pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/www/squid4 www/squid4: update to 4.10



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ff6befb997e8
branches:  trunk
changeset: 411049:ff6befb997e8
user:      taca <taca%pkgsrc.org@localhost>
date:      Tue Feb 04 03:03:48 2020 +0000

description:
www/squid4: update to 4.10

pkgsrc changes: clean up PKG_OPTIONS and enable several backends by default.

Quote from the release announcement:

This release is a security release resolving several issues found in
the prior Squid releases.

The major changes to be aware of:

 * SQUID-2020:1 Improper Input Validation issues in HTTP Request
   processing
   (CVE-2020-8449, CVE-2020-8450)

This issue allows attackers to perform denial of service on the
proxy and all clients using it.

This issue potentially allows attackers to bypass security access
controls in systems between client and proxy.

This issue potentially allows remote code execution under the
proxy low-privilege level. While restricted, it does have access
to a wide range of information about the network structure and
other clients using the proxy.

This issue is limited to Squid acting as a reverse-proxy. Some
effects also require allow_direct permissions.

See the advisory for updated patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>

Please note that NTLM is a deprecated authentication mechanism.
All users of this tool are advised to plan migration to
Negotiate/Kerberos authentication.

 * SQUID-2020:2 Information Disclosure issue in FTP Gateway.
   (CVE-2019-12528)

Certain FTP server responses can result in Squid revealing
random amounts of memory content from the heap.

When the Squid mempools feature is enabled the leak is limited to
lines in FTP directory listings, possibly from other clients.

When mempools is disabled the information may be anything from
the heap area including information from other processes on the
machine.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>

 * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
   (CVE-2020-8517)

This problem is limited to installations using the ext_lm_group_acl
binary (previously shipped as mswin_check_lm_group).

Due to incorrect input validation the NTLM authentication
credentials parser in ext_lm_group_acl may write to memory
outside the credentials buffer.

On systems with memory access protections this can result in
the helper process being terminated unexpectedly, resulting
in the Squid process also terminating and a denial of service for
all clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>

 * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size

This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
issue was incorrect memory alignment with certain cache sizes. This
Squid release now forces alignment of the critical rock page details.

 * Bug 4735: Truncated chunked responses cached as whole

This bug shows up as clients getting the cached truncated response
objects until the cache object expires or is force removed.

In the absence of partial-object caching this Squid release treats
incomplete responses as non-cacheable and prevents the chunked encoding
terminator chunk being delivered to the active client(s).

 * Fix server_cert_fingerprint on cert validator-reported errors

This bug shows up as a server_cert_fingerprint ACL mismatch when
sslproxy_cert_error directive was applied to validation errors reported
by the certificate validator, because the ACL could not find the server
certificate.

  All users of Squid are urged to upgrade as soon as possible.
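
The announcement ties two of the three advisories to specific deployment conditions: SQUID-2020:1 is limited to Squid acting as a reverse proxy, and SQUID-2020:3 only affects installations that use the ext_lm_group_acl helper; it also asks NTLM users to plan a migration. The script below, an added example that is not code from pkgsrc or the Squid project, reads a squid.conf and reports which of those conditions hold, so an operator with many proxies can decide which ones to patch first. It assumes the usual squid.conf syntax (the "accel" flag on http_port/https_port for reverse-proxy mode, "auth_param ntlm ...", and an "external_acl_type" line whose program is ext_lm_group_acl); the sample configuration embedded in it is constructed for the demonstration. SQUID-2020:2 (the FTP gateway leak) is not configuration-gated in the announcement, so the script does not try to detect it; the version check still decides that one.

```python
"""Audit a squid.conf for the deployment conditions the Squid 4.10 release
announcement attaches to SQUID-2020:1 (reverse-proxy mode) and SQUID-2020:3
(the ext_lm_group_acl helper), plus the deprecated NTLM auth scheme.

Added example; this is not code from pkgsrc or the Squid project.  The
directive syntax it matches on (the "accel" flag on http_port/https_port,
"auth_param ntlm ...", and "external_acl_type ... ext_lm_group_acl") is the
author's reading of squid.conf, not something the commit documents.
"""
from typing import Dict, List

# Constructed sample squid.conf; not taken from any real deployment.
SAMPLE_CONF = """\
# reverse proxy in front of an intranet application
http_port 3128
https_port 443 accel defaultsite=app.example.internal cert=/etc/squid/app.pem
cache_peer 10.0.0.5 parent 8080 0 no-query originserver

# NTLM single sign-on through the Samba helper
auth_param ntlm program /usr/pkg/libexec/ntlm_smb_lm_auth
auth_param ntlm children 10
external_acl_type lmgroup %LOGIN /usr/pkg/libexec/ext_lm_group_acl -G
acl staff external lmgroup "Domain Users"
http_access allow staff
"""

Findings = Dict[str, List[str]]


def parse_directives(text: str) -> List[List[str]]:
    """Tokenise squid.conf lines, dropping comments and blank lines.

    squid.conf treats '#' to end of line as a comment and separates
    directive arguments by whitespace; quoted arguments are not handled.
    """
    out: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def audit(text: str) -> Findings:
    """Return the matching directive lines, keyed by the condition they meet."""
    findings: Findings = {
        "reverse_proxy": [],      # SQUID-2020:1 is limited to accel mode
        "ntlm_auth": [],          # deprecated; announcement says migrate
        "ext_lm_group_acl": [],   # SQUID-2020:3 is limited to this helper
    }
    for tokens in parse_directives(text):
        name, args = tokens[0], tokens[1:]
        line = " ".join(tokens)
        if name in ("http_port", "https_port") and "accel" in args:
            findings["reverse_proxy"].append(line)
        elif name == "auth_param" and args and args[0].lower() == "ntlm":
            findings["ntlm_auth"].append(line)
        elif name == "external_acl_type" and any(
            a.rsplit("/", 1)[-1] == "ext_lm_group_acl" for a in args
        ):
            findings["ext_lm_group_acl"].append(line)
    return findings


def advisories_for(findings: Findings) -> List[str]:
    """Map findings to the advisory IDs whose stated preconditions hold.

    SQUID-2020:2 (FTP gateway) has no configuration precondition in the
    announcement, so it is deliberately not reported here.
    """
    ids: List[str] = []
    if findings["reverse_proxy"]:
        ids.append("SQUID-2020:1")
    if findings["ext_lm_group_acl"]:
        ids.append("SQUID-2020:3")
    return ids


if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    for key, lines in result.items():
        for line in lines:
            print(f"{key}: {line}")
    print("advisories with preconditions met:", ", ".join(advisories_for(result)))
```

Run it against a real configuration with `audit(open("/usr/pkg/etc/squid/squid.conf").read())`; a non-empty "ntlm_auth" list is the cue to start the Negotiate/Kerberos migration the announcement recommends, independent of the upgrade.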

diffstat:

 www/squid4/Makefile                                   |   6 +-
 www/squid4/Makefile.common                            |   4 +-
 www/squid4/PLIST                                      |   6 +-
 www/squid4/distinfo                                   |  13 ++--
 www/squid4/options.mk                                 |  50 ++++++++++--------
 www/squid4/patches/patch-configure                    |  37 +++++++++++--
 www/squid4/patches/patch-src_security_ServerOptions.h |  12 ----
 7 files changed, 73 insertions(+), 55 deletions(-)

diffs (259 lines):

diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/Makefile
--- a/www/squid4/Makefile       Tue Feb 04 01:58:26 2020 +0000
+++ b/www/squid4/Makefile       Tue Feb 04 03:03:48 2020 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.3 2020/01/23 14:49:09 jperkin Exp $
+# $NetBSD: Makefile,v 1.4 2020/02/04 03:03:48 taca Exp $
 
-DISTNAME=      squid-4.9
-PKGREVISION=   1
+DISTNAME=      squid-4.10
 CATEGORIES=    www
 MASTER_SITES=  http://www.squid-cache.org/Versions/v4/
 MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
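Review bot: dropping PKGREVISION together with the DISTNAME bump is correct, since the version change alone forces the update. One thing worth noting for a security release: both MASTER_SITES entries are plain http:// and ftp://, so the integrity of the 4.10 distfile rests entirely on the distinfo checksums; if upstream serves the same paths over https, adding that mirror first would remove the trivial tamper-in-transit case.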
@@ -36,7 +35,6 @@
 
 BUILDLINK_TRANSFORM+=  rm:-Werror
 
-BUILD_DEFS+=           VARBASE
 MAKE_ENV+=             INSTALL_SCRIPT=${INSTALL_SCRIPT:Q}
 MAKE_ENV+=             PKG_PREFIX=${PREFIX} VARBASE=${VARBASE}
 REPLACE_PERL+=         contrib/url-normalizer.pl contrib/user-agents.pl \
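Review bot: removing `BUILD_DEFS+= VARBASE` here is only safe because it reappears in Makefile.common, but the `.include` of Makefile.common is not in this diff, so confirm the Makefile actually pulls it in before bsd.pkg.mk; otherwise VARBASE silently stops being recorded in the package's build definitions, and the MAKE_ENV line that still passes `VARBASE=${VARBASE}` would no longer be reflected there.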
diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/Makefile.common
--- a/www/squid4/Makefile.common        Tue Feb 04 01:58:26 2020 +0000
+++ b/www/squid4/Makefile.common        Tue Feb 04 03:03:48 2020 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.1 2020/01/04 10:57:18 taca Exp $
+# $NetBSD: Makefile.common,v 1.2 2020/02/04 03:03:48 taca Exp $
 #
 # used by www/squid4/Makefile
 
@@ -15,3 +15,5 @@
 PKG_GROUPS=                    ${SQUID_GROUP}
 PKG_USERS=                     ${SQUID_USER}:${SQUID_GROUP}
 PKG_GECOS.${SQUID_USER}=       Squid Web-Cache pseudo-user
+
+BUILD_DEFS+=                   VARBASE
diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/PLIST
--- a/www/squid4/PLIST  Tue Feb 04 01:58:26 2020 +0000
+++ b/www/squid4/PLIST  Tue Feb 04 03:03:48 2020 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2020/01/04 10:57:18 taca Exp $
+@comment $NetBSD: PLIST,v 1.2 2020/02/04 03:03:48 taca Exp $
 bin/purge
 bin/squidclient
 libexec/basic_db_auth
@@ -23,7 +23,7 @@
 libexec/ntlm_smb_lm_auth
 libexec/pinger
 libexec/security_fake_certverify
-libexec/security_file_certgen
+${PLIST.openssl}libexec/security_file_certgen
 libexec/storeid_file_rewrite
 ${PLIST.unlinkd}libexec/unlinkd
 libexec/url_fake_rewrite
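Review bot: making `libexec/security_file_certgen` conditional on `${PLIST.openssl}` matches the options.mk change that stops passing `--enable-ssl-crtd` for gnutls, but the openssl branch that must now set `PLIST.openssl=yes` and `--enable-ssl-crtd` is not in this diff; verify it, otherwise an openssl build installs the helper and the PLIST check fails. It is also worth stating in the commit message that gnutls builds now lack the dynamic certificate generator, which is what ssl_bump needs for generate-host-certificates.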
@@ -45,7 +45,7 @@
 man/man8/log_db_daemon.8
 ${PLIST.ta_kerberos}man/man8/negotiate_kerberos_auth.8
 man/man8/security_fake_certverify.8
-man/man8/security_file_certgen.8
+${PLIST.openssl}man/man8/security_file_certgen.8
 man/man8/squid.8
 man/man8/storeid_file_rewrite.8
 man/man8/url_lfs_rewrite.8
diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/distinfo
--- a/www/squid4/distinfo       Tue Feb 04 01:58:26 2020 +0000
+++ b/www/squid4/distinfo       Tue Feb 04 03:03:48 2020 +0000
@@ -1,15 +1,14 @@
-$NetBSD: distinfo,v 1.2 2020/01/10 21:22:22 joerg Exp $
+$NetBSD: distinfo,v 1.3 2020/02/04 03:03:48 taca Exp $
 
-SHA1 (squid-4.9.tar.xz) = 43c90a1a2eb4d1613f1bfc603ad08e8a835be319
-RMD160 (squid-4.9.tar.xz) = 164d000671dba370ebd1b1d1e36137b1d9d7df67
-SHA512 (squid-4.9.tar.xz) = ca3db39379ea0582ff28297dde21899d02916ea499fb9c0f86aa60301829b7c601bb21ee274f841555047bc911e878717b38670b8796e5d717862b7a285ef84f
-Size (squid-4.9.tar.xz) = 2444664 bytes
+SHA1 (squid-4.10.tar.xz) = b8b267771550bb8c7f2b2968b305118090e7217a
+RMD160 (squid-4.10.tar.xz) = 33b4f2fb2a428fb37379541eabb1c892fa29ae44
+SHA512 (squid-4.10.tar.xz) = 033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0
+Size (squid-4.10.tar.xz) = 2445848 bytes
 SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0
-SHA1 (patch-configure) = 1474c9b2a2706b3105ee6ebe9354d33a66deb0c7
+SHA1 (patch-configure) = e7920ba353716e26d0b7559366c86b22cb03adfd
 SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
 SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
 SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
 SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
 SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59
-SHA1 (patch-src_security_ServerOptions.h) = 36ed59837040d652ca00ca685970f7c728ff67c3
 SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
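Review bot: the SHA512 line is the only checksum here that carries real weight (SHA1 and RMD160 are kept for format compatibility), so it should have been compared against upstream's published value or detached signature rather than computed from the downloaded file; a note in the commit message that this was done would help later auditors of a security update. Removing the `patch-src_security_ServerOptions.h` line is consistent with the deleted patch file, and the new `patch-configure` checksum matches the rewritten patch.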
diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/options.mk
--- a/www/squid4/options.mk     Tue Feb 04 01:58:26 2020 +0000
+++ b/www/squid4/options.mk     Tue Feb 04 03:03:48 2020 +0000
@@ -1,26 +1,27 @@
-# $NetBSD: options.mk,v 1.2 2020/01/23 14:47:56 jperkin Exp $
+# $NetBSD: options.mk,v 1.3 2020/02/04 03:03:48 taca Exp $
 
-PKG_OPTIONS_VAR=       PKG_OPTIONS.squid4
-PKG_SUPPORTED_OPTIONS= ecap gnutls inet6 snmp openssl squid-backend-aufs \
-                       squid-backend-diskd squid-backend-rock \
-                       squid-backend-ufs squid-unlinkd squid-kerberos-helper \
-                       squid-ldap-helper squid-pam-helper
-PKG_OPTIONS_LEGACY_OPTS+= \
-       diskd:squid-backend-diskd \
-       null:squid-backend-null ufs:squid-backend-ufs \
-       linux-netfilter:squid-netfilter ipf-transparent:squid-ipf \
-       pf-transparent:squid-pf unlinkd:squid-unlinkd \
-       arp-acl:squid-arp-acl pam-helper:squid-pam-helper
+PKG_OPTIONS_VAR=               PKG_OPTIONS.squid4
+PKG_SUPPORTED_OPTIONS=         ecap esi inet6 snmp squid-backend-aufs \
+                               squid-backend-diskd squid-backend-rock \
+                               squid-backend-ufs squid-unlinkd \
+                               squid-kerberos-helper squid-ldap-helper \
+                               squid-pam-helper
+PKG_OPTIONS_REQUIRED_GROUPS=   ssl
+PKG_OPTIONS_GROUP.ssl=         openssl gnutls
+PKG_OPTIONS_LEGACY_OPTS+=      diskd:squid-backend-diskd \
+                               null:squid-backend-null ufs:squid-backend-ufs \
+                               linux-netfilter:squid-netfilter \
+                               ipf-transparent:squid-ipf \
+                               pf-transparent:squid-pf unlinkd:squid-unlinkd \
+                               arp-acl:squid-arp-acl \
+                               pam-helper:squid-pam-helper
 
-PLIST_VARS+=   diskd snmp unlinkd
 PLIST_VARS+=   ba_LDAP ba_NCSA ba_PAM ba_getpwnam
-PLIST_VARS+=   da_file da_LDAP
-PLIST_VARS+=   na_sml_lm
-PLIST_VARS+=   ta_kerberos
-PLIST_VARS+=   eacl_file_userip eacl_LDAP_group eacl_unix_group
-PLIST_VARS+=   openssl
+PLIST_VARS+=   da_LDAP da_file diskd
+PLIST_VARS+=   eacl_LDAP_group eacl_file_userip eacl_unix_group
+PLIST_VARS+=   openssl ta_kerberos unlinkd
 
-PKG_SUGGESTED_OPTIONS= inet6 snmp openssl squid-backend-aufs \
+PKG_SUGGESTED_OPTIONS= inet6 esi openssl snmp squid-backend-aufs \
                        squid-backend-diskd squid-backend-ufs \
                        squid-pam-helper squid-unlinkd
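Review bot: the commit message says the change enables several backends by default, but PKG_SUGGESTED_OPTIONS only gains `esi`; aufs, diskd and ufs were already suggested and rock still is not, so either the message or this list needs adjusting. While the option lists are being rewritten, note that PKG_OPTIONS_LEGACY_OPTS still maps `null`, `linux-netfilter`, `ipf-transparent`, `pf-transparent` and `arp-acl` to `squid-backend-null`, `squid-netfilter`, `squid-ipf`, `squid-pf` and `squid-arp-acl`, none of which appear in PKG_SUPPORTED_OPTIONS, so those legacy names resolve to options the package does not know about. Moving openssl and gnutls into a required `ssl` group makes them mutually exclusive and mandatory, which is the right thing for a TLS-capable proxy, but it will break any existing PKG_OPTIONS.squid4 that names both; say so in the message.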
 
@@ -94,6 +95,13 @@
 CONFIGURE_ARGS+=       --disable-ecap
 .endif
 
+.if !empty(PKG_OPTIONS:Mesi)
+CONFIGURE_ARGS+=       --enable-esi
+.include "../../textproc/expat/buildlink3.mk"
+.else
+CONFIGURE_ARGS+=       --disable-esi
+.endif
+
 .if !empty(PKG_SUPPORTED_OPTIONS:Minet6) && empty(PKG_OPTIONS:Minet6)
 CONFIGURE_ARGS+=       --disable-ipv6
 .endif
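Review bot: the `.include` inside the new `.if` block should follow the indentation convention the rest of this file uses for nested includes (`.  include`, as in the gnutls block further down). Since `esi` is now a suggested option, the default package also gains ESI processing of server-supplied response markup via expat; that is a new parser in the default build and deserves a mention in the commit message.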
@@ -122,7 +130,6 @@
 
 .if !empty(PKG_OPTIONS:Msnmp)
 CONFIGURE_ARGS+=       --enable-snmp
-PLIST.snmp=            yes
 .else
 CONFIGURE_ARGS+=       --disable-snmp
 .endif
@@ -136,9 +143,8 @@
 
 .if !empty(PKG_OPTIONS:Mgnutls)
 CONFIGURE_ARGS+=       --with-gnutls=${PREFIX:Q}
-CONFIGURE_ARGS+=       --enable-ssl-crtd --without-openssl
+CONFIGURE_ARGS+=       --without-openssl
 .  include "../../security/gnutls/buildlink3.mk"
-PLIST.openssl=         yes
 .endif
 
 .if !empty(PKG_OPTIONS:Msquid-backend-aufs)
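Review bot: dropping `--enable-ssl-crtd` and `PLIST.openssl=yes` from the gnutls branch is consistent with the PLIST change, but the practical effect is that a gnutls build has no security_file_certgen, so ssl_bump with generated host certificates is an openssl-only feature of this package now; document that in options.mk or DESCR so users choosing gnutls for the `ssl` group know what they give up.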
diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/patches/patch-configure
--- a/www/squid4/patches/patch-configure        Tue Feb 04 01:58:26 2020 +0000
+++ b/www/squid4/patches/patch-configure        Tue Feb 04 03:03:48 2020 +0000
@@ -1,13 +1,38 @@
-$NetBSD: patch-configure,v 1.1 2020/01/04 10:57:18 taca Exp $
+$NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
 
 * More support for OpenSSL 1.1; not only check SSL_Library_init() but
   also check OPENSSL_init_ssl().
 * Fix syntax error by accidental new line.
 * Utilisze <stdlib.h> on BSD.
+* Do not override CFLAGS/CXXFLAGS except linux.
 
---- configure.orig     2019-07-09 19:16:52.000000000 +0000
+--- configure.orig     2020-01-20 02:51:59.000000000 +0000
 +++ configure
-@@ -24032,7 +24032,51 @@ if test "x$ac_cv_lib_ssl_SSL_library_ini
+@@ -23201,10 +23201,12 @@ do
+ done
+ 
+   # GLIBC 2.30 deprecates sysctl.h. Test with the same flags that (may) break includes later.
+-  CFLAGS=$SQUID_CFLAGS
+-  CXXFLAGS=$SQUID_CXXFLAGS
+   case "$squid_host_os" in
+-    linux|solaris|freebsd|openbsd|netbsd|cygwin)
++    linux)
++      CFLAGS=$SQUID_CFLAGS
++      CXXFLAGS=$SQUID_CXXFLAGS
++      ;;
++    solaris|freebsd|openbsd|netbsd|cygwin)
+       ${TRUE}
+       ;;
+     mingw)
+@@ -23244,6 +23246,7 @@ done
+ do :
+   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
++#include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ 
+@@ -24080,7 +24083,51 @@ if test "x$ac_cv_lib_ssl_SSL_CTX_new" = 
    LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"
  else
  
@@ -60,7 +85,7 @@
  
  fi
  
-@@ -24135,7 +24179,51 @@ if test "x$ac_cv_lib_ssl_SSL_library_ini
+@@ -24183,7 +24230,51 @@ if test "x$ac_cv_lib_ssl_SSL_CTX_new" = 
    LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"
  else
  
@@ -113,7 +138,7 @@
  
  fi
  
-@@ -39186,6 +39274,8 @@ else
+@@ -39234,6 +39325,8 @@ else
  # ifdef _MSC_VER
  #  include <malloc.h>
  #  define alloca _alloca
@@ -122,7 +147,7 @@
  # else
  #  ifdef HAVE_ALLOCA_H
  #   include <alloca.h>
-@@ -42012,7 +42102,7 @@ _ACEOF
+@@ -42057,7 +42150,7 @@ _ACEOF
  
  
  fi
diff -r bd2d0f42f8a0 -r ff6befb997e8 www/squid4/patches/patch-src_security_ServerOptions.h
--- a/www/squid4/patches/patch-src_security_ServerOptions.h     Tue Feb 04 01:58:26 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,12 +0,0 @@
-$NetBSD: patch-src_security_ServerOptions.h,v 1.1 2020/01/10 21:22:22 joerg Exp $
-
---- src/security/ServerOptions.h.orig  2020-01-09 22:33:01.407843695 +0000
-+++ src/security/ServerOptions.h
-@@ -35,7 +35,6 @@ public:
-         // is more secure to have only a small set of trusted CA.
-         flags.tlsDefaultCa.defaultTo(false);
-     }
--    ServerOptions(const ServerOptions &) = default;
-     ServerOptions &operator =(const ServerOptions &);
-     ServerOptions(ServerOptions &&o) { this->operator =(o); }
-     ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
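Review bot: the commit message does not say why this patch is dropped; presumably upstream 4.10 resolved the copy-constructor problem it worked around, but the patch header carried no description and no upstream reference, so nothing in the tree records what it fixed. Add a sentence to the commit message naming the upstream change (or the compiler error it addressed) so the next reviewer can confirm the removal is safe rather than a reintroduced build failure.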


