Hello community,

here is the log from the commit of package squid for openSUSE:Leap:15.2 checked in at 2020-05-03 14:28:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/squid (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.squid.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squid" Sun May 3 14:28:46 2020 rev:46 rq:799613 version:4.11 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/squid/squid.changes 2020-02-29 17:18:51.725341465 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.squid.new.2738/squid.changes 2020-05-03 14:28:47.356443393 +0200 @@ -1,0 +2,31 @@ +Thu Apr 23 13:02:37 UTC 2020 - Adam Majer <adam.ma...@suse.de> + +- Update to squid 4.11: + * Fix incorrect buffer handling that can result in cache + poisoning, remote execution, and denial of service attacks when + processing ESI responses + (CVE-2019-12519, CVE-2019-12521, bsc#1169659) + * Fixes possible information disclosure when translating + FTP server listings into HTTP responses. + (CVE-2019-12528, bsc#1162689) + * Fixes possible denial of service caused by incorrect buffer + management ext_lm_group_acl when processing NTLM Authentication + credentials. (CVE-2020-8517, bsc#1162691) + * Fixes a potential remote execution vulnerability when using + HTTP Digest Authentication (CVE-2020-11945, bsc#1170313) + * Fixes problem when reconfigure killed Coordinator in + SMP+ufs configurations (#556) + +------------------------------------------------------------------- +Mon Apr 20 10:24:46 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Make logrotate recommended, it's not strictly required and + doesn't make any sense in containers + +------------------------------------------------------------------- +Tue Feb 18 15:46:02 CET 2020 - ku...@suse.de + +- Use sysusers instead of shadow to create squid user and groups +- Don't hard require systemd + +------------------------------------------------------------------- 
@@ -35,0 +67,2 @@ + * fixes handling of invalid domain names in cachemgr.cgi + (CVE-2019-18860, bsc#1167373) Old: ---- squid-4.10.tar.xz squid-4.10.tar.xz.asc New: ---- squid-4.11.tar.xz squid-4.11.tar.xz.asc squid-user.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squid.spec ++++++ --- /var/tmp/diff_new_pack.q5a39X/_old 2020-05-03 14:28:47.896444544 +0200 +++ /var/tmp/diff_new_pack.q5a39X/_new 2020-05-03 14:28:47.896444544 +0200 @@ -19,7 +19,7 @@ %define squidlibdir %{_libdir}/squid %define squidconfdir %{_sysconfdir}/squid Name: squid -Version: 4.10 +Version: 4.11 Release: 0 Summary: Caching and forwarding HTTP web proxy License: GPL-2.0-or-later @@ -33,6 +33,7 @@ Source9: %{name}.permissions Source10: README.kerberos Source11: %{name}.service +Source12: %{name}-user.conf # http://lists.squid-cache.org/pipermail/squid-announce/2016-October/000064.html Source13: http://www.squid-cache.org/pgp.asc#/squid.keyring Source15: cache_dir.sed @@ -55,6 +56,8 @@ BuildRequires: pkgconfig BuildRequires: samba-winbind BuildRequires: sharutils +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools BuildRequires: pkgconfig(expat) BuildRequires: pkgconfig(gssrpc) BuildRequires: pkgconfig(kdb) @@ -62,18 +65,18 @@ BuildRequires: pkgconfig(libsasl2) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(nettle) -Requires: logrotate +Recommends: logrotate Requires(pre): permissions -Requires(pre): shadow Provides: http_proxy # due to package rename # Wed Aug 15 17:40:30 UTC 2012 Provides: %{name}3 = %{version} Obsoletes: %{name}3 < %{version} -%{?systemd_requires} +%{?systemd_ordering} %if 0%{?suse_version} >= 1330 BuildRequires: libnsl-devel %endif +%sysusers_requires %description Squid is a caching proxy for the Web supporting HTTP(S), FTP, and 
@@ -142,6 +145,7 @@ --enable-security-cert-generators \ --enable-security-cert-validators make SAMBAPREFIX=%{_prefix} %{?_smp_mflags} +%sysusers_generate_pre %{SOURCE12} squid %install install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} @@ -197,28 +201,15 @@ mv %{buildroot}%{_datadir}/squid/mib.txt \ %{buildroot}%{_datadir}/snmp/mibs/SQUID-MIB.txt +# Install sysusers file. +mkdir -p %{buildroot}%{_sysusersdir} +install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/ + %check # Fails in chroot environment make %{?_smp_mflags} check -%pre -# we need this group for /usr/sbin/pinger -getent group %{name} >/dev/null || %{_sbindir}/groupadd -g 31 -r %{name} -# we need this group for squid (ntlmauth) -# read access to /var/lib/samba/winbindd_privileged -getent group winbind >/dev/null || %{_sbindir}/groupadd -r winbind -getent passwd squid >/dev/null || \ - %{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \ - -G winbind -g %{name} -o -u 31 -r -s /bin/false \ - %{name} -# if default group is not squid, change it -if [ "$(%{_bindir}/id -ng %{name} 2>/dev/null)" != "%{name}" ]; then - %{_sbindir}/usermod -g %{name} %{name} -fi -# if squid is not member of winbind, add him -if [ $(%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind; echo $?) -ne 0 ]; then - %{_sbindir}/usermod -G winbind %{name} -fi +%pre -f squid.pre %service_add_pre %{name}.service # update mode? 
@@ -265,6 +256,7 @@ %dir %{squidconfdir} %dir %{_tmpfilesdir} %{_tmpfilesdir}/squid.conf +%{_sysusersdir}/squid-user.conf %config(noreplace) %{squidconfdir}/cachemgr.conf %config(noreplace) %{squidconfdir}/errorpage.css %config(noreplace) %{squidconfdir}/errors ++++++ squid-4.10.tar.xz -> squid-4.11.tar.xz ++++++ ++++ 4743 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/ChangeLog new/squid-4.11/ChangeLog --- old/squid-4.10/ChangeLog 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/ChangeLog 2020-04-19 14:38:51.000000000 +0200 
@@ -1,3 +1,15 @@ +Changes to squid-4.11 (18 Apr 2020): + + - Bug 5036: capital 'L's in logs when daemon queue overflows + - Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations + - Bug 5016: systemd thinks Squid is ready before Squid listens + - kerberos_ldap_group: fix encryption type for cross realm check + - HTTP: Ignore malformed Host header in intercept and reverse proxy mode + - Fix Digest authentication nonce handling + - Supply ALE to request_header_add/reply_header_add + - ... and some documentation updates + - ... and some compile fixes + Changes to squid-4.10 (14 Jan 2020): - Bug 5009: Build failure with older clang libc++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/RELEASENOTES.html new/squid-4.11/RELEASENOTES.html --- old/squid-4.10/RELEASENOTES.html 2020-01-20 04:07:14.000000000 +0100 +++ new/squid-4.11/RELEASENOTES.html 2020-04-19 14:50:33.000000000 +0200 @@ -1,11 +1,12 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> - <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.73"> - <TITLE>Squid 4.10 release notes</TITLE> + <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.76"> + <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> + <TITLE>Squid 4.11 release notes</TITLE> </HEAD> <BODY> -<H1>Squid 4.10 release notes</H1> +<H1>Squid 4.11 release notes</H1> <H2>Squid Developers</H2> <HR> 
@@ -63,7 +64,7 @@ <HR> <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> -<P>The Squid Team are pleased to announce the release of Squid-4.10.</P> +<P>The Squid Team are pleased to announce the release of Squid-4.11.</P> <P>This new release is available for download from <A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> @@ -637,6 +638,10 @@ <P>The cppunit testing framework is auto-detected and used when available. This option can be used to disable it explicitly.</P> +<DT><B>--without-systemd</B><DD> +<P>SystemD init environment features are auto-detected and used when available. +This option can be used to disable systemd features explicitly.</P> + </DL> </P> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/cfgaux/compile new/squid-4.11/cfgaux/compile --- old/squid-4.10/cfgaux/compile 2020-01-20 03:51:49.000000000 +0100 +++ new/squid-4.11/cfgaux/compile 2020-04-19 14:39:01.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # Written by Tom Tromey <tro...@cygnus.com>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) 
@@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/cfgaux/missing new/squid-4.11/cfgaux/missing --- old/squid-4.10/cfgaux/missing 2020-01-20 03:51:49.000000000 +0100 +++ new/squid-4.11/cfgaux/missing 2020-04-19 14:39:01.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/cfgaux/test-driver new/squid-4.11/cfgaux/test-driver --- old/squid-4.10/cfgaux/test-driver 2020-01-20 03:51:57.000000000 +0100 +++ new/squid-4.11/cfgaux/test-driver 2020-04-19 14:39:05.000000000 +0200 
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2018 Free Software Foundation, Inc. +# Copyright (C) 2011-2020 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/compat/getnameinfo.cc new/squid-4.11/compat/getnameinfo.cc --- old/squid-4.10/compat/getnameinfo.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/compat/getnameinfo.cc 2020-04-19 14:38:51.000000000 +0200 @@ -203,12 +203,12 @@ if (sp) { if (strlen(sp->s_name) + 1 > servlen) return EAI_OVERFLOW; - strncpy(serv, sp->s_name, servlen); + xstrncpy(serv, sp->s_name, servlen); } else { snprintf(numserv, sizeof(numserv), "%u", ntohs(port)); if (strlen(numserv) + 1 > servlen) return EAI_OVERFLOW; - strncpy(serv, numserv, servlen); + xstrncpy(serv, numserv, servlen); } } @@ -301,7 +301,7 @@ #endif return EAI_OVERFLOW; } - strncpy(host, hp->h_name, hostlen); + xstrncpy(host, hp->h_name, hostlen); #if USE_GETIPNODEBY freehostent(hp); #endif 
@@ -351,7 +351,7 @@ numaddrlen = strlen(numaddr); if (numaddrlen + 1 > hostlen) /* don't forget terminator */ return EAI_OVERFLOW; - strncpy(host, numaddr, hostlen); + xstrncpy(host, numaddr, hostlen); if (((const struct sockaddr_in6 *)sa)->sin6_scope_id) { char zonebuf[SQUIDHOSTNAMELEN]; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/configure.ac new/squid-4.11/configure.ac --- old/squid-4.10/configure.ac 2020-01-20 03:51:59.000000000 +0100 +++ new/squid-4.11/configure.ac 2020-04-19 14:39:06.000000000 +0200 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[4.10],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[4.11],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) 
@@ -2124,6 +2124,51 @@ AC_SUBST(LDAPLIB) AC_SUBST(LBERLIB) +AC_ARG_WITH(systemd, + AS_HELP_STRING([--without-systemd], + [Do not use systemd API to send start-up completion + notification. Default: auto-detect]), [ +case "$with_systemd" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! -d "$withval" ; then + AC_MSG_ERROR([--with-systemd path does not point to a directory]) + fi + SYSTEMD_PATH="-L$with_systemd/lib" + CPPFLAGS="-I$with_systemd/include $CPPFLAGS" + esac +]) +AH_TEMPLATE(USE_SYSTEMD,[systemd support is available]) +if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then + SQUID_STATE_SAVE(squid_systemd_state) + + # User may have provided a custom location for systemd. Otherwise... + LIBS="$LIBS $SYSTEMD_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES(SYSTEMD,[libsystemd],,[ + # systemd < 209 + PKG_CHECK_MODULES(SYSTEMD,[libsystemd-daemon],,[:]) + ]) + + AC_CHECK_HEADERS(systemd/sd-daemon.h) + + SQUID_STATE_ROLLBACK(squid_systemd_state) #de-pollute LIBS + + if test "x$with_systemd" = "xyes" -a "x$SYSTEMD_LIBS" = "x"; then + AC_MSG_ERROR([Required systemd library not found]) + fi + if test "x$SYSTEMD_LIBS" != "x" ; then + CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS" + AC_DEFINE(USE_SYSTEMD,1,[systemd support is available]) + else + with_systemd=no + fi +fi +AC_MSG_NOTICE([systemd library support: ${with_systemd:=auto} ${SYSTEMD_PATH} ${SYSTEMD_LIBS}]) + AC_ARG_ENABLE(forw-via-db, AS_HELP_STRING([--enable-forw-via-db],[Enable Forw/Via database]), [ SQUID_YESNO([$enableval],[unrecognized argument to --enable-forw-via-db: $enableval]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/doc/release-notes/release-4.html 
new/squid-4.11/doc/release-notes/release-4.html --- old/squid-4.10/doc/release-notes/release-4.html 2020-01-20 04:07:14.000000000 +0100 +++ new/squid-4.11/doc/release-notes/release-4.html 2020-04-19 14:50:33.000000000 +0200 @@ -1,11 +1,12 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> - <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.73"> - <TITLE>Squid 4.10 release notes</TITLE> + <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.76"> + <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> + <TITLE>Squid 4.11 release notes</TITLE> </HEAD> <BODY> -<H1>Squid 4.10 release notes</H1> +<H1>Squid 4.11 release notes</H1> <H2>Squid Developers</H2> <HR> @@ -63,7 +64,7 @@ <HR> <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> -<P>The Squid Team are pleased to announce the release of Squid-4.10.</P> +<P>The Squid Team are pleased to announce the release of Squid-4.11.</P> <P>This new release is available for download from <A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> 
@@ -637,6 +638,10 @@ <P>The cppunit testing framework is auto-detected and used when available. This option can be used to disable it explicitly.</P> +<DT><B>--without-systemd</B><DD> +<P>SystemD init environment features are auto-detected and used when available. +This option can be used to disable systemd features explicitly.</P> + </DL> </P> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/include/autoconf.h.in new/squid-4.11/include/autoconf.h.in --- old/squid-4.10/include/autoconf.h.in 2020-01-20 03:51:47.000000000 +0100 +++ new/squid-4.11/include/autoconf.h.in 2020-04-19 14:39:00.000000000 +0200 @@ -1068,6 +1068,9 @@ /* Define to 1 if you have the <syslog.h> header file. */ #undef HAVE_SYSLOG_H +/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */ +#undef HAVE_SYSTEMD_SD_DAEMON_H + /* Define to 1 if you have the <sys/bitypes.h> header file. */ #undef HAVE_SYS_BITYPES_H @@ -1570,6 +1573,9 @@ /* Use ssl-crtd daemon */ #undef USE_SSL_CRTD +/* systemd support is available */ +#undef USE_SYSTEMD + /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # undef _ALL_SOURCE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/include/version.h new/squid-4.11/include/version.h --- old/squid-4.10/include/version.h 2020-01-20 03:51:59.000000000 +0100 +++ new/squid-4.11/include/version.h 2020-04-19 14:39:06.000000000 +0200 
@@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1579488704 +#define SQUID_RELEASE_TIME 1587299937 #endif /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/libltdl/m4/libtool.m4 new/squid-4.11/libltdl/m4/libtool.m4 --- old/squid-4.10/libltdl/m4/libtool.m4 2020-01-20 03:51:48.000000000 +0100 +++ new/squid-4.11/libltdl/m4/libtool.m4 2020-04-19 14:39:00.000000000 +0200 @@ -1041,8 +1041,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF @@ -1492,7 +1492,7 @@ m4_defun([_LT_PROG_AR], [AC_CHECK_TOOLS(AR, [ar], false) : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} _LT_DECL([], [AR], [1], [The archiver]) _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/FwdState.cc new/squid-4.11/src/FwdState.cc --- old/squid-4.10/src/FwdState.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/FwdState.cc 2020-04-19 14:38:51.000000000 +0200 
@@ -587,6 +587,9 @@ if (!entry->isEmpty()) return false; + if (request->flags.pinned && !pinnedCanRetry()) + return false; + if (exhaustedTries()) return false; @@ -1068,6 +1071,11 @@ debugs(17, 3, HERE << e->url() << "?" ); + if (request->flags.pinned && !pinnedCanRetry()) { + debugs(17, 3, "pinned connection; cannot retry"); + return 0; + } + if (!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)) { debugs(17, 3, HERE << "No, ENTRY_FWD_HDR_WAIT isn't set"); return 0; @@ -1229,6 +1237,28 @@ return n_tries >= Config.forward_max_tries; } +bool +FwdState::pinnedCanRetry() const +{ + assert(request->flags.pinned); + + // pconn race on pinned connection: Currently we do not have any mechanism + // to retry current pinned connection path. + if (pconnRace == raceHappened) + return false; + + // If a bumped connection was pinned, then the TLS client was given our peer + // details. Do not retry because we do not ensure that those details stay + // constant. Step1-bumped connections do not get our TLS peer details, are + // never pinned, and, hence, never reach this method. + if (request->flags.sslBumped) + return false; + + // The other pinned cases are FTP proxying and connection-based HTTP + // authentication. TODO: Do these cases have restrictions? + return true; +} + /**** PRIVATE NON-MEMBER FUNCTIONS ********************************************/ /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/FwdState.h new/squid-4.11/src/FwdState.h --- old/squid-4.10/src/FwdState.h 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/FwdState.h 2020-04-19 14:38:51.000000000 +0200 
@@ -117,6 +117,11 @@ void doneWithRetries(); void completed(); void retryOrBail(); + + /// whether a pinned to-peer connection can be replaced with another one + /// (in order to retry or reforward a failed request) + bool pinnedCanRetry() const; + ErrorState *makeConnectingError(const err_type type) const; void connectedToPeer(Security::EncryptorAnswer &answer); static void RegisterWithCacheManager(void); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/HttpHeaderTools.cc new/squid-4.11/src/HttpHeaderTools.cc --- old/squid-4.10/src/HttpHeaderTools.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/HttpHeaderTools.cc 2020-04-19 14:38:51.000000000 +0200 @@ -477,6 +477,12 @@ { ACLFilledChecklist checklist(NULL, request, NULL); + checklist.al = al; + if (al && al->reply) { + checklist.reply = al->reply; + HTTPMSGLOCK(checklist.reply); + } + for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) { if (!hwa->aclList || checklist.fastCheck(hwa->aclList).allowed()) { const char *fieldValue = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/Makefile.am new/squid-4.11/src/Makefile.am --- old/squid-4.10/src/Makefile.am 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/Makefile.am 2020-04-19 14:38:51.000000000 +0200 
@@ -576,6 +576,7 @@ $(EPOLL_LIBS) \ $(MINGW_LIBS) \ $(KRB5LIBS) \ + $(SYSTEMD_LIBS) \ $(COMPAT_LIB) \ $(XTRA_LIBS) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/acl/external/SQL_session/ext_sql_session_acl.8 new/squid-4.11/src/acl/external/SQL_session/ext_sql_session_acl.8 --- old/squid-4.10/src/acl/external/SQL_session/ext_sql_session_acl.8 2020-01-20 04:07:17.000000000 +0100 +++ new/squid-4.11/src/acl/external/SQL_session/ext_sql_session_acl.8 2020-04-19 14:50:35.000000000 +0200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/acl/external/delayer/ext_delayer_acl.8 new/squid-4.11/src/acl/external/delayer/ext_delayer_acl.8 --- old/squid-4.10/src/acl/external/delayer/ext_delayer_acl.8 2020-01-20 04:07:17.000000000 +0100 +++ new/squid-4.11/src/acl/external/delayer/ext_delayer_acl.8 2020-04-19 14:50:35.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/acl/external/kerberos_ldap_group/support_krb5.cc new/squid-4.11/src/acl/external/kerberos_ldap_group/support_krb5.cc --- old/squid-4.10/src/acl/external/kerberos_ldap_group/support_krb5.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/acl/external/kerberos_ldap_group/support_krb5.cc 2020-04-19 14:38:51.000000000 +0200 
@@ -465,6 +465,12 @@ k5_error("Error while initialising TGT credentials", code); goto loop_end; } + + // overwrite limitation of enctypes + creds->keyblock.enctype = 0; + if (creds->keyblock.contents) + krb5_free_keyblock_contents(kparam.context, &creds->keyblock); + code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds); if (code) { k5_error("Error while getting tgt", code); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 new/squid-4.11/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- old/squid-4.10/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2020-01-20 04:07:17.000000000 +0100 +++ new/squid-4.11/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2020-04-19 14:50:36.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/auth/basic/DB/basic_db_auth.8 new/squid-4.11/src/auth/basic/DB/basic_db_auth.8 --- old/squid-4.10/src/auth/basic/DB/basic_db_auth.8 2020-01-20 04:07:18.000000000 +0100 +++ new/squid-4.11/src/auth/basic/DB/basic_db_auth.8 2020-04-19 14:50:36.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/auth/basic/POP3/basic_pop3_auth.8 new/squid-4.11/src/auth/basic/POP3/basic_pop3_auth.8 --- old/squid-4.10/src/auth/basic/POP3/basic_pop3_auth.8 2020-01-20 04:07:18.000000000 +0100 +++ new/squid-4.11/src/auth/basic/POP3/basic_pop3_auth.8 2020-04-19 14:50:37.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/auth/digest/Config.cc new/squid-4.11/src/auth/digest/Config.cc --- old/squid-4.10/src/auth/digest/Config.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/auth/digest/Config.cc 2020-04-19 14:38:51.000000000 +0200 @@ -94,9 +94,6 @@ static void authenticateDigestNonceSetup(void); static void authDigestNonceEncode(digest_nonce_h * nonce); static void authDigestNonceLink(digest_nonce_h * nonce); -#if NOT_USED -static int authDigestNonceLinks(digest_nonce_h * nonce); -#endif static void authDigestNonceUserUnlink(digest_nonce_h * nonce); static void 
@@ -155,10 +152,10 @@ * really bad timing with expiry and creation). Using a random * component in the nonce allows us to loop to find a unique nonce. * We use H(nonce_data) so the nonce is meaningless to the reciever. - * So our nonce looks like hex(H(timestamp,pointertohash,randomdata)) + * So our nonce looks like hex(H(timestamp,randomdata)) * And even if our randomness is not very random we don't really care - * - the timestamp and memory pointer also guarantee local uniqueness - * in the input to the hash function. + * - the timestamp also guarantees local uniqueness in the input to + * the hash function. */ // NP: this will likely produce the same randomness sequences for each worker // since they should all start within the 1-second resolution of seed value. @@ -168,7 +165,6 @@ /* create a new nonce */ newnonce->nc = 0; newnonce->flags.valid = true; - newnonce->noncedata.self = newnonce; newnonce->noncedata.creationtime = current_time.tv_sec; newnonce->noncedata.randomdata = newRandomData(mt); @@ -290,21 +286,10 @@ { assert(nonce != NULL); ++nonce->references; + assert(nonce->references != 0); // no overflows debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'."); } -#if NOT_USED -static int -authDigestNonceLinks(digest_nonce_h * nonce) -{ - if (!nonce) - return -1; - - return nonce->references; -} - -#endif - void authDigestNonceUnlink(digest_nonce_h * nonce) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/auth/digest/Config.h new/squid-4.11/src/auth/digest/Config.h --- old/squid-4.10/src/auth/digest/Config.h 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/auth/digest/Config.h 2020-04-19 14:38:51.000000000 +0200 
@@ -32,8 +32,6 @@ /* data to be encoded into the nonce's hex representation */ struct _digest_nonce_data { time_t creationtime; - /* in memory address of the nonce struct (similar purpose to an ETag) */ - digest_nonce_h *self; uint32_t randomdata; }; @@ -44,7 +42,7 @@ /* number of uses we've seen of this nonce */ unsigned long nc; /* reference count */ - short references; + uint64_t references; /* the auth_user this nonce has been tied to */ Auth::Digest::User *user; /* has this nonce been invalidated ? */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/cf.data.pre new/squid-4.11/src/cf.data.pre --- old/squid-4.10/src/cf.data.pre 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/cf.data.pre 2020-04-19 14:38:51.000000000 +0200 @@ -7609,7 +7609,7 @@ DEFAULT_DOC: Address selected by the operating system. IFDEF: USE_WCCP DOC_START - Use this option if you require WCCPv2 to use a specific + Use this option if you require WCCP(v1) to use a specific interface address. The default behavior is to not bind to any specific address. 
@@ -7622,7 +7622,7 @@ DEFAULT_DOC: Address selected by the operating system. IFDEF: USE_WCCPv2 DOC_START - Use this option if you require WCCP to use a specific + Use this option if you require WCCPv2 to use a specific interface address. The default behavior is to not bind to any specific address. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/client_side.cc new/squid-4.11/src/client_side.cc --- old/squid-4.10/src/client_side.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/client_side.cc 2020-04-19 14:38:51.000000000 +0200 @@ -136,6 +136,10 @@ #include <cmath> #include <limits> +#if HAVE_SYSTEMD_SD_DAEMON_H +#include <systemd/sd-daemon.h> +#endif + #if LINGERING_CLOSE #define comm_close comm_lingering_close #endif 
@@ -3646,6 +3650,20 @@ << s->listenConn); Must(AddOpenedHttpSocket(s->listenConn)); // otherwise, we have received a fd we did not ask for + +#if USE_SYSTEMD + // When the very first port opens, tell systemd we are able to serve connections. + // Subsequent sd_notify() calls, including calls during reconfiguration, + // do nothing because the first call parameter is 1. + // XXX: Send the notification only after opening all configured ports. + if (opt_foreground || opt_no_daemon) { + const auto result = sd_notify(1, "READY=1"); + if (result < 0) { + debugs(1, DBG_IMPORTANT, "WARNING: failed to send start-up notification to systemd" << + Debug::Extra << "sd_notify() error: " << xstrerr(-result)); + } + } +#endif } void diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/clients/FtpGateway.cc new/squid-4.11/src/clients/FtpGateway.cc --- old/squid-4.10/src/clients/FtpGateway.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/clients/FtpGateway.cc 2020-04-19 14:38:51.000000000 +0200 @@ -564,8 +564,6 @@ n_tokens = 0; - memset(tokens, 0, sizeof(tokens)); - xbuf = xstrdup(buf); if (flags.tried_nlst) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/esi/Context.h new/squid-4.11/src/esi/Context.h --- old/squid-4.10/src/esi/Context.h 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/esi/Context.h 2020-04-19 14:38:51.000000000 +0200 
@@ -12,6 +12,7 @@ #include "clientStream.h" #include "err_type.h" #include "esi/Element.h" +#include "esi/Esi.h" #include "esi/Parser.h" #include "http/forward.h" #include "http/StatusCode.h" @@ -113,7 +114,7 @@ { public: - ESIElement::Pointer stack[10]; /* a stack of esi elements that are open */ + ESIElement::Pointer stack[ESI_STACK_DEPTH_LIMIT]; /* a stack of esi elements that are open */ int stackdepth; /* self explanatory */ ESIParser::Pointer theParser; ESIElement::Pointer top(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/esi/Esi.cc new/squid-4.11/src/esi/Esi.cc --- old/squid-4.10/src/esi/Esi.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/esi/Esi.cc 2020-04-19 14:38:51.000000000 +0200 @@ -29,6 +29,7 @@ #include "esi/Expression.h" #include "esi/Segment.h" #include "esi/VarState.h" +#include "FadingCounter.h" #include "fatal.h" #include "http/Stream.h" #include "HttpHdrSc.h" 
@@ -930,13 +931,18 @@ ESIContext::addStackElement (ESIElement::Pointer element) { /* Put on the stack to allow skipping of 'invalid' markup */ - assert (parserState.stackdepth <11); + + // throw an error if the stack location would be invalid + if (parserState.stackdepth >= ESI_STACK_DEPTH_LIMIT) + throw Esi::Error("ESI Too many nested elements"); + if (parserState.stackdepth < 0) + throw Esi::Error("ESI elements stack error, probable error in ESI template"); + assert (!failed()); debugs(86, 5, "ESIContext::addStackElement: About to add ESI Node " << element.getRaw()); if (!parserState.top()->addElement(element)) { - debugs(86, DBG_IMPORTANT, "ESIContext::addStackElement: failed to add esi node, probable error in ESI template"); - flags.error = 1; + throw Esi::Error("ESIContext::addStackElement failed, probable error in ESI template"); } else { /* added ok, push onto the stack */ parserState.stack[parserState.stackdepth] = element; @@ -1188,13 +1194,10 @@ assert (len); debugs(86, 5, "literal length is " << len); /* give a literal to the current element */ - assert (parserState.stackdepth <11); ESIElement::Pointer element (new esiLiteral (this, s, len)); - if (!parserState.top()->addElement(element)) { - debugs(86, DBG_IMPORTANT, "ESIContext::addLiteral: failed to add esi node, probable error in ESI template"); - flags.error = 1; - } + if (!parserState.top()->addElement(element)) + throw Esi::Error("ESIContext::addLiteral failed, probable error in ESI template"); } void 
@@ -1256,8 +1259,24 @@ PROF_start(esiParsing); - while (buffered.getRaw() && !flags.error) - parseOneBuffer(); + try { + while (buffered.getRaw() && !flags.error) + parseOneBuffer(); + + } catch (Esi::ErrorDetail &errMsg) { // FIXME: non-const for c_str() + // level-2: these are protocol/syntax errors from upstream + debugs(86, 2, "WARNING: ESI syntax error: " << errMsg); + setError(); + setErrorMessage(errMsg.c_str()); + + } catch (...) { + // DBG_IMPORTANT because these are local issues the admin needs to fix + static FadingCounter logEntries; // TODO: set horizon less than infinity + if (logEntries.count(1) < 100) + debugs(86, DBG_IMPORTANT, "ERROR: ESI parser: " << CurrentException); + setError(); + setErrorMessage("ESI parser error"); + } PROF_stop(esiParsing); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/esi/Esi.h new/squid-4.11/src/esi/Esi.h --- old/squid-4.10/src/esi/Esi.h 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/esi/Esi.h 2020-04-19 14:38:51.000000000 +0200 @@ -10,6 +10,11 @@ #define SQUID_ESI_H #include "clientStream.h" +#include "sbuf/SBuf.h" + +#if !defined(ESI_STACK_DEPTH_LIMIT) +#define ESI_STACK_DEPTH_LIMIT 20 +#endif /* ESI.c */ extern CSR esiStreamRead; 
@@ -18,5 +23,14 @@ extern CSS esiStreamStatus; int esiEnableProcessing (HttpReply *); +namespace Esi +{ + +typedef SBuf ErrorDetail; +/// prepare an Esi::ErrorDetail for throw on ESI parser internal errors +inline Esi::ErrorDetail Error(const char *msg) { return ErrorDetail(msg); } + +} // namespace Esi + #endif /* SQUID_ESI_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/esi/Expression.cc new/squid-4.11/src/esi/Expression.cc --- old/squid-4.10/src/esi/Expression.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/esi/Expression.cc 2020-04-19 14:38:51.000000000 +0200 @@ -10,6 +10,7 @@ #include "squid.h" #include "Debug.h" +#include "esi/Esi.h" #include "esi/Expression.h" #include "profiler/Profiler.h" @@ -97,6 +98,17 @@ cleanmember(&s[*depth]); } +static void +stackpush(stackmember *stack, stackmember &item, int *depth) +{ + if (*depth < 0) + throw Esi::Error("ESIExpression stack has negative size"); + if (*depth >= ESI_STACK_DEPTH_LIMIT) + throw Esi::Error("ESIExpression stack is full, cannot push"); + + stack[(*depth)++] = item; +} + static evaluate evalnegate; static evaluate evalliteral; static evaluate evalor; @@ -208,6 +220,11 @@ /* invalid stack */ return 1; + if (whereAmI < 0) + throw Esi::Error("negate expression location too small"); + if (*depth >= ESI_STACK_DEPTH_LIMIT) + throw Esi::Error("negate expression too complex"); + if (stack[whereAmI + 1].valuetype != ESI_EXPR_EXPR) /* invalid operand */ return 1; @@ -280,7 +297,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) 
@@ -327,7 +344,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -373,7 +390,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -421,7 +438,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -469,7 +486,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -517,7 +534,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -566,7 +583,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -613,7 +630,7 @@ srv.precedence = 1; - stack[(*depth)++] = srv; + stackpush(stack, srv, depth); /* we're out of way, try adding now */ if (!addmember(stack, depth, candidate)) @@ -953,6 +970,9 @@ /* !(!(a==b))) is why thats safe */ /* strictly less than until we unwind */ + if (*stackdepth >= ESI_STACK_DEPTH_LIMIT) + throw Esi::Error("ESI expression too complex to add member"); + if (candidate->precedence < stack[*stackdepth - 1].precedence || candidate->precedence < stack[*stackdepth - 2].precedence) { /* must be an operator */ @@ -968,10 +988,10 @@ return 0; } } else { - stack[(*stackdepth)++] = *candidate; + stackpush(stack, *candidate, stackdepth); } } else if (candidate->valuetype != ESI_EXPR_INVALID) - stack[(*stackdepth)++] = *candidate; + stackpush(stack, *candidate, stackdepth); return 1; } 
@@ -979,7 +999,7 @@ int ESIExpression::Evaluate(char const *s) { - stackmember stack[20]; + stackmember stack[ESI_STACK_DEPTH_LIMIT]; int stackdepth = 0; char const *end; PROF_start(esiExpressionEval); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/fs/ufs/UFSSwapDir.cc new/squid-4.11/src/fs/ufs/UFSSwapDir.cc --- old/squid-4.10/src/fs/ufs/UFSSwapDir.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/fs/ufs/UFSSwapDir.cc 2020-04-19 14:38:51.000000000 +0200 @@ -724,6 +724,9 @@ void Fs::Ufs::UFSSwapDir::openLog() { + if (!IamWorkerProcess()) + return; + assert(NumberOfUFSDirs || !UFSDirToGlobalDirMapping); ++NumberOfUFSDirs; assert(NumberOfUFSDirs <= Config.cacheSwap.n_configured); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/http/url_rewriters/LFS/url_lfs_rewrite.8 new/squid-4.11/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- old/squid-4.10/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2020-01-20 04:07:19.000000000 +0100 +++ new/squid-4.11/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2020-04-19 14:50:37.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/log/DB/log_db_daemon.8 new/squid-4.11/src/log/DB/log_db_daemon.8 --- old/squid-4.10/src/log/DB/log_db_daemon.8 2020-01-20 04:07:19.000000000 +0100 +++ new/squid-4.11/src/log/DB/log_db_daemon.8 2020-04-19 14:50:38.000000000 +0200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/log/ModDaemon.cc new/squid-4.11/src/log/ModDaemon.cc --- old/squid-4.10/src/log/ModDaemon.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/log/ModDaemon.cc 2020-04-19 14:38:51.000000000 +0200 
@@ -298,8 +298,14 @@ } return; } - /* Append this data to the end buffer; create a new one if needed */ + /* Are we eol? If so, prefix with our logfile command byte */ + if (ll->eol == 1) { + logfile_mod_daemon_append(lf, "L", 1); + ll->eol = 0; + } + + /* Append this data to the end buffer; create a new one if needed */ logfile_mod_daemon_append(lf, buf, len); } @@ -307,12 +313,8 @@ logfile_mod_daemon_linestart(Logfile * lf) { l_daemon_t *ll = static_cast<l_daemon_t *>(lf->data); - char tb[2]; assert(ll->eol == 1); - ll->eol = 0; - tb[0] = 'L'; - tb[1] = '\0'; - logfile_mod_daemon_append(lf, tb, 1); + // logfile_mod_daemon_writeline() sends the starting command } static void @@ -320,7 +322,8 @@ { l_daemon_t *ll = static_cast<l_daemon_t *>(lf->data); logfile_buffer_t *b; - assert(ll->eol == 0); + if (ll->eol == 1) // logfile_mod_daemon_writeline() wrote nothing + return; ll->eol = 1; /* Kick a write off if the head buffer is -full- */ if (ll->bufs.head != NULL) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/peer_select.cc new/squid-4.11/src/peer_select.cc --- old/squid-4.10/src/peer_select.cc 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/src/peer_select.cc 2020-04-19 14:38:51.000000000 +0200 
@@ -274,6 +274,20 @@ return; } + if (fs && fs->code == PINNED) { + // Send an empty IP address marked as PINNED + const Comm::ConnectionPointer p = new Comm::Connection(); + p->peerType = PINNED; + // Caller requires to check for pinned connections through + // CachePeer object: + p->setPeer(fs->_peer.get()); + psstate->paths->push_back(p); + psstate->servers = fs->next; + delete fs; + peerSelectDnsPaths(psstate); + return; + } + // convert the list of FwdServer destinations into destinations IP addresses if (fs && psstate->paths->size() < (unsigned int)Config.forward_max_tries) { // send the next one off for DNS lookup. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/security/cert_validators/fake/security_fake_certverify.8 new/squid-4.11/src/security/cert_validators/fake/security_fake_certverify.8 --- old/squid-4.10/src/security/cert_validators/fake/security_fake_certverify.8 2020-01-20 04:07:19.000000000 +0100 +++ new/squid-4.11/src/security/cert_validators/fake/security_fake_certverify.8 2020-04-19 14:50:38.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SECURITY_FAKE_CERTVERIFY 8" -.TH SECURITY_FAKE_CERTVERIFY 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH SECURITY_FAKE_CERTVERIFY 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/src/store/id_rewriters/file/storeid_file_rewrite.8 new/squid-4.11/src/store/id_rewriters/file/storeid_file_rewrite.8 --- old/squid-4.10/src/store/id_rewriters/file/storeid_file_rewrite.8 2020-01-20 04:07:17.000000000 +0100 +++ new/squid-4.11/src/store/id_rewriters/file/storeid_file_rewrite.8 2020-04-19 14:50:36.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/tools/helper-mux/helper-mux.8 new/squid-4.11/tools/helper-mux/helper-mux.8 --- old/squid-4.10/tools/helper-mux/helper-mux.8 2020-01-20 04:07:20.000000000 +0100 +++ new/squid-4.11/tools/helper-mux/helper-mux.8 2020-04-19 14:50:38.000000000 +0200 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "HELPER-MUX 8" -.TH HELPER-MUX 8 "2020-01-20" "perl v5.28.1" "User Contributed Perl Documentation" +.TH HELPER-MUX 8 "2020-04-19" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-4.10/tools/systemd/squid.service new/squid-4.11/tools/systemd/squid.service --- old/squid-4.10/tools/systemd/squid.service 2020-01-20 03:51:40.000000000 +0100 +++ new/squid-4.11/tools/systemd/squid.service 2020-04-19 14:38:51.000000000 +0200 @@ -11,12 +11,13 @@ After=network.target network-online.target nss-lookup.target [Service] -Type=forking +Type=notify PIDFile=/var/run/squid.pid ExecStartPre=/usr/sbin/squid --foreground -z -ExecStart=/usr/sbin/squid -sYC +ExecStart=/usr/sbin/squid --foreground -sYC ExecReload=/bin/kill -HUP $MAINPID KillMode=mixed +NotifyAccess=all [Install] WantedBy=multi-user.target ++++++ squid-4.10.tar.xz.asc -> squid-4.11.tar.xz.asc ++++++ --- /work/SRC/openSUSE:Leap:15.2/squid/squid-4.10.tar.xz.asc 2020-02-29 17:18:51.705341423 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.squid.new.2738/squid-4.11.tar.xz.asc 2020-05-03 14:28:47.300443274 +0200 
@@ -1,25 +1,25 @@ -File: squid-4.10.tar.xz -Date: Mon Jan 20 04:10:45 UTC 2020 -Size: 2445848 -MD5 : af7ac6e70f9bd03ae4fcec0c9b99c38a -SHA1: b8b267771550bb8c7f2b2968b305118090e7217a +File: squid-4.11.tar.xz +Date: Sun Apr 19 12:56:37 UTC 2020 +Size: 2447700 +MD5 : 10f34e852153a9996aa4614670e2bda1 +SHA1: 053277bf5497163ffc9261b9807abda5959bb6fc Key : CD6DBF8EF3B17D3E <squ...@treenet.co.nz> B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E keyring = http://www.squid-cache.org/pgp.asc keyserver = pool.sks-keyservers.net -----BEGIN PGP SIGNATURE----- -iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl4lKFMACgkQzW2/jvOx -fT4aUBAAhR5YcsaTdBaFMOTNM0WUp3USNxjhrQtq+rwkQLqwh3hl2idKZY6fmqAJ -cv/m9915T7Nd2H7ROl3vxs0ToP1R5EsEbyvcz/tKPoBrXFDDH9JsgkvbF0A4oxW1 -S8PtRlwXPbllHp/yaEZk9NL0PZCrUeW79s4M2hXSPOsC0/RogUUMN/Saa8VX3ZVe -ZuSZoy+Ew3ZeQ3Y/mqblTN6xRn9zLq+GfqXOjTQQBfAiGprjsPQE4rOame6P9meh -aGOGDABx7YoRsSskiAZY8cfIsunZdHoORi1WXvcu3hAB0zCZjrO0vptSig7sVCFD -pdjLCrxopj/jIpAcVLPhl7AHjirAeTxDraQhgie+PT3M+tVm950HJZRt/idzCiNX -XJj4Tw2gZ+tCKPLUoPvILID8grQQ+HKUA1a8ASeUxUD+sOcwdolUhbzlIl9lMDwY -hxle9J1QH/04MAhMEnfGZH+ekR5PV+XG4iLWQnPcMSKymtDxiYpgJ9GTDBww0phk -P1Tg33kSkHLAecEvcFlkZwrsw57qULFQKo2ZUE7Udm9xwBruwPunc+1XJ/PCs6mc -3RfT5b1rf/fgWhvuwm5vuBkbL1H74gX8u84G984st5zj33t9aagByUXIkxjsLQww -pFHXYm1PbphFsRIAcAGfkEluSz1X9yOwXyy12uuE7Bc/Ox7zIXk= -=vpEO +iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl6cSpEACgkQzW2/jvOx +fT6YbA/6A+IbIbNBJUW45oj23Io9Tw/CzAcTeLHR+McKwV77qMbR+L+kQ+fUdM5F +rHAmd8bVVlyHc4WanVfWItEmzBzHA/ifTNvVpefSGGEbDb80RF66k7ACiZUokg1b +kkPwc/SjDhe2wvketIaBiVVd7pylrlCdVvazcF8gE9MWDOIlJND5mnHXidXvwkbJ +T2//8JZVEmcmN9pdFGNAUVckFm+AnwWXcRM1SQPYDGSVUtjVlqido8snLTA1mZwl +rIpjppujMV54OOWlj+Gqa3MZkpNzIaMCAfphzUFlsQY+/sRUYAOv1wmxw2WclxlK +WlWM+fw8OsYNDMwkOScKZZWceoAkq6UsUHzCAdJIdLqV/R6mZ9nfuZ6BHIr0+2dP +bDf9MU4KXbwEuXiRD/KPziUxxOZwSPivbm3wy9DqTTZfO9V+Iq6FVHX+ahxJ0XbM +JWRYA3GW+DRLjorfsWxU5r4UJsrnBfhItPUAfGPjPjEGZ/pn8r9G6MGenNGPLMKy +wP1rMlOhrZPwerzokzAvKx8G0WWkfN+IPv2JK3rDot6RiJIOuvnZZd4RIuVNTGbh 
+liO7M24JlWX3WD2wHBzxQag46+plb3VvrrVChwIQnZ2Qzpf50w0Bife/wtNBGpK0 +k/Xi/nocO796YS8GZBnmhS1lEGEwp/YpJBFWmIjTWMUMEOcswVA= +=PKl0 -----END PGP SIGNATURE----- ++++++ squid-user.conf ++++++ # Type Name ID GECOS [HOME] u squid - "WWW-proxy squid" /var/cache/squid g winbind - - m squid winbind
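Review bot: In src/auth/digest/Config.cc, the rewritten nonce comment keeps "even if our randomness is not very random we don't really care", but with the memory pointer removed the hash input is only creationtime (current_time.tv_sec, one-second resolution) and the uint32_t randomdata, and the NP comment directly below says each worker will likely produce the same random sequence. Uniqueness within a second now rests on randomdata alone, so the comment should say so, and the per-worker seeding issue the NP comment describes deserves a follow-up rather than a "don't care".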
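Review bot: In authDigestNonceLink() (src/auth/digest/Config.cc), "assert(nonce->references != 0); // no overflows" runs after "++nonce->references", so a wrap is noticed only once it has already happened, and the reaction is to abort the process. Widening the field from short to uint64_t in Config.h is what actually removes the overflow; consider testing against the maximum before the increment and refusing the link, so the assert does not become a crash path if the field type changes again.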
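Review bot: In src/client_side.cc the include of <systemd/sd-daemon.h> is guarded by HAVE_SYSTEMD_SD_DAEMON_H while the sd_notify() call is guarded by USE_SYSTEMD; if the two macros can ever disagree the build fails, so use one guard for both or state that configure always sets them together. The XXX in the same hunk also matters to operators: READY=1 is sent when the first port opens, so units ordered after squid.service can start before every configured port is listening.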
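Review bot: In src/clients/FtpGateway.cc the hunk only deletes "memset(tokens, 0, sizeof(tokens));" and nothing visible replaces it. Please show where tokens is initialised now and confirm that nothing reads entries at or beyond n_tokens, because a read of an uninitialised slot would expose stale memory; a one-line comment next to "n_tokens = 0;" stating the invariant would make the removal reviewable.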
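Review bot: In ESIContext::addStackElement() (src/esi/Esi.cc), the "parserState.stackdepth < 0" branch throws Esi::Error with the text "probable error in ESI template", but a negative depth is a broken internal invariant, not bad upstream markup. Because it is an Esi::Error it is caught by the "catch (Esi::ErrorDetail &errMsg)" handler and logged at level 2 as a syntax error; it should reach the DBG_IMPORTANT path that the catch-all reserves for local issues. The ">= ESI_STACK_DEPTH_LIMIT" test itself is right and also closes the off-by-one that the old "assert (parserState.stackdepth <11)" allowed against a 10-element array.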
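Review bot: In the new catch (...) block around parseOneBuffer() (src/esi/Esi.cc), "static FadingCounter logEntries;" is left with the horizon its TODO calls infinite, so after "logEntries.count(1) < 100" stops being true the ERROR line is suppressed for the rest of the process lifetime. An admin who misses the first 100 entries gets no further signal; set a finite horizon now or log a final "further ESI parser errors suppressed" message when the limit is reached.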
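Review bot: In src/esi/Esi.h, "typedef SBuf ErrorDetail;" makes the ESI exception type a plain SBuf, so the handler "catch (Esi::ErrorDetail &errMsg)" will also catch any SBuf thrown for unrelated reasons and report it as an ESI syntax error. A small dedicated exception class would keep the two catch paths distinct and would also allow the const reference that the FIXME in Esi.cc asks for.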
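Review bot: In stackpush() (src/esi/Expression.cc), the bound is the global ESI_STACK_DEPTH_LIMIT rather than the size of the array passed in, so the check is only correct because ESIExpression::Evaluate() was changed in the same patch to "stackmember stack[ESI_STACK_DEPTH_LIMIT];". Pass the capacity as a parameter or document the coupling at both places, so a later caller with a differently sized stack does not silently lose the protection. The item parameter can also be a const reference.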
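Review bot: In the negate evaluator hunk (src/esi/Expression.cc, around old line 208), the new upper-bound test is on *depth, but the read that follows is "stack[whereAmI + 1].valuetype". Unless the truncated test just above (the one that returns 1 for "invalid stack") already ties whereAmI to *depth, check "whereAmI + 1" against ESI_STACK_DEPTH_LIMIT directly so the guard matches the index actually used.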
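Review bot: In logfile_mod_daemon_linestart() (src/log/ModDaemon.cc), after this change "l_daemon_t *ll" is used only by "assert(ll->eol == 1);", which leaves an unused variable when asserts are compiled out. Either drop the local and the assert, or keep the check as a real runtime test. It would also help to state in the comment that the "L" command byte is now emitted lazily by logfile_mod_daemon_writeline(), since lineend's new early return depends on that.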
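Review bot: In src/peer_select.cc the new "fs->code == PINNED" branch is placed ahead of the existing "psstate->paths->size() < (unsigned int)Config.forward_max_tries" test, so a pinned path is appended regardless of the configured try limit. If that is intended, say so in the comment; if not, apply the same limit here. Please also confirm that p->setPeer() takes its own reference to the CachePeer, since it is given "fs->_peer.get()" immediately before "delete fs;".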
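Review bot: In tools/systemd/squid.service, "NotifyAccess=all" lets every process in the unit's control group, helpers included, send notification messages to systemd, which is wider than the default for Type=notify. Add a comment explaining why the main process alone is not sufficient (presumably because READY=1 is sent by the process that opens the listening ports), and check whether PIDFile= is still needed now that the service runs with --foreground.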
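Review bot: The squid-4.11.tar.xz.asc header lists only MD5 and SHA1 digests for the tarball, and neither should be relied on for integrity. The package source check should verify the detached PGP signature against the full fingerprint given on the Key line rather than compare these digests.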