ports/opt (3.3): [notify] squid: two security fixes. Closes FS#1564
commit a37c1e095c271c4c3f982c7dd729015c892f7e8d Author: Juergen Daubert <jue@jue.li> Date: Tue Jan 23 10:18:49 2018 +0100 [notify] squid: two security fixes. Closes FS#1564 See - http://www.squid-cache.org/Advisories/SQUID-2018_1.txt - http://www.squid-cache.org/Advisories/SQUID-2018_2.txt diff --git a/squid/.md5sum b/squid/.md5sum index b5cc78109..e4f6bb8f8 100644 --- a/squid/.md5sum +++ b/squid/.md5sum @@ -1,2 +1,4 @@ +b969921543380b268b1604d2d5c10f70 SQUID-2018_1.patch +2d6ea612cb5035ff846ac7cee781649e SQUID-2018_2.patch be8031c772fc51aaa1a9fb22ecac6585 squid 39ef8199675d48a314b540f92c00c545 squid-3.5.27.tar.xz diff --git a/squid/.signature b/squid/.signature index f558f7e66..3770fec7e 100644 --- a/squid/.signature +++ b/squid/.signature @@ -1,6 +1,8 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/dO+ySYEb8pcOpIuTrOscix67dvC5mH05ZF52FgVtycRJ+9/wH5iDPBn8F9/D+nsT8yLPKUG0ymTRj48bWkT/wo= -SHA256 (Pkgfile) = b535767e1d28e24ecd6d3fca210a005154441f650a88773d7c84311cdac61692 +RWSE3ohX2g5d/XBSSGTiSDM0sTRcj8avSWpdJdT+0s9YWDFH9OHpk3WUcc6Sd0Y9QHxXN9HQ1qulKOGUUxth41DdOjVB6R4irwg= +SHA256 (Pkgfile) = 2435660c65d45ec2cbae6afe455dfa032de45625b494d7516fe4b4e388e556fc SHA256 (.footprint) = 5c5505b0fed5776588a490a9ac02b1dd2ce859adcce704d8df54da39a9afc77d SHA256 (squid-3.5.27.tar.xz) = 5ddb4367f2dc635921f9ca7a59d8b87edb0412fa203d1543393ac3c7f9fef0ec +SHA256 (SQUID-2018_1.patch) = b83fb203a7f42868603205419d9a28c64af8eaf7be92a6a7b9b95210cb4f6b2f +SHA256 (SQUID-2018_2.patch) = 676d3f3b5bc0ca09760aba6af3f8fb837dfc52b82f7765317be30b33e350fad2 SHA256 (squid) = d4ff0ac128250907e7cce4a01d6d92d9ca7dde7d59e1c72fe89de72fa5488ec4 diff --git a/squid/Pkgfile b/squid/Pkgfile index 9b6521dfa..694f4f862 100644 --- a/squid/Pkgfile +++ b/squid/Pkgfile @@ -1,16 +1,20 @@ # Description: A full-featured web proxy cache # URL: http://www.squid-cache.org # Maintainer: Juergen Daubert, jue at crux dot nu +# Depends on: db libcap libtool name=squid version=3.5.27 -release=1 +release=2 source=(http://www.squid-cache.org/Versions/v3/3.5/$name-$version.tar.xz - squid) + SQUID-2018_1.patch SQUID-2018_2.patch squid) build () { cd $name-$version + patch -p1 -i $SRC/SQUID-2018_1.patch + patch -p1 -i $SRC/SQUID-2018_2.patch + ./configure --prefix=/usr \ --sysconfdir=/etc/squid \ --libexecdir=/usr/lib/squid \ diff --git a/squid/SQUID-2018_1.patch b/squid/SQUID-2018_1.patch new file mode 100644 index 000000000..9392219a9 --- /dev/null +++ b/squid/SQUID-2018_1.patch @@ -0,0 +1,28 @@ +commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5) +Author: Amos Jeffries <yadij@users.noreply.github.com> +Date: 2018-01-19 13:54:14 +1300 + + ESI: make sure endofName never exceeds tagEnd (#130) + +diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc +index d86d2d3..db634d9 100644 +--- a/src/esi/CustomParser.cc ++++ b/src/esi/CustomParser.cc +@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool + + char * endofName = strpbrk(const_cast<char *>(tag), w_space); + +- if (endofName > tagEnd) ++ if (!endofName || endofName > tagEnd) + endofName = const_cast<char *>(tagEnd); + + *endofName = '\0'; +@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool + + char * endofName = strpbrk(const_cast<char *>(tag), w_space); + +- if (endofName > tagEnd) ++ if (!endofName || endofName > tagEnd) + endofName = const_cast<char *>(tagEnd); + + *endofName = '\0'; diff --git a/squid/SQUID-2018_2.patch b/squid/SQUID-2018_2.patch new file mode 100644 index 000000000..9ecd8a5b7 --- /dev/null +++ b/squid/SQUID-2018_2.patch @@ -0,0 +1,23 @@ +commit 8232b83d3fa47a1399f155cb829db829369fbae9 (refs/remotes/origin/v3.5) +Author: squidadm <squidadm@users.noreply.github.com> +Date: 2018-01-21 08:07:08 +1300 + + Fix indirect IP logging for transactions without a client connection (#129) (#136) + +diff --git a/src/client_side_request.cc b/src/client_side_request.cc +index be124f3..203f89d 100644 +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -488,9 +488,9 @@ clientFollowXForwardedForCheck(allow_t answer, void *data) + * Ensure that the access log shows the indirect client + * instead of the direct client. + */ +- ConnStateData *conn = http->getConn(); +- conn->log_addr = request->indirect_client_addr; +- http->al->cache.caddr = conn->log_addr; ++ http->al->cache.caddr = request->indirect_client_addr; ++ if (ConnStateData *conn = http->getConn()) ++ conn->log_addr = request->indirect_client_addr; + } + request->x_forwarded_for_iterator.clean(); + request->flags.done_follow_x_forwarded_for = true;
participants (1)
-
crux@crux.nu