From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. b26b242a9c5f9bc5b0a941782b2d57465dc69565 Date: Tue, 13 Dec 2016 22:32:08 +0000 Message-ID: <20161213223209.A5AE11078E80@git01.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8054862863865369410==" List-Id: --===============8054862863865369410== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, master has been updated via b26b242a9c5f9bc5b0a941782b2d57465dc69565 (commit) via a5f09f8e5b8639564b9ca4c4d06b3cfcaafa3ed2 (commit) via d15c59e6e52e51d6319c3cd3ca4fbad7038f88a2 (commit) via 6426c4066f85a9c706df2c141fbf9604739a78c3 (commit) via 4ce082a4dd427ea9a9d94241f1f2ce04e72d98a6 (commit) via 262c48be60bbfaa1f190aeacffd303800f3090cf (commit) via cc8f79f95fea8a2eb87f888c472c311df585035e (commit) via cc2a2209d8797569013c9dec58ff10e49dfabec5 (commit) via 67214dc2eb6b0a7c1b0f43e049a0aad6802a8db1 (commit) via 31986a351cc54a07a2205f5426e80e143afa87c5 (commit) via 6268c62384c17112f10cb0c6acc3b0951eb81f2c (commit) via 2aa15dee660214bfe4f402ff7c34c28b9bb068bc (commit) via cd812106b19a146d175fc2e13efcdc68ad04754e (commit) via adb11e90dfe701fa0e29bcc80aeb998719d99797 (commit) via b7f2fe819b1ecf0e0c04e0059b64b67127073d44 (commit) via 0b5b6a594cbe71d0a206176216d0ab1d749ef978 (commit) via 49750f72dee50a2103ead403b16630b67a838231 (commit) via e2b19d984cfa7510edcffc7788ef53cb086cdffb (commit) via 86e9d04bfb73eb256682a567e187fe1e5cdcc3ca (commit) via bc4a68812bb131be6a8413f69909bf6a3d5a89a2 (commit) via c6bc0fb03e0dbb9f1ba34d42195d0601b55891c1 (commit) via f8aa041f1a957f782c47c441c6b403e65707dd85 (commit) from 34f6a3f1b56e724062897d480d102d81e4e47298 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit b26b242a9c5f9bc5b0a941782b2d57465dc69565 Author: Arne Fitzenreiter Date: Tue Dec 13 23:29:21 2016 +0100 finish core108 =20 Signed-off-by: Arne Fitzenreiter commit a5f09f8e5b8639564b9ca4c4d06b3cfcaafa3ed2 Author: Matthias Fischer Date: Sat Dec 10 18:44:03 2016 +0100 squid 3.5.22: latest patches (14119-14122) =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit d15c59e6e52e51d6319c3cd3ca4fbad7038f88a2 Author: Matthias Fischer Date: Sun Dec 11 01:22:51 2016 +0100 nano: Update to 2.7.1 =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 6426c4066f85a9c706df2c141fbf9604739a78c3 Author: Michael Tremer Date: Tue Dec 6 14:20:16 2016 +0000 core108: Ship updated squid =20 Signed-off-by: Michael Tremer commit 4ce082a4dd427ea9a9d94241f1f2ce04e72d98a6 Author: Matthias Fischer Date: Fri Dec 2 23:22:22 2016 +0100 squid 3.5.22: latest patches (14114-14118) =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 262c48be60bbfaa1f190aeacffd303800f3090cf Author: Matthias Fischer Date: Wed Nov 30 18:50:05 2016 +0100 squid 3.5.22: latest patches (14103-14113) =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit cc8f79f95fea8a2eb87f888c472c311df585035e Author: Matthias Fischer Date: Fri Oct 28 09:49:32 2016 +0200 squid 3.5.22: latest patches (14100-14102) =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit cc2a2209d8797569013c9dec58ff10e49dfabec5 Author: Matthias Fischer Date: Fri Oct 21 20:30:29 2016 +0200 squid 3.5.22: latest patch (14099) =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 67214dc2eb6b0a7c1b0f43e049a0aad6802a8db1 Author: Michael Tremer Date: Tue Dec 6 14:17:05 2016 +0000 core108: Ship updated NTP =20 Signed-off-by: Michael Tremer commit 31986a351cc54a07a2205f5426e80e143afa87c5 Author: Matthias Fischer Date: Thu Dec 1 18:32:31 2016 +0100 ntp: Update to 4.2.8p9 =20 "It addresses 1 high-, 2 medium-, 2 medium-/low-, and 5 low-severity security issues, 28 bugfixes, and contains other improvements over 4.2.8p= 8." =20 For a complete list, see: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 6268c62384c17112f10cb0c6acc3b0951eb81f2c Author: Michael Tremer Date: Sat Dec 3 13:30:02 2016 +0000 tor: Update to 0.2.8.10 =20 Brings various major bugfixes and privacy enhancements =20 Signed-off-by: Michael Tremer commit 2aa15dee660214bfe4f402ff7c34c28b9bb068bc Author: Michael Tremer Date: Thu Dec 1 17:13:07 2016 +0000 unbound: Fix DNS forwarder test =20 The previous version aborted when the validation test suceeded, but this is not always sufficient in case a provider filters any DNSKEY, DS or RRSIG records. =20 Signed-off-by: Michael Tremer commit cd812106b19a146d175fc2e13efcdc68ad04754e Author: Michael Tremer Date: Tue Nov 29 12:26:34 2016 +0000 unbound: Do not try removing forwarders when unbound is not running =20 Signed-off-by: Michael Tremer commit adb11e90dfe701fa0e29bcc80aeb998719d99797 Author: Michael Tremer Date: Tue Nov 29 12:18:41 2016 +0000 Always enable asynchronous logging =20 This patch always enables asynchronous logging which slows down the system a lot on slow storage and some virtual environments. =20 It also removes the configuration options in the web user interface, since this is not configurable any more. =20 Signed-off-by: Michael Tremer commit b7f2fe819b1ecf0e0c04e0059b64b67127073d44 Author: Michael Tremer Date: Mon Nov 28 21:51:13 2016 +0000 core108: Ship updated ddns =20 Signed-off-by: Michael Tremer commit 0b5b6a594cbe71d0a206176216d0ab1d749ef978 Author: Stefan Schantl Date: Fri Oct 28 15:48:22 2016 +0200 ddns: Import patches for schokokeks.org support. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 49750f72dee50a2103ead403b16630b67a838231 Author: Michael Tremer Date: Mon Nov 28 21:48:21 2016 +0000 Start Core Update 108 =20 Signed-off-by: Michael Tremer commit e2b19d984cfa7510edcffc7788ef53cb086cdffb Author: Michael Tremer Date: Mon Nov 28 21:38:29 2016 +0000 strongswan: Update to 5.5.1 =20 Signed-off-by: Michael Tremer commit 86e9d04bfb73eb256682a567e187fe1e5cdcc3ca Author: Michael Tremer Date: Fri Nov 25 17:45:39 2016 +0000 unbound: Deactivate qname-minimization & harden-below-nxdomain =20 This causes trouble when you try to resolve a record like a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound won't try to resolve a.b.blah.com because it is assumed that everything longer than b.blah.com does not exist which is probably not good usability. =20 Signed-off-by: Michael Tremer commit bc4a68812bb131be6a8413f69909bf6a3d5a89a2 Author: Alexander Marx Date: Mon Oct 31 12:19:15 2016 +0100 BUG11242: Fix for adding 2 VPN Hosts/network with same name =20 If one has an IPSec network named "aaa" and an OpenVPn Host with the same= name it was not possible to group them together because of the same name. Now the Network type is also checked wich allows Entries with same name, = but different networks. =20 Fixes: #11242 =20 Signed-off-by: Alexander Marx Signed-off-by: Michael Tremer commit c6bc0fb03e0dbb9f1ba34d42195d0601b55891c1 Merge: f8aa041 34f6a3f Author: Arne Fitzenreiter Date: Fri Nov 4 21:12:25 2016 +0100 Merge remote-tracking branch 'origin/master' into next commit f8aa041f1a957f782c47c441c6b403e65707dd85 Author: Michael Tremer Date: Wed Nov 2 15:42:40 2016 +0000 unbound: Fix for DNS forwarding of .local zones =20 These are traditionally used for Windows domains and should not be used for that. However if they are used like this, DNSSEC validation cannot be used. =20 Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/etc/syslog.conf | 6 +- config/rootfiles/common/strongswan | 1 + config/rootfiles/{oldcore/106 =3D> core/108}/exclude | 0 .../{oldcore/95 =3D> core/108}/filelists/ddns | 0 config/rootfiles/core/108/filelists/files | 7 + .../108}/filelists/i586/strongswan-padlock | 0 .../{oldcore/96 =3D> core/108}/filelists/ntp | 0 config/rootfiles/core/{107 =3D> 108}/filelists/squid | 0 .../{oldcore/96 =3D> core/108}/filelists/strongswan | 0 config/rootfiles/core/{107 =3D> 108}/meta | 0 .../rootfiles/{oldcore/105 =3D> core/108}/update.sh | 28 +-- config/rootfiles/{core =3D> oldcore}/107/exclude | 0 .../107/filelists/armv5tel/linux-kirkwood | 0 .../107/filelists/armv5tel/linux-multi | 0 .../107/filelists/armv5tel/linux-rpi | 0 .../{core =3D> oldcore}/107/filelists/files | 0 .../{core =3D> oldcore}/107/filelists/hdparm | 0 .../{core =3D> oldcore}/107/filelists/i586/linux | 0 .../{core =3D> oldcore}/107/filelists/libjpeg | 0 .../{core =3D> oldcore}/107/filelists/libjpeg-compat | 0 .../rootfiles/oldcore/{94 =3D> 107}/filelists/squid | 0 .../{core =3D> oldcore}/107/filelists/x86_64/linux | 0 config/rootfiles/oldcore/{99 =3D> 107}/meta | 0 config/rootfiles/{core =3D> oldcore}/107/update.sh | 0 config/unbound/unbound.conf | 2 - doc/language_issues.de | 3 + doc/language_issues.en | 3 + doc/language_issues.es | 3 +- doc/language_issues.fr | 3 + doc/language_issues.it | 3 + doc/language_issues.nl | 3 + doc/language_issues.pl | 3 +- doc/language_issues.ru | 3 + doc/language_issues.tr | 3 + html/cgi-bin/fwhosts.cgi | 4 +- html/cgi-bin/logs.cgi/config.dat | 20 --- lfs/ddns | 3 + lfs/nano | 6 +- lfs/ntp | 6 +- lfs/squid | 24 +++ lfs/strongswan | 4 +- lfs/tor | 6 +- make.sh | 4 +- src/initscripts/init.d/unbound | 17 +- src/misc-progs/syslogdctrl.c | 23 --- .../ddns-0001-New-provider-Schokokeks.org.patch | 47 +++++ ...2-Schokokeks.org-Fix-malformed-update-URL.patch | 55 ++++++ src/patches/squid/squid-3.5-14099.patch | 65 +++++++ src/patches/squid/squid-3.5-14100.patch | 39 ++++ src/patches/squid/squid-3.5-14101.patch | 59 ++++++ src/patches/squid/squid-3.5-14102.patch | 38 ++++ src/patches/squid/squid-3.5-14103.patch | 61 +++++++ src/patches/squid/squid-3.5-14104.patch | 66 +++++++ src/patches/squid/squid-3.5-14105.patch | 48 +++++ src/patches/squid/squid-3.5-14106.patch | 34 ++++ src/patches/squid/squid-3.5-14107.patch | 56 ++++++ src/patches/squid/squid-3.5-14108.patch | 33 ++++ src/patches/squid/squid-3.5-14109.patch | 167 +++++++++++++++++ src/patches/squid/squid-3.5-14110.patch | 102 +++++++++++ src/patches/squid/squid-3.5-14111.patch | 43 +++++ src/patches/squid/squid-3.5-14112.patch | 60 +++++++ src/patches/squid/squid-3.5-14113.patch | 47 +++++ src/patches/squid/squid-3.5-14114.patch | 46 +++++ src/patches/squid/squid-3.5-14115.patch | 197 +++++++++++++++++++= ++ src/patches/squid/squid-3.5-14116.patch | 38 ++++ src/patches/squid/squid-3.5-14117.patch | 152 ++++++++++++++++ src/patches/squid/squid-3.5-14118.patch | 55 ++++++ src/patches/squid/squid-3.5-14119.patch | 184 +++++++++++++++++++ src/patches/squid/squid-3.5-14120.patch | 62 +++++++ src/patches/squid/squid-3.5-14121.patch | 36 ++++ src/patches/squid/squid-3.5-14122.patch | 34 ++++ 71 files changed, 1929 insertions(+), 83 deletions(-) copy config/rootfiles/{oldcore/106 =3D> core/108}/exclude (100%) copy config/rootfiles/{oldcore/95 =3D> core/108}/filelists/ddns (100%) create mode 100644 config/rootfiles/core/108/filelists/files copy config/rootfiles/{oldcore/96 =3D> core/108}/filelists/i586/strongswan-p= adlock (100%) copy config/rootfiles/{oldcore/96 =3D> core/108}/filelists/ntp (100%) rename config/rootfiles/core/{107 =3D> 108}/filelists/squid (100%) copy config/rootfiles/{oldcore/96 =3D> core/108}/filelists/strongswan (100%) rename config/rootfiles/core/{107 =3D> 108}/meta (100%) copy config/rootfiles/{oldcore/105 =3D> core/108}/update.sh (86%) rename config/rootfiles/{core =3D> oldcore}/107/exclude (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/armv5tel/linux-kir= kwood (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/armv5tel/linux-mul= ti (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/armv5tel/linux-rpi= (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/files (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/hdparm (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/i586/linux (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/libjpeg (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/libjpeg-compat (10= 0%) copy config/rootfiles/oldcore/{94 =3D> 107}/filelists/squid (100%) rename config/rootfiles/{core =3D> oldcore}/107/filelists/x86_64/linux (100%) copy config/rootfiles/oldcore/{99 =3D> 107}/meta (100%) rename config/rootfiles/{core =3D> oldcore}/107/update.sh (100%) create mode 100644 src/patches/ddns-0001-New-provider-Schokokeks.org.patch create mode 100644 src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update= -URL.patch create mode 100644 src/patches/squid/squid-3.5-14099.patch create mode 100644 src/patches/squid/squid-3.5-14100.patch create mode 100644 src/patches/squid/squid-3.5-14101.patch create mode 100644 src/patches/squid/squid-3.5-14102.patch create mode 100644 src/patches/squid/squid-3.5-14103.patch create mode 100644 src/patches/squid/squid-3.5-14104.patch create mode 100644 src/patches/squid/squid-3.5-14105.patch create mode 100644 src/patches/squid/squid-3.5-14106.patch create mode 100644 src/patches/squid/squid-3.5-14107.patch create mode 100644 src/patches/squid/squid-3.5-14108.patch create mode 100644 src/patches/squid/squid-3.5-14109.patch create mode 100644 src/patches/squid/squid-3.5-14110.patch create mode 100644 src/patches/squid/squid-3.5-14111.patch create mode 100644 src/patches/squid/squid-3.5-14112.patch create mode 100644 src/patches/squid/squid-3.5-14113.patch create mode 100644 src/patches/squid/squid-3.5-14114.patch create mode 100644 src/patches/squid/squid-3.5-14115.patch create mode 100644 src/patches/squid/squid-3.5-14116.patch create mode 100644 src/patches/squid/squid-3.5-14117.patch create mode 100644 src/patches/squid/squid-3.5-14118.patch create mode 100644 src/patches/squid/squid-3.5-14119.patch create mode 100644 src/patches/squid/squid-3.5-14120.patch create mode 100644 src/patches/squid/squid-3.5-14121.patch create mode 100644 src/patches/squid/squid-3.5-14122.patch Difference in files: diff --git a/config/etc/syslog.conf b/config/etc/syslog.conf index b1b7ec8..cdef756 100644 --- a/config/etc/syslog.conf +++ b/config/etc/syslog.conf @@ -5,10 +5,10 @@ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! # local0.* any dhcpcd log (even debug) in messages -cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.* /var/log/me= ssages +cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.* -/var/log/m= essages =20 # Log crons -#cron.* /var/log/cron.log +#cron.* -/var/log/cron.log =20 # Everybody gets emergency messages *.emerg * @@ -20,4 +20,4 @@ cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authp= riv.* /var/log/messag #*.* @hostname.domain =20 # Postfix logs -mail.* /var/log/mail +mail.* -/var/log/mail diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/str= ongswan index f81a9c8..38da986 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -72,6 +72,7 @@ etc/swanctl/bliss etc/swanctl/ecdsa etc/swanctl/pkcs12 etc/swanctl/pkcs8 +etc/swanctl/private etc/swanctl/pubkey etc/swanctl/rsa etc/swanctl/swanctl.conf diff --git a/config/rootfiles/core/107/exclude b/config/rootfiles/core/107/ex= clude deleted file mode 100644 index 1d8d74e..0000000 --- a/config/rootfiles/core/107/exclude +++ /dev/null @@ -1,29 +0,0 @@ -boot/config.txt -boot/grub/grub.cfg -boot/grub/grubenv -etc/alternatives -etc/collectd.custom -etc/default/grub -etc/ipsec.conf -etc/ipsec.secrets -etc/ipsec.user.conf -etc/ipsec.user.secrets -etc/localtime -etc/shadow -etc/snort/snort.conf -etc/ssh/ssh_config -etc/ssh/sshd_config -etc/ssl/openssl.cnf -etc/sudoers -etc/sysconfig/firewall.local -etc/sysconfig/rc.local -etc/udev/rules.d/30-persistent-network.rules -srv/web/ipfire/html/proxy.pac -var/ipfire/dma -var/ipfire/time -var/ipfire/ovpn -var/lib/alternatives -var/lib/unbound/root.key -var/log/cache -var/state/dhcp/dhcpd.leases -var/updatecache diff --git a/config/rootfiles/core/107/filelists/armv5tel/linux-kirkwood b/co= nfig/rootfiles/core/107/filelists/armv5tel/linux-kirkwood deleted file mode 120000 index 7217107..0000000 --- a/config/rootfiles/core/107/filelists/armv5tel/linux-kirkwood +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/linux-kirkwood \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/armv5tel/linux-multi b/confi= g/rootfiles/core/107/filelists/armv5tel/linux-multi deleted file mode 120000 index 204eb4c..0000000 --- a/config/rootfiles/core/107/filelists/armv5tel/linux-multi +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/armv5tel/linux-rpi b/config/= rootfiles/core/107/filelists/armv5tel/linux-rpi deleted file mode 120000 index a651a49..0000000 --- a/config/rootfiles/core/107/filelists/armv5tel/linux-rpi +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/linux-rpi \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/cor= e/107/filelists/files deleted file mode 100644 index 94704cf..0000000 --- a/config/rootfiles/core/107/filelists/files +++ /dev/null @@ -1,8 +0,0 @@ -etc/system-release -etc/issue -etc/unbound/unbound.conf -etc/rc.d/init.d/unbound -etc/rc.d/init.d/ntp -srv/web/ipfire/cgi-bin/logs.cgi/log.dat -srv/web/ipfire/cgi-bin/traffic.cgi -var/ipfire/langs diff --git a/config/rootfiles/core/107/filelists/hdparm b/config/rootfiles/co= re/107/filelists/hdparm deleted file mode 120000 index b644751..0000000 --- a/config/rootfiles/core/107/filelists/hdparm +++ /dev/null @@ -1 +0,0 @@ -../../../common/hdparm \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/i586/linux b/config/rootfile= s/core/107/filelists/i586/linux deleted file mode 120000 index 693ec4b..0000000 --- a/config/rootfiles/core/107/filelists/i586/linux +++ /dev/null @@ -1 +0,0 @@ -../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/libjpeg b/config/rootfiles/c= ore/107/filelists/libjpeg deleted file mode 120000 index 3b1a782..0000000 --- a/config/rootfiles/core/107/filelists/libjpeg +++ /dev/null @@ -1 +0,0 @@ -../../../common/libjpeg \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/libjpeg-compat b/config/root= files/core/107/filelists/libjpeg-compat deleted file mode 120000 index e6ff86d..0000000 --- a/config/rootfiles/core/107/filelists/libjpeg-compat +++ /dev/null @@ -1 +0,0 @@ -../../../common/libjpeg-compat \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/squid b/config/rootfiles/cor= e/107/filelists/squid deleted file mode 120000 index 2dc8372..0000000 --- a/config/rootfiles/core/107/filelists/squid +++ /dev/null @@ -1 +0,0 @@ -../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/107/filelists/x86_64/linux b/config/rootfi= les/core/107/filelists/x86_64/linux deleted file mode 120000 index 0615b5b..0000000 --- a/config/rootfiles/core/107/filelists/x86_64/linux +++ /dev/null @@ -1 +0,0 @@ -../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/107/meta b/config/rootfiles/core/107/meta deleted file mode 100644 index d547fa8..0000000 --- a/config/rootfiles/core/107/meta +++ /dev/null @@ -1 +0,0 @@ -DEPS=3D"" diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/= update.sh deleted file mode 100644 index 276dae5..0000000 --- a/config/rootfiles/core/107/update.sh +++ /dev/null @@ -1,253 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 3 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2016 IPFire-Team . = # -# # -############################################################################ -# -. /opt/pakfire/lib/functions.sh -/usr/local/bin/backupctrl exclude >/dev/null 2>&1 - -function find_device() { - local mountpoint=3D"${1}" - - local root - local dev mp fs flags rest - while read -r dev mp fs flags rest; do - # Skip unwanted entries - [ "${dev}" =3D "rootfs" ] && continue - - if [ "${mp}" =3D "${mountpoint}" ] && [ -b "${dev}" ]; then - root=3D"$(basename "${dev}")" - break - fi - done < /proc/mounts - - # Get the actual device from the partition that holds / - while [ -n "${root}" ]; do - if [ -e "/sys/block/${root}" ]; then - echo "${root}" - return 0 - fi - - # Remove last character - root=3D"${root::-1}" - done - - return 1 -} - - -core=3D107 - -function exit_with_error() { - # Set last succesfull installed core. - echo $(($core-1)) > /opt/pakfire/db/core/mine - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: $1" - exit $2 -} - -# Remove old core updates from pakfire cache to save space... -for (( i=3D1; i<=3D$core; i++ )) -do - rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire -done - -# -# Do some sanity checks. -case $(uname -r) in - *-ipfire* ) - # Ok. - ;; - * ) - exit_with_error "ERROR cannot update. No IPFire Kernel." 1 - ;; -esac - - -# -# -KVER=3D"xxxKVERxxx" - -# Check diskspace on root -ROOTSPACE=3D`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - -if [ $ROOTSPACE -lt 100000 ]; then - exit_with_error "ERROR cannot update because not enough free space on root.= " 2 - exit 2 -fi - -echo -echo Update Kernel to $KVER ... -# -# Remove old kernel, configs, initrd, modules, dtb's ... -# -rm -rf /boot/System.map-* -rm -rf /boot/config-* -rm -rf /boot/ipfirerd-* -rm -rf /boot/initramfs-* -rm -rf /boot/vmlinuz-* -rm -rf /boot/uImage-ipfire-* -rm -rf /boot/zImage-ipfire-* -rm -rf /boot/uInit-ipfire-* -rm -rf /boot/dtb-*-ipfire-* -rm -rf /lib/modules - -case "$(uname -m)" in - armv*) - # Backup uEnv.txt if exist - if [ -e /boot/uEnv.txt ]; then - cp -vf /boot/uEnv.txt /boot/uEnv.txt.org - fi - - # work around the u-boot folder detection bug - mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood - mkdir -pv /boot/dtb-$KVER-ipfire-multi - touch /boot/uImage-ipfire-kirkwood - touch /boot/zImage-ipfire-multi - touch /boot/uIinit-ipfire-kirkwood - touch /boot/uIinit-ipfire-multi - ;; -esac - -# Stop services -/etc/init.d/collectd stop -/etc/init.d/snort stop -/etc/init.d/squid stop -/etc/init.d/ipsec stop -/etc/init.d/apache stop - -# Extract files -tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / - -# Remove some old files -rm -f /etc/unbound/interfaces.conf - -# update linker config -ldconfig - -# Check diskspace on boot -BOOTSPACE=3D`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - -if [ $BOOTSPACE -lt 1000 ]; then - case $(uname -r) in - *-ipfire-kirkwood ) - # Special handling for old kirkwood images. - # (install only kirkwood kernel) - rm -rf /boot/* - # work around the u-boot folder detection bug - mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood - tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ - --numeric-owner -C / --wildcards 'boot/*-kirkwood*' - ;; - * ) - /etc/init.d/apache start - exit_with_error "FATAL-ERROR space run out on boot. System is not bootabl= e..." 4 - ;; - esac -fi - -# Update Language cache -/usr/local/bin/update-lang-cache - -# -# Start services -# -/etc/init.d/collectd start -/etc/init.d/apache start -/etc/init.d/squid start -/etc/init.d/snort start -if [ `grep "ENABLED=3Don" /var/ipfire/vpn/settings` ]; then - /etc/init.d/ipsec start -fi - -# Restart unbound to activate configuration changes -/etc/init.d/unbound restart - -# Delete old QoS enabled indicator -rm -f /var/ipfire/qos/enable - -# Upadate Kernel version uEnv.txt -if [ -e /boot/uEnv.txt ]; then - sed -i -e "s/KVER=3D.*/KVER=3D${KVER}/g" /boot/uEnv.txt -fi - -# call user update script (needed for some arm boards) -if [ -e /boot/pakfire-kernel-update ]; then - /boot/pakfire-kernel-update ${KVER} -fi - -case "$(uname -m)" in - i?86) - # Force (re)install pae kernel if pae is supported - rm -rf /opt/pakfire/db/installed/meta-linux-pae - if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" =3D=3D "" ]; then - ROOTSPACE=3D`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - BOOTSPACE=3D`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: WARNING not enough space for pae kernel." - else - echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae - echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae - echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae - fi - fi - ;; -esac -# -# After pakfire has ended run it again and update the lists and do upgrade -# -echo '#!/bin/bash' > /tmp/pak_update -echo 'while [ "$(ps -A | grep " update.sh")" !=3D "" ]; do' >> /tmp/pak_upda= te -echo ' sleep 1' >> /tmp/pak_update -echo 'done' >> /tmp/pak_update -echo 'while [ "$(ps -A | grep " pakfire")" !=3D "" ]; do' >> /tmp/pak_upda= te -echo ' sleep 1' >> /tmp/pak_update -echo 'done' >> /tmp/pak_update -echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update -echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update -echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update -echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update -echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If y= ou use a customized grub/uboot config"' >> /tmp/pak_update -echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"= ' >> /tmp/pak_update -echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "= ' >> /tmp/pak_update -echo 'touch /var/run/need_reboot ' >> /tmp/pak_update -# -killall -KILL pak_update -chmod +x /tmp/pak_update -/tmp/pak_update & - -sync - -# This update need a reboot... -touch /var/run/need_reboot - -# Finish -/etc/init.d/fireinfo start -sendprofile -# Update grub config to display new core version -if [ -e /boot/grub/grub.cfg ]; then - grub-mkconfig -o /boot/grub/grub.cfg -fi -sync - -# Don't report the exitcode last command -exit 0 diff --git a/config/rootfiles/core/108/exclude b/config/rootfiles/core/108/ex= clude new file mode 100644 index 0000000..7ddeae0 --- /dev/null +++ b/config/rootfiles/core/108/exclude @@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/108/filelists/ddns b/config/rootfiles/core= /108/filelists/ddns new file mode 120000 index 0000000..7395164 --- /dev/null +++ b/config/rootfiles/core/108/filelists/ddns @@ -0,0 +1 @@ +../../../common/ddns \ No newline at end of file diff --git a/config/rootfiles/core/108/filelists/files b/config/rootfiles/cor= e/108/filelists/files new file mode 100644 index 0000000..6cce4ea --- /dev/null +++ b/config/rootfiles/core/108/filelists/files @@ -0,0 +1,7 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/unbound +etc/syslog.conf +etc/unbound/unbound.conf +srv/web/ipfire/cgi-bin/fwhosts.cgi +srv/web/ipfire/cgi-bin/logs.cgi/config.dat diff --git a/config/rootfiles/core/108/filelists/i586/strongswan-padlock b/co= nfig/rootfiles/core/108/filelists/i586/strongswan-padlock new file mode 120000 index 0000000..2412824 --- /dev/null +++ b/config/rootfiles/core/108/filelists/i586/strongswan-padlock @@ -0,0 +1 @@ +../../../../common/i586/strongswan-padlock \ No newline at end of file diff --git a/config/rootfiles/core/108/filelists/ntp b/config/rootfiles/core/= 108/filelists/ntp new file mode 120000 index 0000000..7542d86 --- /dev/null +++ b/config/rootfiles/core/108/filelists/ntp @@ -0,0 +1 @@ +../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/core/108/filelists/squid b/config/rootfiles/cor= e/108/filelists/squid new file mode 120000 index 0000000..2dc8372 --- /dev/null +++ b/config/rootfiles/core/108/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/108/filelists/strongswan b/config/rootfile= s/core/108/filelists/strongswan new file mode 120000 index 0000000..90c727e --- /dev/null +++ b/config/rootfiles/core/108/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/108/meta b/config/rootfiles/core/108/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/108/meta @@ -0,0 +1 @@ +DEPS=3D"" diff --git a/config/rootfiles/core/108/update.sh b/config/rootfiles/core/108/= update.sh new file mode 100644 index 0000000..7a4bcd3 --- /dev/null +++ b/config/rootfiles/core/108/update.sh @@ -0,0 +1,73 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2016 IPFire-Team . = # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=3D108 + +# Remove old core updates from pakfire cache to save space... +for (( i=3D1; i<=3D$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/ipsec stop +/etc/init.d/squid stop + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +#/usr/local/bin/update-lang-cache + +# Reload unbound upstream name servers +/etc/init.d/unbound update-forwarders + +# Start services +/etc/init.d/sysklogd restart +if grep -q "ENABLED=3Don" /var/ipfire/vpn/settings; then + /etc/init.d/ipsec start +fi +/etc/init.d/ntp restart +/etc/init.d/squid start + +# This update need a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/107/exclude b/config/rootfiles/oldcore/= 107/exclude new file mode 100644 index 0000000..1d8d74e --- /dev/null +++ b/config/rootfiles/oldcore/107/exclude @@ -0,0 +1,29 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/lib/unbound/root.key +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/oldcore/107/filelists/armv5tel/linux-kirkwood b= /config/rootfiles/oldcore/107/filelists/armv5tel/linux-kirkwood new file mode 120000 index 0000000..7217107 --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-kirkwood @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-kirkwood \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/armv5tel/linux-multi b/co= nfig/rootfiles/oldcore/107/filelists/armv5tel/linux-multi new file mode 120000 index 0000000..204eb4c --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/armv5tel/linux-rpi b/conf= ig/rootfiles/oldcore/107/filelists/armv5tel/linux-rpi new file mode 120000 index 0000000..a651a49 --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-rpi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-rpi \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/files b/config/rootfiles/= oldcore/107/filelists/files new file mode 100644 index 0000000..94704cf --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/files @@ -0,0 +1,8 @@ +etc/system-release +etc/issue +etc/unbound/unbound.conf +etc/rc.d/init.d/unbound +etc/rc.d/init.d/ntp +srv/web/ipfire/cgi-bin/logs.cgi/log.dat +srv/web/ipfire/cgi-bin/traffic.cgi +var/ipfire/langs diff --git a/config/rootfiles/oldcore/107/filelists/hdparm b/config/rootfiles= /oldcore/107/filelists/hdparm new file mode 120000 index 0000000..b644751 --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/hdparm @@ -0,0 +1 @@ +../../../common/hdparm \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/i586/linux b/config/rootf= iles/oldcore/107/filelists/i586/linux new file mode 120000 index 0000000..693ec4b --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/i586/linux @@ -0,0 +1 @@ +../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/libjpeg b/config/rootfile= s/oldcore/107/filelists/libjpeg new file mode 120000 index 0000000..3b1a782 --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/libjpeg @@ -0,0 +1 @@ +../../../common/libjpeg \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/libjpeg-compat b/config/r= ootfiles/oldcore/107/filelists/libjpeg-compat new file mode 120000 index 0000000..e6ff86d --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/libjpeg-compat @@ -0,0 +1 @@ +../../../common/libjpeg-compat \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/squid b/config/rootfiles/= oldcore/107/filelists/squid new file mode 120000 index 0000000..2dc8372 --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/filelists/x86_64/linux b/config/roo= tfiles/oldcore/107/filelists/x86_64/linux new file mode 120000 index 0000000..0615b5b --- /dev/null +++ b/config/rootfiles/oldcore/107/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/oldcore/107/meta b/config/rootfiles/oldcore/107= /meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/oldcore/107/meta @@ -0,0 +1 @@ +DEPS=3D"" diff --git a/config/rootfiles/oldcore/107/update.sh b/config/rootfiles/oldcor= e/107/update.sh new file mode 100644 index 0000000..276dae5 --- /dev/null +++ b/config/rootfiles/oldcore/107/update.sh @@ -0,0 +1,253 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2016 IPFire-Team . = # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +function find_device() { + local mountpoint=3D"${1}" + + local root + local dev mp fs flags rest + while read -r dev mp fs flags rest; do + # Skip unwanted entries + [ "${dev}" =3D "rootfs" ] && continue + + if [ "${mp}" =3D "${mountpoint}" ] && [ -b "${dev}" ]; then + root=3D"$(basename "${dev}")" + break + fi + done < /proc/mounts + + # Get the actual device from the partition that holds / + while [ -n "${root}" ]; do + if [ -e "/sys/block/${root}" ]; then + echo "${root}" + return 0 + fi + + # Remove last character + root=3D"${root::-1}" + done + + return 1 +} + + +core=3D107 + +function exit_with_error() { + # Set last succesfull installed core. + echo $(($core-1)) > /opt/pakfire/db/core/mine + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: $1" + exit $2 +} + +# Remove old core updates from pakfire cache to save space... +for (( i=3D1; i<=3D$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +# Do some sanity checks. +case $(uname -r) in + *-ipfire* ) + # Ok. + ;; + * ) + exit_with_error "ERROR cannot update. No IPFire Kernel." 1 + ;; +esac + + +# +# +KVER=3D"xxxKVERxxx" + +# Check diskspace on root +ROOTSPACE=3D`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + exit_with_error "ERROR cannot update because not enough free space on root.= " 2 + exit 2 +fi + +echo +echo Update Kernel to $KVER ... +# +# Remove old kernel, configs, initrd, modules, dtb's ... +# +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/initramfs-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-ipfire-* +rm -rf /boot/zImage-ipfire-* +rm -rf /boot/uInit-ipfire-* +rm -rf /boot/dtb-*-ipfire-* +rm -rf /lib/modules + +case "$(uname -m)" in + armv*) + # Backup uEnv.txt if exist + if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org + fi + + # work around the u-boot folder detection bug + mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood + mkdir -pv /boot/dtb-$KVER-ipfire-multi + touch /boot/uImage-ipfire-kirkwood + touch /boot/zImage-ipfire-multi + touch /boot/uIinit-ipfire-kirkwood + touch /boot/uIinit-ipfire-multi + ;; +esac + +# Stop services +/etc/init.d/collectd stop +/etc/init.d/snort stop +/etc/init.d/squid stop +/etc/init.d/ipsec stop +/etc/init.d/apache stop + +# Extract files +tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / + +# Remove some old files +rm -f /etc/unbound/interfaces.conf + +# update linker config +ldconfig + +# Check diskspace on boot +BOOTSPACE=3D`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $BOOTSPACE -lt 1000 ]; then + case $(uname -r) in + *-ipfire-kirkwood ) + # Special handling for old kirkwood images. + # (install only kirkwood kernel) + rm -rf /boot/* + # work around the u-boot folder detection bug + mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood + tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ + --numeric-owner -C / --wildcards 'boot/*-kirkwood*' + ;; + * ) + /etc/init.d/apache start + exit_with_error "FATAL-ERROR space run out on boot. System is not bootabl= e..." 4 + ;; + esac +fi + +# Update Language cache +/usr/local/bin/update-lang-cache + +# +# Start services +# +/etc/init.d/collectd start +/etc/init.d/apache start +/etc/init.d/squid start +/etc/init.d/snort start +if [ `grep "ENABLED=3Don" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi + +# Restart unbound to activate configuration changes +/etc/init.d/unbound restart + +# Delete old QoS enabled indicator +rm -f /var/ipfire/qos/enable + +# Upadate Kernel version uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=3D.*/KVER=3D${KVER}/g" /boot/uEnv.txt +fi + +# call user update script (needed for some arm boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + +case "$(uname -m)" in + i?86) + # Force (re)install pae kernel if pae is supported + rm -rf /opt/pakfire/db/installed/meta-linux-pae + if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" =3D=3D "" ]; then + ROOTSPACE=3D`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + BOOTSPACE=3D`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: WARNING not enough space for pae kernel." + else + echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae + echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae + echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae + fi + fi + ;; +esac +# +# After pakfire has ended run it again and update the lists and do upgrade +# +echo '#!/bin/bash' > /tmp/pak_update +echo 'while [ "$(ps -A | grep " update.sh")" !=3D "" ]; do' >> /tmp/pak_upda= te +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo 'while [ "$(ps -A | grep " pakfire")" !=3D "" ]; do' >> /tmp/pak_upda= te +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If y= ou use a customized grub/uboot config"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"= ' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "= ' >> /tmp/pak_update +echo 'touch /var/run/need_reboot ' >> /tmp/pak_update +# +killall -KILL pak_update +chmod +x /tmp/pak_update +/tmp/pak_update & + +sync + +# This update need a reboot... +touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8..c9b01b8 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -42,7 +42,6 @@ server: # Privacy Options hide-identity: yes hide-version: yes - qname-minimisation: yes minimal-responses: yes =20 # DNSSEC @@ -56,7 +55,6 @@ server: harden-short-bufsize: no harden-large-queries: yes harden-dnssec-stripped: yes - harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no use-caps-for-id: no diff --git a/doc/language_issues.de b/doc/language_issues.de index 101411e..48d7f6a 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature @@ -335,6 +336,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -361,6 +363,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/doc/language_issues.en b/doc/language_issues.en index 596cf71..0362802 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature @@ -361,6 +362,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -387,6 +389,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/doc/language_issues.es b/doc/language_issues.es index ad64380..60ba499 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -305,6 +305,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -331,6 +332,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz @@ -616,7 +618,6 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits -WARNING: untranslated string: Async logging enabled WARNING: untranslated string: ConnSched dial WARNING: untranslated string: ConnSched hangup WARNING: untranslated string: ConnSched reboot diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 28e80c9..863b529 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile @@ -302,6 +303,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -328,6 +330,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/doc/language_issues.it b/doc/language_issues.it index d221534..6efef40 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile @@ -353,6 +354,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -379,6 +381,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 1dfc968..c9b10dc 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile @@ -352,6 +353,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -378,6 +380,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/doc/language_issues.pl b/doc/language_issues.pl index ad64380..60ba499 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -305,6 +305,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -331,6 +332,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz @@ -616,7 +618,6 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits -WARNING: untranslated string: Async logging enabled WARNING: untranslated string: ConnSched dial WARNING: untranslated string: ConnSched hangup WARNING: untranslated string: ConnSched reboot diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 31855fa..255df2f 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile @@ -297,6 +298,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -323,6 +325,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 6629cd6..8cf2dfe 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1,3 +1,4 @@ +WARNING: translation string unused: Async logging enabled WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature @@ -361,6 +362,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled +WARNING: translation string unused: log var messages WARNING: translation string unused: log viewer WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking @@ -387,6 +389,7 @@ WARNING: translation string unused: mbmon fan in WARNING: translation string unused: mbmon graphs WARNING: translation string unused: mbmon temp in WARNING: translation string unused: mbmon value +WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 35afad3..1b0fe07 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -624,9 +624,9 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') } #check if host/net exists in grp =09 - my $test=3D"$grp,$fwhostsettings{'oldremark'},@target"; + my $test=3D"$grp,$fwhostsettings{'oldremark'},@target,$type"; foreach my $key (keys %customgrp) { - my $test1=3D"$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]"; + my $test1=3D"$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2],= $customgrp{$key}[3]"; if ($test1 eq $test){ $errormessage=3D$Lang::tr{'fwhost err isingrp'}; $fwhostsettings{'update'} =3D 'on'; diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.= dat index 1f97a17..789341d 100644 --- a/html/cgi-bin/logs.cgi/config.dat +++ b/html/cgi-bin/logs.cgi/config.dat @@ -32,9 +32,7 @@ $logsettings{'LOGWATCH_LEVEL'} =3D 'Low'; $logsettings{'LOGWATCH_KEEP'} =3D '56'; my @VS =3D ('15','50','100','150','250','500'); $logsettings{'ENABLE_REMOTELOG'} =3D 'off'; -$logsettings{'ENABLE_ASYNCLOG'} =3D 'off'; $logsettings{'REMOTELOG_ADDR'} =3D ''; -$logsettings{'VARMESSAGES'} =3D 'cron.none;daemon.*;local0.*;local2.*;*.info= ;mail.none;authpriv.*'; $logsettings{'ACTION'} =3D ''; &Header::getcgihash(\%logsettings); =20 @@ -67,10 +65,6 @@ if ($logsettings{'ACTION'} eq $Lang::tr{'save'}) =20 &General::readhash("${General::swroot}/logging/settings", \%logsettings); =20 -$checked{'ENABLE_ASYNCLOG'}{'off'} =3D ''; -$checked{'ENABLE_ASYNCLOG'}{'on'} =3D ''; -$checked{'ENABLE_ASYNCLOG'}{$logsettings{'ENABLE_ASYNCLOG'}} =3D "checked=3D= 'checked'"; - $checked{'ENABLE_REMOTELOG'}{'off'} =3D ''; $checked{'ENABLE_REMOTELOG'}{'on'} =3D ''; $checked{'ENABLE_REMOTELOG'}{$logsettings{'ENABLE_REMOTELOG'}} =3D "checked= =3D'checked'"; @@ -151,20 +145,6 @@ END ; &Header::closebox(); =20 -&Header::openbox('100%', 'left', $Lang::tr{'messages logging'}); -print < - - $Lang::tr{'Async logging enabled= '} - - - $Lang::tr{'log var messages'} - - -END -; -&Header::closebox(); - print < diff --git a/lfs/ddns b/lfs/ddns index 422f8e3..3d7efa5 100644 --- a/lfs/ddns +++ b/lfs/ddns @@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) =20 + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ddns-0001-New-provide= r-Schokokeks.org.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ddns-0002-Schokokeks.= org-Fix-malformed-update-URL.patch + cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh cd $(DIR_APP) && ./configure \ --prefix=3D/usr \ diff --git a/lfs/nano b/lfs/nano index 5dcf484..fbe88bd 100644 --- a/lfs/nano +++ b/lfs/nano @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.6.3 +VER =3D 2.7.1 =20 THISAPP =3D nano-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D nano -PAK_VER =3D 11 +PAK_VER =3D 12 =20 DEPS =3D "" =20 @@ -44,7 +44,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 1213c7f17916e65afefc95054c1f90f9 +$(DL_FILE)_MD5 =3D 6d6aea789dd15171d8d05d2359c52f23 =20 install : $(TARGET) =20 diff --git a/lfs/ntp b/lfs/ntp index 536a4a8..572bb88 100644 --- a/lfs/ntp +++ b/lfs/ntp @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2016 Michael Tremer & Christian Schmidt = # +# Copyright (C) 2007-2016 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 4.2.8p8 +VER =3D 4.2.8p9 =20 THISAPP =3D ntp-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 4a8636260435b230636f053ffd070e34 +$(DL_FILE)_MD5 =3D 857452b05f5f2e033786f77ade1974ed =20 install : $(TARGET) =20 diff --git a/lfs/squid b/lfs/squid index 269c663..70d90d8 100644 --- a/lfs/squid +++ b/lfs/squid @@ -70,6 +70,30 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14099= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14100= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14101= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14102= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14103= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14104= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14105= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14106= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14107= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14108= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14109= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14110= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14111= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14112= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14113= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14114= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14115= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14116= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14117= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14118= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14119= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14120= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14121= .patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14122= .patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.22-fix-max-= file-descriptors.patch =20 cd $(DIR_APP) && autoreconf -vfi diff --git a/lfs/strongswan b/lfs/strongswan index 17c1a01..9e8f155 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 5.5.0 +VER =3D 5.5.1 =20 THISAPP =3D strongswan-$(VER) DL_FILE =3D $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D a96fa7eb6c62b40143dadb064b6bd586 +$(DL_FILE)_MD5 =3D 4eba9474f7dc6c8c8d7037261358e68d =20 install : $(TARGET) =20 diff --git a/lfs/tor b/lfs/tor index a00ff25..5f39d78 100644 --- a/lfs/tor +++ b/lfs/tor @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 0.2.7.6 +VER =3D 0.2.8.10 =20 THISAPP =3D tor-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D tor -PAK_VER =3D 17 +PAK_VER =3D 18 =20 DEPS =3D "" =20 @@ -44,7 +44,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D cc19107b57136a68e8c563bf2d35b072 +$(DL_FILE)_MD5 =3D f5762c9eeb7bc68a6405cd5d6a53b5d7 =20 install : $(TARGET) =20 diff --git a/make.sh b/make.sh index 4b7beb8..390c719 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME=3D"IPFire" # Software name SNAME=3D"ipfire" # Short name VERSION=3D"2.19" # Version number -CORE=3D"107" # Core Level (Filename) -PAKFIRE_CORE=3D"107" # Core Level (PAKFIRE) +CORE=3D"108" # Core Level (Filename) +PAKFIRE_CORE=3D"108" # Core Level (PAKFIRE) GIT_BRANCH=3D`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN=3D"www.ipfire.org" # Software slogan CONFIG_ROOT=3D/var/ipfire # Configuration rootdir diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 01a560d..6c7be6c 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -259,9 +259,6 @@ test_name_server() { # Exit when the server is not reachable ns_is_online ${ns} || return 1 =20 - # Return 0 if validating - ns_is_validating ${ns} && return 0 - local errors for rr in DNSKEY DS RRSIG; do if ! ns_forwards_${rr} ${ns}; then @@ -274,8 +271,13 @@ test_name_server() { return 3 fi =20 - # Is DNSSEC-aware - return 2 + if ns_is_validating ${ns}; then + # Return 0 if validating + return 0 + else + # Is DNSSEC-aware + return 2 + fi } =20 # Sends an A query to the nameserver w/o DNSSEC @@ -366,6 +368,11 @@ case "$1" in ;; =20 update-forwarders) + # Do not try updating forwarders when unbound is not running + if ! pgrep unbound &>/dev/null; then + exit 0 + fi + update_forwarders ;; =20 diff --git a/src/misc-progs/syslogdctrl.c b/src/misc-progs/syslogdctrl.c index 8111c84..5271902 100644 --- a/src/misc-progs/syslogdctrl.c +++ b/src/misc-progs/syslogdctrl.c @@ -67,19 +67,6 @@ int main(void) exit(ERR_SETTINGS); } =20 - if (!findkey(kv, "ENABLE_ASYNCLOG", asynclog)) - { - fprintf(stderr, "Cannot read ENABLE_ASYNCLOG\n"); - exit(ERR_SETTINGS); - } - - =20 - if (!findkey(kv, "VARMESSAGES", varmessages)) - { - fprintf(stderr, "Cannot read VARMESSAGES\n"); - exit(ERR_SETTINGS); - } - if (strspn(hostname, VALID_FQDN) !=3D strlen(hostname)) { fprintf(stderr, "Bad REMOTELOG_ADDR: %s\n", hostname); @@ -133,16 +120,6 @@ int main(void) } close(config_fd); =20 - /* Replace the logging option*/ - safe_system("grep -v '/var/log/messages' < /etc/syslog.conf.new > /etc/= syslog.conf.tmp && mv /etc/syslog.conf.tmp /etc/syslog.conf.new"); - =20 - if (!strcmp(asynclog,"on")) - snprintf(command, STRING_SIZE - 1, "printf '%s -/var/log/messages' = >> /etc/syslog.conf.new", varmessages ); - else - snprintf(command, STRING_SIZE - 1, "printf '%s /var/log/messages' >= > /etc/syslog.conf.new", varmessages ); - - safe_system(command); - if (rename("/etc/syslog.conf.new", "/etc/syslog.conf") =3D=3D -1) { perror("Unable to replace old config file"); diff --git a/src/patches/ddns-0001-New-provider-Schokokeks.org.patch b/src/pa= tches/ddns-0001-New-provider-Schokokeks.org.patch new file mode 100644 index 0000000..be123a5 --- /dev/null +++ b/src/patches/ddns-0001-New-provider-Schokokeks.org.patch @@ -0,0 +1,47 @@ +From 521c9d90f4e879ef3d9e1590f29e27990011ae46 Mon Sep 17 00:00:00 2001 +From: Steffen Peters +Date: Mon, 4 Jul 2016 22:14:10 +0200 +Subject: [PATCH 185/185] New provider: Schokokeks.org + +Signed-off-by: Steffen Peters +Signed-off-by: Stefan Schantl +--- + README | 1 + + src/ddns/providers.py | 12 ++++++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/README b/README +index d8027a4..cedbf21 100644 +--- a/README ++++ b/README +@@ -75,6 +75,7 @@ SUPPORTED PROVIDERS: + opendns.com + ovh.com + regfish.com ++ schokokeks.org + selfhost.de + spdns.org + strato.com +diff --git a/src/ddns/providers.py b/src/ddns/providers.py +index 6b25cb6..c482dad 100644 +--- a/src/ddns/providers.py ++++ b/src/ddns/providers.py +@@ -1687,3 +1687,15 @@ class DDNSProviderZZZZ(DDNSProvider): +=20 + # If we got here, some other update error happened. + raise DDNSUpdateError ++ ++class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider): ++ handle =3D "schokokeks.org" ++ name =3D "Schokokeks" ++ website =3D "http://www.schokokeks.org/" ++ protocols =3D ("ipv4",) ++ ++ # Information about the format of the request is to be found ++ # https://wiki.schokokeks.org/DynDNS ++ ++ url =3D "https://dyndns.schokokeks.org/nic/update?myip=3D" ++ +--=20 +2.7.4 + diff --git a/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.pa= tch b/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch new file mode 100644 index 0000000..e00dcf6 --- /dev/null +++ b/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch @@ -0,0 +1,55 @@ +From f77e6bc92825d65e881d5dc7fc443139278c0d5f Mon Sep 17 00:00:00 2001 +From: Stefan Schantl +Date: Fri, 28 Oct 2016 12:35:20 +0200 +Subject: [PATCH 3/3] Schockokeks.org: Fix malformed update URL. + +* Move Provider Class into correct alphabetical order. + +Signed-off-by: Stefan Schantl +Reviewed-by: Michael Tremer +Signed-off-by: Stefan Schantl +--- + src/ddns/providers.py | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/src/ddns/providers.py b/src/ddns/providers.py +index c482dad..2c30d42 100644 +--- a/src/ddns/providers.py ++++ b/src/ddns/providers.py +@@ -1424,6 +1424,17 @@ class DDNSProviderRegfish(DDNSProvider): + raise DDNSUpdateError +=20 +=20 ++class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider): ++ handle =3D "schokokeks.org" ++ name =3D "Schokokeks" ++ website =3D "http://www.schokokeks.org/" ++ protocols =3D ("ipv4",) ++ ++ # Information about the format of the request is to be found ++ # https://wiki.schokokeks.org/DynDNS ++ url =3D "https://dyndns.schokokeks.org/nic/update" ++ ++ + class DDNSProviderSelfhost(DDNSProtocolDynDNS2, DDNSProvider): + handle =3D "selfhost.de" + name =3D "Selfhost.de" +@@ -1687,15 +1698,3 @@ class DDNSProviderZZZZ(DDNSProvider): +=20 + # If we got here, some other update error happened. + raise DDNSUpdateError +- +-class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider): +- handle =3D "schokokeks.org" +- name =3D "Schokokeks" +- website =3D "http://www.schokokeks.org/" +- protocols =3D ("ipv4",) +- +- # Information about the format of the request is to be found +- # https://wiki.schokokeks.org/DynDNS +- +- url =3D "https://dyndns.schokokeks.org/nic/update?myip=3D" +- +--=20 +2.7.4 + diff --git a/src/patches/squid/squid-3.5-14099.patch b/src/patches/squid/squi= d-3.5-14099.patch new file mode 100644 index 0000000..0e10eff --- /dev/null +++ b/src/patches/squid/squid-3.5-14099.patch @@ -0,0 +1,65 @@ +------------------------------------------------------------ +revno: 14099 +revision-id: squid3(a)treenet.co.nz-20161015042024-jagzafukd2t6gcr0 +parent: squid3(a)treenet.co.nz-20161009195739-pcju9hl8vqwijt26 +author: Alex Rousskov +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sat 2016-10-15 17:20:24 +1300 +message: + Fix build with eCAP but without ICAP support. + =20 + That is, when ./configured with --enable-ecap --disable-icap-client. + =20 + AccessLogEntry::icap requires ICAP_CLIENT, not just USE_ADAPTATION. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161015042024-jagzafukd2t6gcr0 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 4cd2e7bf4e2be0acd252963afc107537b17450fc +# timestamp: 2016-10-15 04:52:07 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161009195739-\ +# pcju9hl8vqwijt26 +#=20 +# Begin patch +=3D=3D=3D modified file 'src/format/Format.cc' +--- src/format/Format.cc 2016-09-16 11:53:28 +0000 ++++ src/format/Format.cc 2016-10-15 04:20:24 +0000 +@@ -318,7 +318,7 @@ + actualReplyHeader(const AccessLogEntry::Pointer &al) + { + const HttpMsg *msg =3D al->reply; +-#if USE_ADAPTATION ++#if ICAP_CLIENT + // al->icap.reqMethod is methodNone in access.log context + if (!msg && al->icap.reqMethod =3D=3D Adaptation::methodReqmod) + msg =3D al->adapted_request; +@@ -331,7 +331,7 @@ + static const HttpMsg * + actualRequestHeader(const AccessLogEntry::Pointer &al) + { +-#if USE_ADAPTATION ++#if ICAP_CLIENT + // al->icap.reqMethod is methodNone in access.log context + if (al->icap.reqMethod =3D=3D Adaptation::methodRespmod) { + // XXX: for now AccessLogEntry lacks virgin response headers +@@ -819,7 +819,7 @@ + break; +=20 + case LFT_REQUEST_ALL_HEADERS: +-#if USE_ADAPTATION ++#if ICAP_CLIENT + if (al->icap.reqMethod =3D=3D Adaptation::methodRespmod) { + // XXX: since AccessLogEntry::Headers lacks virgin response + // headers, do nothing for now +@@ -843,7 +843,7 @@ +=20 + case LFT_REPLY_ALL_HEADERS: + out =3D al->headers.reply; +-#if USE_ADAPTATION ++#if ICAP_CLIENT + if (!out && al->icap.reqMethod =3D=3D Adaptation::methodReqmod) + out =3D al->headers.adapted_request; + #endif + diff --git a/src/patches/squid/squid-3.5-14100.patch b/src/patches/squid/squi= d-3.5-14100.patch new file mode 100644 index 0000000..7e5335a --- /dev/null +++ b/src/patches/squid/squid-3.5-14100.patch @@ -0,0 +1,39 @@ +------------------------------------------------------------ +revno: 14100 +revision-id: squid3(a)treenet.co.nz-20161025081949-3sxzd0n4snmadlke +parent: squid3(a)treenet.co.nz-20161015042024-jagzafukd2t6gcr0 +author: Christos Tsantilas +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Tue 2016-10-25 21:19:49 +1300 +message: + Fix regression bug introduced by r14089. + =20 + Squid crashed because HttpMsg::body_pipe was used without check that it + was initialized. The message lacks body pipe when it has no body or + empty body. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161025081949-3sxzd0n4snmadlke +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50468130801fc3ebf75129c103bcfe4be9b6d4b7 +# timestamp: 2016-10-25 08:28:30 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161015042024-\ +# jagzafukd2t6gcr0 +#=20 +# Begin patch +=3D=3D=3D modified file 'src/adaptation/icap/ModXact.cc' +--- src/adaptation/icap/ModXact.cc 2016-09-16 18:50:04 +0000 ++++ src/adaptation/icap/ModXact.cc 2016-10-25 08:19:49 +0000 +@@ -1303,7 +1303,8 @@ + virgin_msg =3D virgin_request_; + assert(virgin_msg !=3D virgin.cause); + al.http.clientRequestSz.header =3D virgin_msg->hdr_sz; +- al.http.clientRequestSz.payloadData =3D virgin_msg->body_pipe->produced= Size(); ++ if (virgin_msg->body_pipe !=3D NULL) ++ al.http.clientRequestSz.payloadData =3D virgin_msg->body_pipe->prod= ucedSize(); +=20 + // leave al.icap.bodyBytesRead negative if no body + if (replyHttpHeaderSize >=3D 0 || replyHttpBodySize >=3D 0) { + diff --git a/src/patches/squid/squid-3.5-14101.patch b/src/patches/squid/squi= d-3.5-14101.patch new file mode 100644 index 0000000..92ff4d4 --- /dev/null +++ b/src/patches/squid/squid-3.5-14101.patch @@ -0,0 +1,59 @@ +------------------------------------------------------------ +revno: 14101 +revision-id: squid3(a)treenet.co.nz-20161025082349-4gds2nic8qcahkem +parent: squid3(a)treenet.co.nz-20161025081949-3sxzd0n4snmadlke +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Tue 2016-10-25 21:23:49 +1300 +message: + Fix external_acl_type default children documentations + =20 + The max children has always been 5, not 20. + =20 + Also, make mgr:config report dumper actually hide only the real default + values. (sync with helper/ChildConfig.cc defaults) +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161025082349-4gds2nic8qcahkem +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 02234eff0589032ea31d911c20f792617eeb18a9 +# timestamp: 2016-10-25 08:28:32 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161025081949-\ +# 3sxzd0n4snmadlke +#=20 +# Begin patch +=3D=3D=3D modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-09-23 15:28:42 +0000 ++++ src/cf.data.pre 2016-10-25 08:23:49 +0000 +@@ -678,7 +678,7 @@ +=20 + children-max=3Dn + Maximum number of acl helper processes spawned to service +- external acl lookups of this type. (default 20) ++ external acl lookups of this type. (default 5) +=20 + children-startup=3Dn + Minimum number of acl helper processes to spawn during + +=3D=3D=3D modified file 'src/external_acl.cc' +--- src/external_acl.cc 2016-05-17 18:14:16 +0000 ++++ src/external_acl.cc 2016-10-25 08:23:49 +0000 +@@ -474,13 +474,13 @@ + if (node->children.n_max !=3D DEFAULT_EXTERNAL_ACL_CHILDREN) + storeAppendPrintf(sentry, " children-max=3D%d", node->children.= n_max); +=20 +- if (node->children.n_startup !=3D 1) ++ if (node->children.n_startup !=3D 0) // sync with helper/ChildConfi= g.cc default + storeAppendPrintf(sentry, " children-startup=3D%d", node->child= ren.n_startup); +=20 +- if (node->children.n_idle !=3D (node->children.n_max + node->childr= en.n_startup) ) ++ if (node->children.n_idle !=3D 1) // sync with helper/ChildConfig.c= c default + storeAppendPrintf(sentry, " children-idle=3D%d", node->children= .n_idle); +=20 +- if (node->children.concurrency) ++ if (node->children.concurrency !=3D 0) + storeAppendPrintf(sentry, " concurrency=3D%d", node->children.c= oncurrency); +=20 + if (node->cache) + diff --git a/src/patches/squid/squid-3.5-14102.patch b/src/patches/squid/squi= d-3.5-14102.patch new file mode 100644 index 0000000..f592531 --- /dev/null +++ b/src/patches/squid/squid-3.5-14102.patch @@ -0,0 +1,38 @@ +------------------------------------------------------------ +revno: 14102 +revision-id: squid3(a)treenet.co.nz-20161025082530-do632qnr9bwyk5et +parent: squid3(a)treenet.co.nz-20161025082349-4gds2nic8qcahkem +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4620 +author: Takahiro Kambe +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Tue 2016-10-25 21:25:30 +1300 +message: + Bug 4620: NetBSD build error with --enable-ipf-transparent + =20 + On NetBSD sys/param.h must be included before netinet/ip_compat.h +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161025082530-do632qnr9bwyk5et +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: eedfc8764a631aa008fd4aba589ca08ee161c3a5 +# timestamp: 2016-10-25 08:28:35 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161025082349-\ +# 4gds2nic8qcahkem +#=20 +# Begin patch +=3D=3D=3D modified file 'src/ip/Intercept.cc' +--- src/ip/Intercept.cc 2016-10-09 00:14:14 +0000 ++++ src/ip/Intercept.cc 2016-10-25 08:25:30 +0000 +@@ -25,6 +25,9 @@ + #define IPFILTER_VERSION 5000004 + #endif +=20 ++#if HAVE_SYS_PARAM_H ++#include ++#endif + #if HAVE_SYS_IOCCOM_H + #include + #endif + diff --git a/src/patches/squid/squid-3.5-14103.patch b/src/patches/squid/squi= d-3.5-14103.patch new file mode 100644 index 0000000..816aa91 --- /dev/null +++ b/src/patches/squid/squid-3.5-14103.patch @@ -0,0 +1,61 @@ +------------------------------------------------------------ +revno: 14103 +revision-id: squid3(a)treenet.co.nz-20161029232628-1y2u918re62uqs3v +parent: squid3(a)treenet.co.nz-20161025082530-do632qnr9bwyk5et +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4627 +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sun 2016-10-30 12:26:28 +1300 +message: + Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size d= ocs + =20 + For Squid-3 the fix is just to update the documentation. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161029232628-1y2u918re62uqs3v +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: ea728cefc977ea5489da01b7a742821121c29476 +# timestamp: 2016-10-29 23:51:13 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161025082530-\ +# do632qnr9bwyk5et +#=20 +# Begin patch +=3D=3D=3D modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-10-25 08:23:49 +0000 ++++ src/cf.data.pre 2016-10-29 23:26:28 +0000 +@@ -1787,13 +1787,12 @@ + certificate equals lifetime of the CA certificate. If + generated certificate is selfsigned lifetime is three=20 + years. +- This option is enabled by default when ssl-bump is used. +- See the ssl-bump option above for more information. ++ This option is disabled by default. See the ssl-bump ++ option above for more information. + =09 + dynamic_cert_mem_cache_size=3DSIZE + Approximate total RAM size spent on cached generated +- certificates. If set to zero, caching is disabled. The +- default value is 4MB. ++ certificates. If set to zero, caching is disabled. +=20 + TLS / SSL Options: +=20 +@@ -2063,13 +2062,12 @@ + certificate equals lifetime of CA certificate. If + generated certificate is selfsigned lifetime is three + years. +- This option is enabled by default when SslBump is used. +- See the sslBump option above for more information. ++ This option is disabled by default. See the ssl-bump ++ option above for more information. +=20 + dynamic_cert_mem_cache_size=3DSIZE + Approximate total RAM size spent on cached generated +- certificates. If set to zero, caching is disabled. The +- default value is 4MB. ++ certificates. If set to zero, caching is disabled. +=20 + See http_port for a list of available options. + DOC_END + diff --git a/src/patches/squid/squid-3.5-14104.patch b/src/patches/squid/squi= d-3.5-14104.patch new file mode 100644 index 0000000..c5d6ed0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14104.patch @@ -0,0 +1,66 @@ +------------------------------------------------------------ +revno: 14104 +revision-id: squid3(a)treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +parent: squid3(a)treenet.co.nz-20161029232628-1y2u918re62uqs3v +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:38:16 +1300 +message: + Copyright: add some missing blurbs and contributor details +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8d44709a8f9c34926ce569e58aef82603a3d514b +# timestamp: 2016-10-30 09:40:44 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161029232628-\ +# 1y2u918re62uqs3v +#=20 +# Begin patch +=3D=3D=3D modified file 'CONTRIBUTORS' +--- CONTRIBUTORS 2016-01-06 14:27:36 +0000 ++++ CONTRIBUTORS 2016-10-30 09:38:16 +0000 +@@ -211,6 +211,8 @@ + Joe Ramey + Joerg Lehrke + Johnathan Conley ++ John(a)MCC.ac.uk ++ John(a)Pharmweb.NET + John Dilley + John M Cooper + John Saunders + +=3D=3D=3D modified file 'contrib/url-normalizer.pl' +--- contrib/url-normalizer.pl 1996-12-07 00:54:31 +0000 ++++ contrib/url-normalizer.pl 2016-10-30 09:38:16 +0000 +@@ -1,4 +1,11 @@ + #!/usr/local/bin/perl -Tw ++# ++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors ++# * ++# * Squid software is distributed under GPLv2+ license and includes ++# * contributions from numerous individuals and organizations. ++# * Please see the COPYING and CONTRIBUTORS files for details. ++# +=20 + # From: Markus Gyger + # + +=3D=3D=3D modified file 'contrib/user-agents.pl' +--- contrib/user-agents.pl 1996-12-07 00:28:56 +0000 ++++ contrib/user-agents.pl 2016-10-30 09:38:16 +0000 +@@ -1,5 +1,13 @@ + #!/usr/bin/perl + # ++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors ++# * ++# * Squid software is distributed under GPLv2+ license and includes ++# * contributions from numerous individuals and organizations. ++# * Please see the COPYING and CONTRIBUTORS files for details. ++# ++ ++# + # John(a)MCC.ac.uk + # John(a)Pharmweb.NET +=20 diff --git a/src/patches/squid/squid-3.5-14105.patch b/src/patches/squid/squi= d-3.5-14105.patch new file mode 100644 index 0000000..d73dcea --- /dev/null +++ b/src/patches/squid/squid-3.5-14105.patch @@ -0,0 +1,48 @@ +------------------------------------------------------------ +revno: 14105 +revision-id: squid3(a)treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +parent: squid3(a)treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4567 +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:39:20 +1300 +message: + Bug 4567: Strange IPv6 shown in access.log +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8dbae4e7fc5fb80afc6eee6800743abd1b1eaa47 +# timestamp: 2016-10-30 09:40:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161030093816-\ +# 7vwnk5zrrql2p5ks +#=20 +# Begin patch +=3D=3D=3D modified file 'src/AccessLogEntry.cc' +--- src/AccessLogEntry.cc 2016-01-01 00:14:27 +0000 ++++ src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000 +@@ -30,14 +30,17 @@ + log_ip =3D request->indirect_client_addr; + else + #endif +- if (tcpClient !=3D NULL) ++ if (tcpClient) + log_ip =3D tcpClient->remote; +- else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client +- strncpy(buf, "-", bufsz); +- return; +- } else ++ else + log_ip =3D cache.caddr; +=20 ++ // internally generated requests (and some ICAP) lack client IP ++ if (log_ip.isNoAddr()) { ++ strncpy(buf, "-", bufsz); ++ return; ++ } ++ + // Apply so-called 'privacy masking' to IPv4 clients + // - localhost IP is always shown in full + // - IPv4 clients masked with client_netmask + diff --git a/src/patches/squid/squid-3.5-14106.patch b/src/patches/squid/squi= d-3.5-14106.patch new file mode 100644 index 0000000..cd3f63f --- /dev/null +++ b/src/patches/squid/squid-3.5-14106.patch @@ -0,0 +1,34 @@ +------------------------------------------------------------ +revno: 14106 +revision-id: squid3(a)treenet.co.nz-20161030094025-l4b8fdahoru8h16d +parent: squid3(a)treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +author: Garri Djavadyan +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:40:25 +1300 +message: + Fix debug message in ACLChecklist::bannedAction() +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161030094025-l4b8fdahoru8h16d +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 4fd7942b294096f5c27e3d460b6d4c79580443e1 +# timestamp: 2016-10-30 09:40:49 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161030093920-\ +# 5f7f2px9ea08rxlq +#=20 +# Begin patch +=3D=3D=3D modified file 'src/acl/Checklist.cc' +--- src/acl/Checklist.cc 2016-01-01 00:14:27 +0000 ++++ src/acl/Checklist.cc 2016-10-30 09:40:25 +0000 +@@ -397,7 +397,7 @@ + ACLChecklist::bannedAction(const allow_t &action) const + { + const bool found =3D std::find(bannedActions_.begin(), bannedActions_.e= nd(), action) !=3D bannedActions_.end(); +- debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " = is " : "is not") << " banned"); ++ debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "'= is " : "' is not") << " banned"); + return found; + } +=20 + diff --git a/src/patches/squid/squid-3.5-14107.patch b/src/patches/squid/squi= d-3.5-14107.patch new file mode 100644 index 0000000..34b0ace --- /dev/null +++ b/src/patches/squid/squid-3.5-14107.patch @@ -0,0 +1,56 @@ +------------------------------------------------------------ +revno: 14107 +revision-id: squid3(a)treenet.co.nz-20161030094503-rwdft21ffff44rns +parent: squid3(a)treenet.co.nz-20161030094025-l4b8fdahoru8h16d +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:45:03 +1300 +message: + HTTP/1.1: make Vary:* objects cacheable + =20 + Under new clauses from RFC 7231 section 7.1.4 and HTTP response + containing header Vary:* (wifcard variant) can be cached, but + requires revalidation with server before each use. + =20 + Use the new mandatory revalidation flags to allow storing of any + wildcard Vary:* response. + =20 + Note that responses with headers like Vary:A,B,C,* are equivalent + to Vary:*. The cache key string for these objects is normalized. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161030094503-rwdft21ffff44rns +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 2652a5a689745e31fc450e0dfd1c5c472f6d68d6 +# timestamp: 2016-10-30 09:45:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161030094025-\ +# l4b8fdahoru8h16d +#=20 +# Begin patch +=3D=3D=3D modified file 'src/http.cc' +--- src/http.cc 2016-10-09 19:47:26 +0000 ++++ src/http.cc 2016-10-30 09:45:03 +0000 +@@ -594,7 +594,7 @@ + while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { + SBuf name(item, ilen); + if (name =3D=3D asterisk) { +- vstr.clear(); ++ vstr =3D asterisk; + break; + } + name.toLower(); +@@ -917,6 +917,12 @@ + varyFailure =3D true; + } else { + entry->mem_obj->vary_headers =3D vary; ++ ++ // RFC 7231 section 7.1.4 ++ // Vary:* can be cached, but has mandatory revalidation ++ static const SBuf asterisk("*"); ++ if (vary =3D=3D asterisk) ++ EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS); + } + } +=20 + diff --git a/src/patches/squid/squid-3.5-14108.patch b/src/patches/squid/squi= d-3.5-14108.patch new file mode 100644 index 0000000..282fe41 --- /dev/null +++ b/src/patches/squid/squid-3.5-14108.patch @@ -0,0 +1,33 @@ +------------------------------------------------------------ +revno: 14108 +revision-id: squid3(a)treenet.co.nz-20161101112231-k77st4up2sekl5zx +parent: squid3(a)treenet.co.nz-20161030094503-rwdft21ffff44rns +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Wed 2016-11-02 00:22:31 +1300 +message: + Fix build issue after rev.14105 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161101112231-k77st4up2sekl5zx +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fea1ede525ccb3ad7bf50e8de8f125a86a8dc016 +# timestamp: 2016-11-01 11:51:06 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161030094503-\ +# rwdft21ffff44rns +#=20 +# Begin patch +=3D=3D=3D modified file 'src/AccessLogEntry.cc' +--- src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000 ++++ src/AccessLogEntry.cc 2016-11-01 11:22:31 +0000 +@@ -30,7 +30,7 @@ + log_ip =3D request->indirect_client_addr; + else + #endif +- if (tcpClient) ++ if (tcpClient !=3D NULL) + log_ip =3D tcpClient->remote; + else + log_ip =3D cache.caddr; + diff --git a/src/patches/squid/squid-3.5-14109.patch b/src/patches/squid/squi= d-3.5-14109.patch new file mode 100644 index 0000000..82b7dd2 --- /dev/null +++ b/src/patches/squid/squid-3.5-14109.patch @@ -0,0 +1,167 @@ +------------------------------------------------------------ +revno: 14109 +revision-id: squid3(a)treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +parent: squid3(a)treenet.co.nz-20161101112231-k77st4up2sekl5zx +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D3379 +author: Garri Djavadyan , Amos Jeffries +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Fri 2016-11-11 19:03:25 +1300 +message: + Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection= Failure +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736 +# timestamp: 2016-11-11 06:10:37 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161101112231-\ +# k77st4up2sekl5zx +#=20 +# Begin patch +=3D=3D=3D modified file 'src/client_side_reply.cc' +--- src/client_side_reply.cc 2016-10-09 19:47:26 +0000 ++++ src/client_side_reply.cc 2016-11-11 06:03:25 +0000 +@@ -589,6 +589,7 @@ + debugs(88, 5, "negative-HIT"); + http->logType =3D LOG_TCP_NEGATIVE_HIT; + sendMoreData(result); ++ return; + } else if (blockedHit()) { + debugs(88, 5, "send_hit forces a MISS"); + http->logType =3D LOG_TCP_MISS; +@@ -641,27 +642,29 @@ + http->logType =3D LOG_TCP_MISS; + processMiss(); + } ++ return; + } else if (r->conditional()) { + debugs(88, 5, "conditional HIT"); +- processConditional(result); +- } else { +- /* +- * plain ol' cache hit +- */ +- debugs(88, 5, "plain old HIT"); ++ if (processConditional(result)) ++ return; ++ } ++ ++ /* ++ * plain ol' cache hit ++ */ ++ debugs(88, 5, "plain old HIT"); +=20 + #if USE_DELAY_POOLS +- if (e->store_status !=3D STORE_OK) +- http->logType =3D LOG_TCP_MISS; +- else ++ if (e->store_status !=3D STORE_OK) ++ http->logType =3D LOG_TCP_MISS; ++ else + #endif +- if (e->mem_status =3D=3D IN_MEMORY) +- http->logType =3D LOG_TCP_MEM_HIT; +- else if (Config.onoff.offline) +- http->logType =3D LOG_TCP_OFFLINE_HIT; ++ if (e->mem_status =3D=3D IN_MEMORY) ++ http->logType =3D LOG_TCP_MEM_HIT; ++ else if (Config.onoff.offline) ++ http->logType =3D LOG_TCP_OFFLINE_HIT; +=20 +- sendMoreData(result); +- } ++ sendMoreData(result); + } +=20 + /** +@@ -755,17 +758,16 @@ + } +=20 + /// process conditional request from client +-void ++bool + clientReplyContext::processConditional(StoreIOBuffer &result) + { + StoreEntry *const e =3D http->storeEntry(); +=20 + if (e->getReply()->sline.status() !=3D Http::scOkay) { +- debugs(88, 4, "clientReplyContext::processConditional: Reply code "= << +- e->getReply()->sline.status() << " !=3D 200"); ++ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != =3D 200"); + http->logType =3D LOG_TCP_MISS; + processMiss(); +- return; ++ return true; + } +=20 + HttpRequest &r =3D *http->request; +@@ -773,7 +775,7 @@ + if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) { + // RFC 2616: reply with 412 Precondition Failed if If-Match did not= match + sendPreconditionFailedError(); +- return; ++ return true; + } +=20 + bool matchedIfNoneMatch =3D false; +@@ -786,14 +788,14 @@ + r.header.delById(HDR_IF_MODIFIED_SINCE); + http->logType =3D LOG_TCP_MISS; + sendMoreData(result); +- return; ++ return true; + } +=20 + if (!r.flags.ims) { + // RFC 2616: if If-None-Match matched and there is no IMS, + // reply with 304 Not Modified or 412 Precondition Failed + sendNotModifiedOrPreconditionFailedError(); +- return; ++ return true; + } +=20 + // otherwise check IMS below to decide if we reply with 304 or 412 +@@ -805,19 +807,20 @@ + if (e->modifiedSince(r.ims, r.imslen)) { + http->logType =3D LOG_TCP_IMS_HIT; + sendMoreData(result); +- return; +- } +=20 +- if (matchedIfNoneMatch) { ++ } else if (matchedIfNoneMatch) { + // If-None-Match matched, reply with 304 Not Modified or + // 412 Precondition Failed + sendNotModifiedOrPreconditionFailedError(); +- return; ++ ++ } else { ++ // otherwise reply with 304 Not Modified ++ sendNotModified(); + } +- +- // otherwise reply with 304 Not Modified +- sendNotModified(); ++ return true; + } ++ ++ return false; + } +=20 + /// whether squid.conf send_hit prevents us from serving this hit + +=3D=3D=3D modified file 'src/client_side_reply.h' +--- src/client_side_reply.h 2016-09-23 15:28:42 +0000 ++++ src/client_side_reply.h 2016-11-11 06:03:25 +0000 +@@ -114,7 +114,7 @@ + bool alwaysAllowResponse(Http::StatusCode sline) const; + int checkTransferDone(); + void processOnlyIfCachedMiss(); +- void processConditional(StoreIOBuffer &result); ++ bool processConditional(StoreIOBuffer &result); + void cacheHit(StoreIOBuffer result); + void handleIMSReply(StoreIOBuffer result); + void sendMoreData(StoreIOBuffer result); + diff --git a/src/patches/squid/squid-3.5-14110.patch b/src/patches/squid/squi= d-3.5-14110.patch new file mode 100644 index 0000000..0d0a9db --- /dev/null +++ b/src/patches/squid/squid-3.5-14110.patch @@ -0,0 +1,102 @@ +------------------------------------------------------------ +revno: 14110 +revision-id: squid3(a)treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +parent: squid3(a)treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +author: Christos Tsantilas +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Mon 2016-11-14 23:51:24 +1300 +message: + Fix ssl::server_name ACL badly broken since inception. + =20 + The original server_name code mishandled all SNI checks and some rare + host checks: + =20 + * The SNI-derived value was pointing to an already freed memory storage. + * Missing host-derived values were not detected (host() is never nil). + * Mismatches were re-checked with an undocumented "none" value + instead of being treated as mismatches. + =20 + Same for ssl::server_name_regex. + =20 + Also set SNI for more server-first and client-first transactions. + =20 + This is a Measurement Factory project. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb +# timestamp: 2016-11-14 10:56:00 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161111060325-\ +# yh8chavvnzuvfh3h +#=20 +# Begin patch +=3D=3D=3D modified file 'src/acl/ServerName.cc' +--- src/acl/ServerName.cc 2016-09-08 12:27:06 +0000 ++++ src/acl/ServerName.cc 2016-11-14 10:51:24 +0000 +@@ -90,27 +90,28 @@ + { + assert(checklist !=3D NULL && checklist->request !=3D NULL); +=20 +- if (checklist->conn() && checklist->conn()->serverBump()) { +- if (X509 *peer_cert =3D checklist->conn()->serverBump()->serverCert= .get()) { +- if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_ce= rt_domain)) +- return 1; +- } +- } +- + const char *serverName =3D NULL; +- if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty())= { +- SBuf scn =3D checklist->conn()->sslCommonName(); +- serverName =3D scn.c_str(); +- } +- +- if (serverName =3D=3D NULL) +- serverName =3D checklist->request->GetHost(); +- +- if (serverName && data->match(serverName)) { +- return 1; +- } +- +- return data->match("none"); ++ SBuf serverNameKeeper; // because c_str() is not constant ++ if (ConnStateData *conn =3D checklist->conn()) { ++ if (conn->serverBump()) { ++ if (X509 *peer_cert =3D conn->serverBump()->serverCert.get()) ++ return Ssl::matchX509CommonNames(peer_cert, (void *)data, c= heck_cert_domain); ++ } ++ ++ if (conn->sslCommonName().isEmpty()) { ++ const char *host =3D checklist->request->GetHost(); ++ if (host && *host) // paranoid first condition: host() is never= nil ++ serverName =3D host; ++ } else { ++ serverNameKeeper =3D conn->sslCommonName(); ++ serverName =3D serverNameKeeper.c_str(); ++ } ++ } ++ ++ if (!serverName) ++ serverName =3D "none"; ++ ++ return data->match(serverName); + } +=20 + ACLServerNameStrategy * + +=3D=3D=3D modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-10-29 23:26:28 +0000 ++++ src/cf.data.pre 2016-11-14 10:51:24 +0000 +@@ -1167,6 +1167,9 @@ + # During each Ssl-Bump step, Squid may improve its understanding of a + # "true server name". Unlike dstdomain, this ACL does not perform + # DNS lookups. ++ # The "none" name can be used to match transactions where Squid ++ # could not compute the server name using any information source ++ # already available at the ACL evaluation time. +=20 + acl aclname ssl::server_name_regex [-i] \.foo\.com ... + # regex matches server name obtained from various sources [fast] + diff --git a/src/patches/squid/squid-3.5-14111.patch b/src/patches/squid/squi= d-3.5-14111.patch new file mode 100644 index 0000000..984069b --- /dev/null +++ b/src/patches/squid/squid-3.5-14111.patch @@ -0,0 +1,43 @@ +------------------------------------------------------------ +revno: 14111 +revision-id: squid3(a)treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +parent: squid3(a)treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +author: Garri Djavadyan +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Mon 2016-11-14 23:54:34 +1300 +message: + Fix spelling for digest nonce cache maintenance event +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8c91678868beb689db5e0e6eaa6911c44f503ac8 +# timestamp: 2016-11-14 10:56:03 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161114105124-\ +# 46hmtnsg8uj4owxz +#=20 +# Begin patch +=3D=3D=3D modified file 'src/auth/digest/Config.cc' +--- src/auth/digest/Config.cc 2016-01-01 00:14:27 +0000 ++++ src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000 +@@ -204,7 +204,7 @@ + if (!digest_nonce_cache) { + digest_nonce_cache =3D hash_create((HASHCMP *) strcmp, 7921, hash_s= tring); + assert(digest_nonce_cache); +- eventAdd("Digest none cache maintenance", authenticateDigestNonceCa= cheCleanup, NULL, static_cast(Auth::Config::Find("dige= st"))->nonceGCInterval, 1); ++ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceC= acheCleanup, NULL, static_cast(Auth::Config::Find("dig= est"))->nonceGCInterval, 1); + } + } +=20 +@@ -268,7 +268,7 @@ + debugs(29, 3, "Finished cleaning the nonce cache."); +=20 + if (static_cast(Auth::Config::Find("digest"))->a= ctive()) +- eventAdd("Digest none cache maintenance", authenticateDigestNonceCa= cheCleanup, NULL, static_cast(Auth::Config::Find("dige= st"))->nonceGCInterval, 1); ++ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceC= acheCleanup, NULL, static_cast(Auth::Config::Find("dig= est"))->nonceGCInterval, 1); + } +=20 + static void + diff --git a/src/patches/squid/squid-3.5-14112.patch b/src/patches/squid/squi= d-3.5-14112.patch new file mode 100644 index 0000000..a63c1c0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14112.patch @@ -0,0 +1,60 @@ +------------------------------------------------------------ +revno: 14112 +revision-id: squid3(a)treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +parent: squid3(a)treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +author: Alex Rousskov +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Tue 2016-11-15 01:40:51 +1300 +message: + Honor SBufReservationRequirements::minSize regardless of idealSize. + =20 + In a fully specified SBufReservationRequirements, idealSize would + naturally match or exceed minSize. However, the idealSize default value + (zero) may not. We should honor minSize regardless of idealSize, just as + the API documentation promises to do. + =20 + No runtime changes expected right now because the only existing user of + SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096) + and .minSize to 1024. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fb0969aa035352582364b529a70286cbfd89564a +# timestamp: 2016-11-14 12:43:10 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161114105434-\ +# f1uvw2lu8l4lpgay +#=20 +# Begin patch +=3D=3D=3D modified file 'src/SBuf.cc' +--- src/SBuf.cc 2016-06-18 13:36:07 +0000 ++++ src/SBuf.cc 2016-11-14 12:40:51 +0000 +@@ -178,7 +178,8 @@ + if (!mustRealloc && len_ >=3D req.maxCapacity) + return spaceSize(); // but we cannot reallocate +=20 +- const size_type newSpace =3D std::min(req.idealSpace, maxSize - len_); ++ const size_type desiredSpace =3D std::max(req.minSpace, req.idealSpace); ++ const size_type newSpace =3D std::min(desiredSpace, maxSize - len_); + reserveCapacity(std::min(len_ + newSpace, req.maxCapacity)); + debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize= () << + '=3D' << store_->capacity); + +=3D=3D=3D modified file 'src/SBuf.h' +--- src/SBuf.h 2016-06-18 13:36:07 +0000 ++++ src/SBuf.h 2016-11-14 12:40:51 +0000 +@@ -635,9 +635,10 @@ + /* + * Parameters are listed in the reverse order of importance: Satisfacti= on of + * the lower-listed requirements may violate the higher-listed requirem= ents. ++ * For example, idealSpace has no effect unless it exceeds minSpace. + */ + size_type idealSpace; ///< if allocating anyway, provide this much space +- size_type minSpace; ///< allocate if spaceSize() is smaller ++ size_type minSpace; ///< allocate [at least this much] if spaceSize() i= s smaller + size_type maxCapacity; ///< do not allocate more than this + bool allowShared; ///< whether sharing our storage with others is OK + }; + diff --git a/src/patches/squid/squid-3.5-14113.patch b/src/patches/squid/squi= d-3.5-14113.patch new file mode 100644 index 0000000..d545026 --- /dev/null +++ b/src/patches/squid/squid-3.5-14113.patch @@ -0,0 +1,47 @@ +------------------------------------------------------------ +revno: 14113 +revision-id: squid3(a)treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +parent: squid3(a)treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Tue 2016-11-15 20:57:28 +1300 +message: + TLS: Make key=3D before cert=3D an error instead of quietly hiding the iss= ue + =20 + This squid.conf setup is fatal in Squid-4. So best to fix these installati= ons. + Even though Squdi-3 can cope with it. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: a18738f4cbf0c1bd368e61d4b19c5d6f5005b919 +# timestamp: 2016-11-15 07:58:39 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161114124051-\ +# s0vzoj5exv5g8w56 +#=20 +# Begin patch +=3D=3D=3D modified file 'src/cache_cf.cc' +--- src/cache_cf.cc 2016-09-23 11:11:48 +0000 ++++ src/cache_cf.cc 2016-11-15 07:57:28 +0000 +@@ -2257,6 +2257,9 @@ + safe_free(p->sslcert); + p->sslcert =3D xstrdup(token + 8); + } else if (strncmp(token, "sslkey=3D", 7) =3D=3D 0) { ++ if (!p->sslcert) { ++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": ss= lcert=3D option must be set before sslkey=3D is used."); ++ } + safe_free(p->sslkey); + p->sslkey =3D xstrdup(token + 7); + } else if (strncmp(token, "sslversion=3D", 11) =3D=3D 0) { +@@ -3729,6 +3732,9 @@ + safe_free(s->cert); + s->cert =3D xstrdup(token + 5); + } else if (strncmp(token, "key=3D", 4) =3D=3D 0) { ++ if (!s->cert) { ++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= =3D option must be set before key=3D is used."); ++ } + safe_free(s->key); + s->key =3D xstrdup(token + 4); + } else if (strncmp(token, "version=3D", 8) =3D=3D 0) { + diff --git a/src/patches/squid/squid-3.5-14114.patch b/src/patches/squid/squi= d-3.5-14114.patch new file mode 100644 index 0000000..0985004 --- /dev/null +++ b/src/patches/squid/squid-3.5-14114.patch @@ -0,0 +1,46 @@ +------------------------------------------------------------ +revno: 14114 +revision-id: squid3(a)treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3 +parent: squid3(a)treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Thu 2016-12-01 04:42:05 +1300 +message: + Improve debugs warnings when loading signing certs fails +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: e760bf590489a354e314f19dd158b063d23ef7a7 +# timestamp: 2016-11-30 15:51:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161115075728-\ +# 2xj2621oh5bwn8wn +#=20 +# Begin patch +=3D=3D=3D modified file 'src/ssl/support.cc' +--- src/ssl/support.cc 2016-10-09 14:30:11 +0000 ++++ src/ssl/support.cc 2016-11-30 15:42:05 +0000 +@@ -2011,10 +2011,17 @@ + pem_password_cb *cb =3D ::Config.Program.ssl_password ? &ssl_ask_passwo= rd_cb : NULL; + pkey.reset(readSslPrivateKey(keyFilename, cb)); + cert.reset(readSslX509CertificatesChain(certFilename, chain.get())); +- if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) { +- pkey.reset(NULL); +- cert.reset(NULL); +- } ++ if (!cert) { ++ debugs(83, DBG_IMPORTANT, "WARNING: missing cert in '" << certFilen= ame << "'"); ++ } else if (!pkey) { ++ debugs(83, DBG_IMPORTANT, "WARNING: missing private key in '" << ke= yFilename << "'"); ++ } else if (!X509_check_private_key(cert.get(), pkey.get())) { ++ debugs(83, DBG_IMPORTANT, "WARNING: X509_check_private_key() failed= to verify signing cert"); ++ } else ++ return; // everything is okay ++ ++ pkey.reset(NULL); ++ cert.reset(NULL); + } +=20 + bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Point= er &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey) + diff --git a/src/patches/squid/squid-3.5-14115.patch b/src/patches/squid/squi= d-3.5-14115.patch new file mode 100644 index 0000000..4e5e3cf --- /dev/null +++ b/src/patches/squid/squid-3.5-14115.patch @@ -0,0 +1,197 @@ +------------------------------------------------------------ +revno: 14115 +revision-id: squid3(a)treenet.co.nz-20161130215630-c42qucqar9bi9a1k +parent: squid3(a)treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3 +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4004 +author: Christos Tsantilas +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Thu 2016-12-01 10:56:30 +1300 +message: + Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply + =20 + Added nil dereference checks for Ftp::Client::ctrl.conn, including: + - Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference + ctrl.conn in DBG_IMPORTANT messages. + - Many functions inside FtpClient.cc and FtpGateway.cc files. + =20 + TODO: We need to find a better way to handle nil ctrl.conn. It is only + a matter of time when we forget to add another dereference check or + discover a place we missed during this change. + =20 + Also disabled forwarding of EPRT and PORT commands to origin servers. + Squid support for those commands is broken and their forwarding may + cause segfaults (bug #4004). Active FTP is still supported, of course. + =20 + This is a Measurement Factory project +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161130215630-c42qucqar9bi9a1k +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 345883c1b5a5cd221e9d0e68b254df7d955372ad +# timestamp: 2016-11-30 22:42:02 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161130154205-\ +# c9z1bhqzuh3rafl3 +#=20 +# Begin patch +=3D=3D=3D modified file 'src/clients/FtpClient.cc' +--- src/clients/FtpClient.cc 2016-08-05 14:59:33 +0000 ++++ src/clients/FtpClient.cc 2016-11-30 21:56:30 +0000 +@@ -442,6 +442,11 @@ + char *buf; + debugs(9, 3, status()); +=20 ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return false; ++ } ++ + if (code !=3D 227) { + debugs(9, 2, "PASV not supported by remote end"); + return false; +@@ -473,6 +478,11 @@ + char *buf; + debugs(9, 3, status()); +=20 ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return false; ++ } ++ + if (code !=3D 229 && code !=3D 522) { + if (code =3D=3D 200) { + /* handle broken servers (RFC 2428 says OK code for EPSV MUST b= e 229 not 200) */ +@@ -733,6 +743,11 @@ + void + Ftp::Client::connectDataChannel() + { ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return; ++ } ++ + safe_free(ctrl.last_command); +=20 + safe_free(ctrl.last_reply); + +=3D=3D=3D modified file 'src/clients/FtpGateway.cc' +--- src/clients/FtpGateway.cc 2016-01-31 05:39:09 +0000 ++++ src/clients/FtpGateway.cc 2016-11-30 21:56:30 +0000 +@@ -212,7 +212,9 @@ + static FTPSM ftpReadMdtm; + static FTPSM ftpSendSize; + static FTPSM ftpReadSize; ++#if 0 + static FTPSM ftpSendEPRT; ++#endif + static FTPSM ftpReadEPRT; + static FTPSM ftpSendPORT; + static FTPSM ftpReadPORT; +@@ -450,6 +452,11 @@ + void + Ftp::Gateway::listenForDataChannel(const Comm::ConnectionPointer &conn) + { ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return; ++ } ++ + assert(!Comm::IsConnOpen(data.conn)); +=20 + typedef CommCbMemFunT AcceptDialer; +@@ -1183,7 +1190,7 @@ +=20 + checkUrlpath(); + buildTitleUrl(); +- debugs(9, 5, HERE << "FD " << ctrl.conn->fd << " : host=3D" << request-= >GetHost() << ++ debugs(9, 5, "FD " << (ctrl.conn !=3D NULL ? ctrl.conn->fd : -1) << " := host=3D" << request->GetHost() << + ", path=3D" << request->urlpath << ", user=3D" << user << ", pas= swd=3D" << password); + state =3D BEGIN; + Ftp::Client::start(); +@@ -1750,7 +1757,9 @@ + if (ftpState->handlePasvReply(srvAddr)) + ftpState->connectDataChannel(); + else { +- ftpSendEPRT(ftpState); ++ ftpFail(ftpState); ++ // Currently disabled, does not work correctly: ++ // ftpSendEPRT(ftpState); + return; + } + } +@@ -1790,6 +1799,11 @@ + } + safe_free(ftpState->data.host); +=20 ++ if (!Comm::IsConnOpen(ftpState->ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return; ++ } ++ + /* + * Set up a listen socket on the same local address as the + * control connection. +@@ -1875,9 +1889,14 @@ + ftpRestOrList(ftpState); + } +=20 ++#if 0 + static void + ftpSendEPRT(Ftp::Gateway * ftpState) + { ++ /* check the server control channel is still available */ ++ if (!ftpState || !ftpState->haveControlChannel("ftpSendEPRT")) ++ return; ++ + if (Config.Ftp.epsv_all && ftpState->flags.epsv_all_sent) { + debugs(9, DBG_IMPORTANT, "FTP does not allow EPRT method after 'EPS= V ALL' has been sent."); + return; +@@ -1913,6 +1932,7 @@ + ftpState->writeCommand(cbuf); + ftpState->state =3D Ftp::Client::SENT_EPRT; + } ++#endif +=20 + static void + ftpReadEPRT(Ftp::Gateway * ftpState) +@@ -1939,10 +1959,8 @@ + { + debugs(9, 3, HERE); +=20 +- if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { +- abortAll("entry aborted when accepting data conn"); +- data.listenConn->close(); +- data.listenConn =3D NULL; ++ if (!Comm::IsConnOpen(ctrl.conn)) { /*Close handlers will cleanup*/ ++ debugs(9, 5, "The control connection to the remote end is closed"); + return; + } +=20 +@@ -1955,6 +1973,14 @@ + return; + } +=20 ++ if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { ++ abortAll("entry aborted when accepting data conn"); ++ data.listenConn->close(); ++ data.listenConn =3D NULL; ++ io.conn->close(); ++ return; ++ } ++ + /* data listening conn is no longer even open. abort. */ + if (!Comm::IsConnOpen(data.listenConn)) { + data.listenConn =3D NULL; // ensure that it's cleared and not just = closed. +@@ -2705,8 +2731,8 @@ + Ftp::Gateway::completeForwarding() + { + if (fwd =3D=3D NULL || flags.completed_forwarding) { +- debugs(9, 3, HERE << "completeForwarding avoids " << +- "double-complete on FD " << ctrl.conn->fd << ", Data FD " <<= data.conn->fd << ++ debugs(9, 3, "avoid double-complete on FD " << ++ (ctrl.conn !=3D NULL ? ctrl.conn->fd : -1) << ", Data FD " <= < data.conn->fd << + ", this " << this << ", fwd " << fwd); + return; + } + diff --git a/src/patches/squid/squid-3.5-14116.patch b/src/patches/squid/squi= d-3.5-14116.patch new file mode 100644 index 0000000..c92d8b8 --- /dev/null +++ b/src/patches/squid/squid-3.5-14116.patch @@ -0,0 +1,38 @@ +------------------------------------------------------------ +revno: 14116 +revision-id: squid3(a)treenet.co.nz-20161130223332-zcaxll4prj3kag1b +parent: squid3(a)treenet.co.nz-20161130215630-c42qucqar9bi9a1k +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D3533 +author: Garri Djavadyan +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Thu 2016-12-01 11:33:32 +1300 +message: + Bug 3533: Cache still valid after HTTP/1.1 303 See Other + =20 + RFC7231 does not mention 303 response as non-cacheable. + So, assuming that means it *is* cacheable. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161130223332-zcaxll4prj3kag1b +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: c90320c95a4b64c8d18794fbe5df526fe0f9f702 +# timestamp: 2016-11-30 22:42:05 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161130215630-\ +# c42qucqar9bi9a1k +#=20 +# Begin patch +=3D=3D=3D modified file 'src/http.cc' +--- src/http.cc 2016-10-30 09:45:03 +0000 ++++ src/http.cc 2016-11-30 22:33:32 +0000 +@@ -203,6 +203,8 @@ +=20 + case Http::scFound: +=20 ++ case Http::scSeeOther: ++ + case Http::scGone: +=20 + case Http::scNotFound: + diff --git a/src/patches/squid/squid-3.5-14117.patch b/src/patches/squid/squi= d-3.5-14117.patch new file mode 100644 index 0000000..23d5376 --- /dev/null +++ b/src/patches/squid/squid-3.5-14117.patch @@ -0,0 +1,152 @@ +------------------------------------------------------------ +revno: 14117 +revision-id: squid3(a)treenet.co.nz-20161130232039-z18ikhhcf3j185my +parent: squid3(a)treenet.co.nz-20161130223332-zcaxll4prj3kag1b +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4007 +author: Stephen Baynes , Amos Jeffries +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Thu 2016-12-01 12:20:39 +1300 +message: + Bug 4007: Hang on DNS query with dead-end CNAME + =20 + DNS lookup recursion no longer occurs. ipcacheParse() return values are no + longer useful. + =20 + Also, cleanup the debugging output. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161130232039-z18ikhhcf3j185my +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 9059c7a07e5366bd2eac606c72f875077766ed34 +# timestamp: 2016-11-30 23:27:11 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161130223332-\ +# zcaxll4prj3kag1b +#=20 +# Begin patch +=3D=3D=3D modified file 'src/ipcache.cc' +--- src/ipcache.cc 2016-01-01 00:14:27 +0000 ++++ src/ipcache.cc 2016-11-30 23:20:39 +0000 +@@ -123,7 +123,6 @@ + static FREE ipcacheFreeEntry; + static IDNSCB ipcacheHandleReply; + static int ipcacheExpiredEntry(ipcache_entry *); +-static int ipcacheParse(ipcache_entry *, const rfc1035_rr *, int, const cha= r *error); + static ipcache_entry *ipcache_get(const char *); + static void ipcacheLockEntry(ipcache_entry *); + static void ipcacheStatPrint(ipcache_entry *, StoreEntry *); +@@ -328,8 +327,7 @@ + ipcacheUnlockEntry(i); + } +=20 +-/// \ingroup IPCacheAPI +-static int ++static void + ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const ch= ar *error_message) + { + int k; +@@ -350,25 +348,25 @@ + i->addrs.count =3D 0; +=20 + if (nr < 0) { +- debugs(14, 3, "ipcacheParse: Lookup failed '" << error_message << "= ' for '" << (const char *)i->hash.key << "'"); ++ debugs(14, 3, "Lookup failed '" << error_message << "' for '" << (c= onst char *)i->hash.key << "'"); + i->error_message =3D xstrdup(error_message); +- return -1; ++ return; + } +=20 + if (nr =3D=3D 0) { +- debugs(14, 3, "ipcacheParse: No DNS records in response to '" << na= me << "'"); ++ debugs(14, 3, "No DNS records in response to '" << name << "'"); + i->error_message =3D xstrdup("No DNS records"); +- return -1; ++ return; + } +=20 +- debugs(14, 3, "ipcacheParse: " << nr << " answers for '" << name << "'"= ); ++ debugs(14, 3, nr << " answers for '" << name << "'"); + assert(answers); +=20 + for (k =3D 0; k < nr; ++k) { +=20 + if (Ip::EnableIpv6 && answers[k].type =3D=3D RFC1035_TYPE_AAAA) { + if (answers[k].rdlength !=3D sizeof(struct in6_addr)) { +- debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv6 addre= ss in response to '" << name << "'"); ++ debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv6 address i= n response to '" << name << "'"); + continue; + } + ++na; +@@ -378,7 +376,7 @@ +=20 + if (answers[k].type =3D=3D RFC1035_TYPE_A) { + if (answers[k].rdlength !=3D sizeof(struct in_addr)) { +- debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv4 addre= ss in response to '" << name << "'"); ++ debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv4 address i= n response to '" << name << "'"); + continue; + } + ++na; +@@ -394,14 +392,14 @@ + } +=20 + // otherwise its an unknown RR. debug at level 9 since we usually w= ant to ignore these and they are common. +- debugs(14, 9, HERE << "Unknown RR type received: type=3D" << answer= s[k].type << " starting at " << &(answers[k]) ); ++ debugs(14, 9, "Unknown RR type received: type=3D" << answers[k].typ= e << " starting at " << &(answers[k]) ); + } + if (na =3D=3D 0) { +- debugs(14, DBG_IMPORTANT, "ipcacheParse: No Address records in resp= onse to '" << name << "'"); ++ debugs(14, DBG_IMPORTANT, MYNAME << "No Address records in response= to '" << name << "'"); + i->error_message =3D xstrdup("No Address records"); + if (cname_found) + ++IpcacheStats.cname_only; +- return 0; ++ return; + } +=20 + i->addrs.in_addrs =3D static_cast(xcalloc(na, sizeof(Ip:= :Address))); +@@ -419,7 +417,7 @@ + memcpy(&temp, answers[k].rdata, sizeof(struct in_addr)); + i->addrs.in_addrs[j] =3D temp; +=20 +- debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i= ->addrs.in_addrs[j]); ++ debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j]); + ++j; +=20 + } else if (Ip::EnableIpv6 && answers[k].type =3D=3D RFC1035_TYPE_AA= AA) { +@@ -430,7 +428,7 @@ + memcpy(&temp, answers[k].rdata, sizeof(struct in6_addr)); + i->addrs.in_addrs[j] =3D temp; +=20 +- debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i= ->addrs.in_addrs[j] ); ++ debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] = ); + ++j; + } + if (ttl =3D=3D 0 || (int) answers[k].ttl < ttl) +@@ -453,8 +451,6 @@ + i->expires =3D squid_curtime + ttl; +=20 + i->flags.negcached =3D false; +- +- return i->addrs.count; + } +=20 + /// \ingroup IPCacheInternal +@@ -467,13 +463,9 @@ + const int age =3D i->age(); + statCounter.dns.svcTime.count(age); +=20 +- int done =3D ipcacheParse(i, answers, na, error_message); +- +- /* If we have not produced either IPs or Error immediately, wait for re= cursion to finish. */ +- if (done !=3D 0 || error_message !=3D NULL) { +- ipcacheAddEntry(i); +- ipcacheCallback(i, age); +- } ++ ipcacheParse(i, answers, na, error_message); ++ ipcacheAddEntry(i); ++ ipcacheCallback(i, age); + } +=20 + /** + diff --git a/src/patches/squid/squid-3.5-14118.patch b/src/patches/squid/squi= d-3.5-14118.patch new file mode 100644 index 0000000..1e36294 --- /dev/null +++ b/src/patches/squid/squid-3.5-14118.patch @@ -0,0 +1,55 @@ +------------------------------------------------------------ +revno: 14118 +revision-id: squid3(a)treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85 +parent: squid3(a)treenet.co.nz-20161130232039-z18ikhhcf3j185my +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D3290 +author: Garri Djavadyan +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Thu 2016-12-01 12:33:04 +1300 +message: + Bug 3290: authenticate_ttl not working for digest authentication +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50ff391db1484222ead5fb50b1bca0694c37ed4c +# timestamp: 2016-11-30 23:34:59 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161130232039-\ +# z18ikhhcf3j185my +#=20 +# Begin patch +=3D=3D=3D modified file 'src/auth/digest/Config.cc' +--- src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000 ++++ src/auth/digest/Config.cc 2016-11-30 23:33:04 +0000 +@@ -1058,6 +1058,10 @@ + * the user agent won't change user name without warning. + */ + authDigestUserLinkNonce(digest_user, nonce); ++ ++ /* auth_user is now linked, we reset these values ++ * after external auth occurs anyway */ ++ auth_user->expiretime =3D current_time.tv_sec; + } else { + debugs(29, 9, "Found user '" << username << "' in the user cache as= '" << auth_user << "'"); + digest_user =3D static_cast(auth_user.getRaw(= )); + +=3D=3D=3D modified file 'src/auth/digest/UserRequest.cc' +--- src/auth/digest/UserRequest.cc 2016-01-01 00:14:27 +0000 ++++ src/auth/digest/UserRequest.cc 2016-11-30 23:33:04 +0000 +@@ -187,12 +187,7 @@ + auth_user->credentials(Auth::Ok); +=20 + /* password was checked and did match */ +- debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated= OK"); +- +- /* auth_user is now linked, we reset these values +- * after external auth occurs anyway */ +- auth_user->expiretime =3D current_time.tv_sec; +- return; ++ debugs(29, 4, "user '" << auth_user->username() << "' validated OK"); + } +=20 + Auth::Direction + diff --git a/src/patches/squid/squid-3.5-14119.patch b/src/patches/squid/squi= d-3.5-14119.patch new file mode 100644 index 0000000..d6e85a5 --- /dev/null +++ b/src/patches/squid/squid-3.5-14119.patch @@ -0,0 +1,184 @@ +------------------------------------------------------------ +revno: 14119 +revision-id: squid3(a)treenet.co.nz-20161209015833-xm965d5l6u03qhew +parent: squid3(a)treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85 +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4174 +author: Christos Tsantilas +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Fri 2016-12-09 14:58:33 +1300 +message: + Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion. + =20 + The following sequence of events triggers this assertion: + - The server sends an 1xx control message. + - http.cc schedules ConnStateData::sendControlMsg call. + - Before sendControlMsg is fired, http.cc detects an error (e.g., I/O + error or timeout) and starts writing the reply to the user. + - The ConnStateData::sendControlMsg is fired, starts writing 1xx, and + hits the "no concurrent writes" assertion. + =20 + We could only reproduce this sequence in the lab after changing Squid + code to trigger a timeout at the right moment, but the sequence looks + plausible. Other event sequences might result in the same outcome. + =20 + To avoid concurrent writes, Squid now drops the control message if + Http::One::Server detects that a reply is already being written. Also, + ConnStateData delays reply writing until a pending control message write + has been completed. + =20 + This is a Measurement Factory project. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161209015833-xm965d5l6u03qhew +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 103c6fc1fa45d78ba7f9e85ab3d89fff898ee762 +# timestamp: 2016-12-09 02:51:06 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161130233304-\ +# lk3q0bx8gn5l3l85 +#=20 +# Begin patch +=3D=3D=3D modified file 'src/client_side.cc' +--- src/client_side.cc 2016-09-23 20:49:24 +0000 ++++ src/client_side.cc 2016-12-09 01:58:33 +0000 +@@ -340,7 +340,21 @@ + AsyncCall::Pointer call =3D commCbCall(33, 5, "ClientSocketContext::wro= teControlMsg", + CommIoCbPtrFun(&WroteControlMsg, t= his)); +=20 +- getConn()->writeControlMsgAndCall(this, rep.getRaw(), call); ++ if (!getConn()->writeControlMsgAndCall(this, rep.getRaw(), call)) { ++ // but still inform the caller (so it may resume its operation) ++ doneWithControlMsg(); ++ } ++} ++ ++void ++ClientSocketContext::doneWithControlMsg() ++{ ++ ScheduleCallHere(cbControlMsgSent); ++ cbControlMsgSent =3D NULL; ++ ++ debugs(33, 3, clientConnection << ": calling PushDeferredIfNeeded after= control msg wrote"); ++ ClientSocketContextPushDeferredIfNeeded(this, getConn()); ++ + } +=20 + /// called when we wrote the 1xx response +@@ -351,7 +365,7 @@ + return; +=20 + if (errflag =3D=3D Comm::OK) { +- ScheduleCallHere(cbControlMsgSent); ++ doneWithControlMsg(); + return; + } +=20 +@@ -1455,6 +1469,8 @@ +=20 + if (context !=3D http->getConn()->getCurrentContext()) + context->deferRecipientForLater(node, rep, receivedData); ++ else if (context->controlMsgIsPending()) ++ context->deferRecipientForLater(node, rep, receivedData); + else + http->getConn()->handleReply(rep, receivedData); +=20 + +=3D=3D=3D modified file 'src/client_side.h' +--- src/client_side.h 2016-06-18 13:36:07 +0000 ++++ src/client_side.h 2016-12-09 01:58:33 +0000 +@@ -129,9 +129,13 @@ + /// starts writing 1xx control message to the client + void writeControlMsg(HttpControlMsg &msg); +=20 ++ /// true if 1xx to the user is pending ++ bool controlMsgIsPending() {return cbControlMsgSent !=3D NULL;} ++ + protected: + static IOCB WroteControlMsg; + void wroteControlMsg(const Comm::ConnectionPointer &conn, char *bufnotu= sed, size_t size, Comm::Flag errflag, int xerrno); ++ void doneWithControlMsg(); +=20 + private: + void prepareReply(HttpReply * rep); +@@ -387,7 +391,7 @@ + void connectionTag(const char *aTag) { connectionTag_ =3D aTag; } +=20 + /// handle a control message received by context from a peer and call b= ack +- virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpR= eply *rep, AsyncCall::Pointer &call) =3D 0; ++ virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpR= eply *rep, AsyncCall::Pointer &call) =3D 0; +=20 + /// ClientStream calls this to supply response header (once) and data + /// for the current ClientSocketContext. + +=3D=3D=3D modified file 'src/servers/FtpServer.cc' +--- src/servers/FtpServer.cc 2016-06-30 21:09:12 +0000 ++++ src/servers/FtpServer.cc 2016-12-09 01:58:33 +0000 +@@ -1152,12 +1152,13 @@ + writeErrorReply(reply, 451); + } +=20 +-void ++bool + Ftp::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpReply= *reply, AsyncCall::Pointer &call) + { + // the caller guarantees that we are dealing with the current context o= nly + // the caller should also make sure reply->header.has(HDR_FTP_STATUS) + writeForwardedReplyAndCall(reply, call); ++ return true; + } +=20 + void + +=3D=3D=3D modified file 'src/servers/FtpServer.h' +--- src/servers/FtpServer.h 2016-03-15 18:14:15 +0000 ++++ src/servers/FtpServer.h 2016-12-09 01:58:33 +0000 +@@ -94,7 +94,7 @@ + virtual void clientPinnedConnectionClosed(const CommCloseCbParams &io); + virtual void handleReply(HttpReply *header, StoreIOBuffer receivedData); + virtual int pipelinePrefetchMax() const; +- virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpR= eply *rep, AsyncCall::Pointer &call); ++ virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpR= eply *rep, AsyncCall::Pointer &call); + virtual time_t idleTimeout() const; +=20 + /* BodyPipe API */ + +=3D=3D=3D modified file 'src/servers/HttpServer.cc' +--- src/servers/HttpServer.cc 2016-01-01 00:14:27 +0000 ++++ src/servers/HttpServer.cc 2016-12-09 01:58:33 +0000 +@@ -35,7 +35,7 @@ + virtual ClientSocketContext *parseOneRequest(Http::ProtocolVersion &ver= ); + virtual void processParsedRequest(ClientSocketContext *context, const H= ttp::ProtocolVersion &ver); + virtual void handleReply(HttpReply *rep, StoreIOBuffer receivedData); +- virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpR= eply *rep, AsyncCall::Pointer &call); ++ virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpR= eply *rep, AsyncCall::Pointer &call); + virtual time_t idleTimeout() const; +=20 + /* BodyPipe API */ +@@ -167,9 +167,16 @@ + context->sendStartOfMessage(rep, receivedData); + } +=20 +-void ++bool + Http::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpRepl= y *rep, AsyncCall::Pointer &call) + { ++ // Ignore this late control message if we have started sending a=20 ++ // reply to the user already (e.g., after an error). ++ if (context->reply) { ++ debugs(11, 2, "drop 1xx made late by " << context->reply); ++ return false; ++ } ++ + // apply selected clientReplyContext::buildReplyHeader() mods + // it is not clear what headers are required for control messages + rep->header.removeHopByHopEntries(); +@@ -184,6 +191,7 @@ + Comm::Write(context->clientConnection, mb, call); +=20 + delete mb; ++ return true; + } +=20 + ConnStateData * + diff --git a/src/patches/squid/squid-3.5-14120.patch b/src/patches/squid/squi= d-3.5-14120.patch new file mode 100644 index 0000000..4d28d4a --- /dev/null +++ b/src/patches/squid/squid-3.5-14120.patch @@ -0,0 +1,62 @@ +------------------------------------------------------------ +revno: 14120 +revision-id: squid3(a)treenet.co.nz-20161209034636-wytrnx7ks2jv0sxt +parent: squid3(a)treenet.co.nz-20161209015833-xm965d5l6u03qhew +author: Egervary Gergely +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Fri 2016-12-09 16:46:36 +1300 +message: + Support IPv6 NAT with PF for NetBSD and FreeBSD +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161209034636-wytrnx7ks2jv0sxt +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: b47da8d30fe000bbe50ea978bab7594065f7dc07 +# timestamp: 2016-12-09 03:51:01 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161209015833-\ +# xm965d5l6u03qhew +#=20 +# Begin patch +=3D=3D=3D modified file 'src/ip/Intercept.cc' +--- src/ip/Intercept.cc 2016-10-25 08:25:30 +0000 ++++ src/ip/Intercept.cc 2016-12-09 03:46:36 +0000 +@@ -339,13 +339,20 @@ + } +=20 + memset(&nl, 0, sizeof(struct pfioc_natlook)); +- newConn->remote.getInAddr(nl.saddr.v4); ++ ++ if (newConn->remote.isIPv6()) { ++ newConn->remote.getInAddr(nl.saddr.v6); ++ newConn->local.getInAddr(nl.daddr.v6); ++ nl.af =3D AF_INET6; ++ } else { ++ newConn->remote.getInAddr(nl.saddr.v4); ++ newConn->local.getInAddr(nl.daddr.v4); ++ nl.af =3D AF_INET; ++ } ++ + nl.sport =3D htons(newConn->remote.port()); +- +- newConn->local.getInAddr(nl.daddr.v4); + nl.dport =3D htons(newConn->local.port()); +=20 +- nl.af =3D AF_INET; + nl.proto =3D IPPROTO_TCP; + nl.direction =3D PF_OUT; +=20 +@@ -361,7 +368,10 @@ + debugs(89, 9, HERE << "address: " << newConn); + return false; + } else { +- newConn->local =3D nl.rdaddr.v4; ++ if (newConn->remote.isIPv6()) ++ newConn->local =3D nl.rdaddr.v6; ++ else ++ newConn->local =3D nl.rdaddr.v4; + newConn->local.port(ntohs(nl.rdport)); + debugs(89, 5, HERE << "address NAT: " << newConn); + return true; + diff --git a/src/patches/squid/squid-3.5-14121.patch b/src/patches/squid/squi= d-3.5-14121.patch new file mode 100644 index 0000000..36f3f7a --- /dev/null +++ b/src/patches/squid/squid-3.5-14121.patch @@ -0,0 +1,36 @@ +------------------------------------------------------------ +revno: 14121 +revision-id: squid3(a)treenet.co.nz-20161209043304-krtzvsm4a0zbzgi8 +parent: squid3(a)treenet.co.nz-20161209034636-wytrnx7ks2jv0sxt +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3D4406 +author: Michael Buchau +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Fri 2016-12-09 17:33:04 +1300 +message: + Bug 4406: SIGSEV in TunnelStateData::handleConnectResponse() during reconf= igure and restart +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20161209043304-krtzvsm4a0zbzgi8 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: ce1153061cb79ac9ede6851f438ec830ed7a3e78 +# timestamp: 2016-12-09 04:51:01 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161209034636-\ +# wytrnx7ks2jv0sxt +#=20 +# Begin patch +=3D=3D=3D modified file 'src/tunnel.cc' +--- src/tunnel.cc 2016-08-17 13:34:13 +0000 ++++ src/tunnel.cc 2016-12-09 04:33:04 +0000 +@@ -475,7 +475,8 @@ + *status_ptr =3D rep.sline.status(); +=20 + // we need to relay the 401/407 responses when login=3DPASS(THRU) +- const char *pwd =3D server.conn->getPeer()->login; ++ const CachePeer *peer =3D server.conn->getPeer(); ++ const char *pwd =3D (peer ? peer->login : NULL); + const bool relay =3D pwd && (strcmp(pwd, "PASS") =3D=3D 0 || strcmp(pwd= , "PASSTHRU") =3D=3D 0) && + (*status_ptr =3D=3D Http::scProxyAuthenticationRequi= red || + *status_ptr =3D=3D Http::scUnauthorized); + diff --git a/src/patches/squid/squid-3.5-14122.patch b/src/patches/squid/squi= d-3.5-14122.patch new file mode 100644 index 0000000..292306e --- /dev/null +++ b/src/patches/squid/squid-3.5-14122.patch @@ -0,0 +1,34 @@ +------------------------------------------------------------ +revno: 14122 +revision-id: squidadm(a)squid-cache.org-20161209061551-361ava4lrrmbwiy9 +parent: squid3(a)treenet.co.nz-20161209043304-krtzvsm4a0zbzgi8 +committer: Source Maintenance +branch nick: 3.5 +timestamp: Fri 2016-12-09 06:15:51 +0000 +message: + SourceFormat Enforcement +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squidadm(a)squid-cache.org-20161209061551-\ +# 361ava4lrrmbwiy9 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: cb4bfe0e0aaf3e3d107ffb16e2729c6f46d5a822 +# timestamp: 2016-12-09 06:51:04 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20161209043304-\ +# krtzvsm4a0zbzgi8 +#=20 +# Begin patch +=3D=3D=3D modified file 'src/servers/HttpServer.cc' +--- src/servers/HttpServer.cc 2016-12-09 01:58:33 +0000 ++++ src/servers/HttpServer.cc 2016-12-09 06:15:51 +0000 +@@ -170,7 +170,7 @@ + bool + Http::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpRepl= y *rep, AsyncCall::Pointer &call) + { +- // Ignore this late control message if we have started sending a=20 ++ // Ignore this late control message if we have started sending a + // reply to the user already (e.g., after an error). + if (context->reply) { + debugs(11, 2, "drop 1xx made late by " << context->reply); + hooks/post-receive -- IPFire 2.x development tree --===============8054862863865369410==--