[packages/squid] - up to 4.11; SECURITY fixes

arekm arekm at pld-linux.org
Thu May 14 23:43:58 CEST 2020


commit d4bb55ac3c1b3a707a583f303f5b3cc535a8306d
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Thu May 14 23:43:39 2020 +0200

    - up to 4.11; SECURITY fixes

 debug.patch | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 krb.patch   | 32 ++++++++++++++++++++++++++++++++
 squid.spec  |  8 ++++++--
 3 files changed, 92 insertions(+), 2 deletions(-)
---
diff --git a/squid.spec b/squid.spec
index e0b6b20..78234e7 100644
--- a/squid.spec
+++ b/squid.spec
@@ -16,13 +16,13 @@ Summary(ru.UTF-8):	Squid - кэш объектов Internet
 Summary(uk.UTF-8):	Squid - кеш об'єктів Internet
 Summary(zh_CN.UTF-8):	SQUID 高速缓冲代理服务器
 Name:		squid
-Version:	4.10
+Version:	4.11
 Release:	1
 Epoch:		7
 License:	GPL v2
 Group:		Networking/Daemons
 Source0:	http://www.squid-cache.org/Versions/v4/%{name}-%{version}.tar.xz
-# Source0-md5:	af7ac6e70f9bd03ae4fcec0c9b99c38a
+# Source0-md5:	10f34e852153a9996aa4614670e2bda1
 Source1:	%{name}.init
 Source2:	%{name}.sysconfig
 Source3:	http://squid-docs.sourceforge.net/latest/zip-files/book-full-html.zip
@@ -38,12 +38,14 @@ Source11:	%{name}-check_cache
 
 Patch1:		%{name}-location.patch
 Patch2:		%{name}-crash-on-ENOSPC.patch
+Patch3:		krb.patch
 Patch4:		%{name}-2.5.STABLE4-apache-like-combined-log.patch
 Patch5:		%{name}-ppc-m32.patch
 Patch6:		%{name}-cachemgr-webapp.patch
 # still needed? http://bugs.squid-cache.org/show_bug.cgi?id=3806
 # http://www.squid-cache.org/mail-archive/squid-dev/201207/att-0177/squidv3-vary-headers-shm-hack.patch
 Patch7:		squidv3-vary-headers-shm-hack.patch
+Patch8:		debug.patch
 URL:		http://www.squid-cache.org/
 BuildRequires:	autoconf
 BuildRequires:	automake
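Review bot: `Patch3: krb.patch` and `Patch8: debug.patch` are declared with no comment saying where they come from, unlike Patch7 between them, which carries its bug and mail-archive URLs. Both files are format-patch exports, so a one-line origin note would let a later maintainer decide when they can be dropped, for example `# debug.patch: squid Bug 5041 build fix (From hash c26cd1cb6a60)` and `# krb.patch: Heimdal keyblock check, patch 4/5 of a series (From hash 990f3cb02667)`. krb.patch has an empty commit body and no bug reference, so this commit does not show whether it was accepted upstream; the comment should record that once confirmed. The matching `%patch3 -p1` and `%patch8 -p1` lines in the %prep hunk need no change.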
@@ -629,12 +631,14 @@ Ten pakiet zawiera skrypty perlowe i dodatkowe programy dla Squida.
 
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %{?with_combined_log:%patch4 -p1}
 %ifarch ppc
 %patch5 -p1
 %endif
 %patch6 -p1
 #%patch7 -p1
+%patch8 -p1
 
 %{__sed} -i -e '1s#!.*bin/perl#!%{__perl}#' {contrib,scripts}/*.pl
 
diff --git a/debug.patch b/debug.patch
new file mode 100644
index 0000000..bc3310c
--- /dev/null
+++ b/debug.patch
@@ -0,0 +1,54 @@
+From c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov at measurement-factory.com>
+Date: Thu, 23 Apr 2020 05:56:35 -0600
+Subject: [PATCH] Bug 5041: Missing Debug::Extra breaks build on hosts with
+ systemd (#611)
+
+* Bug 5041: Missing Debug::Extra breaks build on hosts with systemd
+
+Master commit 6fa8c66 (i.e. Bug 5016 fix) relied on Debug::Extra added
+by master commit (ccfbe8f) that was not ported to v4. The port of the
+former master commit lacked the required piece of the latter commit.
+
+The problem is invisible on hosts without a systemd package (that Squid
+can find/use) and with Squids explicitly ./configured --without-systemd.
+
+* "Minimum features" build test should be --without-systemd
+
+* LDFLAGS were missing SYSTEMD_LIBS in builds with systemd support
+
+Co-authored-by: Amos Jeffries <yadij at users.noreply.github.com>
+---
+ configure.ac                                | 1 +
+ src/Debug.h                                 | 4 ++++
+ test-suite/buildtests/layer-01-minimal.opts | 1 +
+ 3 files changed, 6 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 9d1a38c4f8..281d237bc5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then
+   fi
+   if test "x$SYSTEMD_LIBS" != "x" ; then
+     CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++    LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+     AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
+   else
+     with_systemd=no
+diff --git a/src/Debug.h b/src/Debug.h
+index 6eecd01bf9..ddd9e38f8f 100644
+--- a/src/Debug.h
++++ b/src/Debug.h
+@@ -99,6 +99,10 @@ class Debug
+ 
+     /// configures the active debugging context to write syslog ALERT
+     static void ForceAlert();
++
++    /// prefixes each grouped debugs() line after the first one in the group
++    static std::ostream& Extra(std::ostream &os) { return os << "\n    "; }
++
+ private:
+     static Context *Current; ///< deepest active context; nil outside debugs()
+ };
+
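Review bot: In the configure.ac part of debug.patch, `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` puts the systemd libraries into LDFLAGS, which is normally expanded ahead of the object files on the link line. If this package is linked with `-Wl,--as-needed`, a library named before the objects that reference it can be discarded, so the link may still fail on the systemd symbols; this is worth confirming with a systemd-enabled build of the spec. Should that happen, the libraries belong in the libs variable instead, e.g. `LIBS="$SYSTEMD_LIBS $LIBS"`. The enclosing `if test` block starts and ends outside the embedded hunk.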
diff --git a/krb.patch b/krb.patch
new file mode 100644
index 0000000..9555b76
--- /dev/null
+++ b/krb.patch
@@ -0,0 +1,32 @@
+From 990f3cb0266779b329dca303cc7ec8977ed8a0b5 Mon Sep 17 00:00:00 2001
+From: Markus Moeller <markus_moeller at compuserve.com>
+Date: Sat, 9 May 2020 14:00:23 +0100
+Subject: [PATCH 4/5] Add Heimdal check for keyblock
+
+---
+ src/acl/external/kerberos_ldap_group/support_krb5.cc | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/acl/external/kerberos_ldap_group/support_krb5.cc b/src/acl/external/kerberos_ldap_group/support_krb5.cc
+index 6d50c73166..b4964d83ee 100644
+--- a/src/acl/external/kerberos_ldap_group/support_krb5.cc
++++ b/src/acl/external/kerberos_ldap_group/support_krb5.cc
+@@ -467,10 +467,15 @@ krb5_create_cache(char *domain, char *service_principal_name)
+                 }
+ 
+                 // overwrite limitation of enctypes
++#if USE_HEIMDAL_KRB5
++                creds->session.keytype = 0;
++                if (creds->session.keyvalue.length>0)
++                    krb5_free_keyblock_contents(kparam.context, &creds->session);
++#else
+                 creds->keyblock.enctype = 0;
+                 if (creds->keyblock.contents)
+                     krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
+-
++#endif
+                 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
+                 if (code) {
+                     k5_error("Error while getting tgt", code);
+
+
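Review bot: The two branches added to krb5_create_cache guard the free differently: the Heimdal branch tests `creds->session.keyvalue.length>0`, while the MIT branch tests the `contents` pointer. Should a Heimdal keyblock ever carry a non-null data pointer with length 0, the free would be skipped and the old buffer kept; testing the pointer keeps the branches parallel, `if (creds->session.keyvalue.data)`. The existing `// overwrite limitation of enctypes` comment now covers both branches and could state that the old session key is released so the following krb5_get_credentials call is not tied to its enctype, which is presumably the intent and should be confirmed with the patch author. The function body starts and ends outside the hunk.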
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/squid.git/commitdiff/d4bb55ac3c1b3a707a583f303f5b3cc535a8306d


