From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 898b355abd27b86193dd6496a43e49e5bdf672a6
Date: Thu, 01 Nov 2018 10:33:13 +0000
Message-ID: <20181101103314.7048C1081BB0@git01.ipfire.org>
List-Id: <ipfire-scm.lists.ipfire.org>


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  898b355abd27b86193dd6496a43e49e5bdf672a6 (commit)
       via  6eb221c2e5529945a6f31bf5be466795d917cf55 (commit)
       via  2e0660f9ce59433831d619dad546e3d31bc22612 (commit)
       via  c22498887d13776a694d25f6aa465c4e0eb47cee (commit)
       via  0c451a4a3262d564e298a13a252fd59e573da3a5 (commit)
       via  c3070d32e3f1223ff3a35f190978883b0804eb3f (commit)
       via  e2bd68dfad370340c343aa3d18b2fabf87c3f221 (commit)
      from  4f10c0b3a3a3441f352ff10d1a46c702a93f84f4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 898b355abd27b86193dd6496a43e49e5bdf672a6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Nov 1 10:31:45 2018 +0000

    core125: Ship updated ca-certificates

    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 6eb221c2e5529945a6f31bf5be466795d917cf55
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Sat Oct 27 15:37:45 2018 +0200

    update ca-certificates CA bundle

    Update the CA certificates list to what Mozilla NSS ships currently.

    The original file can be retrieved from:
    https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

    The second version of this patch supersedes the first one and
    bumps the LFS version of ca-certificate, too. Me stupid...

    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 2e0660f9ce59433831d619dad546e3d31bc22612
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Sat Oct 27 15:44:02 2018 +0200

    Unbound: output statistics daily instead of just on shutdown

    Currently, Unbound only prints statistics if it is being shut down
    (mostly because of a machine reboot). This makes detecting DNS
    anomalies hard as no intermediate statistic result is being logged.

    This patch changes Unbound's behaviour in order to log statistics
    every 86,400 seconds (i.e. 24 hours).

    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit c22498887d13776a694d25f6aa465c4e0eb47cee
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Nov 1 10:30:49 2018 +0000

    core125: Ship updated ids.cgi

    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0c451a4a3262d564e298a13a252fd59e573da3a5
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Oct 29 18:49:49 2018 +0100

    fix downloading Snort rules if behind upstream proxy

    Currently, the wget call only uses proxy information for HTTP.
    Since rulesets are downloaded via HTTPS now, the same information
    also needs to be applied for HTTPS.

    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit c3070d32e3f1223ff3a35f190978883b0804eb3f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Nov 1 10:29:48 2018 +0000

    core125: Ship updated squid

    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit e2bd68dfad370340c343aa3d18b2fabf87c3f221
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Thu Nov 1 09:24:24 2018 +0100

    squid 3.5.28: latest patches (01-02)

    For details see:
    http://www.squid-cache.org/Versions/v3/3.5/changesets/

    Best,
    Matthias

    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/ca-certificates/certdata.txt                | 140 ---------------------
 .../121 => core/125}/filelists/ca-certificates     |   0
 config/rootfiles/core/125/filelists/files          |   1 +
 .../{oldcore/100 => core/125}/filelists/squid      |   0
 config/rootfiles/core/125/update.sh                |   2 +
 config/unbound/unbound.conf                        |   2 +-
 html/cgi-bin/ids.cgi                               |   2 +-
 lfs/ca-certificates                                |   2 +-
 lfs/squid                                          |   2 +
 ...tion_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch |  72 +++++++++++
 ..._memory_leak_when_parsing_SNMP_packet_313.patch |  22 ++++
 11 files changed, 102 insertions(+), 143 deletions(-)
 copy config/rootfiles/{oldcore/121 => core/125}/filelists/ca-certificates (100%)
 copy config/rootfiles/{oldcore/100 => core/125}/filelists/squid (100%)
 create mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
 create mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch

Difference in files:
diff --git a/config/ca-certificates/certdata.txt b/config/ca-certificates/cer=
tdata.txt
index 193cef38f..61c37a8bd 100644
--- a/config/ca-certificates/certdata.txt
+++ b/config/ca-certificates/certdata.txt
@@ -2144,146 +2144,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_D=
ELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
=20
-#
-# Certificate "Visa eCommerce Root"
-#
-# Issuer: CN=3DVisa eCommerce Root,OU=3DVisa International Service Associati=
on,O=3DVISA,C=3DUS
-# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
-# Subject: CN=3DVisa eCommerce Root,OU=3DVisa International Service Associat=
ion,O=3DVISA,C=3DUS
-# Not Valid Before: Wed Jun 26 02:18:36 2002
-# Not Valid After : Fri Jun 24 00:16:12 2022
-# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:=
05:62
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023
-\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060
-\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055
-\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145
-\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143
-\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060
-\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157
-\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060
-\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062
-\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003
-\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125
-\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141
-\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101
-\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003
-\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145
-\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241
-\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266
-\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063
-\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004
-\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105
-\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215
-\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125
-\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143
-\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115
-\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352
-\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132
-\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072
-\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055
-\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040
-\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013
-\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213
-\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102
-\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070
-\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327
-\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340
-\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106
-\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021
-\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267
-\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122
-\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367
-\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214
-\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105
-\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035
-\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174
-\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
-\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
-\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
-\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
-\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
-\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
-\222\340\134\366\007\017
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Visa eCommerce Root"
-# Issuer: CN=3DVisa eCommerce Root,OU=3DVisa International Service Associati=
on,O=3DVISA,C=3DUS
-# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
-# Subject: CN=3DVisa eCommerce Root,OU=3DVisa International Service Associat=
ion,O=3DVISA,C=3DUS
-# Not Valid Before: Wed Jun 26 02:18:36 2002
-# Not Valid After : Fri Jun 24 00:16:12 2022
-# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:=
05:62
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062
-\275\340\005\142
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "Certum Root CA"
 #
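Review bot: this hunk removes the "Visa eCommerce Root" certificate object together with its CKO_NSS_TRUST entry, so hosts that take core 125 stop trusting any chain anchored there, but the commit message only says the bundle follows what Mozilla NSS ships "currently" and points at raw-file/tip, which is a moving target. Record the NSS changeset the file was taken from (the 20181027 date used for VER in lfs/ca-certificates is a start) and name the dropped root in the message or the core 125 notes, so the trust change stays traceable when someone later asks why a chain stopped validating.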
diff --git a/config/rootfiles/core/125/filelists/ca-certificates b/config/roo=
tfiles/core/125/filelists/ca-certificates
new file mode 120000
index 000000000..320fea8f4
--- /dev/null
+++ b/config/rootfiles/core/125/filelists/ca-certificates
@@ -0,0 +1 @@
+../../../common/ca-certificates
\ No newline at end of file
diff --git a/config/rootfiles/core/125/filelists/files b/config/rootfiles/cor=
e/125/filelists/files
index 59de43460..ab7eeee47 100644
--- a/config/rootfiles/core/125/filelists/files
+++ b/config/rootfiles/core/125/filelists/files
@@ -4,6 +4,7 @@ etc/ssh/sshd_config
 etc/sysctl.conf
 srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/hardwaregraphs.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/media.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 usr/local/bin/makegraphs
diff --git a/config/rootfiles/core/125/filelists/squid b/config/rootfiles/cor=
e/125/filelists/squid
new file mode 120000
index 000000000..2dc8372a0
--- /dev/null
+++ b/config/rootfiles/core/125/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/core/125/update.sh b/config/rootfiles/core/125/=
update.sh
index 9d056f921..a4ae0993c 100644
--- a/config/rootfiles/core/125/update.sh
+++ b/config/rootfiles/core/125/update.sh
@@ -32,6 +32,7 @@ for (( i=3D1; i<=3D$core; i++ )); do
 done
=20
 # Stop services
+/etc/init.d/squid stop
=20
 # Extract files
 extract_files
@@ -46,6 +47,7 @@ ldconfig
 /etc/init.d/unbound restart
 /etc/init.d/apache restart
 /etc/init.d/sshd restart
+/etc/init.d/squid start
=20
 # Reload sysctl.conf
 sysctl -p
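Review bot: the added `/etc/init.d/squid start` runs unconditionally, whereas the earlier `/etc/init.d/squid stop` is harmless on a host where the proxy was not running; unless the squid init script itself checks whether the proxy is enabled, this update starts Squid on installations that had it switched off. Either guard the start on the proxy's enabled state or use the same `restart` pattern the neighbouring unbound, apache and sshd lines use, which leaves a disabled service where it was.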
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index cda591dab..2cc5bab8a 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -28,7 +28,7 @@ server:
 	log-queries: no
=20
 	# Unbound Statistics
-	statistics-interval: 0
+	statistics-interval: 86400
 	statistics-cumulative: yes
 	extended-statistics: yes
=20
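Review bot: `statistics-interval: 86400` gives one dump a day, but with `statistics-cumulative: yes` kept two lines below the dump carries counters accumulated since Unbound started rather than per-day values, so spotting the DNS anomalies the commit message is after means diffing consecutive dumps; if daily figures are wanted, set `statistics-cumulative: no` alongside the new interval, which makes Unbound clear the counters after each dump. The interval timer also starts at daemon start, so a host restarted more than once a day still only gets the shutdown dump.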
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index d9d697deb..eddfc387c 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -692,7 +692,7 @@ sub downloadrulesfile {
 	}
=20
 	if ($peer) {
-		system("wget -r --proxy=3Don --proxy-user=3D$proxysettings{'UPSTREAM_USER'=
} --proxy-passwd=3D$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=3Dhttp:/=
/$peer:$peerport/ -o /var/tmp/log --output-document=3D/var/tmp/snortrules.tar=
.gz $url");
+		system("wget -r --proxy=3Don --proxy-user=3D$proxysettings{'UPSTREAM_USER'=
} --proxy-passwd=3D$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=3Dhttp:/=
/$peer:$peerport/ -e https_proxy=3Dhttp://$peer:$peerport/ -o /var/tmp/log --=
output-document=3D/var/tmp/snortrules.tar.gz $url");
 	} else {
 		system("wget -r -o /var/tmp/log --output-document=3D/var/tmp/snortrules.ta=
r.gz $url");
 	}
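Review bot: the added `-e https_proxy=http://$peer:$peerport/` addresses the stated problem, but both branches still interpolate `$proxysettings{'UPSTREAM_USER'}`, `$proxysettings{'UPSTREAM_PASSWORD'}` and `$url` into a single string handed to `system()`, so the shell parses them and a proxy password containing a quote, `$` or `;` breaks the command; passing `--proxy-passwd` in argv also shows the credential to every local user in the process list. Consider the list form `system('wget', '-r', '--proxy=on', ...)` so no shell is involved, and hand the credentials to wget through the environment or a `.wgetrc` rather than on the command line.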
diff --git a/lfs/ca-certificates b/lfs/ca-certificates
index e063b6439..6c684702a 100644
--- a/lfs/ca-certificates
+++ b/lfs/ca-certificates
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER        =3D 20180910
+VER        =3D 20181027
=20
 THISAPP    =3D ca-certificates
 DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
diff --git a/lfs/squid b/lfs/squid
index cae56407c..11b84d719 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_=
fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_l=
eak_when_parsing_SNMP_packet_313.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fi=
x-max-file-descriptors.patch
=20
 	cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_S=
ECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_inject=
ion_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
new file mode 100644
index 000000000..fadb1d48c
--- /dev/null
+++ b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_C=
ONNECT_FAIL_306.patch
@@ -0,0 +1,72 @@
+commit f1657a9decc820f748fa3aff68168d3145258031
+Author: Christos Tsantilas <christos(a)chtsanti.net>
+Date:   2018-10-17 15:14:07 +0000
+
+    Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
+   =20
+    %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped=
 when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL tem=
plate. This bug affects all
+    ERR_SECURE_CONNECT_FAIL page templates containing %D, including the defa=
ult template.
+   =20
+    Other error pages are not vulnerable because Squid does not populate %D =
with certificate details in other contexts (yet).
+   =20
+    Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
+   =20
+    TODO: If those certificate details become needed for ACL checks or other=
 non-HTML purposes, make their HTML-escaping conditional.
+   =20
+    This is a Measurement Factory project.
+
+diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
+index b5030e3..314e998 100644
+--- a/src/ssl/ErrorDetail.cc
++++ b/src/ssl/ErrorDetail.cc
+@@ -8,6 +8,8 @@
+=20
+ #include "squid.h"
+ #include "errorpage.h"
++#include "fatal.h"
++#include "html_quote.h"
+ #include "ssl/ErrorDetail.h"
+=20
+ #include <climits>
+@@ -432,8 +434,11 @@ const char  *Ssl::ErrorDetail::subject() const
+ {
+     if (broken_cert.get()) {
+         static char tmpBuffer[256]; // A temporary buffer
+-        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmp=
Buffer, sizeof(tmpBuffer)))
+-            return tmpBuffer;
++        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmp=
Buffer, sizeof(tmpBuffer))) {
++            // quote to avoid possible html code injection through
++            // certificate subject
++            return html_quote(tmpBuffer);
++        }
+     }
+     return "[Not available]";
+ }
+@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
+         static String tmpStr;  ///< A temporary string buffer
+         tmpStr.clean();
+         Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
+-        if (tmpStr.size())
+-            return tmpStr.termedBuf();
++        if (tmpStr.size()) {
++            // quote to avoid possible html code injection through
++            // certificate subject
++            return html_quote(tmpStr.termedBuf());
++        }
+     }
+     return "[Not available]";
+ }
+@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
+ {
+     if (broken_cert.get()) {
+         static char tmpBuffer[256]; // A temporary buffer
+-        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpB=
uffer, sizeof(tmpBuffer)))
+-            return tmpBuffer;
++        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpB=
uffer, sizeof(tmpBuffer))) {
++            // quote to avoid possible html code injection through
++            // certificate issuer subject
++            return html_quote(tmpBuffer);
++        }
+     }
+     return "[Not available]";
+ }
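Review bot: `#include "fatal.h"` is added at the top of ErrorDetail.cc but nothing in the visible hunks calls fatal(), so either the include is unneeded in this excerpt or the upstream commit carries context not shown here; worth checking when this is rebased onto a later 3.5 release. Separately, subject() and ca_name() used to return their own static tmpBuffer, and now all three accessors return whatever html_quote() hands back; if html_quote() reuses one shared buffer, a caller that holds the result of subject() across a call to ca_name() sees the issuer string instead, so the order in which errorpage.cc expands these fields for %D should be checked.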
diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_31=
3.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.p=
atch
new file mode 100644
index 000000000..2ae034c20
--- /dev/null
+++ b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
@@ -0,0 +1,22 @@
+commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
+Author: flozilla <fishyflow(a)gmail.com>
+Date:   2018-10-24 14:12:01 +0200
+
+    Fix memory leak when parsing SNMP packet (#313)
+   =20
+    SNMP queries denied by snmp_access rules and queries with certain
+    unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
+    queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
+
+diff --git a/src/snmp_core.cc b/src/snmp_core.cc
+index c4d21c1..16c2993 100644
+--- a/src/snmp_core.cc
++++ b/src/snmp_core.cc
+@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
+             snmpConstructReponse(rq);
+         } else {
+             debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED fro=
m : " << rq->from);
++            snmp_free_pdu(PDU);
+         }
+         xfree(Community);
+=20
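Review bot: the fix frees PDU only in the DENIED branch; the visible context shows the allowed branch handing rq to snmpConstructReponse(rq), which presumably takes over PDU from there, but nothing here shows the earlier parse-failure exits of snmpDecodePacket(). Confirm those paths also release PDU (or that PDU is not yet allocated at that point), since the commit message only covers denied queries and certain unsupported SNMPv2 commands and the same leak pattern would apply to any other early exit after the PDU is built.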


hooks/post-receive
--
IPFire 2.x development tree
