commit d901b97ce81f4b00eda2f363518ae0aa3f66a49f Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 11:17:36 2019 -0400 Package init diff --git a/CVE-2019-12525.patch b/CVE-2019-12525.patch new file mode 100644 index 0000000..28ae9cb --- /dev/null +++ b/CVE-2019-12525.patch @@ -0,0 +1,32 @@ +From 409956536647b3a05ee1e367424a24ae6b8f13fd Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Sat, 8 Jun 2019 21:09:23 +0000 +Subject: [PATCH] Fix Digest auth parameter parsing (#415) + +Only remove quoting if the domain=, uri= or qop= parameter +value is surrounded by double-quotes. +--- + src/auth/digest/Config.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc +index a8a07cd4db..b547bf83d3 100644 +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -787,14 +787,14 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm) + if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) { + // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"' + // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain +- if (*p == '"' && *(p + vlen -1) == '"') { ++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') { + value.limitInit(p+1, vlen-2); + } + } else if (keyName == SBuf("qop",3)) { + // qop is more special. + // On request this must not be quoted-string de-quoted. But is several values wrapped in '"' + // On response this is a single un-quoted token. +- if (*p == '"' && *(p + vlen -1) == '"') { ++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') { + value.limitInit(p+1, vlen-2); + } else { + value.limitInit(p, vlen); diff --git a/CVE-2019-12527.patch b/CVE-2019-12527.patch new file mode 100644 index 0000000..ecf395a --- /dev/null +++ b/CVE-2019-12527.patch 
@@ -0,0 +1,144 @@ +From 7f73e9c5d17664b882ed32590e6af310c247f320 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 19 Jun 2019 05:58:36 +0000 +Subject: [PATCH] Update HttpHeader::getAuth to SBuf (#416) + +Replace the fixed-size buffer for decoding base64 tokens with an +SBuf to avoid decoder issues on large inputs. + +Update callers to SBuf API operations for more efficient memory +management. +--- + src/HttpHeader.cc | 25 ++++++++++++++----------- + src/HttpHeader.h | 2 +- + src/cache_manager.cc | 13 +++++++------ + src/clients/FtpGateway.cc | 2 +- + 4 files changed, 23 insertions(+), 19 deletions(-) + +diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc +index 9f747f9958..dd320d5629 100644 +--- a/src/HttpHeader.cc ++++ b/src/HttpHeader.cc +@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const + return cr; + } + +-const char * +-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const ++SBuf ++HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const + { + const char *field; + int l; + assert(auth_scheme); + field = getStr(id); + ++ static const SBuf nil; + if (!field) /* no authorization field */ +- return NULL; ++ return nil; + + l = strlen(auth_scheme); + + if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */ +- return NULL; ++ return nil; + + field += l; + + if (!xisspace(*field)) /* wrong scheme */ +- return NULL; ++ return nil; + + /* skip white space */ + for (; field && xisspace(*field); ++field); + + if (!*field) /* no authorization cookie */ +- return NULL; ++ return nil; + +- static char decodedAuthToken[8192]; ++ const auto fieldLen = strlen(field); ++ SBuf result; ++ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen)); + struct base64_decode_ctx ctx; + base64_decode_init(&ctx); + size_t decodedLen = 0; +- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) || ++ if (!base64_decode_update(&ctx, &decodedLen, 
reinterpret_cast(decodedAuthToken), fieldLen, field) || + !base64_decode_final(&ctx)) { +- return NULL; ++ return nil; + } +- decodedAuthToken[decodedLen] = '\0'; +- return decodedAuthToken; ++ result.rawAppendFinish(decodedAuthToken, decodedLen); ++ return result; + } + + ETag +diff --git a/src/HttpHeader.h b/src/HttpHeader.h +index 64fd2781e4..35a941058c 100644 +--- a/src/HttpHeader.h ++++ b/src/HttpHeader.h +@@ -134,7 +134,7 @@ class HttpHeader + HttpHdrRange *getRange() const; + HttpHdrSc *getSc() const; + HttpHdrContRange *getContRange() const; +- const char *getAuth(Http::HdrType id, const char *auth_scheme) const; ++ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const; + ETag getETag(Http::HdrType id) const; + TimeOrTag getTimeOrTag(Http::HdrType id) const; + int hasListMember(Http::HdrType id, const char *member, const char separator) const; +diff --git a/src/cache_manager.cc b/src/cache_manager.cc +index f88cd1c46b..3556a44618 100644 +--- a/src/cache_manager.cc ++++ b/src/cache_manager.cc +@@ -27,6 +27,7 @@ + #include "mgr/FunAction.h" + #include "mgr/QueryParams.h" + #include "protos.h" ++#include "sbuf/StringConvert.h" + #include "SquidConfig.h" + #include "SquidTime.h" + #include "Store.h" +@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m + // TODO: use the authentication system decode to retrieve these details properly. 
+ + /* base 64 _decoded_ user:passwd pair */ +- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic"); ++ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); + +- if (!basic_cookie) ++ if (basic_cookie.isEmpty()) + return; + +- const char *passwd_del; +- if (!(passwd_del = strchr(basic_cookie, ':'))) { ++ const auto colonPos = basic_cookie.find(':'); ++ if (colonPos == SBuf::npos) { + debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'"); + return; + } + + /* found user:password pair, reset old values */ +- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie); +- params.password = passwd_del + 1; ++ params.userName = SBufToString(basic_cookie.substr(0, colonPos)); ++ params.password = SBufToString(basic_cookie.substr(colonPos+1)); + + /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */ + debugs(16, 9, "CacheManager::ParseHeaders: got user: '" << +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index 9afe3781cd..140c441394 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -1039,7 +1039,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr) + + #if HAVE_AUTH_MODULE_BASIC + /* Check HTTP Authorization: headers (better than defaults, but less than URL) */ +- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic")); ++ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); + if (!auth.isEmpty()) { + flags.authenticated = 1; + loginParser(auth, false); diff --git a/CVE-2019-12529.patch b/CVE-2019-12529.patch new file mode 100644 index 0000000..ddd1c47 --- /dev/null +++ b/CVE-2019-12529.patch 
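Review bot: As rendered here, the template argument is missing from `reinterpret_cast(decodedAuthToken)` in the HttpHeader.cc hunk of CVE-2019-12527.patch, and the same truncation shows in CVE-2019-12529.patch (`static_cast(xmalloc(...))`), CVE-2019-12854.patch, squid-3.5.9-include-guards.patch (`#include` with no header name) and squid-4.0.21-large-acl.patch (`std::list &curlist`, bare `template`). This is almost certainly the page stripping angle-bracket text rather than the stored files, but these files are exactly what the build feeds to patch, so the committed copies should be checked against the upstream commit ids quoted in their headers before the package is relied on. Nothing else in this patch's new code looks wrong: the decoded token now lives in an SBuf sized by BASE64_DECODE_LENGTH(fieldLen), which is the fix the upstream commit describes.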
@@ -0,0 +1,225 @@ +Backport of: + +From dd46b5417809647f561d8a5e0e74c3aacd235258 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Tue, 21 May 2019 21:31:31 +0000 +Subject: [PATCH] Replace uudecode with libnettle base64 decoder (#406) + +Since RFC 7235 updated the HTTP Authentication credentials token +to the token68 characterset it is possible that characters +uudecode cannot cope with are received. + +The Nettle decoder better handles characters which are valid but +not to be used for Basic auth token. +--- + include/uudecode.h | 21 ------------ + lib/Makefile.am | 3 +- + lib/uudecode.c | 73 ---------------------------------------- + src/auth/basic/Config.cc | 20 ++++++++--- + 4 files changed, 17 insertions(+), 100 deletions(-) + delete mode 100644 include/uudecode.h + delete mode 100644 lib/uudecode.c + +Index: squid-4.4/lib/Makefile.am +=================================================================== +--- squid-4.4.orig/lib/Makefile.am 2019-07-16 12:03:04.428684097 -0400 ++++ squid-4.4/lib/Makefile.am 2019-07-16 12:03:04.424684101 -0400 +@@ -61,8 +61,7 @@ libmiscencoding_la_SOURCES = \ + html_quote.c \ + md5.c \ + rfc1738.c \ +- rfc2617.c \ +- uudecode.c ++ rfc2617.c + + libmisccontainers_la_SOURCES = \ + hash.cc +Index: squid-4.4/src/auth/basic/Config.cc +=================================================================== +--- squid-4.4.orig/src/auth/basic/Config.cc 2019-07-16 12:03:04.428684097 -0400 ++++ squid-4.4/src/auth/basic/Config.cc 2019-07-16 12:03:04.424684101 -0400 +@@ -20,6 +20,7 @@ + #include "auth/CredentialsCache.h" + #include "auth/Gadgets.h" + #include "auth/State.h" ++#include "base64.h" + #include "cache_cf.h" + #include "charset.h" + #include "helper.h" +@@ -30,7 +31,6 @@ + #include "SquidTime.h" + #include "Store.h" + #include "util.h" +-#include "uudecode.h" + #include "wordlist.h" + + /* Basic Scheme */ +@@ -169,10 +169,17 @@ Auth::Basic::Config::decodeCleartext(con + // XXX: really? is the \n actually still there? 
does the header parse not drop it? + char *eek = xstrdup(proxy_auth); + strtok(eek, "\n"); +- char *cleartext = uudecode(eek); +- safe_free(eek); + +- if (cleartext) { ++ const size_t srcLen = strlen(eek); ++ char *cleartext = static_cast(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1)); ++ ++ struct base64_decode_ctx ctx; ++ base64_decode_init(&ctx); ++ ++ size_t dstLen = 0; ++ if (base64_decode_update(&ctx, &dstLen, reinterpret_cast(cleartext), srcLen, eek) && base64_decode_final(&ctx)) { ++ cleartext[dstLen] = '\0'; ++ + /* + * Don't allow NL or CR in the credentials. + * Oezguer Kesim +@@ -183,7 +190,12 @@ Auth::Basic::Config::decodeCleartext(con + debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'"); + safe_free(cleartext); + } ++ } else { ++ debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'"); ++ safe_free(cleartext); + } ++ ++ safe_free(eek); + return cleartext; + } + +Index: squid-4.4/include/uudecode.h +=================================================================== +--- squid-4.4.orig/include/uudecode.h 2019-07-16 12:03:04.428684097 -0400 ++++ /dev/null 1970-01-01 00:00:00.000000000 +0000 +@@ -1,21 +0,0 @@ +-/* +- * Copyright (C) 1996-2018 The Squid Software Foundation and contributors +- * +- * Squid software is distributed under GPLv2+ license and includes +- * contributions from numerous individuals and organizations. +- * Please see the COPYING and CONTRIBUTORS files for details. 
+- */ +- +-#ifndef _SQUID_UUDECODE_H +-#define _SQUID_UUDECODE_H +- +-#ifdef __cplusplus +-extern "C" +-#else +-extern +-#endif +- +-char *uudecode(const char *); +- +-#endif /* _SQUID_UUDECODE_H */ +- +Index: squid-4.4/lib/uudecode.c +=================================================================== +--- squid-4.4.orig/lib/uudecode.c 2019-07-16 12:03:04.428684097 -0400 ++++ /dev/null 1970-01-01 00:00:00.000000000 +0000 +@@ -1,73 +0,0 @@ +-/* +- * Copyright (C) 1996-2018 The Squid Software Foundation and contributors +- * +- * Squid software is distributed under GPLv2+ license and includes +- * contributions from numerous individuals and organizations. +- * Please see the COPYING and CONTRIBUTORS files for details. +- */ +- +-#include "squid.h" +-#include "uudecode.h" +- +-/* aaaack but it's fast and const should make it shared text page. */ +-const int pr2six[256] = { +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, +- 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, +- 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27, +- 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, +- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64 +-}; +- +-char * +-uudecode(const char *bufcoded) +-{ +- int 
nbytesdecoded; +- const unsigned char *bufin; +- char *bufplain; +- unsigned char *bufout; +- int nprbytes; +- +- /* Strip leading whitespace. */ +- +- while (*bufcoded == ' ' || *bufcoded == '\t') +- bufcoded++; +- +- /* Figure out how many characters are in the input buffer. +- * Allocate this many from the per-transaction pool for the result. +- */ +- bufin = (const unsigned char *) bufcoded; +- while (pr2six[*(bufin++)] <= 63); +- nprbytes = (const char *) bufin - bufcoded - 1; +- nbytesdecoded = ((nprbytes + 3) / 4) * 3; +- +- bufplain = xmalloc(nbytesdecoded + 1); +- bufout = (unsigned char *) bufplain; +- bufin = (const unsigned char *) bufcoded; +- +- while (nprbytes > 0) { +- *(bufout++) = +- (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); +- *(bufout++) = +- (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); +- *(bufout++) = +- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); +- bufin += 4; +- nprbytes -= 4; +- } +- +- if (nprbytes & 03) { +- if (pr2six[bufin[-2]] > 63) +- nbytesdecoded -= 2; +- else +- nbytesdecoded -= 1; +- } +- bufplain[nbytesdecoded] = '\0'; +- return bufplain; +-} +- +Index: squid-4.4/lib/Makefile.in +=================================================================== +--- squid-4.4.orig/lib/Makefile.in 2018-10-27 21:50:06.000000000 -0400 ++++ squid-4.4/lib/Makefile.in 2019-07-16 12:03:48.588632154 -0400 +@@ -185,7 +185,7 @@ am__v_lt_0 = --silent + am__v_lt_1 = + libmiscencoding_la_LIBADD = + am_libmiscencoding_la_OBJECTS = base64.lo charset.lo html_quote.lo \ +- md5.lo rfc1738.lo rfc2617.lo uudecode.lo ++ md5.lo rfc1738.lo rfc2617.lo + libmiscencoding_la_OBJECTS = $(am_libmiscencoding_la_OBJECTS) + libmiscutil_la_LIBADD = + am_libmiscutil_la_OBJECTS = getfullhostname.lo heap.lo iso3307.lo \ +@@ -836,8 +835,7 @@ libmiscencoding_la_SOURCES = \ + html_quote.c \ + md5.c \ + rfc1738.c \ +- rfc2617.c \ +- uudecode.c ++ rfc2617.c + + libmisccontainers_la_SOURCES = \ + hash.cc +@@ -970,7 +968,6 @@ 
distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sspwin32.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stub_memaccount.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uudecode.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xusleep.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/testRFC1738.Po@am__quote@ + diff --git a/CVE-2019-12854.patch b/CVE-2019-12854.patch new file mode 100644 index 0000000..23a5774 --- /dev/null +++ b/CVE-2019-12854.patch 
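Review bot: The new `else` branch in decodeCleartext (src/auth/basic/Config.cc hunk of CVE-2019-12529.patch) logs the full `httpAuthHeader` at debug level 2 when Base64 decoding fails; that value is the raw Basic credential token, often only slightly malformed, so a `debug_options 29,2` setting writes credentials to cache.log. The pre-existing DBG_IMPORTANT warning on the bad-characters path does the same, so this is not behaviour the backport introduces, but the level-2 line makes it much easier to hit; logging only the size, e.g. `debugs(29, 2, "WARNING: Invalid Base64 character in authorization header (" << srcLen << " bytes)");`, keeps the diagnostic without the secret. It is also worth confirming that `safe_free()` nulls `cleartext` on both failure paths, since `return cleartext;` follows them; that is what Squid's safe_free macro does to my knowledge, but the macro is outside this patch.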
@@ -0,0 +1,43 @@ +commit 2981a957716c61ff7e21eee1d7d6eb5a237e466d +Author: Amos Jeffries +Date: 2019-05-18 17:02:33 +0000 + + Bug 4937: cachemgr.cgi: unallocated memory access (#407) + + ... after base64_decode_update + + Ensure that a terminator exists for the decoded string before + using str*() syscalls. + +diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc +index 0e5d4f1..1a05cb4 100644 +--- a/tools/cachemgr.cc ++++ b/tools/cachemgr.cc +@@ -1091,7 +1091,6 @@ make_pub_auth(cachemgr_request * req) + static void + decode_pub_auth(cachemgr_request * req) + { +- char *buf; + const char *host_name; + const char *time_str; + const char *user_name; +@@ -1103,16 +1102,17 @@ decode_pub_auth(cachemgr_request * req) + if (!req->pub_auth || strlen(req->pub_auth) < 4 + strlen(safe_str(req->hostname))) + return; + +- size_t decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth)); +- buf = (char*)xmalloc(decodedLen); ++ char *buf = static_cast(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1)); + struct base64_decode_ctx ctx; + base64_decode_init(&ctx); ++ size_t decodedLen = 0; + if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(buf), strlen(req->pub_auth), req->pub_auth) || + !base64_decode_final(&ctx)) { + debug("cmgr: base64 decode failure. Incomplete auth token string.\n"); + xfree(buf); + return; + } ++ buf[decodedLen] = '\0'; + + debug("cmgr: length ok\n"); + diff --git a/CVE-2019-13345.patch b/CVE-2019-13345.patch new file mode 100644 index 0000000..c2c160c --- /dev/null +++ b/CVE-2019-13345.patch 
@@ -0,0 +1,75 @@ +From be1dc8614e7514103ba84d4067ed6fd15ab8f82e Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Fri, 5 Jul 2019 03:17:26 +0000 +Subject: [PATCH] Bug 4957: Multiple XSS issues in cachemgr.cgi (#429) + +The cachemgr.cgi web module of the squid proxy is vulnerable +to XSS issue. The vulnerable parameters "user_name" and "auth" +have insufficient sanitization in place. +--- + tools/cachemgr.cc | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +Index: squid-4.6/tools/cachemgr.cc +=================================================================== +--- squid-4.6.orig/tools/cachemgr.cc 2019-07-11 13:05:23.027988071 -0400 ++++ squid-4.6/tools/cachemgr.cc 2019-07-11 13:05:23.027988071 -0400 +@@ -355,7 +355,7 @@ auth_html(const char *host, int port, co + + printf("Manager name:\n", user_name); ++ printf("size=\"30\" VALUE=\"%s\">\n", rfc1738_escape(user_name)); + + printf("Password:hostname, + req->port, +- safe_str(req->user_name), ++ rfc1738_escape(safe_str(req->user_name)), + action, + safe_str(req->pub_auth)); + return url; +@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req) + const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s", + req->hostname, + (int) now, +- req->user_name ? 
req->user_name : "", +- req->passwd); ++ rfc1738_escape(safe_str(req->user_name)), ++ rfc1738_escape(req->passwd)); + debug("cmgr: pre-encoded for pub: %s\n", buf); + + const int encodedLen = base64_encode_len(bufLen); +@@ -1094,7 +1094,5 @@ decode_pub_auth(cachemgr_request * req) + const char *host_name; + const char *time_str; +- const char *user_name; +- const char *passwd; + + debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth)); + safe_free(req->passwd); +@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req) + + debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now); + ++ char *user_name; + if ((user_name = strtok(NULL, "|")) == NULL) { + xfree(buf); + return; + } ++ rfc1738_unescape(user_name); + + debug("cmgr: decoded uname: '%s'\n", user_name); + ++ char *passwd; + if ((passwd = strtok(NULL, "|")) == NULL) { + xfree(buf); + return; + } ++ rfc1738_unescape(passwd); + + debug("cmgr: decoded passwd: '%s'\n", passwd); + diff --git a/cache_swap.sh b/cache_swap.sh new file mode 100644 index 0000000..5e94072 --- /dev/null +++ b/cache_swap.sh @@ -0,0 +1,16 @@ +#!/bin/bash +if [ -f /etc/sysconfig/squid ]; then + . /etc/sysconfig/squid +fi + +SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"} + +CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \ + grep cache_dir | awk '{ print $3 }'` + +for adir in $CACHE_SWAP; do + if [ ! -d $adir/00 ]; then + echo -n "init_cache_dir $adir... " + squid -N -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1 + fi +done diff --git a/perl-requires-squid.sh b/perl-requires-squid.sh new file mode 100755 index 0000000..029e7b9 --- /dev/null +++ b/perl-requires-squid.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +/usr/lib/rpm/perl.req $* | grep -v "Authen::Smb" diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch new file mode 100644 index 0000000..052b8d7 --- /dev/null +++ b/squid-3.0.STABLE1-perlpath.patch 
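Review bot: In the make_pub_auth hunk of CVE-2019-13345.patch, `rfc1738_escape()` is now called twice inside one `snprintf` argument list, once for the user name and once for the password. If rfc1738_escape returns a pointer into a single static buffer, as Squid's lib/rfc1738.c implementation does to my knowledge, both arguments end up pointing at the same buffer holding whichever value was escaped last (argument evaluation order is unspecified), so the encoded pub_auth token carries one credential twice and decode_pub_auth later unescapes the wrong field. Escaping each value into its own `std::string` (or an xstrdup'd copy that is freed after the snprintf) before building the buffer avoids that; the decode side, which calls `rfc1738_unescape` on two separate strtok results in place, is fine. make_pub_auth's body begins before the hunk, so the declaration of `buf` is not visible here.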
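Review bot: cache_swap.sh expands `$SQUID_CONF` and `$adir` unquoted and selects lines with a bare `grep cache_dir`, so any configuration line merely containing that token contributes a bogus third field to CACHE_SWAP, and a directory path with whitespace is split into several. Because squid.service runs this script as root via ExecStartPre, a misparsed path means `squid -z` initialises an unintended directory. Anchoring the match and quoting fixes both: `grep -E '^[[:space:]]*cache_dir[[:space:]]'`, `if [ ! -d "$adir/00" ]; then` and `-f "$SQUID_CONF"`. The `00` subdirectory test also presumes a ufs/aufs/diskd layout; a rock `cache_dir` creates no such directory and would be re-initialised on every start, though I cannot tell from here whether rock stores are expected with this package's default configuration.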
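Review bot: perl-requires-squid.sh forwards its arguments with unquoted `$*`, which re-splits any argument containing whitespace before it reaches perl.req; `"$@"` preserves the original argument boundaries. The one-line form is `/usr/lib/rpm/perl.req "$@" | grep -v "Authen::Smb"`.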
@@ -0,0 +1,10 @@ +diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl +index 90ac6a4..8dbed90 100755 +--- a/contrib/url-normalizer.pl ++++ b/contrib/url-normalizer.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -Tw ++#!/usr/bin/perl -Tw + # + # * Copyright (C) 1996-2018 The Squid Software Foundation and contributors + # * diff --git a/squid-3.1.0.9-location.patch b/squid-3.1.0.9-location.patch new file mode 100644 index 0000000..4abd519 --- /dev/null +++ b/squid-3.1.0.9-location.patch @@ -0,0 +1,32 @@ +diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART +--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200 ++++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200 +@@ -10,10 +10,9 @@ After you retrieved, compiled and instal + INSTALL in the same directory), you have to configure the squid.conf + file. This is the list of the values you *need* to change, because no + sensible defaults could be defined. Do not touch the other variables +-for now. We assume you have installed Squid in the default location: +-/usr/local/squid ++for now. + +-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf: ++Uncomment and edit the following lines in /etc/squid/squid.conf: + + ============================================================================== + +@@ -82,12 +81,12 @@ After editing squid.conf to your liking, + line TWICE: + + To create any disk cache_dir configured: +- % /usr/local/squid/sbin/squid -z ++ % /usr/sbin/squid -z + + To start squid: +- % /usr/local/squid/sbin/squid ++ % /usr/sbin/squid + +-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that ++Check in the cache.log (/var/log/squid/cache.log) that + everything is all right. + + Once Squid created all its files (it can take several minutes on some diff --git a/squid-3.5.9-include-guards.patch b/squid-3.5.9-include-guards.patch new file mode 100644 index 0000000..e2d4ff9 --- /dev/null +++ b/squid-3.5.9-include-guards.patch 
@@ -0,0 +1,95 @@ +------------------------------------------------------------ +revno: 14311 +revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr +------------------------------------------------------------ +revno: 14311 +revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 +author: Francesco Chemolli +committer: Amos Jeffries +branch nick: trunk +timestamp: Thu 2015-09-24 06:05:37 -0700 +message: + Bug 4323: Netfilter broken cross-includes with Linux 4.2 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ +# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b +# timestamp: 2015-09-24 13:06:33 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk +# base_revision_id: squid3@treenet.co.nz-20150924032241-\ +# 6cx3g6hwz9xfoybr +# +# Begin patch +=== modified file 'compat/os/linux.h' +--- compat/os/linux.h 2015-01-13 07:25:36 +0000 ++++ compat/os/linux.h 2015-09-24 13:05:37 +0000 +@@ -30,6 +30,21 @@ + #endif + + /* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ ++/* + * sys/capability.h is only needed in Linux apparently. 
+ * + * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 +author: Francesco Chemolli +committer: Amos Jeffries +branch nick: trunk +timestamp: Thu 2015-09-24 06:05:37 -0700 +message: + Bug 4323: Netfilter broken cross-includes with Linux 4.2 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ +# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b +# timestamp: 2015-09-24 13:06:33 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk +# base_revision_id: squid3@treenet.co.nz-20150924032241-\ +# 6cx3g6hwz9xfoybr +# +# Begin patch +=== modified file 'compat/os/linux.h' +--- compat/os/linux.h 2015-01-13 07:25:36 +0000 ++++ compat/os/linux.h 2015-09-24 13:05:37 +0000 +@@ -30,6 +30,21 @@ + #endif + + /* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include ++#endif ++ ++/* + * sys/capability.h is only needed in Linux apparently. + * + * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc + diff --git a/squid-4.0.11-config.patch b/squid-4.0.11-config.patch new file mode 100644 index 0000000..a4faae8 --- /dev/null +++ b/squid-4.0.11-config.patch 
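Review bot: squid-3.5.9-include-guards.patch contains its bzr header and the whole compat/os/linux.h hunk twice: the `@@ -30,6 +30,21 @@` block appears once after the first `# Begin patch` and again after the repeated `fixes bug:` metadata, and the outer hunk header's 95-line count matches that duplicated content, so this is the stored file rather than a rendering artefact. When fed to `patch`, the second copy is detected as already applied and, depending on the options the spec passes and whether stdin is a terminal, is either skipped with a warning or reported as a failed hunk that aborts the build. Dropping everything from the second `fixes bug:` line to the end of the file leaves a clean single-hunk patch. The spec that applies it is outside this view, so I cannot confirm which behaviour the build currently sees.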
@@ -0,0 +1,26 @@ +diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre +--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200 ++++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200 +@@ -4658,7 +4658,7 @@ DOC_END + + NAME: logfile_rotate + TYPE: int +-DEFAULT: 10 ++DEFAULT: 0 + LOC: Config.Log.rotateNumber + DOC_START + Specifies the default number of logfile rotations to make when you +@@ -6444,11 +6444,11 @@ COMMENT_END + + NAME: cache_mgr + TYPE: string +-DEFAULT: webmaster ++DEFAULT: root + LOC: Config.adminEmail + DOC_START + Email-address of local cache manager who will receive +- mail if the cache dies. The default is "webmaster". ++ mail if the cache dies. The default is "root". + DOC_END + + NAME: mail_from diff --git a/squid-4.0.21-large-acl.patch b/squid-4.0.21-large-acl.patch new file mode 100644 index 0000000..8aacf38 --- /dev/null +++ b/squid-4.0.21-large-acl.patch 
@@ -0,0 +1,178 @@ +diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc +index 01a4c12..b5c1679 100644 +--- a/src/acl/RegexData.cc ++++ b/src/acl/RegexData.cc +@@ -22,6 +22,7 @@ + #include "ConfigParser.h" + #include "Debug.h" + #include "sbuf/List.h" ++#include "sbuf/Algorithms.h" + + ACLRegexData::~ACLRegexData() + { +@@ -129,6 +130,18 @@ compileRE(std::list &curlist, const char * RE, int flags) + return true; + } + ++static bool ++compileRE(std::list &curlist, const SBufList &RE, int flags) ++{ ++ if (RE.empty()) ++ return curlist.empty(); // XXX: old code did this. It looks wrong. ++ SBuf regexp; ++ static const SBuf openparen("("), closeparen(")"), separator(")|("); ++ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen, ++ closeparen); ++ return compileRE(curlist, regexp.c_str(), flags); ++} ++ + /** Compose and compile one large RE from a set of (small) REs. + * The ultimate goal is to have only one RE per ACL so that match() is + * called only once per ACL. +@@ -137,16 +150,11 @@ static int + compileOptimisedREs(std::list &curlist, const SBufList &sl) + { + std::list newlist; +- int numREs = 0; ++ SBufList accumulatedRE; ++ int numREs = 0, reSize = 0; + int flags = REG_EXTENDED | REG_NOSUB; +- int largeREindex = 0; +- char largeRE[BUFSIZ]; +- *largeRE = 0; + + for (const SBuf & configurationLineWord : sl) { +- int RElen; +- RElen = configurationLineWord.length(); +- + static const SBuf minus_i("-i"); + static const SBuf plus_i("+i"); + if (configurationLineWord == minus_i) { +@@ -155,10 +163,11 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) + debugs(28, 2, "optimisation of -i ... 
-i" ); + } else { + debugs(28, 2, "-i" ); +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + flags |= REG_ICASE; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + } + } else if (configurationLineWord == plus_i) { + if ((flags & REG_ICASE) == 0) { +@@ -166,37 +175,34 @@ compileOptimisedREs(std::list &curlist, const SBufList &sl) + debugs(28, 2, "optimisation of +i ... +i"); + } else { + debugs(28, 2, "+i"); +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + flags &= ~REG_ICASE; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + } +- } else if (RElen + largeREindex + 3 < BUFSIZ-1) { ++ } else if (reSize < 1024) { + debugs(28, 2, "adding RE '" << configurationLineWord << "'"); +- if (largeREindex > 0) { +- largeRE[largeREindex] = '|'; +- ++largeREindex; +- } +- largeRE[largeREindex] = '('; +- ++largeREindex; +- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex); +- largeREindex += configurationLineWord.length(); +- largeRE[largeREindex] = ')'; +- ++largeREindex; +- largeRE[largeREindex] = '\0'; ++ accumulatedRE.push_back(configurationLineWord); + ++numREs; ++ reSize += configurationLineWord.length(); + } else { + debugs(28, 2, "buffer full, generating new optimised RE..." 
); +- if (!compileRE(newlist, largeRE, flags)) ++ accumulatedRE.push_back(configurationLineWord); ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; +- largeRE[largeREindex=0] = '\0'; ++ accumulatedRE.clear(); ++ reSize = 0; + continue; /* do the loop again to add the RE to largeRE */ + } + } + +- if (!compileRE(newlist, largeRE, flags)) ++ if (!compileRE(newlist, accumulatedRE, flags)) + return 0; + ++ accumulatedRE.clear(); ++ reSize = 0; ++ + /* all was successful, so put the new list at the tail */ + curlist.splice(curlist.end(), newlist); + +diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h +index 21ee889..338e9c0 100644 +--- a/src/sbuf/Algorithms.h ++++ b/src/sbuf/Algorithms.h +@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator) + return rv; + } + ++/** Join container of SBufs and append to supplied target ++ * ++ * append to the target SBuf all elements in the [begin,end) range from ++ * an iterable container, prefixed by prefix, separated by separator and ++ * followed by suffix. 
Prefix and suffix are added also in case of empty ++ * iterable ++ * ++ * \return the modified dest ++ */ ++template ++SBuf& ++JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin, ++ const ContainerIterator &end, const SBuf& separator, ++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) ++{ ++ if (begin == end) { ++ dest.append(prefix).append(suffix); ++ return dest; ++ } ++ ++ // optimization: pre-calculate needed storage ++ const SBuf::size_type totalContainerSize = ++ std::accumulate(begin, end, 0, SBufAddLength(separator)) + ++ dest.length() + prefix.length() + suffix.length(); ++ SBufReservationRequirements req; ++ req.minSpace = totalContainerSize; ++ dest.reserve(req); ++ ++ auto i = begin; ++ dest.append(prefix); ++ dest.append(*i); ++ ++i; ++ for (; i != end; ++i) ++ dest.append(separator).append(*i); ++ dest.append(suffix); ++ return dest; ++} ++ ++ ++/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf ++template ++SBuf ++JoinContainerToSBuf(const ContainerIterator &begin, ++ const ContainerIterator &end, const SBuf& separator, ++ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf()) ++{ ++ SBuf rv; ++ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix); ++} ++ ++ + namespace std { + /// default hash functor to support std::unordered_map + template <> diff --git a/squid-4.2.tar.xz b/squid-4.2.tar.xz new file mode 100644 index 0000000..a79bfe4 Binary files /dev/null and b/squid-4.2.tar.xz differ diff --git a/squid-4.2.tar.xz.asc b/squid-4.2.tar.xz.asc new file mode 100644 index 0000000..717a1bc --- /dev/null +++ b/squid-4.2.tar.xz.asc 
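Review bot: In JoinContainerIntoSBuf (sbuf/Algorithms.h hunk of squid-4.0.21-large-acl.patch), `std::accumulate(begin, end, 0, SBufAddLength(separator))` uses the literal `0` as the initial value, so the accumulator type is `int` rather than `SBuf::size_type` and the running total is narrowed on every step before being widened again on assignment to `totalContainerSize`; `std::accumulate(begin, end, SBuf::size_type(0), SBufAddLength(separator))` keeps the arithmetic in one type (assuming SBufAddLength takes and returns size_type — it is declared outside this hunk). In compileOptimisedREs the "buffer full" branch now pushes the word before compiling, so the trailing `continue; /* do the loop again to add the RE to largeRE */` comment is stale: nothing is re-done and `largeRE` no longer exists; `continue; // word already flushed with this batch` would be accurate. The `// XXX: old code did this. It looks wrong.` return in the new SBufList overload of compileRE also means that an accumulator left empty at the final flush (a list ending exactly on a flush) makes the optimised compile report failure and presumably fall back to the unoptimised path; that is inherited behaviour, so a follow-up rather than a blocker for this backport.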
@@ -0,0 +1,25 @@
+File: squid-4.2.tar.xz
+Date: Sun Aug 5 15:04:50 UTC 2018
+Size: 2426856
+MD5 : 2cf3f5f183d04322d798f98ea5ead43f
+SHA1: 77fd6f06e6028780faf85ba7e7e9aef0922e9dc0
+Key : CD6DBF8EF3B17D3E
+ B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAltnEhsACgkQzW2/jvOx
+fT5elRAAvdmTD1kxfE4CZEmp2SJ1KgfMaCXehFFtFYRbdi8oNYoN5u75mwgo2VO1
+WmBedYJ3c9UKyaqu5AIc60WRIE+boFBy0vvaJO5T+wl3Ay1SKkuS5253dllxg6RT
+r+1Kh9j72rchyBTerWClAydH5PRc9r5fNOzufJGTV8s/SCoAD+dxZHFZT6kad9U1
+n0+vcOM1I8dJCVNDakTXqY0zou/gURLfl7EJW/PYkHatJitXazoRVPROF0G1U4Xh
++/wDGj+1+bUEj7K4YIJ2/LfftnVY+c85UiG7URFZ32uNJx8aM7zevfSePdgN6U7c
+DUBvtIScI/b2NOgp3scNKuDFs61aLIx8qOjXa603xQs2xbsufCaTv8vFnEz/oO0F
++924pcT3Fbh3vYe3iWP9MejaFf2dDF+1OAGt2sY/LX10VO68bEGpF0fAWGbyDEOC
+HGk5cNdfUIK3TISbTOGzG7X3ysZ+5/UxtX4Q1y7x9vBVXGfdZrixfWG9BZkcYyxz
+SvykpFe9WvNw1zoIUED/8Sf1FgK0f+WGrpyCnDSDnUrJ26NZOtTkXkJgf239yNBH
+KUNgaTxH20Ix8mPGDohT5QgmvpULz0r5ZecHkeoYzyxvF8c6EFOdVt6Iq4jdOT3v
+QpcZhfxQhg8yklE+cQjbD0Qywc0QIu19Uzh5URDu4UrarsVVpKM=
+=I3Em
+-----END PGP SIGNATURE-----
diff --git a/squid.logrotate b/squid.logrotate
new file mode 100644
index 0000000..4a0406f
--- /dev/null
+++ b/squid.logrotate
@@ -0,0 +1,16 @@
+/var/log/squid/*.log {
+ weekly
+ rotate 5
+ compress
+ notifempty
+ missingok
+ nocreate
+ sharedscripts
+ postrotate
+ # Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf)
+ # errors redirected to make it silent if squid is not running
+ /usr/sbin/squid -k rotate 2>/dev/null
+ # Wait a little to allow Squid to catch up before the logs is compressed
+ sleep 1
+ endscript
+}
diff --git a/squid.nm b/squid.nm
new file mode 100755
index 0000000..5e40f76
--- /dev/null
+++ b/squid.nm
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+case "$2" in
+ up|down|vpn-up|vpn-down)
+ /bin/systemctl -q reload squid.service || :
+ ;;
+esac
diff --git a/squid.pam b/squid.pam
new file mode 100644
index 0000000..1d78594
--- /dev/null
+++ b/squid.pam
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth include password-auth
+account include password-auth
diff --git a/squid.service b/squid.service
new file mode 100644
index 0000000..da1c0ea
--- /dev/null
+++ b/squid.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Squid caching proxy
+After=network.target nss-lookup.target
+
+[Service]
+Type=forking
+LimitNOFILE=16384
+EnvironmentFile=/etc/sysconfig/squid
+ExecStartPre=/usr/libexec/squid/cache_swap.sh
+ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
+ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/squid.spec b/squid.spec
new file mode 100644
index 0000000..8559387
--- /dev/null
+++ b/squid.spec
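Review bot: `TimeoutSec=0` in the [Service] section of squid.service disables both the start and the stop timeout, so a `squid -k shutdown` that never completes is waited on indefinitely, while the `SQUID_SHUTDOWN_TIMEOUT=100` that squid.sysconfig (the last hunk of this commit) defines as "time to wait for Squid to shut down" is read by nothing in this unit. Either bound the stop side explicitly, e.g. `TimeoutStopSec=100`, or note in squid.sysconfig that SQUID_SHUTDOWN_TIMEOUT has no effect under systemd. With `Type=forking` and no `PIDFile=`, systemd also has to guess the main process; squid.spec configures `--with-pidfile='%{_localstatedir}/run/squid.pid'`, so a `PIDFile=` pointing at that path would make supervision deterministic (confirm the expanded path on the target).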
@@ -0,0 +1,232 @@
+%define __perl_requires %{SOURCE8}
+
+Name: squid
+Version: 4.2
+Release: 3
+Summary: The Squid proxy caching server
+Epoch: 7
+License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
+URL: http://www.squid-cache.org
+Source0: http://www.squid-cache.org/Versions/v4/squid-4.2.tar.xz
+Source1: http://www.squid-cache.org/Versions/v4/squid-4.2.tar.xz.asc
+Source2: squid.logrotate
+Source3: squid.sysconfig
+Source4: squid.pam
+Source5: squid.nm
+Source6: squid.service
+Source7: cache_swap.sh
+Source8: perl-requires-squid.sh
+
+Patch0: squid-4.0.11-config.patch
+Patch1: squid-3.1.0.9-location.patch
+Patch2: squid-3.0.STABLE1-perlpath.patch
+Patch3: squid-3.5.9-include-guards.patch
+Patch4: squid-4.0.21-large-acl.patch
+
+Patch6000: CVE-2019-12525.patch
+Patch6001: CVE-2019-12527.patch
+Patch6002: CVE-2019-12529.patch
+Patch6003: CVE-2019-12854.patch
+Patch6004: CVE-2019-13345.patch
+
+Buildroot: %{_tmppath}/squid-4.2-2-root-%(%{__id_u} -n)
+Requires: bash >= 2.0
+Requires(pre): shadow-utils
+Requires(post): /sbin/chkconfig
+Requires(preun): /sbin/chkconfig
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+BuildRequires: openldap-devel pam-devel openssl-devel krb5-devel libdb-devel expat-devel
+BuildRequires: libxml2-devel libcap-devel libecap-devel gcc-c++ libtool libtool-ltdl-devel
+BuildRequires: perl-generators pkgconfig(cppunit) autoconf
+
+%description
+Squid is a high-performance proxy caching server. It handles all requests in a single,
+non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.
+ +%prep +%setup -q +%patch0 -p1 -b .config +%patch1 -p1 -b .location +%patch2 -p1 -b .perlpath +%patch3 -p0 -b .include-guards +%patch4 -p1 -b .large_acl + +%patch6000 -p1 +%patch6001 -p1 +%patch6002 -p1 +%patch6003 -p1 +%patch6004 -p1 + +%build +autoconf + +CXXFLAGS="$RPM_OPT_FLAGS -fPIC" +CFLAGS="$RPM_OPT_FLAGS -fPIC" +LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel" + +%configure \ + --exec_prefix=%{_prefix} --libexecdir=%{_libdir}/squid \ + --localstatedir=%{_localstatedir} --datadir=%{_datadir}/squid \ + --sysconfdir=%{_sysconfdir}/squid --with-logdir='%{_localstatedir}/log/squid' \ + --with-pidfile='%{_localstatedir}/run/squid.pid' \ + --disable-dependency-tracking --enable-eui \ + --enable-follow-x-forwarded-for --enable-auth \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \ + --enable-auth-ntlm="SMB_LM,fake" --enable-auth-digest="file,LDAP" \ + --enable-auth-negotiate="kerberos" \ + --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \ + --enable-storeid-rewrite-helpers="file" --enable-cache-digests \ + --enable-cachemgr-hostname=localhost --enable-delay-pools \ + --enable-epoll --enable-icap-client --enable-ident-lookups \ + %ifnarch %{power64} ia64 x86_64 s390x aarch64 + --with-large-files \ + %endif + --enable-linux-netfilter --enable-removal-policies="heap,lru" \ + --enable-snmp --enable-ssl --enable-ssl-crtd \ + --enable-storeio="aufs,diskd,ufs,rock" --enable-diskio --enable-wccpv2 \ + --enable-esi --enable-ecap --with-aio --with-default-user="squid" \ + --with-dl --with-openssl --with-pthreads --disable-arch-native \ + --with-pic --disable-security-cert-validators + +make DEFAULT_SWAP_DIR=%{_localstatedir}/spool/squid %{?_smp_mflags} + +%check +make check + +%install +rm -rf $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install +echo " +# +# This is %{_sysconfdir}/httpd/conf.d/squid.conf +# + +ScriptAlias 
/Squid/cgi-bin/cachemgr.cgi %{_libdir}/squid/cachemgr.cgi + +# Only allow access from localhost by default + + Require local + # Add additional allowed hosts as needed + # Require host example.com +" > $RPM_BUILD_ROOT/squid.httpd.tmp + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d +mkdir -p $RPM_BUILD_ROOT%{_unitdir} +mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d +install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid +install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid +install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid +install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir} +install -m 755 %{SOURCE7} $RPM_BUILD_ROOT%{_libexecdir}/squid +install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/squid +chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl +iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp +mv -f ChangeLog.tmp ChangeLog + +mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} +cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf </dev/null 2>&1; then + /usr/sbin/groupadd -g 23 squid +fi + +if ! getent passwd squid >/dev/null 2>&1 ; then + /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 +fi + +for i in /var/log/squid /var/spool/squid ; do + if [ -d $i ] ; then + for adir in `find $i -maxdepth 0 \! 
-user squid`; do
+ chown -R squid:squid $adir
+ done
+ fi
+done
+
+exit 0
+
+%post
+%systemd_post squid.service
+
+%preun
+%systemd_preun squid.service
+
+%postun
+%systemd_postun_with_restart squid.service
+
+%triggerin -- samba-common
+if ! getent group wbpriv >/dev/null 2>&1 ; then
+ /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || :
+fi
+/usr/sbin/usermod -a -G wbpriv squid >/dev/null 2>&1 || \
+ chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
+
+%changelog
+* Wed Sep 25 2019 majun - 4.2-3
+- Type:cves
+- ID:CVE-2019-12525 CVE-2019-12527 CVE-2019-12529 CVE-2019-12854 CVE-2019-13345
+- SUG:restart
+- DESC:fix cves
+
+* Thu Sep 12 2019 openEuler Buildteam - 4.2-2
+- Package init
diff --git a/squid.sysconfig b/squid.sysconfig
new file mode 100644
index 0000000..3864bd8
--- /dev/null
+++ b/squid.sysconfig
@@ -0,0 +1,9 @@
+# default squid options
+SQUID_OPTS=""
+
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=100
+
+# default squid conf file
+SQUID_CONF="/etc/squid/squid.conf"
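Review bot: Source1 brings in squid-4.2.tar.xz.asc, but %prep only runs %setup and the patch applications, so the detached upstream signature is packaged and never checked against Source0; a verification step ahead of %setup, e.g. `%{gpgverify} --keyring=%{SOURCE<keyring-index>} --signature=%{SOURCE1} --data=%{SOURCE0}` with the upstream public key added as a further Source (placeholder index), would make tarball integrity part of the build rather than a file nobody reads. The Buildroot tag still names `squid-4.2-2-root` while Release is 3, and `Requires(post)/(preun): /sbin/chkconfig` sit next to the systemd scriptlet macros; neither breaks anything, but both read as leftovers. The %install heredoc and the region between the tmpfiles `cat >` and `%pre` appear garbled in this rendering (the `cat >` runs straight into `</dev/null 2>&1; then`), so that part of the spec could not be reviewed here.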