Hello community,

here is the log from the commit of package squidGuard for openSUSE:Factory checked in at 2017-10-06 11:03:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/squidGuard (Old)
 and /work/SRC/openSUSE:Factory/.squidGuard.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squidGuard" Fri Oct 6 11:03:44 2017 rev:27 rq:531548 version:1.4 Changes: -------- --- /work/SRC/openSUSE:Factory/squidGuard/squidGuard.changes 2015-03-30 19:33:14.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.squidGuard.new/squidGuard.changes 2017-10-06 11:03:50.681765498 +0200 @@ -1,0 +2,20 @@ +Wed Oct 4 14:13:11 UTC 2017 - [email protected] + +- Merge SLE changes into Factory + +------------------------------------------------------------------- +Thu Jun 29 12:03:06 UTC 2017 - [email protected] + +- default_config_pathfixes.patch: + reference only existing filter lists in default installed config + (bnc#961499) + +------------------------------------------------------------------- +Mon Jun 20 11:29:28 UTC 2016 - [email protected] + +- add xss_fix_02_2015.patch: + o fix XSS possibility in blocked error page by escaping all + < and > in the printed url (CVE-2015-8936, bnc#985612) +- fix URL in README so it doesn't point at non-existent page + +------------------------------------------------------------------- @@ -5 +25 @@ - see http://bugs.squid-cache.org/show_bug.cgi?id=3978 + see http://bugs.squid-cache.org/show_bug.cgi?id=3978 (bnc#1040757) New: ---- default_config_pathfixes.patch xss_fix_02_2015.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squidGuard.spec ++++++ --- /var/tmp/diff_new_pack.djZ4Hj/_old 2017-10-06 11:03:51.937575576 +0200 +++ /var/tmp/diff_new_pack.djZ4Hj/_new 2017-10-06 11:03:51.941574971 +0200 @@ -1,7 +1,7 @@ # # spec file for package squidGuard # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -40,7 +40,9 @@ Patch4: squidGuard-unusual_url_end.patch Patch5: squidGuard-CVE-2009-3700.patch Patch6: squidGuard-CVE-2009-3826.patch -Patch7: squidGuard-1.4_upgrade.patch +Patch7: xss_fix_02_2015.patch +Patch8: squidGuard-1.4_upgrade.patch +Patch9: default_config_pathfixes.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: http_proxy BuildRequires: bison @@ -102,6 +104,8 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 find -type d | xargs chmod 755 cp %{SOURCE1} . # patch the test configs ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.djZ4Hj/_old 2017-10-06 11:03:51.969570737 +0200 +++ /var/tmp/diff_new_pack.djZ4Hj/_new 2017-10-06 11:03:51.969570737 +0200 @@ -13,6 +13,6 @@ (/var/squidGuard/logs/squidGuard.log). squidGuard is not blocking anything. The latest blacklists can be found under: - http://www.squidguard.org/blacklist/ + http://www.squidguard.org ... Your SUSE team ++++++ default_config_pathfixes.patch ++++++ Index: squidGuard-1.4/samples/sample.conf.in =================================================================== --- squidGuard-1.4.orig/samples/sample.conf.in +++ squidGuard-1.4/samples/sample.conf.in @@ -53,9 +53,9 @@ dest local { } dest adult { - domainlist dest/adult/domains - urllist dest/adult/urls - expressionlist dest/adult/expressions + domainlist blacklist/domains + urllist blacklist/urls + expressionlist blacklist/expressions redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u } ++++++ xss_fix_02_2015.patch ++++++ CVE: CVE-2015-8936 URL: http://seclists.org/oss-sec/2016/q2/569 Index: squidGuard-1.4/samples/squidGuard.cgi.in =================================================================== --- squidGuard-1.4.orig/samples/squidGuard.cgi.in +++ squidGuard-1.4/samples/squidGuard.cgi.in 
@@ -317,6 +317,9 @@ if ($targetgroup eq "in-addr") { showinaddr($targetgroup,$protocol,$address,$port,$path); } +$url =~ s/</</g ; +$url =~ s/>/>/g ; + status("403 Forbidden"); expires(0); print "Content-type: text/html\n\n";
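Review bot: In the squidGuard.spec hunk, the new xss_fix_02_2015.patch is inserted as Patch7 and squidGuard-1.4_upgrade.patch is renumbered to Patch8, so the unchanged `%patch7 -p1` line now applies a different file than it did before and the XSS fix is applied ahead of the upgrade patch. If that ordering is required, a one-line comment above Patch7 saying so would help the next maintainer; if it is not, appending the two new patches as Patch8 and Patch9 would avoid the renumbering. The Patch7 line also carries no comment naming CVE-2015-8936 or bnc#985612, which are only in the .changes entry.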
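Review bot: In the samples/sample.conf.in hunk of default_config_pathfixes.patch, the block is still named `dest adult` although all three lists now point at the generic `blacklist/domains`, `blacklist/urls` and `blacklist/expressions`. The redirect line in the same block passes `targetgroup=%t` to the block page, so every hit on the generic list will be reported as "adult". Either rename the dest to match the list it now loads, or add a comment in the sample explaining that the name is only a placeholder.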
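Review bot: In the samples/squidGuard.cgi.in hunk of xss_fix_02_2015.patch, the two added substitutions read `s/</</g` and `s/>/>/g` as shown here, which replace each character with itself and escape nothing. The replacement side should be the entities &lt; and &gt;, so please confirm against the patch file in the package that this is only the mail archive decoding them. Two further points on the same hunk: the substitutions sit after the `showinaddr($targetgroup,$protocol,$address,$port,$path)` call, so if that function prints any of those values in the in-addr branch they do not get this escaping; and only `$url` is covered, and only for `<` and `>`, which leaves `&` and both quote characters untouched if the value is ever printed inside an attribute. One escaping helper applied to every request-derived value at the point of output would be easier to audit than per-variable substitutions.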
