- up to 4.11; SECURITY fixes

diff --git a/debug.patch b/debug.patch
new file mode 100644 (file)
index 0000000..bc3310c
--- /dev/null
+++ b/debug.patch
@@ -0,0 +1,54 @@
+From c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Thu, 23 Apr 2020 05:56:35 -0600
+Subject: [PATCH] Bug 5041: Missing Debug::Extra breaks build on hosts with
+ systemd (#611)
+
+* Bug 5041: Missing Debug::Extra breaks build on hosts with systemd
+
+Master commit 6fa8c66 (i.e. Bug 5016 fix) relied on Debug::Extra added
+by master commit (ccfbe8f) that was not ported to v4. The port of the
+former master commit lacked the required piece of the latter commit.
+
+The problem is invisible on hosts without a systemd package (that Squid
+can find/use) and with Squids explicitly ./configured --without-systemd.
+
+* "Minimum features" build test should be --without-systemd
+
+* LDFLAGS were missing SYSTEMD_LIBS in builds with systemd support
+
+Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com>
+---
+ configure.ac                                | 1 +
+ src/Debug.h                                 | 4 ++++
+ test-suite/buildtests/layer-01-minimal.opts | 1 +
+ 3 files changed, 6 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 9d1a38c4f8..281d237bc5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then
+   fi
+   if test "x$SYSTEMD_LIBS" != "x" ; then
+     CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++    LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+     AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
+   else
+     with_systemd=no
+diff --git a/src/Debug.h b/src/Debug.h
+index 6eecd01bf9..ddd9e38f8f 100644
+--- a/src/Debug.h
++++ b/src/Debug.h
+@@ -99,6 +99,10 @@ class Debug
+ 
+     /// configures the active debugging context to write syslog ALERT
+     static void ForceAlert();
++
++    /// prefixes each grouped debugs() line after the first one in the group
++    static std::ostream& Extra(std::ostream &os) { return os << "\n    "; }
++
+ private:
+     static Context *Current; ///< deepest active context; nil outside debugs()
+ };
+

diff --git a/krb.patch b/krb.patch
new file mode 100644 (file)
index 0000000..9555b76
--- /dev/null
+++ b/krb.patch
@@ -0,0 +1,32 @@
+From 990f3cb0266779b329dca303cc7ec8977ed8a0b5 Mon Sep 17 00:00:00 2001
+From: Markus Moeller <markus_moeller@compuserve.com>
+Date: Sat, 9 May 2020 14:00:23 +0100
+Subject: [PATCH 4/5] Add Heimdal check for keyblock
+
+---
+ src/acl/external/kerberos_ldap_group/support_krb5.cc | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/acl/external/kerberos_ldap_group/support_krb5.cc b/src/acl/external/kerberos_ldap_group/support_krb5.cc
+index 6d50c73166..b4964d83ee 100644
+--- a/src/acl/external/kerberos_ldap_group/support_krb5.cc
++++ b/src/acl/external/kerberos_ldap_group/support_krb5.cc
+@@ -467,10 +467,15 @@ krb5_create_cache(char *domain, char *service_principal_name)
+                 }
+ 
+                 // overwrite limitation of enctypes
++#if USE_HEIMDAL_KRB5
++                creds->session.keytype = 0;
++                if (creds->session.keyvalue.length>0)
++                    krb5_free_keyblock_contents(kparam.context, &creds->session);
++#else
+                 creds->keyblock.enctype = 0;
+                 if (creds->keyblock.contents)
+                     krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
+-
++#endif
+                 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
+                 if (code) {
+                     k5_error("Error while getting tgt", code);
+
+

diff --git a/squid.spec b/squid.spec
index e0b6b20c83c610697cbfbbcfbbfdc4e4a0d3e0a3..78234e7954a88d1320e7a4ee88cb1df280e0cd70 100644 (file)
--- a/squid.spec
+++ b/squid.spec
@@ -16,13 +16,13 @@ Summary(ru.UTF-8):  Squid - кэш объектов Internet
 Summary(uk.UTF-8):     Squid - кеш об'єктів Internet
 Summary(zh_CN.UTF-8):  SQUID 高速缓冲代理服务器
 Name:          squid
 Summary(uk.UTF-8):     Squid - кеш об'єктів Internet
 Summary(zh_CN.UTF-8):  SQUID 高速缓冲代理服务器
 Name:          squid

-Version:       4.10
+Version:       4.11

 Release:       1
 Epoch:         7
 License:       GPL v2
 Group:         Networking/Daemons
 Source0:       http://www.squid-cache.org/Versions/v4/%{name}-%{version}.tar.xz
 Release:       1
 Epoch:         7
 License:       GPL v2
 Group:         Networking/Daemons
 Source0:       http://www.squid-cache.org/Versions/v4/%{name}-%{version}.tar.xz

-# Source0-md5: af7ac6e70f9bd03ae4fcec0c9b99c38a
+# Source0-md5: 10f34e852153a9996aa4614670e2bda1

 Source1:       %{name}.init
 Source2:       %{name}.sysconfig
 Source3:       http://squid-docs.sourceforge.net/latest/zip-files/book-full-html.zip
 Source1:       %{name}.init
 Source2:       %{name}.sysconfig
 Source3:       http://squid-docs.sourceforge.net/latest/zip-files/book-full-html.zip


@@ -38,12 +38,14 @@ Source11:   %{name}-check_cache
 
 Patch1:                %{name}-location.patch
 Patch2:                %{name}-crash-on-ENOSPC.patch
 
 Patch1:                %{name}-location.patch
 Patch2:                %{name}-crash-on-ENOSPC.patch

+Patch3:                krb.patch

 Patch4:                %{name}-2.5.STABLE4-apache-like-combined-log.patch
 Patch5:                %{name}-ppc-m32.patch
 Patch6:                %{name}-cachemgr-webapp.patch
 # still needed? http://bugs.squid-cache.org/show_bug.cgi?id=3806
 # http://www.squid-cache.org/mail-archive/squid-dev/201207/att-0177/squidv3-vary-headers-shm-hack.patch
 Patch7:                squidv3-vary-headers-shm-hack.patch
 Patch4:                %{name}-2.5.STABLE4-apache-like-combined-log.patch
 Patch5:                %{name}-ppc-m32.patch
 Patch6:                %{name}-cachemgr-webapp.patch
 # still needed? http://bugs.squid-cache.org/show_bug.cgi?id=3806
 # http://www.squid-cache.org/mail-archive/squid-dev/201207/att-0177/squidv3-vary-headers-shm-hack.patch
 Patch7:                squidv3-vary-headers-shm-hack.patch

+Patch8:                debug.patch

 URL:           http://www.squid-cache.org/
 BuildRequires: autoconf
 BuildRequires: automake
 URL:           http://www.squid-cache.org/
 BuildRequires: autoconf
 BuildRequires: automake


@@ -629,12 +631,14 @@ Ten pakiet zawiera skrypty perlowe i dodatkowe programy dla Squida.
 
 %patch1 -p1
 %patch2 -p1
 
 %patch1 -p1
 %patch2 -p1

+%patch3 -p1

 %{?with_combined_log:%patch4 -p1}
 %ifarch ppc
 %patch5 -p1
 %endif
 %patch6 -p1
 #%patch7 -p1
 %{?with_combined_log:%patch4 -p1}
 %ifarch ppc
 %patch5 -p1
 %endif
 %patch6 -p1
 #%patch7 -p1

+%patch8 -p1

 
 %{__sed} -i -e '1s#!.*bin/perl#!%{__perl}#' {contrib,scripts}/*.pl
 
 
 %{__sed} -i -e '1s#!.*bin/perl#!%{__perl}#' {contrib,scripts}/*.pl