== modified file 'src/StoreFileSystem.h' +--- src/StoreFileSystem.h 2017-01-01 00:16:45 +0000 ++++ src/StoreFileSystem.h 2017-03-31 23:47:47 +0000 +@@ -47,7 +47,7 @@ + \par + * configure will take a list of storage types through the + * --enable-store-io parameter. This parameter takes a list of +- * space seperated storage types. For example, ++ * space separated storage types. For example, + * --enable-store-io="ufs aufs" . 
+ * + \par + +=== modified file 'src/ipcache.cc' +--- src/ipcache.cc 2017-01-01 00:16:45 +0000 ++++ src/ipcache.cc 2017-03-31 23:47:47 +0000 +@@ -50,7 +50,7 @@ + \defgroup IPCacheInternal IP Cache Internals + \ingroup IPCacheAPI + \todo when IP cache is provided as a class. These sub-groups will be obsolete +- * for now they are used to seperate the public and private functions. ++ * for now they are used to separate the public and private functions. + * with the private ones all being in IPCachInternal and public in IPCacheAPI + * + \section InternalOperation Internal Operation + +=== modified file 'src/ssl/ssl_crtd.8' +--- src/ssl/ssl_crtd.8 2017-01-01 00:16:45 +0000 ++++ src/ssl/ssl_crtd.8 2017-03-31 23:47:47 +0000 +@@ -33,7 +33,7 @@ + Because the generation and signing of SSL certificates takes time + Squid must use external process to handle the work. + . +-This process generates new SSL certificates and uses a disk cache of certificatess ++This process generates new SSL certificates and uses a disk cache of certificates + to improve response times on repeated requests. + Communication occurs via TCP sockets bound to the loopback interface. + . +@@ -122,7 +122,7 @@ + . + .PP + For simple configuration the helper defaults can be used. +-Only HTTP listening port options are required to enable generation and set the signign CA certificate. ++Only HTTP listening port options are required to enable generation and set the signing CA certificate. + For Example: + .if !'po4a'hide' .RS + .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem +
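Review bot: In helpers/external_acl/LDAP_group/ext_ldap_group_acl.8, hunk @@ -143,7 +143,7 @@, the corrected line still reads "by a LDAP URI". Since the line is already being rewritten for "Specity", change it to "by an LDAP URI" in the same edit.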
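Review bot: In helpers/external_acl/session/ext_session_acl.8, hunk @@ -55,7 +55,7 @@, "synchronisation" was a valid spelling rather than a typo, so this line is a spelling-convention change mixed into a typo sweep. If the intent is to standardise on "synchronization", as the digest_auth hunks now do, say so in the patch description so the change is not read as a correction.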
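Review bot: In helpers/negotiate_auth/kerberos/README, hunk @@ -53,7 +53,7 @@, the example below the corrected sentence is "KRB5_CONFIG=/etc/krb-squid5.conf", while the same paragraph in helpers/external_acl/kerberos_ldap_group/README and in negotiate_kerberos_auth.8 shows "KRB5_CONFIG=/etc/krb5-squid.conf". The three documents describe the same setting and should agree on the file name, so pick one and use it in all of them while this paragraph is being touched.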
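Review bot: In src/ipcache.cc, hunk @@ -50,7 +50,7 @@, the line directly after the corrected one still says "IPCachInternal", although the group is declared as "\defgroup IPCacheInternal" at the top of the same hunk. Fix the group name here too so the comment refers to the group that is actually defined.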
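Review bot: In src/ssl/ssl_crtd.8, hunk @@ -33,7 +33,7 @@, the context sentence just above the corrected line still reads "Squid must use external process to handle the work", which is missing its article. As this paragraph is already part of the spelling sweep, change it to "an external process" in the same patch.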
hooks/post-receive -- IPFire 2.x development tree