webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-15 21:43:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

squid: Update to 3.5.25

Browse Source 
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Matthias Fischer
2017-04-03 21:26:44 +02:00
committed by Michael Tremer
parent 24a80f0c22
commit bffe0abd59
14 changed files with 4 additions and 893 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
lfs/squid
View File

@@ -24,7 +24,7 @@
include Config
VER = 3.5.24
VER = 3.5.25
THISAPP = squid-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 3fae511e16b6379b61c011914673973d
$(DL_FILE)_MD5 = 6b7dd7b42b1adacf08f3155640ea2782
install : $(TARGET)
@@ -70,19 +70,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14143.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14144.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14145.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14146.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14147.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14148.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14149.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14150.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14151.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14152.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14153.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.25-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
cd $(DIR_APP)/libltdl && autoreconf -vfi
@@ -159,7 +147,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cp -f $(DIR_SRC)/config/updxlrator/lscache /var/ipfire/updatexlrator/bin/lscache
cp -f $(DIR_SRC)/config/updxlrator/checkdeaddl /var/ipfire/updatexlrator/bin/checkdeaddl
cp -f $(DIR_SRC)/config/updxlrator/updxlrator-lib.pl /var/ipfire/updatexlrator//updxlrator-lib.pl
cp -f $(DIR_SRC)/config/updxlrator/updxlrator-lib.pl /var/ipfire/updatexlrator/updxlrator-lib.pl
chmod 755 /usr/sbin/updxlrator /var/ipfire/updatexlrator/bin/checkup \
/var/ipfire/updatexlrator/bin/download \

0
src/patches/squid-3.5.24-fix-max-file-descriptors.patch → src/patches/squid-3.5.25-fix-max-file-descriptors.patch
View File

72
src/patches/squid/squid-3.5-14142.patch
View File

@@ -1,72 +0,0 @@
------------------------------------------------------------
revno: 14142
revision-id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
parent: squid3@treenet.co.nz-20170128035415-bpwt79jsobv1rqx3
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Wed 2017-02-08 18:40:33 +1300
message:
Bump SSL client on [more] errors encountered before ssl_bump evaluation
... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
http_access deny rule match.
The old code allowed ssl_bump step1 rules to be evaluated in the
presence of an error. An ssl_bump splicing decision would then trigger
the useless "send the error to the client now" processing logic instead
of going down the "to serve an error, bump the client first" path.
Furthermore, the ssl_bump evaluation result itself could be surprising
to the admin because ssl_bump (and most other) rules are not meant to be
evaluated for a transaction in an error state. This complicated triage.
Also polished an important comment to clarify that we want to bump on
error if (and only if) the SslBump feature is applicable to the failed
transaction (i.e., if the ssl_bump rules would have been evaluated if
there were no prior errors). The old comment could have been
misinterpreted that ssl_bump rules must be evaluated to allow an
"ssl_bump splice" match to hide the error.
This is a Measurement Factory project.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 8c3f2a03f86aa1b1484195a63742bc4002ba2359
# timestamp: 2017-02-08 05:51:15 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170128035415-\
# bpwt79jsobv1rqx3
#
# Begin patch
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-01-23 02:05:46 +0000
+++ src/client_side_request.cc 2017-02-08 05:40:33 +0000
@@ -1442,6 +1442,13 @@
return false;
}
+ if (error) {
+ debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
+ http->sslBumpNeed(Ssl::bumpBump);
+ http->al->ssl.bumpMode = Ssl::bumpBump;
+ return false;
+ }
+
// Do not bump during authentication: clients would not proxy-authenticate
// if we delay a 407 response and respond with 200 OK to CONNECT.
if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
@@ -1781,8 +1788,9 @@
}
#if USE_OPENSSL
- // We need to check for SslBump even if the calloutContext->error is set
- // because bumping may require delaying the error until after CONNECT.
+ // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
+ // whether SslBump applies to this transaction. If it applies, we will
+ // attempt to bump the client to serve the error.
if (!calloutContext->sslBumpCheckDone) {
calloutContext->sslBumpCheckDone = true;
if (calloutContext->sslBumpAccessCheck())

55
src/patches/squid/squid-3.5-14143.patch
View File

@@ -1,55 +0,0 @@
------------------------------------------------------------
revno: 14143
revision-id: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9
parent: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sat 2017-02-25 18:50:14 +1300
message:
Fix regression in CONNECT authentication after rev.14142
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: bedc99ffdffd1e999c98c33faa830d4e9d1fc01d
# timestamp: 2017-02-25 05:51:22 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170208054033-\
# pxqn8rs4yu713ijq
#
# Begin patch
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-02-08 05:40:33 +0000
+++ src/client_side_request.cc 2017-02-25 05:50:14 +0000
@@ -1442,6 +1442,14 @@
return false;
}
+ // Do not bump during authentication: clients would not proxy-authenticate
+ // if we delay a 407 response and respond with 200 OK to CONNECT.
+ if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
+ http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
+ debugs(85, 5, HERE << "no SslBump during proxy authentication");
+ return false;
+ }
+
if (error) {
debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
http->sslBumpNeed(Ssl::bumpBump);
@@ -1449,14 +1457,6 @@
return false;
}
- // Do not bump during authentication: clients would not proxy-authenticate
- // if we delay a 407 response and respond with 200 OK to CONNECT.
- if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
- http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
- debugs(85, 5, HERE << "no SslBump during proxy authentication");
- return false;
- }
-
debugs(85, 5, HERE << "SslBump possible, checking ACL");
ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);

43
src/patches/squid/squid-3.5-14144.patch
View File

@@ -1,43 +0,0 @@
------------------------------------------------------------
revno: 14144
revision-id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
parent: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9
author: Alex Rousskov <rousskov@measurement-factory.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2017-02-26 21:46:24 +1300
message:
Fix crash when configuring with invalid delay_parameters restore value.
... like none/none. Introduced in rev which fixed another, much
bigger delay_parameters parsing bug.
TODO: Reject all invalid input, including restore/max of "-/100".
TODO: Fix misleading/wrong associated error messages. For example:
ERROR: invalid delay rate 'none/none'. Expecting restore/max or 'none'
ERROR: restore rate in '1/none' is not a number.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 42f47b8ee1da049d57e6af76ce755e459d2fc9fd
# timestamp: 2017-02-26 08:51:02 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170225055014-\
# j7v5xax13u4jddr9
#
# Begin patch
=== modified file 'src/DelaySpec.cc'
--- src/DelaySpec.cc 2017-01-01 00:16:45 +0000
+++ src/DelaySpec.cc 2017-02-26 08:46:24 +0000
@@ -55,7 +55,7 @@
// parse the first digits into restore_bps
const char *p = NULL;
- if (!StringToInt(token, restore_bps, &p, 10) && *p != '/') {
+ if (!StringToInt(token, restore_bps, &p, 10) || *p != '/') {
debugs(77, DBG_CRITICAL, "ERROR: invalid delay rate '" << token << "'. Expecting restore/max or 'none'.");
self_destruct();
}

33
src/patches/squid/squid-3.5-14145.patch
View File

@@ -1,33 +0,0 @@
------------------------------------------------------------
revno: 14145
revision-id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
parent: squid3@treenet.co.nz-20170226084624-5tkl3bdrqz8nlp9g
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2017-02-26 21:50:09 +1300
message:
Fix missing CRLF on FTP timeout ABORT commands
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: a290f77545e17012eea87e6315a9d375bff16752
# timestamp: 2017-02-26 08:51:05 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170226084624-\
# 5tkl3bdrqz8nlp9g
#
# Begin patch
=== modified file 'src/clients/FtpGateway.cc'
--- src/clients/FtpGateway.cc 2017-01-01 00:16:45 +0000
+++ src/clients/FtpGateway.cc 2017-02-26 08:50:09 +0000
@@ -1775,7 +1775,7 @@
// ABORT on timeouts. server may be waiting on a broken TCP link.
if (io.xerrno == Comm::TIMEOUT)
- writeCommand("ABOR");
+ writeCommand("ABOR\r\n");
// try another connection attempt with some other method
ftpSendPassive(this);

41
src/patches/squid/squid-3.5-14146.patch
View File

@@ -1,41 +0,0 @@
------------------------------------------------------------
revno: 14146
revision-id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
parent: squid3@treenet.co.nz-20170226085009-tj3o81s5ybk8ly9s
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2017-02-26 21:52:45 +1300
message:
Check that -k argument is provided before trying to use it.
Detected by Coverity Scan. Issue 1364726.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 31bba06ced5b67f892e4be897b05ec3744b2a942
# timestamp: 2017-02-26 09:51:00 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170226085009-\
# tj3o81s5ybk8ly9s
#
# Begin patch
=== modified file 'src/main.cc'
--- src/main.cc 2017-01-01 00:16:45 +0000
+++ src/main.cc 2017-02-26 08:52:45 +0000
@@ -425,11 +425,11 @@
/** \par k
* Run the administrative action given following the option */
- /** \li When its an unknown option display the usage help. */
- if ((int) strlen(optarg) < 1)
+ /** \li When it is missing or an unknown option display the usage help. */
+ if (!optarg || strlen(optarg) < 1)
usage();
- if (!strncmp(optarg, "reconfigure", strlen(optarg)))
+ else if (!strncmp(optarg, "reconfigure", strlen(optarg)))
/** \li On reconfigure send SIGHUP. */
opt_send_signal = SIGHUP;
else if (!strncmp(optarg, "rotate", strlen(optarg)))

37
src/patches/squid/squid-3.5-14147.patch
View File

@@ -1,37 +0,0 @@
------------------------------------------------------------
revno: 14147
revision-id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
parent: squid3@treenet.co.nz-20170226085245-vcvc7nemupizbe4t
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2017-02-26 21:56:17 +1300
message:
ext_kerberos_ldap_group_acl: fix unused value warnings
Detected by Coverity Scan. Issues 1364748 and 1364749.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: fd770175ba851fc62de4a085414c8fd996b53e46
# timestamp: 2017-02-26 09:51:04 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170226085245-\
# vcvc7nemupizbe4t
#
# Begin patch
=== modified file 'helpers/external_acl/kerberos_ldap_group/support_ldap.cc'
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-01-01 00:16:45 +0000
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-02-26 08:56:17 +0000
@@ -919,8 +919,8 @@
/*
* Initialise ldap
*/
- ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
- ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
+// ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
+// ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
ldap_debug = 0;
(void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
#endif

62
src/patches/squid/squid-3.5-14148.patch
View File

@@ -1,62 +0,0 @@
------------------------------------------------------------
revno: 14148
revision-id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
parent: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
author: Alexander Gozman <a.gozman@securitycode.ru>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-02-27 00:09:42 +1300
message:
Native FTP relay: NAT and TPROXY interception fixes
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 63f57f0ddddf0f231c3ef88a12728a707828c6ad
# timestamp: 2017-02-26 11:51:04 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170226085617-\
# 89jfjndt62i83qtn
#
# Begin patch
=== modified file 'src/servers/FtpServer.cc'
--- src/servers/FtpServer.cc 2017-01-01 00:16:45 +0000
+++ src/servers/FtpServer.cc 2017-02-26 11:09:42 +0000
@@ -1454,9 +1454,33 @@
Comm::ConnectionPointer conn = new Comm::Connection();
conn->flags |= COMM_DOBIND;
- // Use local IP address of the control connection as the source address
- // of the active data connection, or some clients will refuse to accept.
- conn->setAddrs(clientConnection->local, cltAddr);
+ if (clientConnection->flags & COMM_INTERCEPTION) {
+ // In the case of NAT interception conn->local value is not set
+ // because the TCP stack will automatically pick correct source
+ // address for the data connection. We must only ensure that IP
+ // version matches client's address.
+ conn->local.setAnyAddr();
+
+ if (cltAddr.isIPv4())
+ conn->local.setIPv4();
+
+ conn->remote = cltAddr;
+ } else {
+ // In the case of explicit-proxy the local IP of the control connection
+ // is the Squid IP the client is knowingly talking to.
+ //
+ // In the case of TPROXY the IP address of the control connection is
+ // server IP the client is connecting to, it can be spoofed by Squid.
+ //
+ // In both cases some clients may refuse to accept data connections if
+ // these control connectin local-IP's are not used.
+ conn->setAddrs(clientConnection->local, cltAddr);
+
+ // Using non-local addresses in TPROXY mode requires appropriate socket option.
+ if (clientConnection->flags & COMM_TRANSPARENT)
+ conn->flags |= COMM_TRANSPARENT;
+ }
+
// RFC 959 requires active FTP connections to originate from port 20
// but that would preclude us from supporting concurrent transfers! (XXX?)
conn->local.port(0);

78
src/patches/squid/squid-3.5-14149.patch
View File

@@ -1,78 +0,0 @@
------------------------------------------------------------
revno: 14149
revision-id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
parent: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4508
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Fri 2017-03-31 01:31:22 +1200
message:
Bug 4508: Host forgery stalls intercepted being-spliced connections.
Most SslBump splicing happens after getting SNI. SNI goes into the
second fake CONNECT request, where it may fail the host forgery check.
A failed check triggers an HTTP error response from Squid. When
attempting to send that response to the TLS client, Squid checks whether
all previously pipelined HTTP requests on the connection have finished.
Prior to this fix, Squid left the first fake CONNECT request in the
connection pipeline despite adding the second fake CONNECT. That first
CONNECT stalled the error response described above, with Squid waiting,
in vain, for that already handled [fake] transaction to finish.
Also call quitAfterError() to force Squid to close the connection (after
writing the discussed error response) instead of just logging a
[misleading] "kick abandoning [connection]" message in cache.log.
TODO: Always pop the first CONNECT when generating a second one.
Unifying CONNECT treatment is difficult because code like tunnel.cc
wants that CONNECT to be in the pipeline. Polishing that would probably
require disassociating ConnStateData from tunnel.cc (at least).
TODO: Apply the existing "delayed error" logic (that optionally bumps
TLS connections to deliver [some] errors to [some] SSL/TLS clients) to
host forgery errors. Otherwise, the plain HTTP error message cannot be
understood by the intercepted TLS client.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: db616fff2ac0df73cf41d380f07a96b773cf2be5
# timestamp: 2017-03-30 13:51:17 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170226110942-\
# 90rcwhx3fwa2l7is
#
# Begin patch
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2017-01-27 13:38:24 +0000
+++ src/client_side.cc 2017-03-30 13:31:22 +0000
@@ -4376,7 +4376,12 @@
fd_table[connState->clientConnection->fd].read_method = &default_read_method;
fd_table[connState->clientConnection->fd].write_method = &default_write_method;
+ ClientSocketContext::Pointer context = connState->getCurrentContext();
+ Must(context != NULL);
if (connState->transparent()) {
+ // If we are going to fake the second CONNECT, clear the first one.
+ context->connIsFinished();
+
// fake a CONNECT request to force connState to tunnel
// XXX: copy from MemBuf reallocates, not a regression since old code did too
SBuf temp;
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-02-25 05:50:14 +0000
+++ src/client_side_request.cc 2017-03-30 13:31:22 +0000
@@ -561,6 +561,7 @@
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request));
// IP address validation for Host: failed. reject the connection.
+ http->getConn()->quitAfterError(http->request);
clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
assert (repContext);

32
src/patches/squid/squid-3.5-14150.patch
View File

@@ -1,32 +0,0 @@
------------------------------------------------------------
revno: 14150
revision-id: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y
parent: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Fri 2017-03-31 12:51:52 +1200
message:
Fix variable shadowing after rev.14149
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: ae1e30fff31cf8b411c62eba344fdc944692aecf
# timestamp: 2017-03-31 01:51:06 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170330133122-\
# zcpblbvnuq7mjvq3
#
# Begin patch
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2017-03-30 13:31:22 +0000
+++ src/client_side.cc 2017-03-31 00:51:52 +0000
@@ -4390,7 +4390,6 @@
} else {
// in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
connState->in.buf.append(rbuf.content(), rbuf.contentSize());
- ClientSocketContext::Pointer context = connState->getCurrentContext();
ClientHttpRequest *http = context->http;
tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
}

36
src/patches/squid/squid-3.5-14151.patch
View File

@@ -1,36 +0,0 @@
------------------------------------------------------------
revno: 14151
revision-id: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id
parent: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y
author: Garri Djavadyan <garryd@comnet.uz>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sat 2017-04-01 12:38:31 +1300
message:
Docs: update refresh_pattern description regarding 'max' option
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: be64101730dcb2deb664d6594d20a7295a666b98
# timestamp: 2017-03-31 23:40:50 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170331005152-\
# 8exm3hsly1v1jk8y
#
# Begin patch
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2017-01-01 00:16:45 +0000
+++ src/cf.data.pre 2017-03-31 23:38:31 +0000
@@ -5401,7 +5401,9 @@
will be considered fresh.
'Max' is an upper limit on how long objects without an explicit
- expiry time will be considered fresh.
+ expiry time will be considered fresh. The value is also used
+ to form Cache-Control: max-age header for a request sent from
+ Squid to origin/parent.
options: override-expire
override-lastmod

35
src/patches/squid/squid-3.5-14152.patch
View File

@@ -1,35 +0,0 @@
------------------------------------------------------------
revno: 14152
revision-id: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
parent: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sat 2017-04-01 12:39:21 +1300
message:
libtrie: Fix 'make check' when run before 'make all'
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 8399bbfe7b517fa6306bdc61d212a9a4fcc9e88b
# timestamp: 2017-03-31 23:40:52 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170331233831-\
# m3hfrigo82uhz4id
#
# Begin patch
=== modified file 'lib/libTrie/Makefile.am'
--- lib/libTrie/Makefile.am 2017-01-01 00:16:45 +0000
+++ lib/libTrie/Makefile.am 2017-03-31 23:39:21 +0000
@@ -8,8 +8,8 @@
include $(top_srcdir)/src/Common.am
include $(top_srcdir)/src/TestHeaders.am
-DIST_SUBDIRS = test
-SUBDIRS = test
+DIST_SUBDIRS = . test
+SUBDIRS = . test
noinst_LIBRARIES = libTrie.a

353
src/patches/squid/squid-3.5-14153.patch
View File

@@ -1,353 +0,0 @@
------------------------------------------------------------
revno: 14153
revision-id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx
parent: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4688
author: Lubos Uhliarik <luhliari@redhat.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sat 2017-04-01 12:47:47 +1300
message:
Bug 4688: various typo error(s) in man page(s)
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: a05d98a4e328e39f2a490cfeff72ad8735cc6b6e
# timestamp: 2017-03-31 23:48:51 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170331233921-\
# efxhs8vy025fvrnl
#
# Begin patch
=== modified file 'compat/compat.h'
--- compat/compat.h 2017-01-01 00:16:45 +0000
+++ compat/compat.h 2017-03-31 23:47:47 +0000
@@ -11,7 +11,7 @@
/*
* From discussions it was chosen to push compat code as far down as possible.
- * That means we can have a seperate compat for most
+ * That means we can have a separate compat for most
* compatability and portability hacks and resolutions.
*
* This file is meant to collate all those hacks files together and
=== modified file 'helpers/basic_auth/DB/basic_db_auth.pl.in'
--- helpers/basic_auth/DB/basic_db_auth.pl.in 2017-01-01 00:16:45 +0000
+++ helpers/basic_auth/DB/basic_db_auth.pl.in 2017-03-31 23:47:47 +0000
@@ -14,7 +14,7 @@
basic_db_auth [options]
-=head1 DESCRIPTOIN
+=head1 DESCRIPTION
This program verifies username & password to a database
@@ -97,7 +97,7 @@
Copyright (C) 2007 Henrik Nordstrom <henrik@henriknordstrom.net>
Copyright (C) 2010 Luis Daniel Lucio Quiroz <dlucio@okay.com.mx> (Joomla support)
This program is free software. You may redistribute copies of it under the
-terms of the GNU General Public License version 2, or (at youropinion) any
+terms of the GNU General Public License version 2, or (at your opinion) any
later version.
=head1 QUESTIONS
=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8'
--- helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-01-01 00:16:45 +0000
+++ helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-03-31 23:47:47 +0000
@@ -98,7 +98,7 @@
.B Note:
This can only be done if all your users are located directly under
the same position in the LDAP tree and the login name is used for naming
-each user object. If your LDAP tree does not match these criterias or if
+each user object. If your LDAP tree does not match these criteria or if
you want to filter who are valid users then you need to use a search filter
to search for your users DN (
.B \-f
@@ -186,15 +186,15 @@
.B never
dereference aliases (default),
.B always
-dereference aliases, only while
-.B search ing
+dereference aliases, only during a
+.B search
or only to
.B find
the base object.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B "\-H ldap_uri
-Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
+Specify the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
Servers can also be specified last on the command line.
.
.if !'po4a'hide' .TP
=== modified file 'helpers/digest_auth/LDAP/digest_pw_auth.cc'
--- helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-01-01 00:16:45 +0000
+++ helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-03-31 23:47:47 +0000
@@ -30,7 +30,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
=== modified file 'helpers/digest_auth/eDirectory/digest_pw_auth.cc'
--- helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-01-01 00:16:45 +0000
+++ helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-03-31 23:47:47 +0000
@@ -30,7 +30,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
=== modified file 'helpers/digest_auth/file/digest_file_auth.8'
--- helpers/digest_auth/file/digest_file_auth.8 2017-01-01 00:16:45 +0000
+++ helpers/digest_auth/file/digest_file_auth.8 2017-03-31 23:47:47 +0000
@@ -15,7 +15,7 @@
is an installed binary authentication program for Squid. It handles digest
authentication protocol and authenticates against a text file backend.
.
-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
+This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
It may be used with any value 0 or above for the auth_param children concurrency= parameter.
.
.SH OPTIONS
@@ -54,7 +54,7 @@
improve security: If compromised the
.B username:realm:HA1
combination is "plaintext equivalent" - for the purposes of digest authentication
-they allow the user access. Password syncronisation is not tackled
+they allow the user access. Password synchronization is not tackled
by digest - just preventing on the wire compromise.
.
.SH AUTHOR
=== modified file 'helpers/digest_auth/file/digest_file_auth.cc'
--- helpers/digest_auth/file/digest_file_auth.cc 2017-01-01 00:16:45 +0000
+++ helpers/digest_auth/file/digest_file_auth.cc 2017-03-31 23:47:47 +0000
@@ -33,7 +33,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
=== modified file 'helpers/digest_auth/file/text_backend.cc'
--- helpers/digest_auth/file/text_backend.cc 2017-01-01 00:16:45 +0000
+++ helpers/digest_auth/file/text_backend.cc 2017-03-31 23:47:47 +0000
@@ -29,7 +29,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
=== modified file 'helpers/external_acl/LDAP_group/ext_ldap_group_acl.8'
--- helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-01-01 00:16:45 +0000
+++ helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-03-31 23:47:47 +0000
@@ -52,8 +52,8 @@
.BI never
dereference aliases (default),
.BI always
-dereference aliases, only while
-.BR search ing
+dereference aliases, only during a
+.BR search
or only to
.B find
the base object
@@ -143,7 +143,7 @@
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-H " ldapuri"
-Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
+Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-K
=== modified file 'helpers/external_acl/kerberos_ldap_group/README'
--- helpers/external_acl/kerberos_ldap_group/README 2010-08-13 10:17:20 +0000
+++ helpers/external_acl/kerberos_ldap_group/README 2017-03-31 23:47:47 +0000
@@ -65,7 +65,7 @@
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
KRB5_CONFIG=/etc/krb5-squid.conf
=== modified file 'helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8'
--- helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2015-03-21 06:32:34 +0000
+++ helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-03-31 23:47:47 +0000
@@ -163,7 +163,7 @@
.if !'po4a'hide' .ft
.
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
=== modified file 'helpers/external_acl/session/ext_session_acl.8'
--- helpers/external_acl/session/ext_session_acl.8 2017-01-01 00:16:45 +0000
+++ helpers/external_acl/session/ext_session_acl.8 2017-03-31 23:47:47 +0000
@@ -21,7 +21,7 @@
) or a fixed period of time (
.B \-T
). The former is suitable for displaying terms and conditions to a user; the
-latter is suitable for the display of advertisments or other notices (both as a
+latter is suitable for the display of advertisements or other notices (both as a
splash page \- see config examples in the wiki online). The session helper can also be used
to force users to re\-authenticate if the
.B %LOGIN
@@ -55,7 +55,7 @@
environment is created within the directory. The advantage of the latter
is better database support between multiple instances of the session
helper. Using multiple instances of the session helper with a single
-database file will cause synchronisation problems between processes.
+database file will cause synchronization problems between processes.
If this option is not specified the session details will be kept in
memory only and all sessions will reset each time Squid restarts its
helpers (Squid restart or rotation of logs).
=== modified file 'helpers/log_daemon/DB/log_db_daemon.pl.in'
--- helpers/log_daemon/DB/log_db_daemon.pl.in 2017-01-01 00:16:45 +0000
+++ helpers/log_daemon/DB/log_db_daemon.pl.in 2017-03-31 23:47:47 +0000
@@ -18,7 +18,7 @@
log_db_daemon DSN [options]
-=head1 DESCRIPTOIN
+=head1 DESCRIPTION
This program writes Squid access.log entries to a database.
Presently only accepts the B<squid> native format
@@ -373,7 +373,7 @@
WHERE squid_request_status LIKE '%MISS%')
/
(SELECT COUNT(*) FROM access_log)*100
- AS pecentage;
+ AS percentage;
=item Response time ranges
@@ -433,7 +433,7 @@
This script currently implements only the C<L> (i.e. "append a line to the log") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem.
-One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to caluclate those values.
+One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to calculate those values.
Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands.
=== modified file 'helpers/negotiate_auth/kerberos/README'
--- helpers/negotiate_auth/kerberos/README 2008-10-03 02:25:50 +0000
+++ helpers/negotiate_auth/kerberos/README 2017-03-31 23:47:47 +0000
@@ -53,7 +53,7 @@
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
KRB5_CONFIG=/etc/krb-squid5.conf
=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8'
--- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2014-12-20 17:10:25 +0000
+++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2017-03-31 23:47:47 +0000
@@ -69,7 +69,7 @@
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
KRB5_CONFIG=/etc/krb5\-squid.conf
=== modified file 'helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in'
--- helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-01-01 00:16:45 +0000
+++ helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-03-31 23:47:47 +0000
@@ -29,7 +29,7 @@
Rewrite rules are matched in the same order as they appear in the rules file.
So for best performance, sort it in order of frequency of occurrence.
-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
+This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
It may be used with any value 0 or above for the store_id_children concurrency= parameter.
=head1 OPTIONS
=== modified file 'src/StoreFileSystem.h'
--- src/StoreFileSystem.h 2017-01-01 00:16:45 +0000
+++ src/StoreFileSystem.h 2017-03-31 23:47:47 +0000
@@ -47,7 +47,7 @@
\par
* configure will take a list of storage types through the
* --enable-store-io parameter. This parameter takes a list of
- * space seperated storage types. For example,
+ * space separated storage types. For example,
* --enable-store-io="ufs aufs" .
*
\par
=== modified file 'src/ipcache.cc'
--- src/ipcache.cc 2017-01-01 00:16:45 +0000
+++ src/ipcache.cc 2017-03-31 23:47:47 +0000
@@ -50,7 +50,7 @@
\defgroup IPCacheInternal IP Cache Internals
\ingroup IPCacheAPI
\todo when IP cache is provided as a class. These sub-groups will be obsolete
- * for now they are used to seperate the public and private functions.
+ * for now they are used to separate the public and private functions.
* with the private ones all being in IPCachInternal and public in IPCacheAPI
*
\section InternalOperation Internal Operation
=== modified file 'src/ssl/ssl_crtd.8'
--- src/ssl/ssl_crtd.8 2017-01-01 00:16:45 +0000
+++ src/ssl/ssl_crtd.8 2017-03-31 23:47:47 +0000
@@ -33,7 +33,7 @@
Because the generation and signing of SSL certificates takes time
Squid must use external process to handle the work.
.
-This process generates new SSL certificates and uses a disk cache of certificatess
+This process generates new SSL certificates and uses a disk cache of certificates
to improve response times on repeated requests.
Communication occurs via TCP sockets bound to the loopback interface.
.
@@ -122,7 +122,7 @@
.
.PP
For simple configuration the helper defaults can be used.
-Only HTTP listening port options are required to enable generation and set the signign CA certificate.
+Only HTTP listening port options are required to enable generation and set the signing CA certificate.
For Example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem