Hello community,

here is the log from the commit of package squid.4001 for openSUSE:13.1:Update 
checked in at 2015-09-11 16:04:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/squid.4001 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.squid.4001.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "squid.4001"

Changes:
--------
New Changes file:

--- /dev/null   2015-08-24 19:43:32.284261900 +0200
+++ /work/SRC/openSUSE:13.1:Update/.squid.4001.new/squid.changes        
2015-09-11 16:04:32.000000000 +0200
@@ -0,0 +1,1672 @@
+-------------------------------------------------------------------
+Tue Sep  1 17:26:15 UTC 2015 - [email protected]
+
+- fix bsc#929493
+  * squid3: Squid HTTP Proxy configured with client-first SSL bumping does
+    not correctly validate server certificate
+  * CVE-2015-3455
+  * squid:bsc_929493:CVE-2015-3455.patch
+
+-------------------------------------------------------------------
+Thu Jan 29 15:53:05 UTC 2015 - [email protected]
+
+- Add --disable-arch-native configure param (boo#915397)
+
+-------------------------------------------------------------------
+Fri Sep 12 14:51:40 UTC 2014 - [email protected]
+
+- Changes to squid-3.3.13 (28 Aug 2014):
+  * Fix segmentation fault setting up server SSL connnection
+  * HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
+- fix for bnc#893649 (CVE-2014-3609)
+  http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
+  Due to incorrect input validation in request parsing Squid is
+   vulnerable to a denial of service attack when processing
+   Range requests.
+- remove obsolete squid-3.3.8-bnc867533-CVE-2014-0128.diff
+
+-------------------------------------------------------------------
+Wed Apr  9 15:30:43 CEST 2014 - [email protected]
+
+- squid-3.3.8-bnc867533-CVE-2014-0128.diff: fix for CVE-2014-0128
+  (SSLbounce crash due to incorrect state management) [bnc#867533]
+
+-------------------------------------------------------------------
+Thu Sep  5 11:43:22 UTC 2013 - [email protected]
+
+- fix build for Factory
+  * rework fix-pod2man-check
+
+-------------------------------------------------------------------
+Mon Sep  2 21:58:38 UTC 2013 - [email protected]
+
+- fix build for 1110 (SLES_11)
+  * add configure --disable-strict-error-checking
+
+-------------------------------------------------------------------
+Sun Sep  1 12:25:46 UTC 2013 - [email protected]
+
+- Changes to squid-3.3.8 (13 Jul 2013):
+  * Bug 3869: assertion failed: MemBuf.cc:272: size < capacity
+  * Improved handling of port values in Host: header validation
+- Changes to squid-3.3.7 (11 Jul 2013):
+  * Bug 3297: Fix openSSL related build failures
+  * Fix build on FreeBSD 9.x platform with clang
+  * Protect against buffer overrun in DNS query generation
+- Changes to squid-3.3.6 (01 Jul 2013):
+  * Bug 3854: pt1: compile errors on AIX
+  * Bug 3802: Fix wrong check inside Format::Format::assemble
+  * Bug 3762: remove bogus WARNING in cache.log
+  * Bug 3717: assertion failed with dstdom_regex with IP based URL
+  * Bug 1991: kqueue causes SSL to hang
+  * Ask for SSL key password when started with -N but without 
sslpassword_program
+  * Make sure %<tt includes all [failed] connection attempts
+  * Support HTTP reply ACLs in icap_log and log_icap
+  * Fix incorrect external_acl_type codes
+  * Fix ICAP logging request headers and segmentation faults
+  * ... and some documentation polish
+- Changes to squid-3.3.5 (20 May 2013):
+  * Bug 3851: Delay Pool class 5 tag:levels displayed incorrectly in cache 
manager
+  * Bug 3845: http_port tcpkeepalive= option fails parsing
+  * Bug 3840: assertion failed 'sde' in UFS cache loading
+  * Bug 3836: make check failures with automake-1.13
+  * Bug 3827: Remove AccessLogEntry::cache.authuser
+  * Bug 3816 pt2: SSL_get_certificate call inside Ssl::verifySslCertificate 
crashes
+  * Bug 3780: cachemgr.cgi: output problem in HTTP Header Statistics
+  * Bug 3759: OpenSSL compilation error on stock Fedora17, RHEL, CentOS 6 
systems
+  * Bug 3744: squid terminated: FATAL: Bungled (null) line 3: 
sslproxy_cert_sign
+    signTrusted all
+  * Port from 2.6: external acl %ACL and %DATA tags
+  * Update copyright on SN.png
+  * ... and several minor memory leaks
+  * ... and some documentation polish
+- Changes to squid-3.3.4 (27 Apr 2013):
+  * Bug 3831: basic_ncsa_auth Blowfish and SHA support
+  * Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes
+  * Bug 3794: MacOS: workaround compiler errors and case-insensitivity
+  * Bug 3781: Proxy Authentication not sent to cache_peer
+  * Bug 3720 pt1: SourceLayout: shuffle fd_table definition into fde.h
+  * Bug 3720 pt2: Add missing include in /dev/poll I/O module
+  * Bug 3674: Improve compiler detection, better support warnings-as-errors on 
clang
+  * Add support for TPROXY on BSD
+  * Fix SSL Bump bypass for intercepted traffic
+  * Fix memory leaks in ConnStateData pinning
+  * Fix external_acl.cc "inBackground" assertion on queue overloads
+  * CacheMgr: fix missing column separator in helper stats
+  * OpenBSD: libpthreads requires OpenBSD 5.2 or later
+  * ... and lots of documentation updates
+  * ... and all changes from squid 3.2.10
+- Changes to squid-3.3.3 (12 Mar 2013):
+  * Bug 3720: Add missing include in /dev/poll I/O module (pt2)
+  * ... and all changes from squid 3.2.9
+- Changes to squid-3.3.2 (02 Mar 2013):
+  * Bug 3781: Proxy Authentication not sent to cache_peer
+  * Bug 3794: MacOS: workaround compiler errors
+  * Bug 3720: Compile error in Solaris /OpenIndiana
+  * ... and all changes from squid 3.2.8
+- Changes to squid-3.3.1 (09 Feb 2013):
+  * Bug 3726: build errors with --disable-ssl
+  * Propigate pinned connection persistency and closures to the client.
+  * Mimic SSL certificate Key Usage and Basic Constraints
+  * Fix segmentation fault on missing squid.conf values
+  * ext_sql_session_acl: Fix hex decoding on UID
+  * ... and some code polish
+  * ... and a lot of documentation polish
+  * ... and all changes from squid 3.2.7
+- rebase patches
+  * config, nobuilddates, compiled_without_RPM_OPT_FLAGS
+
+-------------------------------------------------------------------
+Sun Jul 28 12:44:37 UTC 2013 - [email protected]
+
+- Changes for squid 3.2.13 release (July 13th 2013)
+       Better handling of strange port values in Host:
+       Bug #3869: assertion failed: MemBuf.cc:272: size < capacity
+
+- Changes for squid 3.2.12 release (July 10th 2013) 
+       Protect against buffer overrun in DNS query generation
+       Revert rev.11818 - not applicable to 3.2.
+       Allocate ClientInfo::hash.key using malloc() instead of new char[]
+       Remove origin_tries limiter on forwarding
+       Fixed leaking configurable SSL error details.
+       Fix memory error with Kerberos authentication
+       Avoid !closing assertions when helpers call comm_read [during 
reconfigure].
+       Avoid Comm::Connection leaks when helpers are reconfigured or otherwise 
closed.
+       Add missing piece omitted from rev.9677
+
+-------------------------------------------------------------------
+Thu Jul 25 10:19:05 UTC 2013 - [email protected]
+
+- Add patch squid-fix-pod2man-check.patch solving building with
+  new perl.
+
+-------------------------------------------------------------------
+Tue Apr 30 11:42:06 UTC 2013 - [email protected]
+
+- Changes for squid 3.2.11 release (29 April 2013)
+       - Fix enter_suid/leave_suid build errors in ip/Intercept.cc
+       - GNU Hurd: define MAP_NORESERVE as no-op when missing
+       - Bug #3833: Option '-k' is not present in squidclient man page
+       - Bug #3817: Memory leak in SSL cert validate for alt_name peer certs
+       - Bug #3822: Locate LDAP and SASL headers in /usr/local/include for BSD 
support
+       - Bug #3825: basic_ncsa_auth segfaulting with glibc-2.17
+       - Bug #3774: -k reconfigure drops rock
+       - Bug #3565: Resuming postponed accept kills Squid
+       - HTTP/1.1: partial support for no-cache and private controls with 
parameters
+       - ssl_crtd: helpers dying during startup on ARM
+       - Updated copyright for icons/SN.png squid-3.2-11813.patch
+       - Revert r11810 - tools.h does not exist in 3.2 squid-3.2-11812.patch 
+
+-------------------------------------------------------------------
+Sun Mar 24 18:57:26 UTC 2013 - [email protected]
+
+- Fixed squid.service  
+- Removed commented patch lines
+
+-------------------------------------------------------------------
+Fri Mar 15 10:31:02 UTC 2013 - [email protected]
+
+- New revision for squid.service (using only sed)
+  handle multiple cache_dir line
+  Added sed as require 
+
+Thu Mar 14 13:08:54 UTC 2013 - [email protected]
+
+- Packaging : fixed systemd squid.service 
+       - Rework on squid.service ExecStartPre line 
+         remove dependency on unfunctionnal wrapper 
+       - Fix bnc#802635 (creating cache struture fail on first call)
+       - Fixed Type=forking and remove the use off -N (non daemon flag)
+       - Fixed missing pid file
+       - Structural : add all -k to end of Exec/Stop line
+       - Ulimit : Added LimitNOFile=4096 ( same value as in /etc/sysconfig)
+               but there's no way to decode dynamically /etc/sysconfig
+       - Remove syslog.target ( no need anymore : advise from fcrozat )
+       - Clean up squid_cache_build.sh 
+- Changes to squid-3.2.9 (12 Mar 2013):
+       - Regression fix: Accept-Language header parse
+       - Bug 3673: Silence 'Failed to select source' messages
+       - Fix authentication headers sent on peer digest requests
+       - Fix build error on Solaris, OpenIndiana, Omnios
+
+- Changes to squid-3.2.8 (02 Mar 2013):
+
+       - Bug 3767: tcp_outgoing_tos/mark ACLs do not obey 
acl_uses_indirect_client
+       - Bug 3763: diskd Error: no filename in shm buffer
+       - Bug 3752: objects that cannot be cached in memory are not cached on 
disk
+       - Bug 3753: Removes the domain from the cache_peer server pconn key
++++ 1475 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.squid.4001.new/squid.changes
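
Review bot: The newest entry (Tue Sep 1 2015, bsc#929493 / CVE-2015-3455) gives only the bug title and the patch name, so a reader of squid.changes cannot tell what the patch changes in Squid's behaviour or whether a setup using client-first SSL bumping needs a squid.conf change after updating; add one line describing the fix. The patch file name "squid:bsc_929493:CVE-2015-3455.patch" also departs from the naming of the earlier security patch "squid-3.3.8-bnc867533-CVE-2014-0128.diff"; a hyphenated name would keep the source list consistent. Separately, the "Thu Mar 14 13:08:54 UTC 2013" entry has no dashed separator line above it, unlike every other entry shown.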

New:
----
  README.kerberos
  RELEASENOTES.html
  pam.squid
  rpmlintrc
  squid-3.3.13.tar.bz2
  squid-3.3.13.tar.bz2.asc
  squid-compiled_without_RPM_OPT_FLAGS.patch
  squid-config.patch
  squid-fix-pod2man-check.patch
  squid-nobuilddates.patch
  squid.changes
  squid.init
  squid.keyring
  squid.logrotate
  squid.permissions
  squid.service
  squid.spec
  squid.sysconfig
  squid:bsc_929493:CVE-2015-3455.patch
  unsquid.pl

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ squid.spec ++++++
#
# spec file for package squid
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%define         squidlibdir %{_libdir}/squid
%define         squidconfdir /etc/squid

Name:           squid
Summary:        Squid Version 3.3 WWW Proxy Server
License:        GPL-2.0+
Group:          Productivity/Networking/Web/Proxy
Version:        3.3.13
Release:        0
Url:            http://www.squid-cache.org/Versions/v3/3.3
Source0:        
http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}.tar.bz2
Source1:        %{name}-%{version}.tar.bz2.asc
Source2:        RELEASENOTES.html
Source3:        squid.init
Source4:        squid.sysconfig
Source5:        pam.squid
Source6:        unsquid.pl
Source7:        %{name}.logrotate
Source9:        %{name}.permissions
Source10:       README.kerberos
Source11:       %{name}.service
Source13:       %{name}.keyring
#
# the following patches are downloaded directly from the webserver
# don't change the names for easier identification
#
# please read every file if there is interest about what the patch changes
# or just visit: http://www.squid-cache.org/Versions/v3/3.2/changesets/
#
#
# Upstream patch
# Patch0:       

# do not show some rpmlint warnings
Source99:       rpmlintrc
# some useful defaults for squid
Patch100:       %{name}-config.patch
# make build compare happy - remove build dates
Patch101:       %{name}-nobuilddates.patch
## File is compiled without RPM_OPT_FLAGS
# squid3 no-rpm-opt-flags <cmdline>:./cf_gen.cc
Patch102:       %{name}-compiled_without_RPM_OPT_FLAGS.patch
# Upstream notified of this problem by mageia guys
Patch103:       %{name}-fix-pod2man-check.patch
# PATCH-FIX-OPENSUSE squid:bsc_929493:CVE-2015-3455.patch bnc#123456
# [email protected] -- squid3: Squid HTTP Proxy configured with client-first SSL
# bumping does not correctly validate server certificate
Patch110:       squid:bsc_929493:CVE-2015-3455.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
PreReq:         %fillup_prereq
PreReq:         %insserv_prereq
PreReq:         /usr/bin/getent
PreReq:         permissions
PreReq:         pwdutils
BuildRequires:  db-devel
# needed by bootstrap.sh
BuildRequires:  cyrus-sasl-devel
BuildRequires:  ed
BuildRequires:  expat
BuildRequires:  fdupes
BuildRequires:  gcc-c++
BuildRequires:  gpg-offline
BuildRequires:  krb5-devel
BuildRequires:  libcap-devel
BuildRequires:  libexpat-devel
BuildRequires:  libtool
BuildRequires:  openldap2-devel
BuildRequires:  opensp-devel
BuildRequires:  openssl-devel
BuildRequires:  pam-devel
BuildRequires:  pkgconfig
BuildRequires:  sharutils
%if 0%{?suse_version} < 1220
BuildRequires:  libxml2-devel
%else
BuildRequires:  pkgconfig(libxml-2.0)
%endif

%if 0%{?suse_version} >= 1210
BuildRequires:  systemd
%{?systemd_requires}
%define has_systemd 1
%endif

Requires:       logrotate
Requires:       sed
Provides:       http_proxy

# due to package rename
# Wed Aug 15 17:40:30 UTC 2012
Provides:       %{name}3 = %{version}
Obsoletes:      %{name}3 < %{version}

%description
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It 
reduces bandwidth and improves response times by caching and reusing 
frequently-requested web pages. Squid has extensive access controls and makes a 
great server accelerator.

Squid 3.3 represents a new feature release above 3.2.

The most important of these new features are:

  * SQL Database logging helper
  * Time-Quota session helper
  * SSL-Bump Server First
  * Server Certificate Mimic
  * Custom HTTP request headers

Most user-facing changes are reflected in squid.conf (see below).

  First STABLE release Date: 20 Oct 2012

%prep
%gpg_verify %{S:1}
%setup -q -n %{name}-%{version}
cp %{S:10} .
# upstream patches after RELEASE
#
##### other patches
%patch100
perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"`
chmod a-x CREDITS
%patch101
%patch102
%patch103
%patch110

%build
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
export LDFLAGS='-Wl,-z,relro,-z,now -pie'
%configure \
        --disable-strict-error-checking \
        --sysconfdir=%{squidconfdir} \
        --libexecdir=/usr/sbin \
        --datadir=/usr/share/squid \
        --sharedstatedir=/var/squid \
        --with-logdir=/var/log/squid \
%if 0%{?has_systemd}
        --with-pidfile=/run/squid.pid \
%else
        --with-pidfile=/var/run/squid.pid \
%endif
        --with-dl \
        --enable-disk-io \
        --enable-storeio \
        --enable-removal-policies=heap,lru \
        --enable-icmp \
        --enable-delay-pools \
        --enable-esi \
        --enable-icap-client \
        --enable-useragent-log \
        --enable-referer-log \
        --enable-kill-parent-hack \
        --enable-arp-acl \
        --enable-ssl \
        --enable-forw-via-db \
        --enable-cache-digests \
        --enable-linux-netfilter \
        --with-large-files \
        --enable-underscores \
        --enable-auth \
        --enable-auth-basic \
        --enable-auth-ntlm \
        --enable-auth-negotiate \
        --enable-auth-digest \
        
--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group
 \
        --enable-ntlm-fail-open \
        --enable-stacktraces \
        --enable-x-accelerator-vary \
        --with-default-user=%{name} \
        --disable-ident-lookups \
        --enable-follow-x-forwarded-for \
        --disable-arch-native

# overwrite the number of open filedescriptors of configure to 4096
# to be backward compatible, but numbers above should not be overwritten
if [ `awk '/SQUID_MAXFD/{print $3}' include/autoconf.h` -lt 4096 ]; then
     set +x
     echo "adapting SQUID_MAXFD to 4096"
     set -x
     perl -pi -e 's;(\#define SQUID_MAXFD) [0-9]+;$1 4096;' include/autoconf.h
fi
make SAMBAPREFIX=/usr %{?_smp_mflags}

%install
/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \
        -d /var/cache/%{name} %{name} 2> /dev/null || :
install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d %{buildroot}%{_prefix}/sbin
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward 
compatible
install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
install -D -m644 %{SOURCE4} 
%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}

install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
cat > doc/scripts/cachemgr.readme <<-EOT
        cachemgr.cgi will now be found in %{_libdir}/%{name}
EOT
install -d -m 755 %{buildroot}/%{_libdir}/%{name}
mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}

install -d -m 755 doc/contrib
install %{SOURCE6} doc/contrib
install -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/%{name}

rm -rf %{buildroot}%{squidconfdir}/errors
for i in errors/*; do
  if [ -d $i ]; then
    mkdir -p %{buildroot}%{_datadir}/%{name}/$i
    install -m 644 $i/* %{buildroot}%{_datadir}/%{name}/$i
  fi
done
ln -sf /usr/share/%{name}/errors/de %{buildroot}%{squidconfdir}/errors

# fix file duplicates
%if 0%{?suse_version} > 1030
%fdupes -s %{buildroot}%{_prefix}
%endif
%if 0%{?fedora_version} > 8
fdupes -q -n -r %{buildroot}%{_prefix}
%endif

%if 0%{?has_systemd}
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
%endif

%pre
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
  %{_sbindir}/groupadd -r winbind 2>/dev/null
fi
if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
  %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
    -G winbind -g nogroup -o -u 31 -r -s /bin/false \
    %{name} 2>/dev/null
fi
# if squid is not member of winbind, add him
if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo 
$?` -ne 0 ]; then
  %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
fi

%if 0%{?has_systemd}
%service_add_pre %{name}.service
%endif

%post
#%if 0%{?sles_version} == 10
#sed -i -e "s,\(^%{_sbindir}/pam_auth.*\)\(2755\),\14755," 
/etc/permissions.secure
#%endif
%if 0%{?suse_version} >= 1140
%set_permissions %{_localstatedir}/cache/%{name}
%set_permissions %{_localstatedir}/log/%{name}
%endif
# update mode?
if [ "$1" -gt "1" ]; then
  if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e 
etc/%{name}/%{name}.conf ]; then
    echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf"
    mv etc/%{name}.conf etc/%{name}/%{name}.conf
  fi
fi
%{fillup_and_insserv -n "squid"}

%if 0%{?has_systemd}
%service_add_post squid.service
%endif

%preun
%stop_on_removal squid

%if 0%{?has_systemd}
%service_del_preun squid.service
%endif

%postun

%if 0%{?has_systemd}
%service_del_postun squid.service
%endif

%restart_on_update squid
%insserv_cleanup
%verifyscript
%verify_permissions -e /usr/sbin/pam_auth

%files
%defattr(-,root,root)
%doc CONTRIBUTORS COPYING COPYRIGHT CREDITS ChangeLog
%doc QUICKSTART README RELEASENOTES.html SPONSORS*
%doc README.kerberos
%doc doc/contrib doc/scripts
%doc doc/debug-sections.txt src/%{name}.conf.default
%doc %{_mandir}/man?/*
%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
%endif
%attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%dir %{squidconfdir}
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) %{squidconfdir}/errorpage.css
%config(noreplace) %{squidconfdir}/errors
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{squidconfdir}/mime.conf
%config(noreplace) %{squidconfdir}/msntauth.conf
%config(noreplace) %{squidconfdir}/%{name}.conf
%config %{squidconfdir}/cachemgr.conf.default
%config %{squidconfdir}/errorpage.css.default
%config %{squidconfdir}/msntauth.conf.default
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
%config %{_sysconfdir}/init.d/%{name}
%config %{_sysconfdir}/permissions.d/%{name}
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/errors
%{_datadir}/%{name}/icons
%config %{_datadir}/%{name}/mib.txt
%{_datadir}/%{name}/mime.conf
%{_datadir}/%{name}/mime.conf.default
%{_bindir}/purge
%{_bindir}/squidclient
%{_sbindir}/basic_db_auth
%{_sbindir}/basic_fake_auth
%{_sbindir}/basic_getpwnam_auth
%{_sbindir}/basic_ldap_auth
%{_sbindir}/basic_msnt_auth
%{_sbindir}/basic_msnt_multi_domain_auth
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
#verify(not mode) %attr(4755,root,shadow) %{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
%{_sbindir}/basic_smb_auth
%{_sbindir}/basic_smb_auth.sh
%{_sbindir}/cert_tool
%{_sbindir}/digest_edirectory_auth
%{_sbindir}/digest_file_auth
%{_sbindir}/digest_ldap_auth
%{_sbindir}/diskd
%{_sbindir}/ext_edirectory_userip_acl
%{_sbindir}/ext_file_userip_acl
%{_sbindir}/ext_kerberos_ldap_group_acl
%{_sbindir}/ext_ldap_group_acl
%{_sbindir}/ext_unix_group_acl
%{_sbindir}/ext_wbinfo_group_acl
%{_sbindir}/helper-mux.pl
%{_sbindir}/log_db_daemon
%{_sbindir}/log_file_daemon
%{_sbindir}/negotiate_kerberos_auth
%{_sbindir}/negotiate_kerberos_auth_test
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
%{_sbindir}/pinger
%{_sbindir}/rc%{name}
%{_sbindir}/%{name}
%{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi

%changelog
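
Review bot: The comment above Patch110 tags the CVE-2015-3455 patch with "bnc#123456", which looks like a leftover template value; the changes entry for this patch references bsc#929493, so the PATCH-FIX line should carry that number. In %post, the update branch tests and moves "etc/%{name}.conf" with relative paths while the echo prints "/etc/%{name}.conf"; use absolute paths so the migration does not depend on the scriptlet's working directory. The useradd call at the top of %install runs on the build host and hides any failure behind "2> /dev/null || :"; %pre already creates the account on the target system, so check whether the %install call is still needed.
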
++++++ README.kerberos ++++++
This is the README.kerberos file
to have squid negotiate/authenticate via kerberos

any addons are very welcome 
comments could be posted to <chris(at)computersalat.de>


1) you need to add a "USER" inside your "Domain-Computers" Container
   called "squid".  Yes a "USER" and not a Computer.
   You may use another name, but why ?

2) After having successfully created the user, you need to create a 
   keytab file on your WIN box.

Example: !! This is all in one line !!

  ktpass -princ HTTP/[email protected] -pType KRB5_NT_PRINCIPAL \
  -mapuser squid -pass * -out HTTP.keytab

3) copy over HTTP.keytab to /etc/squid/ on your linux box

4) you have to tell your browsers to negotiate via kerberos

  Have a look at:

  a) Internet Explorer does not support Kerberos authentication with proxy 
servers
     http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14

        This limitation was removed in Windows Internet Explorer 7.

        If Integrated Windows Authentication is turned on in Internet Explorer
        for Windows 2000 and Windows XP, you can complete Kerberos 
authentication
        with Web servers either directly or through a proxy server. However,
        Internet Explorer cannot use Kerberos to authenticate with the proxy
        server itself.

  b) Unable to negotiate Kerberos authentication after upgrading to Internet 
Explorer 6
     http://support.microsoft.com/kb/299838/EN-US/

        To resolve this issue, enable Internet Explorer 6 to respond to
        a negotiate challenge and perform Kerberos authentication:

        1. In Internet Explorer, click Internet Options on the Tools menu.
        2. Click the Advanced tab, click to select the Enable
           Integrated Windows Authentication (requires restart) check box
           in the Security section, and then click OK.
        3. Restart Internet Explorer.

        Administrators can enable Integrated Windows Authentication by
        setting the EnableNegotiate DWORD value to 1 in the following registry 
key:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings

        Note Internet Explorer 6, when used with Microsoft Windows 98,
        Microsoft Windows 98 Second Edition, Microsoft Windows Millennium 
Edition,
        and Microsoft Windows NT 4.0 does not respond to a negotiate challenge 
and
        default to NTLM (or Windows NT Challenge/Response) authentication even 
if
        the Enable Integrated Windows Authentication (requires restart) check
        box is selected because Kerberos authentication is not available on
        these operating systems.
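
Review bot: Step 3 tells the admin to copy HTTP.keytab to /etc/squid/ but says nothing about ownership or mode, and the keytab holds the long-term key for the HTTP service principal; add a line telling readers to make the file readable only by the account Squid runs as and to move it off the Windows host over a protected channel. The ktpass example is labelled "all in one line" yet is shown with a trailing backslash, which is not a line continuation in the Windows command prompt, so print it on one line or drop the backslash. The browser notes in step 4 cover only Internet Explorer 6 and 7 on Windows 2000/XP-era systems and should be marked as historical or updated.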

++++++ RELEASENOTES.html ++++++
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
 <TITLE>Squid 3.3.13 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 3.3.13 release notes</H1>

<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 3.3 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>

<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of 
Squid-3.3</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since 
Squid-3.2</A></H2>

<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">SQL Database logging helper</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Time-Quota session helper</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL-Bump Server First</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Server Certificate Mimic</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Custom HTTP request headers</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since 
Squid-3.2</A></H2>

<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since 
Squid-3.2</A></H2>

<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>

<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options 
available in Squid-2.7</A>
</UL>

<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>

<P>The Squid Team are pleased to announce the release of Squid-3.3.13.</P>
<P>This new release is available for download from 
<A 
HREF="http://www.squid-cache.org/Versions/v3/3.3/";>http://www.squid-cache.org/Versions/v3/3.3/</A>
 or the 
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html";>mirrors</A>.</P>

<P>A large number of the design flaws in SSL-Bump feature have been fixed along 
with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in 
production on many systems.</P>

<P>We welcome feedback and bug reports. If you find a bug, please see 
<A 
HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting";>http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>

<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>

<P>Although this release is deemed good enough for use in many setups, please 
note the existence of 
<A 
HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.3";>open
 bugs against Squid-3.3</A>.</P>


<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of 
Squid-3.3</A>
</H2>

<P>The 3.3 change history can be 
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/changesets/";>viewed 
here</A>.</P>

<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since 
Squid-3.2</A></H2>

<P>Squid 3.3 represents a new feature release above 3.2.</P>

<P>The most important of these new features are:
<UL>
<LI>SQL Database logging helper</LI>
<LI>Time-Quota session helper</LI>
<LI>SSL-Bump Server First</LI>
<LI>Server Certificate Mimic</LI>
<LI>Custom HTTP request headers</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>

<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">SQL Database logging helper</A>
</H2>

<P><EM>log_db_daemon</EM> - Database logging daemon for Squid</P>

<P>This program writes Squid access.log entries to an SQL database.
Written in Perl it can utilize any database supported by the Perl
database abstraction layer.</P>

<P>NOTE: Presently it only accepts the Squid native log format.</P>


<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Time-Quota session helper</A>
</H2>

<P><EM>ext_time_quota_acl</EM> - Time quota external ACL helper.</P>

<P>Allows an administrator to define time budgets (quota) for the
users of Squid to limit the time using Squid.</P>

<P>This is useful for corporate lunch time allocations, wifi portal
pay-per-minute installations or for parental control of children.</P>

<P>The administrator can define a time budget (e.g. 1 hour per day)
which is enforced through this helper using session estimations
of their browsing time. A 'pause' threshold is given in seconds
and defines the period between two requests to be treated as part
of the same session. Pauses shorter than this value will be
counted against the quota, longer ones ignored.</P>


<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL-Bump Server First</A>
</H2>

<P>Details at 
<A 
HREF="http://wiki.squid-cache.org/Features/BumpSslServerFirst";>http://wiki.squid-cache.org/Features/BumpSslServerFirst</A>.</P>

<P>When an intercepted connection is received, Squid first connects
to the server using SSL and receives the server certificate.
Squid then uses the host name inside the true server certificate
to generate a fake one and impersonates the server while still
using the already established secure connection to the server.</P>

<P>Bumping server first is essentially required for handling
intercepted HTTPS connections but the same scheme should be used
for most HTTP CONNECT requests because it offers a few advantages
compared to the old bump-client-first approach:</P>
<P>
<UL>
<LI>When Squid knows valid server certificate details, it can
generate its fake server certificate with those details.
With the bump-client-first scheme, all those details are lost.
In general, browsers do not care about those details but there
may be HTTP clients (or even human users) that require or could
benefit from knowing them.
</LI>
<LI>When a server sends a bad certificate, Squid may be able to
replicate that brokenness in its own fake certificate, giving
the HTTP client control whether to ignore the problem or
terminate the transaction. With bump-client-first, it is
difficult to support similar dynamic, user-directed opt out; 
Squid itself has to decide what to do when the server
certificate cannot be validated.
</LI>
<LI>When a server asks for a client certificate, Squid may be
able to ask the client and then forward the client certificate
to the server. Such client certificate handling may not be
possible with the bump-client-first scheme because it would
have to be done after the SSL handshake.
</LI>
<LI>Some clients (e.g., Rekonq browser v0.7.x) do not send host
names in CONNECT requests. Such clients require bump-server-first
even in forward proxying mode. Unfortunately, there are other
problems with fully supporting such clients (i.e., Squid does
not know whether the IP address in the CONNECT request is what
the user has typed into the address bar) so not all features
will work well for them until more specialized detection code
is added.</LI>
</UL>
</P>

<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Server Certificate Mimic</A>
</H2>

<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/MimicSslServerCert">http://wiki.squid-cache.org/Features/MimicSslServerCert</A>.</P>

<P>One of the serious drawbacks of the SslBump feature is the loss of
information embedded in the SSL server certificate.
This certificate mimic feature passes original SSL server
certificate information to the user, allowing the user to
make an informed decision on whether to trust the server
certificate.</P>


<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Custom HTTP request headers</A>
</H2>

<P>The <EM>request_header_add</EM> option is added to insert
HTTP header fields to outgoing HTTP requests (i.e.,
request headers sent by Squid to the next HTTP hop such as a
cache peer or an origin server). The option has no effect on
cache hit traffic or requests serviced by Squid and ICAP.</P>

<P>WARNING: If a standard HTTP header name is used, Squid does not check whether
the new header conflicts with any existing headers or violates
HTTP rules. If the request to be modified already contains a
field with the same name, the old field is preserved but the
header field values are not merged.</P>

<P>Field-value set can be either a token or a quoted string. If quoted
string format is used, then the surrounding quotes are removed
while escape sequences and %macros are processed.</P>

<P>In theory, all of the <EM>logformat</EM> codes can be used as %macros.
However, unlike logging (which happens at the very end of
transaction lifetime), the transaction may not yet have enough
information to expand a macro when the new header value is needed.
And some information may already be available to Squid but not yet
committed where the macro expansion code can access it (please report
such instances!). The macro will be expanded into a single dash
('-') in such cases. Not all macros have been tested.</P>

<P>One or more Squid ACLs may be specified to restrict header
injection to matching requests. As always in squid.conf, all
ACLs in an option ACL list must be satisfied for the insertion
to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P>


<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since 
Squid-3.2</A></H2>

<P>There have been changes to Squid's configuration file since Squid-3.2.</P>
<P>This section gives a thorough account of those changes in three 
categories:</P>
<P>
<UL>
<LI>
<A HREF="#newtags">New tags</A></LI>
<LI>
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
<LI>
<A HREF="#removedtags">Removed tags</A></LI>
</UL>
</P>


<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New 
tags</A>
</H2>

<P>
<DL>
<DT><B>cache_miss_revalidate</B><DD>
<P>Whether Squid is to pass through If-Modified-Since and If-None-Match headers 
on cache MISS.
Revalidation requests can prevent the cache from gathering objects to HIT on.</P>
<P>Based on the Squid-2.7 <EM>ignore_ims_on_miss</EM> feature.</P>
<P><EM>IMPORTANT:</EM> the meaning for on/off values has changed along with the 
name since 2.7.</P>

<DT><B>request_header_add</B><DD>
<P>New directive to add custom headers on HTTP traffic sent to upstream 
servers.</P>

<DT><B>sslproxy_cert_sign</B><DD>
<P>New option to determine how the client certificate sent to upstream servers 
is signed.</P>

<DT><B>sslproxy_cert_adapt</B><DD>
<P>New option to adapt certain properties of outgoing SSL certificates 
generated for use when bumping SSL to an upstream server.</P>

</DL>
</P>

<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A 
HREF="#toc3.2">Changes to existing tags</A>
</H2>

<P>
<DL>
<DT><B>acl</B><DD>
<P><EM>myport</EM> and <EM>myip</EM> ACL types replaced with <EM>localport</EM> 
and <EM>localip</EM> respectively,
to reflect that they match the TCP connection details and not the squid.conf 
port.
This matters when dealing with intercepted traffic, where the Squid receiving 
port differs from the TCP connection IP:port.
Always use <EM>myportname</EM> type to match the squid.conf port details.</P>
<P>New default built-in ACLs for testing SSL certificate properties.</P>
<P><EM>ssl::certHasExpired</EM>,
<EM>ssl::certNotYetValid</EM>,
<EM>ssl::certDomainMismatch</EM>,
<EM>ssl::certUntrusted</EM>,
<EM>ssl::certSelfSigned</EM>.</P>

<DT><B>client_netmask</B><DD>
<P>IP address 127.0.0.1 (localhost IPv4) is no longer masked.</P>

<DT><B>external_acl_type</B><DD>
<P><EM>%ACL</EM> format tag ported from 2.6.
Sends the name of ACL being tested to the external helper.</P>
<P><EM>%DATA</EM> format tag ported from 2.6.
Inserts the ACL arguments into a particular location of the helper input 
instead of at the end of the line.</P>

<DT><B>logformat</B><DD>
<P>New token <EM>%ssl::bump_mode</EM> to log the SSL-bump mode type performed 
on a request.
Logs values of: <EM>-</EM>, <EM>none</EM>, <EM>client-first</EM>, or 
<EM>server-first</EM>.</P>
<P>New token of <EM>%ssl::&gt;cert_subject</EM> to log the Subject field of an 
SSL certificate received from the client.</P>
<P>New token of <EM>%ssl::&gt;cert_issuer</EM> to log the Issuer field of an SSL 
certificate received from the client.</P>

<DT><B>ssl_bump</B><DD>
<P>New action types <EM>none</EM>, <EM>client-first</EM>, 
<EM>server-first</EM>. The default is <EM>none</EM>.</P>
<P>Use of <EM>allow</EM>/<EM>deny</EM> is now deprecated and they should be 
removed as soon as possible.
To retain the exact same behaviour between 3.3 and older releases replace 
<EM>deny</EM> with <EM>none</EM>,
and <EM>allow</EM> with <EM>client-first</EM>. However, an upgrade to 
<EM>server-first</EM> is recommended.</P>
<P><EM>NOTE</EM>: Mixing of allow/deny with the new action types is prohibited 
and will cause Squid to exit with a FATAL error.</P>

</DL>
</P>
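<P>The <EM>ssl_bump</EM> migration rules above, as an added example that is not part of the Squid release notes or of the openSUSE package: a Python audit of squid.conf text that flags deprecated allow/deny actions, the prohibited mix with the new action types, and remaining client-first rules. The function names and the sample configurations are constructed for illustration, and comment handling is simplified.</P>

```python
"""Audit the ssl_bump directives of a squid.conf against the Squid-3.3 rules."""
import re

NEW_ACTIONS = ("none", "client-first", "server-first")
# Replacements the release notes give for keeping pre-3.3 behaviour unchanged.
LEGACY_TO_NEW = {"allow": "client-first", "deny": "none"}

# Constructed sample configurations (not taken from a real deployment).
LEGACY_CONF = """\
acl banks dstdomain .bank.example
ssl_bump deny banks
ssl_bump allow all
"""
MIXED_CONF = """\
acl banks dstdomain .bank.example
ssl_bump none banks
#ssl_bump server-first all
ssl_bump allow all
"""


def ssl_bump_rules(conf_text):
    """Return [(line_number, action, acl_names)] for every active ssl_bump line."""
    rules = []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment.
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "ssl_bump":
            action = fields[1] if len(fields) > 1 else ""
            rules.append((number, action, fields[2:]))
    return rules


def audit(conf_text):
    """Return [(line_number, severity, message)] for the ssl_bump lines."""
    rules = ssl_bump_rules(conf_text)
    uses_new = any(action in NEW_ACTIONS for _, action, _ in rules)
    findings = []
    for number, action, _acls in rules:
        if action in LEGACY_TO_NEW and uses_new:
            # The notes state that mixing both styles makes Squid exit.
            findings.append((number, "fatal",
                             "'%s' mixed with new action types" % action))
        elif action in LEGACY_TO_NEW:
            findings.append((number, "deprecated",
                             "replace '%s' with '%s'"
                             % (action, LEGACY_TO_NEW[action])))
        elif action == "client-first":
            findings.append((number, "review",
                             "client-first in use; server-first is recommended"))
        elif action not in NEW_ACTIONS:
            findings.append((number, "error",
                             "unknown ssl_bump action %r" % action))
    return findings


def migrate(conf_text):
    """Swap allow/deny for the equivalent 3.3 action; other lines are untouched."""
    pattern = re.compile(r"^([ \t]*ssl_bump[ \t]+)(allow|deny)\b", re.MULTILINE)
    return pattern.sub(lambda m: m.group(1) + LEGACY_TO_NEW[m.group(2)], conf_text)


if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("mixed", MIXED_CONF)):
        for number, severity, message in audit(conf):
            print("%s:%d: %s: %s" % (name, number, severity, message))
```

<P>Running <EM>migrate</EM> first and <EM>audit</EM> second leaves only the client-first rules to review, which are the ones the notes recommend moving to server-first.</P>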

<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A 
HREF="#toc3.3">Removed tags</A>
</H2>

<P>
<DL>
<DT><B>ignore_ims_on_miss</B><DD>
<P>This option has been replaced by the <EM>cache_miss_revalidate</EM> 
feature.</P>

</DL>
</P>


<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since 
Squid-3.2</A></H2>

<P>There have been some changes to Squid's build configuration since 
Squid-3.2.</P>
<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>


<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New 
options</A>
</H2>

<P>
<DL>
<P><EM>There are no new ./configure options in Squid-3.3.</EM></P>

</DL>
</P>

<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A 
HREF="#toc4.2">Changes to existing options</A>
</H2>

<P>
<DL>
<DT><B>--enable-kqueue</B><DD>
<P>kqueue network I/O module is now built by default when it is available.
This option is no longer required to enable kqueue support,
but if used will abort build when kqueue dependencies are missing or broken.</P>

<DT><B>--disable-kqueue</B><DD>
<P>kqueue network I/O module is now built by default when it is available.
This configure option is now needed to disable it. Previously it did 
nothing.</P>

</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A 
HREF="#toc4.3">Removed options</A>
</H2>

<P>
<DL>
<DT><B>--enable-ntlm-fail-open</B><DD>
<P>This has not been supported by Squid for several versions.</P>

</DL>
</P>


<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>

<P>Some squid.conf and ./configure options which were available in Squid-2.7 
are not yet available in Squid-3.3.</P>

<P>If you need something to do then porting one of these from Squid-2 to 
Squid-3 is most welcome.</P>

<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options 
available in Squid-2.7</A>
</H2>

<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>cache_dir</B><DD>
<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>

<DT><B>cache_peer</B><DD>
<P><EM>idle=</EM> not yet ported from 2.7</P>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>

<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>collapsed_forwarding</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>

<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>storeurl_access</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>storeurl_rewrite_children</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>storeurl_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>storeurl_rewrite_program</B><DD>
<P>Not yet ported from 2.7</P>

</DL>
</P>

</BODY>
</HTML>
++++++ pam.squid ++++++
#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session

++++++ rpmlintrc ++++++
addFilter("macro-in-comment")
addFilter("no-manual-page-for-binary")
++++++ squid-3.3.13.tar.bz2.asc ++++++
File: squid-3.3.13.tar.bz2
Date: Wed Aug 27 14:42:39 UTC 2014
Size: 2991135
MD5 : 3dd2b6900a6c84ada22b10d32a541148
SHA1: f8d22fdf31d4f074095e292ccaeae521d7262694
Key : 0xFF5CF463 <[email protected]>
      fingerprint = EA31 CC5E 9488 E516 8D2D  CC5E B268 E706 FF5C F463
      keyring = http://www.squid-cache.org/pgp.asc
      keyserver = subkeys.pgp.net
++++++ squid-compiled_without_RPM_OPT_FLAGS.patch ++++++
Index: src/Makefile.am
===================================================================
--- src/Makefile.am.orig
+++ src/Makefile.am
@@ -975,7 +975,7 @@ cache_cf.o: cf_parser.cci
 
 # cf_gen builds the configuration files.
 cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
-       $(HOSTCXX) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) 
-I$(top_builddir)/include/ -I$(top_builddir)/src
+       $(HOSTCXX) $(CXXFLAGS) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) 
-I$(top_builddir)/include/ -I$(top_builddir)/src
 
 # squid.conf.default is built by cf_gen when making cf_parser.cci
 squid.conf.default squid.conf.documented: cf_parser.cci
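Review bot: the changed cf_gen rule hands $(CXXFLAGS) to $(HOSTCXX), which pairs the build-host compiler with flags chosen for the target; in a cross build those flags may not be valid for the host compiler. If cf_gen is only ever built natively for this package, say so in a patch header; otherwise a separate host-flags variable would be safer. The patch also has no description of the problem it addresses beyond what the file name hints at.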
Index: src/Makefile.in
===================================================================
--- src/Makefile.in.orig
+++ src/Makefile.in
@@ -7306,7 +7306,7 @@ cache_cf.o: cf_parser.cci
 
 # cf_gen builds the configuration files.
 cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
-       $(HOSTCXX) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) 
-I$(top_builddir)/include/ -I$(top_builddir)/src
+       $(HOSTCXX) $(CXXFLAGS) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) 
-I$(top_builddir)/include/ -I$(top_builddir)/src
 
 # squid.conf.default is built by cf_gen when making cf_parser.cci
 squid.conf.default squid.conf.documented: cf_parser.cci
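Review bot: src/Makefile.in is generated from src/Makefile.am, so this hunk repeats the change above by hand at a fixed offset (line 7306) that has to be refreshed with every upstream release. If the spec regenerates the build system before configure, this hunk can be dropped; if it does not, a comment in the patch stating that would explain why both files are touched.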
++++++ squid-config.patch ++++++
Index: src/cf.data.pre
===================================================================
--- src/cf.data.pre.orig
+++ src/cf.data.pre
@@ -1196,6 +1196,8 @@ http_access deny manager
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 http_access allow localnet
+
+# Allow localhost always proxy functionality
 http_access allow localhost
 
 # And finally deny all other access to this proxy
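Review bot: the added comment "Allow localhost always proxy functionality" does not read as a sentence, and it lands in the default squid.conf that administrators read. Something like "# Always allow requests from localhost" says the same thing plainly.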
@@ -3144,6 +3146,10 @@ DOC_START
        Instead, if you want Squid to use the entire disk drive,
        subtract 20% and use that value.
 
+       Note on 'Mbytes': You need to consider the available RAM on the
+        machine versus the approx. 10MB RAM per 1GB of files which the
+        cache_dir index will consume.
+
        'L1' is the number of first-level subdirectories which
        will be created under the 'Directory'.  The default is 16.
 
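Review bot: the three added "Note on 'Mbytes'" lines are not indented alike; the first line does not line up with its two continuation lines, which points to a tab on one and spaces on the others. Match the whitespace of the surrounding DOC_START text so the generated squid.conf.documented stays aligned. The "approx. 10MB RAM per 1GB" figure also has no source, so a pointer to where it comes from would help when it needs updating.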
@@ -3277,7 +3283,7 @@ DOC_START
 NOCOMMENT_START
 
 # Uncomment and adjust the following to add a disk cache directory.
-#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256
+#cache_dir aufs @DEFAULT_SWAP_DIR@ 100 16 256
 NOCOMMENT_END
 DOC_END
 
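Review bot: the commented example now names the aufs store type instead of ufs, but nothing in this patch shows that the package is built with aufs support. Administrators uncomment this line as it stands, so confirm that the configure options in the spec enable that store module, and state in a patch header why aufs is the suggested default.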
@@ -3890,7 +3896,7 @@ DOC_END
 
 NAME: logfile_rotate
 TYPE: int
-DEFAULT: 10
+DEFAULT: 0
 LOC: Config.Log.rotateNumber
 DOC_START
        Specifies the number of logfile rotations to make when you
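Review bot: the logfile_rotate DEFAULT changes from 10 to 0 while the DOC_START text under it is left as it was, so the reader is not told why the packaged default differs from upstream. If the intent is to leave rotation to the packaged squid.logrotate file, say so in this option's documentation text, so that an administrator who runs "squid -k rotate" by hand knows that no numbered copies are kept.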
++++++ squid-fix-pod2man-check.patch ++++++
Index: helpers/basic_auth/DB/config.test
===================================================================
--- helpers/basic_auth/DB/config.test.orig
+++ helpers/basic_auth/DB/config.test
@@ -2,6 +2,6 @@
 
 ## Test: do we have perl to build the helper scripts?
 ## Test: do we have pod2man to build the manual?
-perl --version >/dev/null && echo | pod2man >/dev/null
+perl --version >/dev/null && pod2man --help >/dev/null
 
 exit $?
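Review bot: the replacement check depends on "pod2man --help" exiting with status 0, because the script ends with "exit $?"; confirm that for every pod2man version in the build targets, since a help option that exits non-zero would silently disable the helper. Only stdout is redirected, so anything the command writes to stderr will appear in the configure output. A one-line comment on why "echo | pod2man" stopped working would help the next packager.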
Index: helpers/log_daemon/DB/config.test
===================================================================
--- helpers/log_daemon/DB/config.test.orig
+++ helpers/log_daemon/DB/config.test
@@ -2,6 +2,6 @@
 
 ## Test: do we have perl to build the helper scripts?
 ## Test: do we have pod2man to build the manual?
-perl --version >/dev/null && echo | pod2man >/dev/null
+perl --version >/dev/null && pod2man --help >/dev/null
 
 exit $?
++++++ squid-nobuilddates.patch ++++++
Index: helpers/basic_auth/fake/fake.cc
===================================================================
--- helpers/basic_auth/fake/fake.cc.orig
+++ helpers/basic_auth/fake/fake.cc
@@ -74,7 +74,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
-    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", 
program_name);
+    debug("%s starting up...\n", program_name);
 
     while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
         char *p;
@@ -90,6 +90,6 @@ main(int argc, char *argv[])
         /* send 'OK' result back to Squid */
         SEND_OK("");
     }
-    debug("%s build " __DATE__ ", " __TIME__ " shutting down...\n", 
program_name);
+    debug("%s shutting down...\n", program_name);
     exit(0);
 }
Index: helpers/external_acl/AD_group/ext_ad_group_acl.cc
===================================================================
--- helpers/external_acl/AD_group/ext_ad_group_acl.cc.orig
+++ helpers/external_acl/AD_group/ext_ad_group_acl.cc
@@ -800,8 +800,7 @@ main(int argc, char *argv[])
         if (!DefaultDomain)
             DefaultDomain = xstrdup(machinedomain);
     }
-    debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
-          " starting up...\n");
+    debug("External ACL win32 group helper build starting up...\n");
     if (use_global)
         debug("Domain Global group mode enabled using '%s' as default 
domain.\n", DefaultDomain);
     if (use_case_insensitive_compare)
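Review bot: the new debug() string reads "External ACL win32 group helper build starting up...", with the word "build" left over from the removed date and time phrase. The other helpers in this patch drop it ("%s starting up..."); do the same here and in the identical line in ext_lm_group_acl.cc so the messages stay consistent.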
Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
===================================================================
--- helpers/external_acl/LM_group/ext_lm_group_acl.cc.orig
+++ helpers/external_acl/LM_group/ext_lm_group_acl.cc
@@ -539,8 +539,7 @@ main(int argc, char *argv[])
         if (!DefaultDomain)
             DefaultDomain = xstrdup(machinedomain);
     }
-    debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
-          " starting up...\n");
+    debug("External ACL win32 group helper build starting up...\n");
     if (use_global)
         debug("Domain Global group mode enabled using '%s' as default 
domain.\n", DefaultDomain);
     if (use_case_insensitive_compare)
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
===================================================================
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
@@ -272,7 +272,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
-    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", 
my_program_name);
+    debug("%s starting up...\n", my_program_name);
 
     if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) {
         fprintf(stderr, "FATAL: %s: can't initialize SSPI, exiting.\n", 
argv[0]);
Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
===================================================================
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
@@ -609,7 +609,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
-    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", 
my_program_name);
+    debug("%s starting up...\n", my_program_name);
 
     if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) {
         fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n");
Index: helpers/ntlm_auth/fake/ntlm_fake_auth.cc
===================================================================
--- helpers/ntlm_auth/fake/ntlm_fake_auth.cc.orig
+++ helpers/ntlm_auth/fake/ntlm_fake_auth.cc
@@ -173,7 +173,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
-    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", 
my_program_name);
+    debug("%s starting up...\n", my_program_name);
 
     while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
         user[0] = '\0';                /*no user code */
Index: helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
===================================================================
--- helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc.orig
+++ helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
@@ -632,7 +632,7 @@ manage_request()
 int
 main(int argc, char *argv[])
 {
-    debug("ntlm_auth build " __DATE__ ", " __TIME__ " starting up...\n");
+    debug("ntlm_auth build starting up...\n");
 
     my_program_name = argv[0];
     process_options(argc, argv);
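Review bot: "ntlm_auth build starting up..." keeps the word "build" although the date and time it introduced are gone. "ntlm_auth starting up..." would match the wording used for the fake and SSPI helpers elsewhere in this patch.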
Index: helpers/url_rewrite/fake/fake.cc
===================================================================
--- helpers/url_rewrite/fake/fake.cc.orig
+++ helpers/url_rewrite/fake/fake.cc
@@ -79,7 +79,7 @@ main(int argc, char *argv[])
 
     process_options(argc, argv);
 
-    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", 
my_program_name);
+    debug("%s starting up...\n", my_program_name);
 
     while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
         char *p;
@@ -95,6 +95,6 @@ main(int argc, char *argv[])
         /* send 'no-change' result back to Squid */
         fprintf(stdout,"\n");
     }
-    debug("%s build " __DATE__ ", " __TIME__ " shutting down...\n", 
my_program_name);
+    debug("%s shutting down...\n", my_program_name);
     exit(0);
 }
++++++ squid.init ++++++
#!/bin/sh
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002 SuSE Linux AG
#
# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel <[email protected]>
#
# /etc/init.d/squid
#   and its symbolic link
# /(usr/)sbin/rcsquid
#
### BEGIN INIT INFO
# Provides:           squid
# Required-Start:     $local_fs $remote_fs $network $time
# Should-Start:       apache $named winbind 
# Required-Stop:      $local_fs $remote_fs $network $time
# Should-Stop:        apache $named winbind
# Default-Start:      3 5
# Default-Stop:       0 1 2 6
# Short-Description:  Squid web cache
# Description:        Start the Squid web cache, providing
#                     HTTP, FTP and other proxy services
### END INIT INFO
#
# Note on runlevels:
# 0 - halt/poweroff                     6 - reboot
# 1 - single user                       2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
SQUID_BIN=/usr/sbin/squid
test -x $SQUID_BIN || { echo "$SQUID_BIN not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

# Check for existence of needed config file and read it
SQUID_SYSCONFIG=/etc/sysconfig/squid
test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 6; fi; }

# Read config
. $SQUID_SYSCONFIG

SQUID_PID=/var/run/squid.pid
SQUID_CONF=/etc/squid/squid.conf
SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"}
SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"}
SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"}

# determine which one is the cache_swap directory
SQUID_CACHE_DIR=$(perl -n -e \
 '/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF)

ulimit -n "$SQUID_ULIMIT"

#IN: $SQUID_CACHE_DIR
setup_squid_cache_dir(){
  for adir in "$1" ; do
    if [ ! -d $adir/00 ]; then # create missing cache directories
      umask 027             # prevent users reading any cache data
      echo -n " ($adir)"
      $SQUID_BIN -z -F > /dev/null 2>&1
    fi
    if [ ! -d $adir/00 ]; then
      echo " - failed while creating cache_dir ! "
      rc_failed
      rc_status -v
      rc_exit
    fi
  done
  sleep 2
}

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset


case "$1" in
    start)
        echo -n "Starting WWW-proxy squid "
        if /sbin/checkproc $SQUID_BIN ; then
          echo -n "- Warning: squid already running ! "
          rc_failed
        else
          [ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! "
          if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then
            setup_squid_cache_dir "$SQUID_CACHE_DIR"
          fi
        fi
        startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS"

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down WWW-proxy squid "
        if /sbin/checkproc $SQUID_BIN ; then
          $SQUID_BIN -k shutdown
          sleep 2
          if [ -e $SQUID_PID ] ; then 
            echo -n "- wait a minute or two... "
            i="$SQUID_S_T"
            while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do
              sleep 2
              i=$((i-1))
              echo -n "."
              [ $i -eq 41 ] && echo
            done
          fi
          if /sbin/checkproc $SQUID_BIN ; then
            killproc -TERM $SQUID_BIN
            echo -n " Warning: squid killed !"
          fi
        else
          echo -n "- Warning: squid not running ! "
          rc_failed 7
        fi

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart)
        $0 status >/dev/null && $0 restart

        # Remember status and be quiet
        rc_status
        ;;
    restart)
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        $0 reload

        # Remember status and be quiet
        rc_status
        ;;
    reload)
        echo -n "Reloading WWW-proxy squid "
        if /sbin/checkproc $SQUID_BIN ; then
          $SQUID_BIN -k rotate
          sleep 2
          $SQUID_BIN -k reconfigure
          rc_status
        else
          echo -n "- Warning: squid not running ! "
          rc_failed 7
        fi

        # Remember status and be verbose
        rc_status -v
        ;;
    status)
        echo -n "Checking for WWW-proxy squid "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        /sbin/checkproc $SQUID_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    probe)
        test $SQUID_CONF -nt $SQUID_PID && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

++++++ squid.keyring ++++++
pub   2048R/FF5CF463 2008-03-08
uid                  Amos Jeffries <[email protected]>
uid                  Amos Jeffries <[email protected]>
uid                  Amos Jeffries (Squid 3.0 Release Key) <[email protected]>
uid                  Amos Jeffries (Squid 3.1 Release Key) <[email protected]>
sub   2048R/D0F41EA3 2009-04-08 [expires: 2010-04-08]
sub   2048R/5EF49CEC 2010-05-01 [expires: 2011-05-01]

++++++ squid.logrotate ++++++
/var/log/squid/cache.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+1024k
    notifempty
    missingok
    create 640 squid root
    sharedscripts
    postrotate
     /etc/init.d/squid reload
    endscript
}

/var/log/squid/access.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 640 squid root
    sharedscripts
    postrotate
     /etc/init.d/squid reload
    endscript
}

/var/log/squid/store.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 640 squid root
    sharedscripts
    postrotate
     /etc/init.d/squid reload
    endscript
}
++++++ squid.permissions ++++++
/var/cache/squid/               squid:root      750
/var/log/squid/                 squid:root      750
++++++ squid.service ++++++
[Unit]
Description=Squid caching proxy
After=network.target named.service nss-lookup.service

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/squid
ExecStartPre=/bin/sh -c "test -d \"`sed -n 's/^cache_dir\s\+[[:alnum:]]\+\s\+\([[:graph:]\/]\+\)\s.*/\1/p' /etc/squid/squid.conf | sed '1 q'`/00\" || /usr/sbin/squid -z -F -N -S -f /etc/squid/squid.conf"
ExecStart=/usr/sbin/squid -F $SQUID_START_OPTIONS  -f /etc/squid/squid.conf
ExecReload=/usr/sbin/squid -F $SQUID_START_OPTIONS -f /etc/squid/squid.conf -k reconfigure
ExecStop=/usr/sbin/squid -F -f /etc/squid/squid.conf -k shutdown
LimitNOFILE=4096
PIDFile=/run/squid.pid

[Install]
WantedBy=multi-user.target

++++++ squid.sysconfig ++++++
## Path:        Network/WWW/Proxy/squid
## Description: squid webproxy options

## Type:        integer(1:)
## Default:     "60"
#
# kill squid after this timeout in double-seconds with SIGTERM
#
SQUID_SHUTDOWN_TIMEOUT="60"

## Type:        text
## Default:     "-sY"
#
# squid daemon start options
#
SQUID_START_OPTIONS="-sY"

## Type:        integer(1:)
## Default:     "4096"
#
# default ulimit to set
#
SQUID_DEFAULT_ULIMT="4096"
++++++ squid:bsc_929493:CVE-2015-3455.patch ++++++
------------------------------------------------------------
revno: 12690
revision-id: [email protected]
parent: [email protected]
author: Amos Jeffries <[email protected]>, Christos Tsantilas 
<[email protected]>
committer: Amos Jeffries <[email protected]>
branch nick: 3.3
timestamp: Fri 2015-05-01 00:21:50 -0700
message:
  Fix X509 server certificate domain matching
  
  The X509 certificate domain fields may contain non-ASCII encodings.
  Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
  strings.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: [email protected]
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 71f7464710595ffb8da41f6645ff84d45ce479ec
# timestamp: 2015-05-01 07:22:40 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: [email protected]\
#   r22x5azlu3sf49nk
# 
# Begin patch
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc  2013-09-11 01:53:34 +0000
+++ src/ssl/support.cc  2015-05-01 07:21:50 +0000
@@ -208,7 +208,13 @@
     if (cn_data->length > (int)sizeof(cn) - 1) {
         return 1; //if does not fit our buffer just ignore
     }
-    memcpy(cn, cn_data->data, cn_data->length);
+    char *s = reinterpret_cast<char*>(cn_data->data);
+    char *d = cn;
+    for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+        if (*s == '\0')
+            return 1; // always a domain mismatch. contains 0x00
+        *d = *s;
+    }
     cn[cn_data->length] = '\0';
     debugs(83, 4, "Verifying server domain " << server << " to certificate 
name/subjectAltName " << cn);
     return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);
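
Review bot: the copy loop added in place of memcpy() only rejects an embedded 0x00, while the commit message promises that the domain matcher is passed only UTF-8 ASCII-compatible strings. Bytes above 0x7F, control characters, and multi-byte encodings whose code units contain no zero byte are still copied by "*d = *s" and reach matchDomainName(). Consider rejecting any byte outside the expected hostname character range inside the same loop, or checking the string's encoding before copying. The pointer s is only read from and could be declared const char *. The oversize branch above also returns 1 but is commented "just ignore", whereas the new branch documents the same return value as "always a domain mismatch"; aligning the two comments would make the meaning of the return value clear.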

++++++ unsquid.pl ++++++
#!/usr/bin/perl -w
#
# unsquid v0.2 -- Squid object dumper.
#   Copyright (C) 2000 Avatar <[email protected]>.
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA
#
# $Id: unsquid,v 1.4 2000/03/11 17:31:06 avatar Exp $

=pod

=head1 NAME

unsquid - dump Squid objects

=head1 SYNOPSIS

B<unsquid> S<[ B<-d>I<dir> ]>
S<[ B<-t>I<type> ]>
S<[ B<-fv> ]>
S<[ B<-Vh> ]>

=head1 DESCRIPTION

unsquid dumps Squid cache files specified on the command line into
directories reflecting their original URLs, hence preserving the
original site layouts for off-line browsing.

Typical usage is

        find /usr/local/squid/cache/??/ -type f -print | \
                xargs unsquid -t 'image/.*' -d /tmp

The command line options are explained below.

=over

=item B<-t>I<type> S<B<--type> I<type>>

Dump only files matching the MIME type regex I<type>.

=item B<-f> B<--force>

Overwrite existing files.  For security reasons, this option is disabled
when run as root.

=item B<-v> B<--verbose>

Print the URLs of dumped objects.

=item B<-d>I<dir> S<B<--dest> I<dir>>

Dump the files inside I<dir>.

=item B<-V> B<--version>

Print the version number.

=item B<-h> B<--help>

Print a summary of command line options.

=back

=head1 AUTHOR

Avatar <F<[email protected]>>

=cut

use POSIX;
use Getopt::Long;
use strict;

my $help = <<EOT;
Usage: $0 [OPTION]... FILE...
Dumps Squid objects.

  -t, --type TYPE           only dump objects matching the regex TYPE
  -v, --verbose             print dumped object urls
  -f, --force               overwrite existing files
  -d, --dest DIR            use DIR as the destination directory for dumping
  -V, --version             print the version string
  -h, --help                show this help
EOT

my ($type, $size, $force, $verbose, $showver, $showhelp);
my $destdir = ".";
my $defaultindex = "index.html";

Getopt::Long::Configure("no_ignore_case");
GetOptions("dest=s" => \$destdir,
        "type=s" => \$type,
        "verbose|v+" => \$verbose,
        "force!" => \$force,
        "version|V" => \$showver,
        "help" => \$showhelp);

if ($showver) {
        print <<EOT;
Unsquid version 0.2

Copyright (C) 2000 Avatar <avatar\@deva.net>.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
to the extent permitted by law.
EOT
        exit;
}

if ($#ARGV < 0 or $showhelp) {
        print $help;
        exit;
}

if ($force and $< == 0) {
        die "$0: root is not allowed to use the force option";
}

for (@ARGV) {
        my ($url, $urllen);

        # read 4 bytes from offset 56 as the length of the url
        open(INFILE, "<$_") or die "$0: cannot open file $_ for reading: $!";
        seek(INFILE, 56, SEEK_SET) or die "$0: cannot seek 56 bytes: $!";
        read(INFILE, $urllen, 4) or die "$0: cannot read 4 bytes: $!";
        $urllen = ord($urllen) - 1; # kill the last NUL

        # read the url
        read(INFILE, $url, $urllen);

        # expand index urls
        $url =~ s-/$-/$defaultindex-m;

        # scan the contents
        my ($seenheader);
        while (<INFILE>) {
                if ($seenheader) {
                        print OUTFILE;
                        next;
                }

                # if type is specified, do matching
                if (/^Content-Type: /i and defined $type) {
                        m-[^:]*: (\w+/\w+)-;
                        last if $1 !~ /$type/;
                        next;
                }

                # at this point we must have matched the type
                if (/^\r$/) {
                        $seenheader = 1;

                        makedir($url);
                        if (! defined $force and -e "$destdir/$url") {
                                warn "$0: file $destdir/$url exists, skipped";
                                last;
                        }
                        open(OUTFILE, ">$destdir/$url")
                                or die "$0: cannot open file $destdir/$url for writing: $!";
                        print "$url\n" if $verbose;
                }
        }
        close(INFILE);
        close(OUTFILE);
}

sub makedir {
        my ($basename) = @_;
        my $path = $destdir;

        if (! -d $destdir) {
                warn "$0: destination directory $destdir does not exist, making it";
                mkdir $destdir, 0777 or die "$0: cannot mkdir $destdir: $!";
        }

        while( $basename =~ m-^([^/]*)/- ) {
                $path .= "/".$1;
                if (! -d $path) {
                        if (! mkdir $path, 0777) {
                                if (-f $path) {
                                        # move the file in
                                        open FILE, $path
                                                or die "$0: cannot open $path for reading: $!";
                                        undef $/;
                                        my $buf = <FILE>;
                                        $/ = "\n";
                                        close FILE;
                                        unlink $path;

                                        mkdir $path, 0777
                                                or die "$0: cannot make directory $path: $!";

                                        open FILE, ">$path-redirect"
                                                or die "$0: cannot open $path-redirect for writing: $!";
                                        print FILE $buf;
                                        close FILE;
                                } else {
                                        die "$0: cannot mkdir $path: $!";
                                }
                        }
                }
                $basename = $';
        }
}
