Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/www/squid4 www/squid4: update to 4.13
details: https://anonhg.NetBSD.org/pkgsrc/rev/c3fc4c9b7cd4
branches: trunk
changeset: 437395:c3fc4c9b7cd4
user: taca <taca%pkgsrc.org@localhost>
date: Sun Aug 23 09:51:35 2020 +0000
description:
www/squid4: update to 4.13
Update squid4 to 4.13 (Squid 4.13).
Here is release announce:
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.13 release!
This release is a security release resolving several issues found in
the prior Squid releases.
The major changes to be aware of:
* SQUID-2020:8 HTTP(S) Request Splitting
(CVE-2020-15811)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv>
* SQUID-2020:9 Denial of Service processing Cache Digest Response
(CVE pending allocation)
This problem allows a trusted peer to deliver to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.
This attack is limited to Squid using cache_peer with cache
digests feature.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg>
* SQUID-2020:10 HTTP(S) Request Smuggling
(CVE-2020-15810)
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.
See the advisory for patches:
<https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m>
* Bug 5051: Some collapsed revalidation responses never expire
This bug appears as a 4xx or 5xx status response becoming the only
response delivered by Squid to a URL when Collapsed Forwarding
feature is used.
It primarily affects Squid which are caching the 4xx/5xx status
object since Bug 5030 fix in Squid-4.11. But may have been
occurring for short times on any proxy with Collapsed Forwarding.
* SSL-Bump: Support parsing GREASEd (and future) TLS handshakes
Chrome Browser intentionally sends random garbage values in the
TLS handshake to force TLS implementations to cope with future TLS
extensions cleanly. The changes in Squid-4.12 to disable TLS/1.3
caused our parser to be extra strict and reject this TLS garbage.
This release adds explicit support for Chrome, or any other TLS
agent performing these "GREASE" behaviours.
* Honor on_unsupported_protocol for intercepted https_port
This behaviour was one of the intended use-cases for unsupported
protocol handling, but somehow was not enabled earlier.
Squid should now be able to perform the on_unsupported_protocol
selected action for any traffic handled by SSL-Bump.
All users of Squid are urged to upgrade as soon as possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4
diffstat:
www/squid4/Makefile | 5 +-
www/squid4/distinfo | 10 +-
www/squid4/patches/patch-src_security_Handshake.cc | 157 ---------------------
3 files changed, 7 insertions(+), 165 deletions(-)
diffs (192 lines):
diff -r 68f3534ff092 -r c3fc4c9b7cd4 www/squid4/Makefile
--- a/www/squid4/Makefile Sun Aug 23 08:31:57 2020 +0000
+++ b/www/squid4/Makefile Sun Aug 23 09:51:35 2020 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.11 2020/07/09 20:57:11 otis Exp $
+# $NetBSD: Makefile,v 1.12 2020/08/23 09:51:35 taca Exp $
-DISTNAME= squid-4.12
-PKGREVISION= 1
+DISTNAME= squid-4.13
CATEGORIES= www
MASTER_SITES= http://www.squid-cache.org/Versions/v4/
MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
diff -r 68f3534ff092 -r c3fc4c9b7cd4 www/squid4/distinfo
--- a/www/squid4/distinfo Sun Aug 23 08:31:57 2020 +0000
+++ b/www/squid4/distinfo Sun Aug 23 09:51:35 2020 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.8 2020/07/09 20:57:11 otis Exp $
+$NetBSD: distinfo,v 1.9 2020/08/23 09:51:35 taca Exp $
-SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6
-RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb
-SHA512 (squid-4.12.tar.xz) = 96fa700a0c28711eb1ec5e44e1d324dc8d3accdddbc675def8babe057e2cc71083bd3817bc37cbd9f3c03772743df578573ee3698bbd6131df68c3580ad31ef4
-Size (squid-4.12.tar.xz) = 2450564 bytes
+SHA1 (squid-4.13.tar.xz) = cac95c18789e9ecd6620c2f278fc3900498c065b
+RMD160 (squid-4.13.tar.xz) = e49c1b0c6154a3ec0c1ce84e1d9c1c76733cefc1
+SHA512 (squid-4.13.tar.xz) = 06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc
+Size (squid-4.13.tar.xz) = 2452752 bytes
SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0
SHA1 (patch-configure) = 0d204989666c36172f0765f2a44766d9194c7bb2
SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
diff -r 68f3534ff092 -r c3fc4c9b7cd4 www/squid4/patches/patch-src_security_Handshake.cc
--- a/www/squid4/patches/patch-src_security_Handshake.cc Sun Aug 23 08:31:57 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,157 +0,0 @@
-$NetBSD: patch-src_security_Handshake.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
-
-Address:
-https://github.com/squid-cache/squid/pull/663
-https://www.spinics.net/lists/squid/msg92728.html
-https://www.spinics.net/lists/squid/msg92814.html
-
-See also:
-https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247397
-
---- src/security/Handshake.cc.orig 2020-07-09 19:09:34.152270307 +0000
-+++ src/security/Handshake.cc
-@@ -9,6 +9,7 @@
- /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
-
- #include "squid.h"
-+#include "sbuf/Stream.h"
- #include "security/Handshake.h"
- #if USE_OPENSSL
- #include "ssl/support.h"
-@@ -104,25 +105,52 @@ public:
- typedef std::unordered_set<Extension::Type> Extensions;
- static Extensions SupportedExtensions();
-
--} // namespace Security
--
- /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
-+/// \retval PROTO_NONE for unsupported values (in relaxed mode)
- static AnyP::ProtocolVersion
--ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
-+ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
- {
- Parser::BinaryTokenizerContext context(tk, contextLabel);
- uint8_t vMajor = tk.uint8(".major");
- uint8_t vMinor = tk.uint8(".minor");
-+
- if (vMajor == 0 && vMinor == 2)
- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
-
-- Must(vMajor == 3);
-- if (vMinor == 0)
-- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
-+ if (vMajor == 3) {
-+ if (vMinor == 0)
-+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
-+ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
-+ }
-+
-+ /* handle unsupported versions */
-+
-+ const uint16_t vRaw = (vMajor << 8) | vMinor;
-+ debugs(83, 7, "unsupported: " << asHex(vRaw));
-+ if (beStrict)
-+ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
-+ // else hide unsupported version details from the caller behind PROTO_NONE
-+ return AnyP::ProtocolVersion();
-+}
-+
-+/// parse a framing-related TLS ProtocolVersion
-+/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
-+static AnyP::ProtocolVersion
-+ParseProtocolVersion(Parser::BinaryTokenizer &tk)
-+{
-+ return ParseProtocolVersionBase(tk, ".version", true);
-+}
-
-- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
-+/// parse a framing-unrelated TLS ProtocolVersion
-+/// \retval PROTO_NONE for unsupported values
-+static AnyP::ProtocolVersion
-+ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
-+{
-+ return ParseProtocolVersionBase(tk, contextLabel, false);
- }
-
-+} // namespace Security
-+
- Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
- {
- Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
-@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensio
- break;
- case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
- Parser::BinaryTokenizer tkAPN(extension.data);
-+ // Store the entire protocol list, including unsupported-by-Squid
-+ // values (if any). We have to use all when peeking at the server.
- details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
- break;
- }
-@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensio
- case 43: // supported_versions extension; RFC 8446
- parseSupportedVersionsExtension(extension.data);
- break;
-- case 13172: // Next Protocol Negotiation Extension (expired draft?)
- default:
-+ // other extensions, including those that Squid does not support, do
-+ // not require special handling here, but see unsupportedExtensions
- break;
- }
- }
-@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(
- Parser::BinaryTokenizer tk(raw);
- while (!tk.atEnd()) {
- const uint16_t cipher = tk.uint16("cipher");
-- details->ciphers.insert(cipher);
-+ details->ciphers.insert(cipher); // including Squid-unsupported ones
- }
- }
-
-@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphe
- const uint8_t prefix = tk.uint8("prefix");
- const uint16_t cipher = tk.uint16("cipher");
- if (prefix == 0)
-- details->ciphers.insert(cipher);
-+ details->ciphers.insert(cipher); // including Squid-unsupported ones
- }
- }
-
-@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHe
- details->tlsSupportedVersion = ParseProtocolVersion(tk);
- tk.skip(HelloRandomSize, ".random");
- details->sessionId = tk.pstring8(".session_id");
-+ // cipherSuite may be unsupported by a peeking Squid
- details->ciphers.insert(tk.uint16(".cipher_suite"));
- details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
- if (!tk.atEnd()) // extensions present
-@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupporte
- Parser::BinaryTokenizer tkList(extensionData);
- Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
- while (!tkVersions.atEnd()) {
-- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
-+ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
-+ // ignore values unsupported by Squid,represented by a falsy version
-+ if (!version)
-+ continue;
- if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
- supportedVersionMax = version;
- }
-
-- // ignore empty supported_versions
-+ // ignore empty and ignored-values-only supported_versions
- if (!supportedVersionMax)
- return;
-
-@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupporte
- } else {
- assert(messageSource == fromServer);
- Parser::BinaryTokenizer tkVersion(extensionData);
-- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
-+ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
-+ // Ignore values unsupported by Squid. There should not be any until we
-+ // start seeing TLS v2+, but they do not affect TLS framing anyway.
-+ if (!version)
-+ return;
- // RFC 8446 Section 4.2.1:
- // A server which negotiates a version of TLS prior to TLS 1.3 [...]
- // MUST NOT send the "supported_versions" extension.
Home |
Main Index |
Thread Index |
Old Index