squid 3.5.24: latest patches (14144-14148)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2017-02-27 18:38:17 +01:00
parent 39e7154976
commit a5c0ef3679
6 changed files with 221 additions and 0 deletions
--- a/lfs/squid
+++ b/lfs/squid
@@ -72,6 +72,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14143.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14144.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14145.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14146.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14147.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14148.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch

 	cd $(DIR_APP) && autoreconf -vfi
--- a/src/patches/squid/squid-3.5-14144.patch
+++ b/src/patches/squid/squid-3.5-14144.patch
@@ -0,0 +1,43 @@
+------------------------------------------------------------
+revno: 14144
+revision-id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
+parent: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9
+author: Alex Rousskov <rousskov@measurement-factory.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:46:24 +1300
+message:
+  Fix crash when configuring with invalid delay_parameters restore value.
+  
+  ... like none/none. Introduced in rev which fixed another, much
+  bigger delay_parameters parsing bug.
+  
+  TODO: Reject all invalid input, including restore/max of "-/100".
+  
+  TODO: Fix misleading/wrong associated error messages. For example:
+    ERROR: invalid delay rate 'none/none'. Expecting restore/max or 'none'
+    ERROR: restore rate in '1/none' is not a number.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 42f47b8ee1da049d57e6af76ce755e459d2fc9fd
+# timestamp: 2017-02-26 08:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170225055014-\
+#   j7v5xax13u4jddr9
+# 
+# Begin patch
+=== modified file 'src/DelaySpec.cc'
+--- src/DelaySpec.cc	2017-01-01 00:16:45 +0000
+++ src/DelaySpec.cc	2017-02-26 08:46:24 +0000
+@@ -55,7 +55,7 @@
+ 
+     // parse the first digits into restore_bps
+     const char *p = NULL;
+-    if (!StringToInt(token, restore_bps, &p, 10) && *p != '/') {
+    if (!StringToInt(token, restore_bps, &p, 10) || *p != '/') {
+         debugs(77, DBG_CRITICAL, "ERROR: invalid delay rate '" << token << "'. Expecting restore/max or 'none'.");
+         self_destruct();
+     }
+
--- a/src/patches/squid/squid-3.5-14145.patch
+++ b/src/patches/squid/squid-3.5-14145.patch
@@ -0,0 +1,33 @@
+------------------------------------------------------------
+revno: 14145
+revision-id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
+parent: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:50:09 +1300
+message:
+  Fix missing CRLF on FTP timeout ABORT commands
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a290f77545e17012eea87e6315a9d375bff16752
+# timestamp: 2017-02-26 08:51:05 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226084624-\
+#   5tkl3bdrqz8nlp9g
+# 
+# Begin patch
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc	2017-01-01 00:16:45 +0000
+++ src/clients/FtpGateway.cc	2017-02-26 08:50:09 +0000
+@@ -1775,7 +1775,7 @@
+ 
+         // ABORT on timeouts. server may be waiting on a broken TCP link.
+         if (io.xerrno == Comm::TIMEOUT)
+-            writeCommand("ABOR");
+            writeCommand("ABOR\r\n");
+ 
+         // try another connection attempt with some other method
+         ftpSendPassive(this);
+
--- a/src/patches/squid/squid-3.5-14146.patch
+++ b/src/patches/squid/squid-3.5-14146.patch
@@ -0,0 +1,41 @@
+------------------------------------------------------------
+revno: 14146
+revision-id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
+parent: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:52:45 +1300
+message:
+  Check that -k argument is provided before trying to use it.
+  
+   Detected by Coverity Scan. Issue 1364726.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 31bba06ced5b67f892e4be897b05ec3744b2a942
+# timestamp: 2017-02-26 09:51:00 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226085009-\
+#   tj3o81s5ybk8ly9s
+# 
+# Begin patch
+=== modified file 'src/main.cc'
+--- src/main.cc	2017-01-01 00:16:45 +0000
+++ src/main.cc	2017-02-26 08:52:45 +0000
+@@ -425,11 +425,11 @@
+             /** \par k
+              * Run the administrative action given following the option */
+ 
+-            /** \li When its an unknown option display the usage help. */
+-            if ((int) strlen(optarg) < 1)
+            /** \li When it is missing or an unknown option display the usage help. */
+            if (!optarg || strlen(optarg) < 1)
+                 usage();
+ 
+-            if (!strncmp(optarg, "reconfigure", strlen(optarg)))
+            else if (!strncmp(optarg, "reconfigure", strlen(optarg)))
+                 /** \li On reconfigure send SIGHUP. */
+                 opt_send_signal = SIGHUP;
+             else if (!strncmp(optarg, "rotate", strlen(optarg)))
+
--- a/src/patches/squid/squid-3.5-14147.patch
+++ b/src/patches/squid/squid-3.5-14147.patch
@@ -0,0 +1,37 @@
+------------------------------------------------------------
+revno: 14147
+revision-id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
+parent: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2017-02-26 21:56:17 +1300
+message:
+  ext_kerberos_ldap_group_acl: fix unused value warnings
+  
+   Detected by Coverity Scan. Issues 1364748 and 1364749.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fd770175ba851fc62de4a085414c8fd996b53e46
+# timestamp: 2017-02-26 09:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226085245-\
+#   vcvc7nemupizbe4t
+# 
+# Begin patch
+=== modified file 'helpers/external_acl/kerberos_ldap_group/support_ldap.cc'
+--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc	2017-01-01 00:16:45 +0000
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc	2017-02-26 08:56:17 +0000
+@@ -919,8 +919,8 @@
+     /*
+      * Initialise ldap
+      */
+-    ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
+-    ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
+//    ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
+//    ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
+     ldap_debug = 0;
+     (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
+ #endif
+
--- a/src/patches/squid/squid-3.5-14148.patch
+++ b/src/patches/squid/squid-3.5-14148.patch
@@ -0,0 +1,62 @@
+------------------------------------------------------------
+revno: 14148
+revision-id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
+parent: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
+author: Alexander Gozman <a.gozman@securitycode.ru>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-02-27 00:09:42 +1300
+message:
+  Native FTP relay: NAT and TPROXY interception fixes
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 63f57f0ddddf0f231c3ef88a12728a707828c6ad
+# timestamp: 2017-02-26 11:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226085617-\
+#   89jfjndt62i83qtn
+# 
+# Begin patch
+=== modified file 'src/servers/FtpServer.cc'
+--- src/servers/FtpServer.cc	2017-01-01 00:16:45 +0000
+++ src/servers/FtpServer.cc	2017-02-26 11:09:42 +0000
+@@ -1454,9 +1454,33 @@
+     Comm::ConnectionPointer conn = new Comm::Connection();
+     conn->flags |= COMM_DOBIND;
+ 
+-    // Use local IP address of the control connection as the source address
+-    // of the active data connection, or some clients will refuse to accept.
+-    conn->setAddrs(clientConnection->local, cltAddr);
+    if (clientConnection->flags & COMM_INTERCEPTION) {
+        // In the case of NAT interception conn->local value is not set
+        // because the TCP stack will automatically pick correct source
+        // address for the data connection. We must only ensure that IP
+        // version matches client's address.
+        conn->local.setAnyAddr();
+
+        if (cltAddr.isIPv4())
+            conn->local.setIPv4();
+
+        conn->remote = cltAddr;
+    } else {
+        // In the case of explicit-proxy the local IP of the control connection
+        // is the Squid IP the client is knowingly talking to.
+        //
+        // In the case of TPROXY the IP address of the control connection is
+        // server IP the client is connecting to, it can be spoofed by Squid.
+        //
+        // In both cases some clients may refuse to accept data connections if
+        // these control connectin local-IP's are not used.
+        conn->setAddrs(clientConnection->local, cltAddr);
+
+        // Using non-local addresses in TPROXY mode requires appropriate socket option.
+        if (clientConnection->flags & COMM_TRANSPARENT)
+            conn->flags |= COMM_TRANSPARENT;
+    }
+
+     // RFC 959 requires active FTP connections to originate from port 20
+     // but that would preclude us from supporting concurrent transfers! (XXX?)
+     conn->local.port(0);
+