From 0fffd0e763573f0e4be37653e5e4b8da9eec9531 Mon Sep 17 00:00:00 2001 From: Jan Paul Tuecking Date: Thu, 21 Nov 2013 09:28:44 +0100 Subject: [PATCH 01/12] tor: update to 0.2.4.18-rc --- lfs/tor | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/tor b/lfs/tor index 795f7c3eb..10eaca4b8 100644 --- a/lfs/tor +++ b/lfs/tor @@ -24,7 +24,7 @@ include Config -VER = 0.2.4.17-rc +VER = 0.2.4.18-rc THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 4 +PAK_VER = 5 DEPS = "libevent2" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 2cdfb8dcc3306a43cf465a858bf97b2d +$(DL_FILE)_MD5 = 6cc5bc776e9d61a9fb1b000609ed2692 install : $(TARGET) From fce512dce39a56dc1e099b1c73544f87beedcacf Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 20:41:25 +0100 Subject: [PATCH 02/12] Create Core Update 74. Will automatically increase the transparent proxy port if it is set to 81. --- config/rootfiles/core/74/exclude | 17 ++++++ config/rootfiles/core/74/filelists/files | 4 ++ config/rootfiles/core/74/meta | 1 + config/rootfiles/core/74/update.sh | 78 ++++++++++++++++++++++++ make.sh | 2 +- 5 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 config/rootfiles/core/74/exclude create mode 100644 config/rootfiles/core/74/filelists/files create mode 100644 config/rootfiles/core/74/meta create mode 100644 config/rootfiles/core/74/update.sh diff --git a/config/rootfiles/core/74/exclude b/config/rootfiles/core/74/exclude new file mode 100644 index 000000000..321a931ca --- /dev/null +++ b/config/rootfiles/core/74/exclude 
@@ -0,0 +1,17 @@ +srv/web/ipfire/html/proxy.pac +boot/config.txt +etc/udev/rules.d/30-persistent-network.rules +etc/collectd.custom +etc/shadow +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +var/log/cache +var/updatecache +etc/localtime +var/ipfire/ovpn +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +var/state/dhcp/dhcpd.leases diff --git a/config/rootfiles/core/74/filelists/files b/config/rootfiles/core/74/filelists/files new file mode 100644 index 000000000..8dcb0777a --- /dev/null +++ b/config/rootfiles/core/74/filelists/files @@ -0,0 +1,4 @@ +etc/system-release +etc/issue +var/ipfire/header.pl +var/ipfire/langs diff --git a/config/rootfiles/core/74/meta b/config/rootfiles/core/74/meta new file mode 100644 index 000000000..d547fa86f --- /dev/null +++ b/config/rootfiles/core/74/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/74/update.sh b/config/rootfiles/core/74/update.sh new file mode 100644 index 000000000..50cf903c5 --- /dev/null +++ b/config/rootfiles/core/74/update.sh 
@@ -0,0 +1,78 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2013 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# +# Remove old core updates from pakfire cache to save space... +core=74 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + + +# +#Stop services +/etc/init.d/squid stop + + +# +#Extract files +extract_files + +if [ -e "/var/ipfire/proxy/enable" ] || [ -e "/var/ipfire/proxy/enable_blue" ]; then + ( + eval $(/usr/local/bin/readhash /var/ipfire/proxy/advanced/settings) + + if [ "${TRANSPARENT_PORT}" = "81" ]; then + sed -e "s/^TRANSPARENT_PORT=.*/TRANSPARENT_PORT=${TRANSPARENT_PORT}/" \ + -i /var/ipfire/proxy/advanced/settings + fi + ) +fi + +# Regenerate squid configuration files. +/srv/web/ipfire/cgi-bin/proxy.cgi +chown nobody:nobody /var/ipfire/proxy/squid.conf + +# +#Start services +/etc/init.d/squid start + +# +#Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... 
+#touch /var/run/need_reboot + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +#Don't report the exitcode last command +exit 0 \ No newline at end of file diff --git a/make.sh b/make.sh index ef98d6fa3..c90e89d4a 100755 --- a/make.sh +++ b/make.sh @@ -25,7 +25,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.13" # Version number -CORE="73" # Core Level (Filename) +CORE="74" # Core Level (Filename) PAKFIRE_CORE="73" # Core Level (PAKFIRE) GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch SLOGAN="www.ipfire.org" # Software slogan From b1c17c7a95e0a108a9ddcf022ec34f30dec1689b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 20:43:58 +0100 Subject: [PATCH 03/12] core74: Add squid. Covers the filedescriptors issues. --- config/rootfiles/core/74/filelists/squid | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/74/filelists/squid diff --git a/config/rootfiles/core/74/filelists/squid b/config/rootfiles/core/74/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/74/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file From ec4a4fafb28f4eaadf122e03754c9d601ec7f881 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 20:44:28 +0100 Subject: [PATCH 04/12] core74: Add openvpn. This package has been updated before. --- config/rootfiles/core/74/filelists/openvpn | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/74/filelists/openvpn diff --git a/config/rootfiles/core/74/filelists/openvpn b/config/rootfiles/core/74/filelists/openvpn new file mode 120000 index 000000000..493f3f7a4 --- /dev/null +++ b/config/rootfiles/core/74/filelists/openvpn @@ -0,0 +1 @@ +../../../common/openvpn \ No newline at end of file From c0a4b928399ca37112dda7de1e55ae93642889dc Mon Sep 17 00:00:00 2001 
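Review bot: `/etc/init.d/squid stop` and `/etc/init.d/squid start` run unconditionally, while the settings rewrite between them is gated on `/var/ipfire/proxy/enable` or `enable_blue`; unless the init script checks those flags itself (not visible here), this update starts a proxy the administrator has switched off. Wrapping the start in the same test, `if [ -e "/var/ipfire/proxy/enable" ] || [ -e "/var/ipfire/proxy/enable_blue" ]; then /etc/init.d/squid start; fi`, keeps the update from changing which services are running. The `eval $(/usr/local/bin/readhash /var/ipfire/proxy/advanced/settings)` executes whatever readhash emits from an admin-editable file; it is confined to the subshell, but a comment such as `# readhash is trusted to emit only KEY=VALUE assignments` would record that assumption for the next maintainer.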
From: Michael Tremer Date: Mon, 2 Dec 2013 20:45:20 +0100 Subject: [PATCH 05/12] core74: Add updated proxy.cgi. Reflects the FD changes. --- config/rootfiles/core/74/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/74/filelists/files b/config/rootfiles/core/74/filelists/files index 8dcb0777a..74d2466eb 100644 --- a/config/rootfiles/core/74/filelists/files +++ b/config/rootfiles/core/74/filelists/files @@ -1,4 +1,5 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/proxy.cgi var/ipfire/header.pl var/ipfire/langs From 57c8392d1c42e8794ac193a88923d0823103861d Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 20:48:58 +0100 Subject: [PATCH 06/12] core74: Add dnsforward.cgi to ISO. Bug #10447. --- config/rootfiles/common/apache2 | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 9be3581cb..c18b5ed67 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1388,6 +1388,7 @@ srv/web/ipfire/cgi-bin/connscheduler.cgi srv/web/ipfire/cgi-bin/country.cgi srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi +srv/web/ipfire/cgi-bin/dnsforward.cgi srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/dmzholes.cgi From bdbfbac6b473908dcf93cf96bce8dc762c87d3fc Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 20:55:58 +0100 Subject: [PATCH 07/12] core74: Add strongswan update. --- config/rootfiles/core/74/filelists/i586/strongswan-padlock | 1 + config/rootfiles/core/74/filelists/strongswan | 1 + config/rootfiles/core/74/update.sh | 7 ++++++- 3 files changed, 8 insertions(+), 1 deletion(-) create mode 120000 config/rootfiles/core/74/filelists/i586/strongswan-padlock create mode 120000 config/rootfiles/core/74/filelists/strongswan 
diff --git a/config/rootfiles/core/74/filelists/i586/strongswan-padlock b/config/rootfiles/core/74/filelists/i586/strongswan-padlock new file mode 120000 index 000000000..2412824fb --- /dev/null +++ b/config/rootfiles/core/74/filelists/i586/strongswan-padlock @@ -0,0 +1 @@ +../../../../common/i586/strongswan-padlock \ No newline at end of file diff --git a/config/rootfiles/core/74/filelists/strongswan b/config/rootfiles/core/74/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/74/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/74/update.sh b/config/rootfiles/core/74/update.sh index 50cf903c5..3f8abce05 100644 --- a/config/rootfiles/core/74/update.sh +++ b/config/rootfiles/core/74/update.sh @@ -35,6 +35,7 @@ done # #Stop services +/etc/init.d/ipsec stop /etc/init.d/squid stop @@ -61,6 +62,10 @@ chown nobody:nobody /var/ipfire/proxy/squid.conf #Start services /etc/init.d/squid start +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/init.d/ipsec start +fi + # #Update Language cache perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" @@ -75,4 +80,4 @@ sync /etc/init.d/fireinfo start sendprofile #Don't report the exitcode last command -exit 0 \ No newline at end of file +exit 0 From 9f9e43dcdd2517cdd56810a243270e3697844569 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 21:35:12 +0100 Subject: [PATCH 08/12] core74: Ship dnsforward.cgi in update as well. Adds the CGI file on systems which have been installed with an ISO image where dnsforward.cgi was not included. --- config/rootfiles/core/74/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/74/filelists/files b/config/rootfiles/core/74/filelists/files index 74d2466eb..5a874e7b3 100644 --- a/config/rootfiles/core/74/filelists/files +++ b/config/rootfiles/core/74/filelists/files 
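Review bot: The pattern in `if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then` is unanchored, so any other key in that file whose line ends in `ENABLED=on` would also start ipsec; `grep -q '^ENABLED=on$' /var/ipfire/vpn/settings` matches only the intended key. If the settings file is absent, grep prints an error to stderr and ipsec stays stopped, which is probably the intended outcome but deserves a short comment. The matching `/etc/init.d/ipsec stop` added in the first hunk of this file runs unconditionally, so a stop without a start is the expected result on systems with the VPN disabled. Both hunks sit inside update.sh's top-level script, whose start and end lie outside the hunks.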
@@ -1,5 +1,6 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/dnsforward.cgi srv/web/ipfire/cgi-bin/proxy.cgi var/ipfire/header.pl var/ipfire/langs From 4ea955c544fa5ff4939449bc163426fc36e1482f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 2 Dec 2013 21:41:12 +0100 Subject: [PATCH 09/12] core74: Fix incrementation. --- config/rootfiles/core/74/update.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/74/update.sh b/config/rootfiles/core/74/update.sh index 3f8abce05..ca26b514e 100644 --- a/config/rootfiles/core/74/update.sh +++ b/config/rootfiles/core/74/update.sh @@ -48,6 +48,7 @@ if [ -e "/var/ipfire/proxy/enable" ] || [ -e "/var/ipfire/proxy/enable_blue" ]; eval $(/usr/local/bin/readhash /var/ipfire/proxy/advanced/settings) if [ "${TRANSPARENT_PORT}" = "81" ]; then + TRANSPARENT_PORT="$(( ${TRANSPARENT_PORT} + 1 ))" sed -e "s/^TRANSPARENT_PORT=.*/TRANSPARENT_PORT=${TRANSPARENT_PORT}/" \ -i /var/ipfire/proxy/advanced/settings fi From 6003c4bbdb46094dcbcf63939395fe3bda82da70 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 24 Oct 2013 19:41:17 +0200 Subject: [PATCH 10/12] strongswan: Rootfile update. --- config/rootfiles/common/strongswan | 1 - 1 file changed, 1 deletion(-) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index d045c312c..732e3270c 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -87,7 +87,6 @@ usr/libexec/ipsec/_updown usr/libexec/ipsec/_updown_espmark usr/libexec/ipsec/charon usr/libexec/ipsec/openac -usr/libexec/ipsec/pki usr/libexec/ipsec/scepclient usr/libexec/ipsec/starter usr/libexec/ipsec/stroke From a408e02da29d32d72a570112caec8544f0474f51 Mon Sep 17 00:00:00 2001 
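Review bot: The new line `TRANSPARENT_PORT="$(( ${TRANSPARENT_PORT} + 1 ))"` is only reached when the value is exactly 81, so it always yields 82, and nothing on the page says why port 81 must be vacated; a comment above the `if`, such as `# Port 81 can no longer be used for the transparent proxy; move it to 82` with the real reason filled in, would make the rewrite auditable. Because the assignment and the `sed -i` run inside the `( ... )` subshell opened before this hunk, the new value does not leak into the rest of the script, which is fine as long as the later `proxy.cgi` run re-reads the file. The `sed` exit status is not checked; appending `|| echo "WARNING: could not update TRANSPARENT_PORT" >&2` would surface a failed rewrite. The enclosing `if [ -e ... ]` and the subshell both start before this hunk.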
From: Michael Tremer Date: Tue, 3 Dec 2013 14:42:30 +0100 Subject: [PATCH 11/12] squid: Update to 3.3.11. --- lfs/squid | 10 +- src/patches/squid-3.1-10486.patch | 54 ------- src/patches/squid-3.1-10487.patch | 73 --------- .../squid-3.3.10-optional-ssl-options.patch | 148 ------------------ src/patches/squid-3.3.10-set-rlimit-fds.patch | 51 ------ 5 files changed, 2 insertions(+), 334 deletions(-) delete mode 100644 src/patches/squid-3.1-10486.patch delete mode 100644 src/patches/squid-3.1-10487.patch delete mode 100644 src/patches/squid-3.3.10-optional-ssl-options.patch delete mode 100644 src/patches/squid-3.3.10-set-rlimit-fds.patch diff --git a/lfs/squid b/lfs/squid index d3bff48b7..3c5f6c54a 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 3.3.10 +VER = 3.3.11 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 28058812d722cac303517a643e28bcb0 +$(DL_FILE)_MD5 = dd016ff5f14b2548083b3882207914f6 install : $(TARGET) @@ -53,7 +53,6 @@ md5 : $(subst %,%_MD5,$(objects)) ############################################################################### # Downloading, checking, md5sum ############################################################################### - $(patsubst %,$(DIR_CHK)/%,$(objects)) : @$(CHECK) @@ -70,11 +69,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - - cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/squid-3.3.10-optional-ssl-options.patch - cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/squid-3.3.10-set-rlimit-fds.patch - - cd $(DIR_APP) && ./bootstrap.sh cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc/squid \ diff --git a/src/patches/squid-3.1-10486.patch b/src/patches/squid-3.1-10486.patch deleted file mode 100644 index 6a0388e5b..000000000 
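Review bot: The removed `patch -Np0` lines show that only `squid-3.3.10-optional-ssl-options.patch` and `squid-3.3.10-set-rlimit-fds.patch` were applied, so deleting them is justified only if 3.3.11 carries the corresponding fixes (bug 3936 and bug 3970 per the deleted patch headers); a sentence in the commit message or a comment in lfs/squid stating that would make the removal auditable. The two `squid-3.1-*` patches deleted in the same commit do not appear in the removed build steps, so they look like unreferenced leftovers, but that cannot be confirmed from this page. Dropping `./bootstrap.sh` together with the configure.ac patch means the tarball's generated configure is used unmodified, which is consistent. The new `$(DL_FILE)_MD5` value follows the project-wide download-check convention rather than anything this commit introduces; a stronger digest would be a project-wide change.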
--- a/src/patches/squid-3.1-10486.patch +++ /dev/null @@ -1,54 +0,0 @@ ------------------------------------------------------------- -revno: 10486 -revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h -parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l -fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790 -author: Reinhard Sojka -committer: Amos Jeffries -branch nick: SQUID_3_1 -timestamp: Fri 2013-02-22 04:13:25 -0700 -message: - Bug 3790: cachemgr.cgi crash with authentication ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h -# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ -# /SQUID_3_1 -# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b -# timestamp: 2013-02-22 11:17:18 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ -# /SQUID_3_1 -# base_revision_id: squid3@treenet.co.nz-20130109021503-\ -# hqg7ufldrudpzr9l -# -# Begin patch -=== modified file 'tools/cachemgr.cc' ---- tools/cachemgr.cc 2013-01-08 23:11:51 +0000 -+++ tools/cachemgr.cc 2013-02-22 11:13:25 +0000 -@@ -1162,7 +1162,6 @@ - { - static char buf[1024]; - size_t stringLength = 0; -- const char *str64; - - if (!req->passwd) - return ""; -@@ -1171,15 +1170,12 @@ - req->user_name ? req->user_name : "", - req->passwd); - -- str64 = base64_encode(buf); -- -- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64); -+ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf)); - - assert(stringLength < sizeof(buf)); - -- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64); -+ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf)); - -- xxfree(str64); - return buf; - } - - 
diff --git a/src/patches/squid-3.1-10487.patch b/src/patches/squid-3.1-10487.patch deleted file mode 100644 index 2ca4848c2..000000000 --- a/src/patches/squid-3.1-10487.patch +++ /dev/null 
@@ -1,73 +0,0 @@ ------------------------------------------------------------- -revno: 10487 -revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx -parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h -author: Nathan Hoad -committer: Amos Jeffries -branch nick: SQUID_3_1 -timestamp: Wed 2013-07-10 06:47:48 -0600 -message: - Protect against buffer overrun in DNS query generation - - see SQUID-2013:2. - - This bug has been present as long as the internal DNS component however - most code reaching this point is passing through URL validation first. - With Squid-3.2 Host header verification using DNS directly we may have - problems. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx -# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ -# /SQUID_3_1 -# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0 -# timestamp: 2013-07-10 12:48:57 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ -# /SQUID_3_1 -# base_revision_id: squid3@treenet.co.nz-20130222111325-\ -# zizr296kq3te4g7h -# -# Begin patch -=== modified file 'src/dns_internal.cc' ---- src/dns_internal.cc 2011-10-11 02:12:56 +0000 -+++ src/dns_internal.cc 2013-07-10 12:47:48 +0000 -@@ -1532,22 +1532,26 @@ - void - idnsALookup(const char *name, IDNSCB * callback, void *data) - { -- unsigned int i; -+ size_t nameLength = strlen(name); -+ -+ // Prevent buffer overflow on q->name -+ if (nameLength > NS_MAXDNAME) { -+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. 
see access.log for details."); -+ callback(data, NULL, 0, "Internal error"); -+ return; -+ } -+ -+ if (idnsCachedLookup(name, callback, data)) -+ return; -+ -+ idns_query *q = cbdataAlloc(idns_query); -+ q->id = idnsQueryID(); - int nd = 0; -- idns_query *q; -- -- if (idnsCachedLookup(name, callback, data)) -- return; -- -- q = cbdataAlloc(idns_query); -- -- q->id = idnsQueryID(); -- -- for (i = 0; i < strlen(name); i++) -+ for (unsigned int i = 0; i < nameLength; ++i) - if (name[i] == '.') - nd++; - -- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') { -+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') { - q->do_searchpath = 1; - } else { - q->do_searchpath = 0; - diff --git a/src/patches/squid-3.3.10-optional-ssl-options.patch b/src/patches/squid-3.3.10-optional-ssl-options.patch deleted file mode 100644 index f6a108c5f..000000000 --- a/src/patches/squid-3.3.10-optional-ssl-options.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From: http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/13115 - -Committer: Christos Tsantilas -Date: 2013-11-07 10:46:14 UTC -Revision ID: chtsanti@users.sourceforge.net-20131107104614-s3a9kzlkgm7x9rhf - -http://bugs.squid-cache.org/show_bug.cgi?id=3936 -Bug 3936: error-details.txt parse error - -Squid fails parsing error-details.txt template when one or more listed OpenSSL -errors are not supported on running platform. -This patch add a hardcoded list of OpenSSL errors wich can be optional. - -This is a Measurement Factory project - -=== modified file 'src/ssl/ErrorDetail.cc' ---- src/ssl/ErrorDetail.cc 2013-07-31 00:13:04 +0000 -+++ src/ssl/ErrorDetail.cc 2013-11-07 10:46:14 +0000 -@@ -221,6 +221,31 @@ - {SSL_ERROR_NONE, NULL} - }; - -+static const char *OptionalSslErrors[] = { -+ "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER", -+ "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION", -+ "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN", -+ "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION", -+ "X509_V_ERR_INVALID_NON_CA", -+ "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED", -+ "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE", -+ "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED", -+ "X509_V_ERR_INVALID_EXTENSION", -+ "X509_V_ERR_INVALID_POLICY_EXTENSION", -+ "X509_V_ERR_NO_EXPLICIT_POLICY", -+ "X509_V_ERR_DIFFERENT_CRL_SCOPE", -+ "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE", -+ "X509_V_ERR_UNNESTED_RESOURCE", -+ "X509_V_ERR_PERMITTED_VIOLATION", -+ "X509_V_ERR_EXCLUDED_VIOLATION", -+ "X509_V_ERR_SUBTREE_MINMAX", -+ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE", -+ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX", -+ "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX", -+ "X509_V_ERR_CRL_PATH_VALIDATION_ERROR", -+ NULL -+}; -+ - struct SslErrorAlias { - const char *name; - const Ssl::ssl_error_t *errors; -@@ -331,6 +356,16 @@ - return NULL; - } - -+bool -+Ssl::ErrorIsOptional(const char *name) -+{ -+ for (int i = 0; OptionalSslErrors[i] != NULL; ++i) { -+ if (strcmp(name, OptionalSslErrors[i]) == 0) -+ return true; -+ } -+ 
return false; -+} -+ - const char * - Ssl::GetErrorDescr(Ssl::ssl_error_t value) - { - -=== modified file 'src/ssl/ErrorDetail.h' ---- src/ssl/ErrorDetail.h 2013-05-30 10:10:29 +0000 -+++ src/ssl/ErrorDetail.h 2013-11-07 10:46:14 +0000 -@@ -40,6 +40,14 @@ - - /** - \ingroup ServerProtocolSSLAPI -+ * Return true if the SSL error is optional and may not supported -+ * by current squid version -+ */ -+ -+bool ErrorIsOptional(const char *name); -+ -+/** -+ \ingroup ServerProtocolSSLAPI - * Used to pass SSL error details to the error pages returned to the - * end user. - */ - -=== modified file 'src/ssl/ErrorDetailManager.cc' ---- src/ssl/ErrorDetailManager.cc 2013-10-25 00:13:46 +0000 -+++ src/ssl/ErrorDetailManager.cc 2013-11-07 10:46:14 +0000 -@@ -218,32 +218,35 @@ - } - - Ssl::ssl_error_t ssl_error = Ssl::GetErrorCode(errorName.termedBuf()); -- if (ssl_error == SSL_ERROR_NONE) { -+ if (ssl_error != SSL_ERROR_NONE) { -+ -+ if (theDetails->getErrorDetail(ssl_error)) { -+ debugs(83, DBG_IMPORTANT, HERE << -+ "WARNING! duplicate entry: " << errorName); -+ return false; -+ } -+ -+ ErrorDetailEntry &entry = theDetails->theList[ssl_error]; -+ entry.error_no = ssl_error; -+ entry.name = errorName; -+ String tmp = parser.getByName("detail"); -+ httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail); -+ tmp = parser.getByName("descr"); -+ httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr); -+ bool parseOK = entry.descr.defined() && entry.detail.defined(); -+ -+ if (!parseOK) { -+ debugs(83, DBG_IMPORTANT, HERE << -+ "WARNING! missing important field for detail error: " << errorName); -+ return false; -+ } -+ -+ } else if (!Ssl::ErrorIsOptional(errorName.termedBuf())) { - debugs(83, DBG_IMPORTANT, HERE << - "WARNING! invalid error detail name: " << errorName); - return false; - } - -- if (theDetails->getErrorDetail(ssl_error)) { -- debugs(83, DBG_IMPORTANT, HERE << -- "WARNING! 
duplicate entry: " << errorName); -- return false; -- } -- -- ErrorDetailEntry &entry = theDetails->theList[ssl_error]; -- entry.error_no = ssl_error; -- entry.name = errorName; -- String tmp = parser.getByName("detail"); -- httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail); -- tmp = parser.getByName("descr"); -- httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr); -- bool parseOK = entry.descr.defined() && entry.detail.defined(); -- -- if (!parseOK) { -- debugs(83, DBG_IMPORTANT, HERE << -- "WARNING! missing imporant field for detail error: " << errorName); -- return false; -- } - }// else {only spaces and black lines; just ignore} - - buf.consume(size); - diff --git a/src/patches/squid-3.3.10-set-rlimit-fds.patch b/src/patches/squid-3.3.10-set-rlimit-fds.patch deleted file mode 100644 index a80ce7316..000000000 --- a/src/patches/squid-3.3.10-set-rlimit-fds.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/13144 - - Committer: Amos Jeffries - Date: 2013-11-23 01:28:52 UTC - Revision ID: squid3@treenet.co.nz-20131123012852-zpe8hamjrs5vy42w - -http://bugs.squid-cache.org/show_bug.cgi?id=3970 -Bug 3970: max_filedescriptors disabled due to missing setrlimit - -=== modified file 'configure.ac' ---- configure.ac 2013-11-16 13:19:28 +0000 -+++ configure.ac 2013-11-23 01:28:52 +0000 -@@ -2534,7 +2534,6 @@ - ;; - esac - -- - dnl --with-maxfd present for compatibility with Squid-2. - dnl undocumented in ./configure --help to encourage using the Squid-3 directive - AC_ARG_WITH(maxfd,, -@@ -2542,6 +2541,7 @@ - case ${withval} in - [[0-9]]*) - squid_filedescriptors_num=$withval -+ AC_MSG_NOTICE([forcing default of $squid_filedescriptors_num filedescriptors (user-forced)]) - ;; - *) - AC_MSG_ERROR(--with-maxfd expects a numeric argument) -@@ -2556,6 +2556,7 @@ - case ${withval} in - [[0-9]]*) - squid_filedescriptors_num=$withval -+ AC_MSG_NOTICE([forcing default of $squid_filedescriptors_num filedescriptors (user-forced)]) - ;; - *) - AC_MSG_ERROR(--with-filedescriptors expects a numeric argument) -@@ -2564,10 +2565,9 @@ - ]) - - SQUID_CHECK_DEFAULT_FD_SETSIZE --if test "x$squid_filedescriptors_num" = "x"; then -- SQUID_CHECK_MAXFD --else -- AC_MSG_NOTICE([forcing use of $squid_filedescriptors_num filedescriptors (user-forced)]) -+SQUID_CHECK_MAXFD -+if test "x$squid_filedescriptors_num" != "x"; then -+ AC_MSG_NOTICE([Default number of fieldescriptors: $squid_filedescriptors_num]) - fi - if test "$squid_filedescriptors_num" -lt 512 ; then - AC_MSG_WARN([$squid_filedescriptors_num may not be enough filedescriptors if your]) - From af2dcb40f62adcdcb1cbb8303d1f67ff74df6981 Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Tue, 10 Dec 2013 00:07:36 +0100 Subject: [PATCH 12/12] samba: update to 3.6.22. Samba 3.6.22 have been issued as security releases in order to address CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150 (pam_winbind login without require_membership_of restrictions). --- lfs/samba | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/samba b/lfs/samba index 7917dbfae..13110d562 100644 --- a/lfs/samba +++ b/lfs/samba @@ -24,7 +24,7 @@ include Config -VER = 3.6.21 +VER = 3.6.22 THISAPP = samba-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = samba -PAK_VER = 55 +PAK_VER = 56 DEPS = "cups" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = faa67c625508dc495c082357913ccea6 +$(DL_FILE)_MD5 = 59add4bb178ebc188d857bc13a508c0b install : $(TARGET)