Hello community, here is the log from the commit of package squid.12988 for openSUSE:Leap:15.1:Update checked in at 2020-06-29 20:20:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/squid.12988 (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.squid.12988.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squid.12988" Mon Jun 29 20:20:10 2020 rev:1 rq:817232 version:4.12 Changes: -------- New Changes file: --- /dev/null 2020-06-25 10:56:43.568241769 +0200 +++ /work/SRC/openSUSE:Leap:15.1:Update/.squid.12988.new.3060/squid.changes 2020-06-29 20:20:10.547029465 +0200 @@ -0,0 +1,2976 @@ +------------------------------------------------------------------- +Sun Jun 21 05:28:33 UTC 2020 - Andreas Stieger <andreas.stie...@gmx.de> + +- squid 4.12: + * Fixes a potential Denial of Service when processing TLS certificates + during HTTPS or SSL-Bump connections (CVE-2020-14059, bsc#1173304) + * Regression Fix: Revert to slow search for new SMP shm pages + * Fix Negative responses are never cached + * HTTP: validate Content-Length value prefix + * HTTP: add flexible RFC 3986 URI encoder + * Fix stall if transaction overwrites a recently active cache + entry + +------------------------------------------------------------------- +Thu Apr 23 13:02:37 UTC 2020 - Adam Majer <adam.ma...@suse.de> + +- Update to squid 4.11: + * Fix incorrect buffer handling that can result in cache + poisoning, remote execution, and denial of service attacks when + processing ESI responses + (CVE-2019-12519, CVE-2019-12521, bsc#1169659) + * Fixes possible information disclosure when translating + FTP server listings into HTTP responses. + (CVE-2019-12528, bsc#1162689) + * Fixes possible denial of service caused by incorrect buffer + management ext_lm_group_acl when processing NTLM Authentication + credentials. (CVE-2020-8517, bsc#1162691) + * Fixes a potential remote execution vulnerability when using + HTTP Digest Authentication (CVE-2020-11945, bsc#1170313) + * Fixes problem when reconfigure killed Coordinator in + SMP+ufs configurations (#556) + +------------------------------------------------------------------- +Mon Apr 20 10:24:46 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Make logrotate recommended, it's not strictly required and + doesn't make any sense in containers + +------------------------------------------------------------------- +Tue Feb 18 15:46:02 CET 2020 - ku...@suse.de + +- Use sysusers instead of shadow to create squid user and groups +- Don't hard require systemd + +------------------------------------------------------------------- +Wed Feb 5 09:57:59 UTC 2020 - Adam Majer <adam.ma...@suse.de> + +- Update to squid 4.10: + * fixes a security issue allowing a remote client ability to cause + use a buffer overflow when squid is acting as reverse-proxy. + (CVE-2020-8449, CVE-2020-8450, bsc#1162687) + * fixes a security issue allowing for information disclosure in + FTP gateway (CVE-2019-12528, bsc#1162689) + * fixes a security issue in ext_lm_group_acl when processing + NTLM Authentication credentials. (CVE-2020-8517, bsc#1162691) + * improve cache handling with chunked responses + +------------------------------------------------------------------- +Fri Nov 8 15:24:15 UTC 2019 - Adam Majer <adam.ma...@suse.de> + +- Update to squid 4.9: + * fixes multiple Cross-Site Scripting issues in cachemgr.cgi + (CVE-2019-13345, bsc#1140738) + * fixes heap overflow in URN processing + (CVE-2019-12526, bsc#1156326) + * fixes multiple issues in URI processing + (CVE-2019-12523, CVE-2019-18676, bsc#1156329) + * fixes Cross-Site Request Forgery in HTTP Request processing + (CVE-2019-18677, bsc#1156328) + * fixes HTTP Request Splitting in HTTP message processing + (CVE-2019-18678, bsc#1156323) + * fixes information disclosure in HTTP Digest Authentication + (CVE-2019-18679, bsc#1156324) + * lower cache_peer hostname - this showed up as DNS failures + if peer name was configured with any upper case characters + * TLS: Multiple SSL-Bump fixes + * TLS: Fix expiration of self-signed generated certs to be 3 years + * TLS: Fix on_unsupported_protocol tunnel action + * Fix several rock cache_dir corruption issues + * fixes handling of invalid domain names in cachemgr.cgi + (CVE-2019-18860, bsc#1167373) + +- fix_configuration_error.patch: upstreamed +- old_nettle_compat.patch: refreshed + +------------------------------------------------------------------- +Tue Aug 6 13:05:58 UTC 2019 - Adam Majer <adam.ma...@suse.de> + +- fix_configuration_error.patch: Fix compilation with -Wreturn-type +- old_nettle_compat.patch: Update to actually use older version + +------------------------------------------------------------------- +Thu Jul 18 14:11:28 UTC 2019 - Adam Majer <adam.ma...@suse.de> + +- old_nettle_compat.patch: Fix compatibility with nettle in SLE-12 + +------------------------------------------------------------------- +Mon Jul 15 14:58:13 UTC 2019 - Adam Majer <adam.ma...@suse.de> + +- Update to squid 4.8: + + Ignore ECONNABORTED in accept(2) + + RFC 7230 forbids generation of userinfo subcomponent of https URL + + cachemgr.cgi: unallocated memory access resulting in a potential + denial of service. (bsc#1141442, CVE-2019-12854) + + terminating c-strings beyond BASE64_DECODE_LENGTH + + Replace uudecode with libnettle base64 decoder fixing a denial + of service vulnerability (bsc#1141329, CVE-2019-12529) + + fix to_localhost does not include :: + + Fix GCC-9 build issues + + Fix Digest auth parameter parsing preventing a potential + denial of service (bsc#1141332, CVE-2019-12525) + + Update HttpHeader::getAuth to SBuf which prevents a potential + heap overflowing allowing a possible remote code execution + attack when processing HTTP Authentication credentials + (bsc#1141330, CVE-2019-12527) + + Add the NO_TLSv1_3 option to available tls-options values + + Fix handling of tiny invalid responses + + Fix Memory leak when http_reply_access uses external_acl + + Fix Multiple XSS issues in cachemgr.cgi + (bsc#1140738, CVE-2019-13345) +- use unbundled version of libnettle +- disable LTO as a workaround to tests failing + +------------------------------------------------------------------- +Wed May 8 10:41:22 UTC 2019 - Adam Majer <adam.ma...@suse.de> + +- Update to squid 4.7: (jsc#SLE-5648) + + Fix stack-based buffer-overflow when parsing SNMP messages + + Fixed squidclient authentication + + Add support for buffer-size= to UDP logging + + Trust intermediate CAs from trusted stores + + Bug #4928: Cannot convert non-IPv4 to IPv4 + + Bug #4796: comm.cc !isOpen(conn->fd) assertion when rotating logs + + Bug #4823: assertion failed: "lowestOffset () <= target_offset" + (bsc#1133089) + + Bug #4942: --with-filedescriptors does not do anything + +------------------------------------------------------------------- +Tue Feb 26 15:53:50 UTC 2019 - adam.ma...@suse.de + +- Syncronize bug and CVE references between 3.x and 4.x squid changelog + versions. These bugs were fixed here either without properly referencing + them during the fix or 4.x branch was never affected by them. + (bsc#1090089, CVE-2018-1172, bsc#979008, CVE-2016-4556, + bsc#938715, CVE-2015-5400, bsc#949942, CVE-2014-9749, + bsc#1016169, CVE-2016-10003, bsc#1016168, CVE-2016-10002, + bsc#979011, CVE-2016-4555, bsc#979010, CVE-2016-4554, + bsc#979009, CVE-2016-4553, bsc#976556, CVE-2016-4054, + bsc#976553, CVE-2016-4051, bsc#973783, CVE-2016-3948, + bsc#973782, CVE-2016-3947, bsc#968395, CVE-2016-2572, + bsc#968394, CVE-2016-2571, bsc#968393, CVE-2016-2570, + bsc#968392, CVE-2016-2569, bsc#967011, CVE-2016-2390, + bsc#959290, CVE-2016-4052, CVE-2016-4053, + bsc#1029157, bsc#1024020, bsc#998595, fate#319674) + +------------------------------------------------------------------- +Sat Feb 23 06:37:31 UTC 2019 - sean...@opensuse.org + +- Update to squid 4.6: + + master commit b599471 leaks memory (#4919) + + SourceFormat Enforcement (#367) + + Detect IPv6 loopack binding errors (#355) + + Do not call setsid() in --foreground mode (#354) + + Fail Rock swapout if the disk dropped write reqs (#352) + + Initialize StoreMapSlice when reserving a new cache slot (#350) + + Fixed disker-to-worker queue overflows (#353) + + Fix OpenSSL builds that define OPENSSL_NO_ENGINE (#349) + + Fix BodyPipe/Sink memory leaks associated with auto-consumption + + Exit when GoIntoBackground() fork() call fails (#344) + + GCC-8 compile errors with -O3 optimization (#4875) + + Initial translations to ka/georgian language (#345) + + basic_ldap_auth: Return BH on internal errors (#347) + +------------------------------------------------------------------- +Mon Feb 18 10:03:23 UTC 2019 - adam.ma...@suse.de + +- Revert whitespace deletions of .changes as it makes diffs a pain. + +------------------------------------------------------------------- +Sat Feb 16 00:19:25 UTC 2019 - Jan Engelhardt <jeng...@inai.de> + +- Do not hide errors from useradd. Make scriptlets + plain sh compatible. + +------------------------------------------------------------------- +Wed Jan 02 05:45:03 UTC 2019 - s...@suspend.net + +- Update to squid 4.5: + + Squid crashes when ICAPS and a sslcrtvalidator used together (#328) + + ssl_bump prevents from accessing some web contents (#304) + + Docs: improved lexgrog compatibility (#340) + + Redesign forward_max_tries count TCP connection attempts + + Fix client_connection_mark ACL handling of clientless transactions + + Fix netdb exchange with a TLS cache peer + + Update netdb when tunneling requests + + Use pkg-config for detecting libxml2 + + Misc doc updates ++++ 2779 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.1:Update/.squid.12988.new.3060/squid.changes New: ---- README.kerberos cache_dir.sed initialize_cache_if_needed.sh missing_installs.patch old_nettle_compat.patch pam.squid squid-4.12.tar.xz squid-4.12.tar.xz.asc squid-user.conf squid.changes squid.keyring squid.logrotate squid.permissions squid.service squid.spec tmpfilesdir.squid.conf unsquid.pl ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squid.spec ++++++ # # spec file for package squid # # Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define squidlibdir %{_libdir}/squid %define squidconfdir %{_sysconfdir}/squid Name: squid Version: 4.12 Release: 0 Summary: Caching and forwarding HTTP web proxy License: GPL-2.0-or-later Group: Productivity/Networking/Web/Proxy URL: http://www.squid-cache.org Source0: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz Source1: http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc Source5: pam.squid Source6: unsquid.pl Source7: %{name}.logrotate Source9: %{name}.permissions Source10: README.kerberos Source11: %{name}.service Source12: %{name}-user.conf # http://lists.squid-cache.org/pipermail/squid-announce/2016-October/000064.html Source13: http://www.squid-cache.org/pgp.asc#/squid.keyring Source15: cache_dir.sed Source16: initialize_cache_if_needed.sh Source17: tmpfilesdir.squid.conf Patch1: missing_installs.patch Patch2: old_nettle_compat.patch BuildRequires: cppunit-devel BuildRequires: db-devel BuildRequires: ed BuildRequires: expat BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: libcap-devel BuildRequires: libtool BuildRequires: openldap2-devel BuildRequires: opensp-devel BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: samba-winbind BuildRequires: sharutils BuildRequires: sysuser-shadow BuildRequires: sysuser-tools BuildRequires: pkgconfig(expat) BuildRequires: pkgconfig(gssrpc) BuildRequires: pkgconfig(kdb) BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(libsasl2) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(nettle) Requires(pre): permissions Recommends: logrotate Provides: http_proxy # due to package rename # Wed Aug 15 17:40:30 UTC 2012 Provides: %{name}3 = %{version} Obsoletes: %{name}3 < %{version} %{?systemd_ordering} %sysusers_requires %if 0%{?suse_version} >= 1330 BuildRequires: libnsl-devel %endif %description Squid is a caching proxy for the Web supporting HTTP(S), FTP, and some others. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and can also be used as a server accelerator. %prep %setup -q cp %{SOURCE10} . # upstream patches after RELEASE perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"` %patch1 -p1 %if 0%{?suse_version} < 1500 %patch2 -p1 %endif %build %define _lto_cflags %{nil} autoreconf -fi cd libltdl; autoreconf -fi; cd .. export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export LDFLAGS="-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie" %configure \ --disable-strict-error-checking \ --sysconfdir=%{squidconfdir} \ --libexecdir=%{_sbindir} \ --datadir=%{_datadir}/squid \ --sharedstatedir=%{_localstatedir}/squid \ --with-logdir=%{_localstatedir}/log/squid \ --with-pidfile=/run/squid.pid \ --with-dl \ --enable-disk-io \ --enable-storeio \ --enable-removal-policies=heap,lru \ --enable-icmp \ --enable-delay-pools \ --enable-esi \ --enable-icap-client \ --enable-useragent-log \ --enable-referer-log \ --enable-kill-parent-hack \ --enable-arp-acl \ --enable-ssl-crtd \ --with-openssl \ --enable-forw-via-db \ --enable-cache-digests \ --enable-linux-netfilter \ --with-large-files \ --enable-underscores \ --enable-auth \ --enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \ --enable-auth-ntlm="SMB_LM,fake" \ --enable-auth-negotiate \ --enable-auth-digest \ --enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group,time_quota \ --enable-stacktraces \ --enable-x-accelerator-vary \ --with-default-user=%{name} \ --disable-ident-lookups \ --enable-follow-x-forwarded-for \ --disable-arch-native \ --enable-security-cert-generators \ --enable-security-cert-validators %make_build SAMBAPREFIX=%{_prefix} %sysusers_generate_pre %{SOURCE12} squid %install install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} install -d %{buildroot}%{_sbindir} # make_install %make_install SAMBAPREFIX=%{_prefix} mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible # install logrotate file install -Dpm 644 %{SOURCE7} \ %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -d -m 755 doc/scripts install scripts/*.pl doc/scripts cat > doc/scripts/cachemgr.readme <<-EOT cachemgr.cgi will now be found in %{_libdir}/%{name} EOT install -dpm 755 %{buildroot}/%{_libdir}/%{name} mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name} install -dpm 755 doc/contrib install %{SOURCE6} doc/contrib install -Dpm 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/%{name} rm -rf %{buildroot}%{squidconfdir}/errors for i in errors/*; do if [ -d $i ]; then mkdir -p %{buildroot}%{_datadir}/%{name}/$i install -m 644 $i/* %{buildroot}%{_datadir}/%{name}/$i fi done ln -sf %{_datadir}/%{name}/errors/en %{buildroot}%{squidconfdir}/errors # fix file duplicates %fdupes -s %{buildroot}%{_prefix} # systemd install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service install -D -m 755 %{SOURCE15} %{buildroot}%{squidlibdir}/cache_dir.sed install -D -m 755 %{SOURCE16} %{buildroot}%{squidlibdir}/initialize_cache_if_needed.sh sed -i -e 's!%%{_libdir}!%{_libdir}!' %{buildroot}%{_unitdir}/%{name}.service ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} # needed for smp support (bsc#1112695, bsc#1112066) mkdir -p %{buildroot}%{_tmpfilesdir} install -D -m 644 %{SOURCE17} %{buildroot}%{_tmpfilesdir}/squid.conf # Move the MIB definition to the proper place (and name) mkdir -p %{buildroot}%{_datadir}/snmp/mibs mv %{buildroot}%{_datadir}/squid/mib.txt \ %{buildroot}%{_datadir}/snmp/mibs/SQUID-MIB.txt # Install sysusers file. mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/ %check # Fails in chroot environment %make_build check %pre -f squid.pre %service_add_pre %{name}.service # update mode? if [ "$1" -gt "1" ]; then if [ -e %{_sysconfdir}/%{name}.conf -a ! -L %{_sysconfdir}/%{name}.conf -a ! -e %{_sysconfdir}/%{name}/%{name}.conf ]; then echo "moving %{_sysconfdir}/%{name}.conf to %{_sysconfdir}/%{name}/%{name}.conf" mv %{_sysconfdir}/%{name}.conf %{_sysconfdir}/%{name}/%{name}.conf fi fi %post %set_permissions %{_sbindir}/basic_pam_auth %set_permissions %{_sbindir}/pinger %set_permissions %{_localstatedir}/cache/squid/ %set_permissions %{_localstatedir}/log/squid/ %tmpfiles_create %{_tmpfilesdir}/squid.conf %service_add_post squid.service %preun %service_del_preun squid.service %verifyscript %verify_permissions -e %{_sbindir}/basic_pam_auth %verify_permissions -e %{_sbindir}/pinger %verify_permissions -e %{_localstatedir}/cache/squid/ %verify_permissions -e %{_localstatedir}/log/squid/ %postun %service_del_postun squid.service %files %license COPYING %doc ChangeLog CONTRIBUTORS CREDITS %doc QUICKSTART README RELEASENOTES.html SPONSORS* %doc README.kerberos %doc doc/contrib doc/scripts %doc doc/debug-sections.txt src/%{name}.conf.default %{_mandir}/man?/* %{_unitdir}/%{name}.service %{squidlibdir}/initialize_cache_if_needed.sh %{squidlibdir}/cache_dir.sed %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ %dir %{squidconfdir} %dir %{_tmpfilesdir} %{_tmpfilesdir}/squid.conf %{_sysusersdir}/squid-user.conf %config(noreplace) %{squidconfdir}/cachemgr.conf %config(noreplace) %{squidconfdir}/errorpage.css %config(noreplace) %{squidconfdir}/errors %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %config(noreplace) %{squidconfdir}/mime.conf %config(noreplace) %{squidconfdir}/%{name}.conf %config %{squidconfdir}/cachemgr.conf.default %config %{squidconfdir}/errorpage.css.default %config %{squidconfdir}/%{name}.conf.default %config %{squidconfdir}/%{name}.conf.documented %config %{_sysconfdir}/pam.d/%{name} %dir %{_datadir}/%{name} %dir %{_datadir}/snmp %dir %{_datadir}/snmp/mibs %{_datadir}/%{name}/errors %{_datadir}/%{name}/icons %{_datadir}/%{name}/mime.conf %{_datadir}/%{name}/mime.conf.default %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_bindir}/purge %{_bindir}/squidclient %{_sbindir}/basic_db_auth %{_sbindir}/basic_fake_auth %{_sbindir}/basic_getpwnam_auth %{_sbindir}/basic_ldap_auth %{_sbindir}/digest_edirectory_auth %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth %verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth %{_sbindir}/basic_pop3_auth %{_sbindir}/basic_radius_auth %{_sbindir}/basic_sasl_auth %{_sbindir}/basic_smb_auth %{_sbindir}/basic_smb_auth.sh %{_sbindir}/basic_smb_lm_auth %{_sbindir}/cert_tool %{_sbindir}/digest_file_auth %{_sbindir}/digest_ldap_auth %{_sbindir}/diskd %{_sbindir}/ext_edirectory_userip_acl %{_sbindir}/ext_file_userip_acl %{_sbindir}/ext_kerberos_ldap_group_acl %{_sbindir}/ext_ldap_group_acl %{_sbindir}/ext_session_acl %{_sbindir}/ext_unix_group_acl %{_sbindir}/ext_wbinfo_group_acl %{_sbindir}/helper-mux %{_sbindir}/log_db_daemon %{_sbindir}/log_file_daemon %{_sbindir}/negotiate_kerberos_auth %{_sbindir}/negotiate_kerberos_auth_test %{_sbindir}/negotiate_wrapper_auth %{_sbindir}/ntlm_fake_auth %{_sbindir}/ntlm_smb_lm_auth %verify(not user group mode caps) %attr(0750,root,squid) %{_sbindir}/pinger %{_sbindir}/security_fake_certverify %{_sbindir}/security_file_certgen %{_sbindir}/%{name} %{_sbindir}/storeid_file_rewrite %{_sbindir}/unlinkd %{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite.sh %{_sbindir}/url_lfs_rewrite %{_sbindir}/ext_time_quota_acl %{_sbindir}/rc%{name} %dir %{_libdir}/%{name} %{_libdir}/%{name}/cachemgr.cgi %changelog ++++++ README.kerberos ++++++ This is the README.kerberos file to have squid negotiate/authenticate via kerberos any addons are very welcome comments could be posted to <chris(at)computersalat.de> 1) you need to add a "USER" inside your "Domain-Computers" Container called "squid". Yes a "USER" and not a Computer. You may use another name, but why ? 2) After having successfully created the user, you need to create a keytab file on your WIN box. Example: !! This is all in one line !! ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL \ -mapuser squid -pass * -out HTTP.keytab 3) copy over HTTP.keytab to /etc/squid/ on your linux box 4) you have to tell your browsers to negotiate via kerberos Have a look at: a) Internet Explorer does not support Kerberos authentication with proxy servers http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14 This limitation was removed in Windows Internet Explorer 7. If Integrated Windows Authentication is turned on in Internet Explorer for Windows 2000 and Windows XP, you can complete Kerberos authentication with Web servers either directly or through a proxy server. However, Internet Explorer cannot use Kerberos to authenticate with the proxy server itself. b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6 http://support.microsoft.com/kb/299838/EN-US/ To resolve this issue, enable Internet Explorer 6 to respond to a negotiate challenge and perform Kerberos authentication: 1. In Internet Explorer, click Internet Options on the Tools menu. 2. Click the Advanced tab, click to select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, and then click OK. 3. Restart Internet Explorer. Administrators can enable Integrated Windows Authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings Note Internet Explorer 6, when used with Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and default to NTLM (or Windows NT Challenge/Response) authentication even if the Enable Integrated Windows Authentication (requires restart) check box is selected because Kerberos authentication is not available on these operating systems. ++++++ cache_dir.sed ++++++ #!/usr/bin/sed -nf /^\s*cache_dir\s\+[[:alnum:]]\+\s\+\([[:graph:]\/]\+\)\s.*/ { s//\1\/00/p q } ++++++ initialize_cache_if_needed.sh ++++++ #!/bin/sh DIR=$(dirname $0) CACHE_DIR=$($DIR/cache_dir.sed < /etc/squid/squid.conf) if [ 'x'$CACHE_DIR = 'x' ]; then exit 0 fi if ! test -d $CACHE_DIR; then echo "Initializing cache directories..." exec /usr/sbin/squid -z -F --foreground -S fi ++++++ missing_installs.patch ++++++ Index: squid-4.0.22/src/acl/external/kerberos_ldap_group/Makefile.am =================================================================== --- squid-4.0.22.orig/src/acl/external/kerberos_ldap_group/Makefile.am +++ squid-4.0.22/src/acl/external/kerberos_ldap_group/Makefile.am @@ -15,9 +15,11 @@ EXTRA_DIST= \ AM_CPPFLAGS += -I$(srcdir) + libexec_SCRIPTS = cert_tool libexec_PROGRAMS = ext_kerberos_ldap_group_acl +man_MANS = ext_kerberos_ldap_group_acl.8 ext_kerberos_ldap_group_acl_SOURCES = \ kerberos_ldap_group.cc \ ++++++ old_nettle_compat.patch ++++++ Author: Adam Majer <ama...@suse.de> Date: Thu Jul 18 13:57:22 CEST 2019 nettle from SLE-12 is missing the change from later versions that ignores the destLen parameter size to base64_decode_update function. This is only used in the assert() but we need to pass real size of the buffer as otherwise all we get is a crash. The missing commit in nettle is, commit 07cb0b62a5fab216ed647f5a87e0f17ab3c9a615 Author: Niels Möller <ni...@lysator.liu.se> Date: Fri Feb 7 09:11:20 2014 +0100 Base64 and base16 decoding: Use *dst_length as output only. Index: squid-4.9/src/HttpHeader.cc =================================================================== --- squid-4.9.orig/src/HttpHeader.cc +++ squid-4.9/src/HttpHeader.cc @@ -1298,8 +1298,8 @@ HttpHeader::getAuthToken(Http::HdrType i char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen)); struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t decodedLen = 0; - if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) || + unsigned decodedLen = BASE64_DECODE_LENGTH(fieldLen); + if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, (uint8_t*)field) || !base64_decode_final(&ctx)) { return nil; } Index: squid-4.9/src/auth/basic/Config.cc =================================================================== --- squid-4.9.orig/src/auth/basic/Config.cc +++ squid-4.9/src/auth/basic/Config.cc @@ -176,8 +176,8 @@ Auth::Basic::Config::decodeCleartext(con struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t dstLen = 0; - if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) { + unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1; + if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) { cleartext[dstLen] = '\0'; /* Index: squid-4.9/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc =================================================================== --- squid-4.9.orig/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc +++ squid-4.9/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc @@ -131,6 +131,7 @@ token_decode(size_t *decodedLen, uint8_t { struct base64_decode_ctx ctx; base64_decode_init(&ctx); + *decodedLen = BASE64_DECODE_LENGTH(strlen(srcLen)); if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), reinterpret_cast<const uint8_t*>(buf)) || !base64_decode_final(&ctx)) { SEND("BH base64 decode failed"); Index: squid-4.9/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc =================================================================== --- squid-4.9.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc +++ squid-4.9/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc @@ -681,8 +681,8 @@ main(int argc, char *const argv[]) struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t dstLen = 0; - if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, b64Token) || + unsigned dstLen = BASE64_DECODE_LENGTH(srcLen); + if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, (const uint8_t*)b64Token) || !base64_decode_final(&ctx)) { debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token); fprintf(stdout, "BH Invalid negotiate request token\n"); @@ -743,8 +743,8 @@ main(int argc, char *const argv[]) } struct base64_encode_ctx tokCtx; base64_encode_init(&tokCtx); - size_t blen = base64_encode_update(&tokCtx, token, spnegoTokenLength, reinterpret_cast<const uint8_t*>(spnegoToken)); - blen += base64_encode_final(&tokCtx, token+blen); + size_t blen = base64_encode_update(&tokCtx, (uint8_t*)token, spnegoTokenLength, reinterpret_cast<const uint8_t*>(spnegoToken)); + blen += base64_encode_final(&tokCtx, (uint8_t*)token+blen); token[blen] = '\0'; if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1)) Index: squid-4.9/src/auth/negotiate/wrapper/negotiate_wrapper.cc =================================================================== --- squid-4.9.orig/src/auth/negotiate/wrapper/negotiate_wrapper.cc +++ squid-4.9/src/auth/negotiate/wrapper/negotiate_wrapper.cc @@ -192,8 +192,8 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t dstLen = 0; - if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) || + unsigned dstLen = length+1; + if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), (const uint8_t*)buf+3) || !base64_decode_final(&ctx)) { if (debug_enabled) fprintf(stderr, "%s| %s: Invalid base64 token [%s]\n", LogTime(), PROGRAM, buf+3); Index: squid-4.9/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc =================================================================== --- squid-4.9.orig/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc +++ squid-4.9/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc @@ -203,8 +203,8 @@ make_challenge(char *domain, char *domai struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, b64buf, len, reinterpret_cast<const uint8_t *>(&chal)); - blen += base64_encode_final(&ctx, b64buf+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, len, reinterpret_cast<const uint8_t *>(&chal)); + blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen); b64buf[blen] = '\0'; return b64buf; } @@ -516,9 +516,9 @@ manage_request() /* figure out what we got */ struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t dstLen = 0; + unsigned dstLen = NTLM_BLOB_BUFFER_SIZE; int decodedLen = 0; - if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, buf+3) || + if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, (const uint8_t*)buf+3) || !base64_decode_final(&ctx)) { SEND("NA Packet format error, couldn't base64-decode"); return; Index: squid-4.9/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc =================================================================== --- squid-4.9.orig/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc +++ squid-4.9/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc @@ -418,6 +418,7 @@ token_decode(size_t *decodedLen, uint8_t { struct base64_decode_ctx ctx; base64_decode_init(&ctx); + *decodedLen = BASE64_DECODE_LENGTH(strlen(buf))+1; if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), reinterpret_cast<const uint8_t*>(buf)) || !base64_decode_final(&ctx)) { SEND_BH("message=\"base64 decode failed\""); Index: squid-4.9/src/auth/ntlm/fake/ntlm_fake_auth.cc =================================================================== --- squid-4.9.orig/src/auth/ntlm/fake/ntlm_fake_auth.cc +++ squid-4.9/src/auth/ntlm/fake/ntlm_fake_auth.cc @@ -153,9 +153,9 @@ main(int argc, char *argv[]) ntlmhdr *packet; struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t dstLen = 0; + unsigned dstLen = HELPER_INPUT_BUFFER; if (buflen > 3 && - base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) && + base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, (const uint8_t*)buf+3) && base64_decode_final(&ctx)) { decodedLen = dstLen; packet = (ntlmhdr*)decodedBuf; @@ -190,8 +190,8 @@ main(int argc, char *argv[]) struct base64_encode_ctx eCtx; base64_encode_init(&eCtx); char *data = static_cast<char *>(xcalloc(base64_encode_len(len), 1)); - size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<const uint8_t *>(&chal)); - blen += base64_encode_final(&eCtx, data+blen); + size_t blen = base64_encode_update(&eCtx, (uint8_t*)data, len, reinterpret_cast<const uint8_t *>(&chal)); + blen += base64_encode_final(&eCtx, (uint8_t*)data+blen); if (NTLM_packet_debug_enabled) { printf("TT %.*s\n", (int)blen, data); debug("sending 'TT' to squid with data:\n"); Index: squid-4.9/tools/cachemgr.cc =================================================================== --- squid-4.9.orig/tools/cachemgr.cc +++ squid-4.9/tools/cachemgr.cc @@ -1104,8 +1104,8 @@ make_pub_auth(cachemgr_request * req) req->pub_auth = (char *) xmalloc(encodedLen); struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, req->pub_auth, bufLen, reinterpret_cast<uint8_t*>(buf)); - blen += base64_encode_final(&ctx, req->pub_auth + blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)req->pub_auth, bufLen, reinterpret_cast<uint8_t*>(buf)); + blen += base64_encode_final(&ctx, (uint8_t*)req->pub_auth + blen); req->pub_auth[blen] = '\0'; debug("cmgr: encoded: '%s'\n", req->pub_auth); } @@ -1125,8 +1125,8 @@ decode_pub_auth(cachemgr_request * req) char *buf = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1)); struct base64_decode_ctx ctx; base64_decode_init(&ctx); - size_t decodedLen = 0; - if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), req->pub_auth) || + unsigned decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1; + if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), (uint8_t*)req->pub_auth) || !base64_decode_final(&ctx)) { debug("cmgr: base64 decode failure. Incomplete auth token string.\n"); xfree(buf); @@ -1219,8 +1219,8 @@ make_auth_header(const cachemgr_request char *str64 = static_cast<char *>(xmalloc(encodedLen)); struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, str64, bufLen, reinterpret_cast<uint8_t*>(buf)); - blen += base64_encode_final(&ctx, str64+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)str64, bufLen, reinterpret_cast<uint8_t*>(buf)); + blen += base64_encode_final(&ctx, (uint8_t*)str64+blen); str64[blen] = '\0'; stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %.*s\r\n", (int)blen, str64); Index: squid-4.9/include/base64.h =================================================================== --- squid-4.9.orig/include/base64.h +++ squid-4.9/include/base64.h @@ -9,11 +9,11 @@ #ifndef _SQUID_BASE64_H #define _SQUID_BASE64_H -#if HAVE_NETTLE_BASE64_H && HAVE_NETTLE34_BASE64 +#if HAVE_NETTLE_BASE64_H #include <nettle/base64.h> #else /* Base64 functions copied from Nettle 3.4 under GPLv2, with adjustments */ - +#error "Mssing libnettle-devel" /* base64.h Base-64 encoding and decoding. Index: squid-4.9/lib/base64.c =================================================================== --- squid-4.9.orig/lib/base64.c +++ squid-4.9/lib/base64.c @@ -13,7 +13,7 @@ #include "squid.h" #include "base64.h" -#if !HAVE_NETTLE_BASE64_H || !HAVE_NETTLE34_BASE64 +#if !HAVE_NETTLE_BASE64_H /* base64-encode.c Index: squid-4.9/src/format/Format.cc =================================================================== --- squid-4.9.orig/src/format/Format.cc +++ squid-4.9/src/format/Format.cc @@ -557,8 +557,8 @@ Format::Format::assemble(MemBuf &mb, con struct base64_encode_ctx ctx; base64_encode_init(&ctx); - auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent())); - encLength += base64_encode_final(&ctx, buf + encLength); + auto encLength = base64_encode_update(&ctx, (uint8_t*)buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent())); + encLength += base64_encode_final(&ctx, (uint8_t*)buf + encLength); sb.rawAppendFinish(buf, encLength); out = sb.c_str(); Index: squid-4.9/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc =================================================================== --- squid-4.9.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc +++ squid-4.9/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc @@ -203,8 +203,8 @@ squid_kerb_proxy_auth(char *proxy) token = (char *) xcalloc(base64_encode_len(output_token.length), 1); struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value)); - blen += base64_encode_final(&ctx, token+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value)); + blen += base64_encode_final(&ctx, (uint8_t*)token+blen); } } Index: squid-4.9/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc =================================================================== --- squid-4.9.orig/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc +++ squid-4.9/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc @@ -245,8 +245,8 @@ getdomaingids(char *ad_groups, uint32_t base64_encode_init(&ctx); const uint32_t expectedSz = base64_encode_len(length+4) +1 /* terminator */; char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1)); - size_t blen = base64_encode_update(&ctx, b64buf, length+4, reinterpret_cast<uint8_t*>(ag)); - blen += base64_encode_final(&ctx, b64buf+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, length+4, reinterpret_cast<uint8_t*>(ag)); + blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen); b64buf[expectedSz-1] = '\0'; if (!pstrcat(ad_groups, b64buf)) { debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", @@ -334,8 +334,8 @@ getextrasids(char *ad_groups, uint32_t E base64_encode_init(&ctx); const uint32_t expectedSz = base64_encode_len(length) +1 /* terminator */; char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1)); - size_t blen = base64_encode_update(&ctx, b64buf, length, reinterpret_cast<uint8_t*>(ag)); - blen += base64_encode_final(&ctx, b64buf+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, length, reinterpret_cast<uint8_t*>(ag)); + blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen); b64buf[expectedSz-1] = '\0'; if (!pstrcat(ad_groups, reinterpret_cast<char*>(b64buf))) { debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", Index: squid-4.9/src/adaptation/icap/ModXact.cc =================================================================== --- squid-4.9.orig/src/adaptation/icap/ModXact.cc +++ squid-4.9/src/adaptation/icap/ModXact.cc @@ -1369,10 +1369,10 @@ void Adaptation::Icap::ModXact::makeRequ struct base64_encode_ctx ctx; base64_encode_init(&ctx); char base64buf[base64_encode_len(MAX_LOGIN_SZ)]; - size_t resultLen = base64_encode_update(&ctx, base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf())); - resultLen += base64_encode_update(&ctx, base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":")); - resultLen += base64_encode_update(&ctx, base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf())); - resultLen += base64_encode_final(&ctx, base64buf+resultLen); + size_t resultLen = base64_encode_update(&ctx, (uint8_t*)base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf())); + resultLen += base64_encode_update(&ctx, (uint8_t*)base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":")); + resultLen += base64_encode_update(&ctx, (uint8_t*)base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf())); + resultLen += base64_encode_final(&ctx, (uint8_t*)base64buf+resultLen); buf.appendf("Proxy-Authorization: Basic %.*s\r\n", (int)resultLen, base64buf); } @@ -1529,8 +1529,8 @@ void Adaptation::Icap::ModXact::makeUser if (value) { if (TheConfig.client_username_encode) { char base64buf[base64_encode_len(MAX_LOGIN_SZ)]; - size_t resultLen = base64_encode_update(&ctx, base64buf, strlen(value), reinterpret_cast<const uint8_t*>(value)); - resultLen += base64_encode_final(&ctx, base64buf+resultLen); + size_t resultLen = base64_encode_update(&ctx, (uint8_t*)base64buf, strlen(value), reinterpret_cast<const uint8_t*>(value)); + resultLen += base64_encode_final(&ctx, (uint8_t*)base64buf+resultLen); buf.appendf("%s: %.*s\r\n", TheConfig.client_username_header, (int)resultLen, base64buf); } else buf.appendf("%s: %s\r\n", TheConfig.client_username_header, value); Index: squid-4.9/src/http.cc =================================================================== --- squid-4.9.orig/src/http.cc +++ squid-4.9/src/http.cc @@ -1697,9 +1697,9 @@ httpFixupAuthentication(HttpRequest * re username = request->auth_user_request->username(); #endif - blen = base64_encode_update(&ctx, loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username)); - blen += base64_encode_update(&ctx, loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1)); - blen += base64_encode_final(&ctx, loginbuf+blen); + blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username)); + blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1)); + blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen); httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf); return; } @@ -1709,10 +1709,10 @@ httpFixupAuthentication(HttpRequest * re (strcmp(request->peer_login, "PASS") == 0 || strcmp(request->peer_login, "PROXYPASS") == 0)) { - blen = base64_encode_update(&ctx, loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf())); - blen += base64_encode_update(&ctx, loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":")); - blen += base64_encode_update(&ctx, loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf())); - blen += base64_encode_final(&ctx, loginbuf+blen); + blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf())); + blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":")); + blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf())); + blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen); httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf); return; } @@ -1741,8 +1741,8 @@ httpFixupAuthentication(HttpRequest * re } #endif /* HAVE_KRB5 && HAVE_GSSAPI */ - blen = base64_encode_update(&ctx, loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login)); - blen += base64_encode_final(&ctx, loginbuf+blen); + blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login)); + blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen); httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf); return; } @@ -1869,8 +1869,8 @@ HttpStateData::httpBuildRequestHeader(Ht static char result[base64_encode_len(MAX_URL*2)]; // should be big enough for a single URI segment struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, result, request->url.userInfo().length(), reinterpret_cast<const uint8_t*>(request->url.userInfo().rawContent())); - blen += base64_encode_final(&ctx, result+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)result, request->url.userInfo().length(), reinterpret_cast<const uint8_t*>(request->url.userInfo().rawContent())); + blen += base64_encode_final(&ctx, (uint8_t*)result+blen); result[blen] = '\0'; if (blen) httpHeaderPutStrf(hdr_out, Http::HdrType::AUTHORIZATION, "Basic %.*s", (int)blen, result); Index: squid-4.9/src/peer_proxy_negotiate_auth.cc =================================================================== --- squid-4.9.orig/src/peer_proxy_negotiate_auth.cc +++ squid-4.9/src/peer_proxy_negotiate_auth.cc @@ -562,8 +562,8 @@ char *peer_proxy_negotiate_auth(char *pr static char b64buf[8192]; // XXX: 8KB only because base64_encode_bin() used to. struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value)); - blen += base64_encode_final(&ctx, b64buf+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value)); + blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen); b64buf[blen] = '\0'; token = reinterpret_cast<char*>(b64buf); Index: squid-4.9/tools/squidclient/gssapi_support.cc =================================================================== --- squid-4.9.orig/tools/squidclient/gssapi_support.cc +++ squid-4.9/tools/squidclient/gssapi_support.cc @@ -134,8 +134,8 @@ GSSAPI_token(const char *server) token = new char[base64_encode_len(output_token.length)]; struct base64_encode_ctx ctx; base64_encode_init(&ctx); - size_t blen = base64_encode_update(&ctx, token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value)); - blen += base64_encode_final(&ctx, token+blen); + size_t blen = base64_encode_update(&ctx, (uint8_t*)token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value)); + blen += base64_encode_final(&ctx, (uint8_t*)token+blen); token[blen] = '\0'; } } Index: squid-4.9/tools/squidclient/squidclient.cc =================================================================== --- squid-4.9.orig/tools/squidclient/squidclient.cc +++ squid-4.9/tools/squidclient/squidclient.cc @@ -212,10 +212,10 @@ Authorization::commit(std::ostream &os) const auto buf = new char[bcapacity]; size_t bsize = 0; - bsize += base64_encode_update(&ctx, buf, strlen(user), reinterpret_cast<const uint8_t*>(user)); - bsize += base64_encode_update(&ctx, buf+bsize, 1, reinterpret_cast<const uint8_t*>(":")); - bsize += base64_encode_update(&ctx, buf+bsize, strlen(password), reinterpret_cast<const uint8_t*>(password)); - bsize += base64_encode_final(&ctx, buf+bsize); + bsize += base64_encode_update(&ctx, (uint8_t*)buf, strlen(user), reinterpret_cast<const uint8_t*>(user)); + bsize += base64_encode_update(&ctx, (uint8_t*)buf+bsize, 1, reinterpret_cast<const uint8_t*>(":")); + bsize += base64_encode_update(&ctx, (uint8_t*)buf+bsize, strlen(password), reinterpret_cast<const uint8_t*>(password)); + bsize += base64_encode_final(&ctx, (uint8_t*)buf+bsize); assert(bsize <= bcapacity); // paranoid and late but better than nothing os << header << ": Basic "; ++++++ pam.squid ++++++ #%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session ++++++ squid-4.12.tar.xz.asc ++++++ File: squid-4.12.tar.xz Date: Tue Jun 9 07:34:59 UTC 2020 Size: 2450564 MD5 : ad7a4a8a0031cae3435717a759173829 SHA1: 316b8a343aa542b5e7469d33b9d726bee00679c6 Key : CD6DBF8EF3B17D3E <squ...@treenet.co.nz> B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E keyring = http://www.squid-cache.org/pgp.asc keyserver = pool.sks-keyservers.net -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl7fO6wACgkQzW2/jvOx fT5dchAAvAB2fh/QBkumskN/K5c061NFA+/ZbHD8gqmvaUUIjXNoEqBhBAzTpCpm 03XcFZdIBFKqkHxiJrlWzdRylSqv5nkw1qZBN6S6NzygYVs3UYHkpNSM8AZLBW4c XDZEnmYbr2HlWHJ9fISsWhwApQ2HXwzUdMAFeN3ADDtT2nbCSjpO89sFj6zHrUVo sWsf+pKuPd6C/30MymsF5ZQVkmAeb1TRDRpnWvg0Ec//m2Sw0p6nKlr0uPBLMALW nIQivuf6MRTaa0iFibWtIyA4m88mUZLifWM9F3DOJcJYjXlKjWpQ0GQY/ylpDpeL DzMbIV/Ycv4R/w6Hk6f4MDva7FRkamlsUhCUrrL09B0CaAjnW3b0wIbFnoiCP2cL 48TST3NjKy2CG8yrHKL2G5mER2T/KyGv3m2TvVNl+sihH35Urtq9ecBCn2UwiRFL mNsEXllhMVzYmRwlN3+1Y+P612jdpdSLzIQH++ih3FYhpiZRrUPKYWNSYnesUQo+ AJiOoDzdqzHlg2P5ZVQlhaTf7qEMLf55w6TzPJ4lo6DuDdIyGVBJBJFiuBMp6JHr jElIYnwgCJ2j+Lmr2pmN0njlhSkio6084Wava37P3c61wqFF47NErO8bwaUZNPT/ 66A23tcqM1ADeBB9Ll4vmxjvn/CHrWmX0RzoOp2VCG8s7i1CT1E= =c3VT -----END PGP SIGNATURE----- ++++++ squid-user.conf ++++++ # Type Name ID GECOS [HOME] u squid - "WWW-proxy squid" /var/cache/squid g winbind - - m squid winbind ++++++ squid.logrotate ++++++ /var/log/squid/access.log /var/log/squid/store.log /var/log/squid/cache.log { su squid squid compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 640 squid squid sharedscripts postrotate /usr/bin/systemctl -q is-active squid.service && /usr/sbin/squid -k rotate endscript } ++++++ squid.permissions ++++++ /var/cache/squid/ squid:root 750 /var/log/squid/ squid:root 750 #/usr/sbin/pinger root:squid 4750 #/usr/sbin/basic_pam_auth root:shadow 2750 ++++++ squid.service ++++++ [Unit] Description=Squid caching proxy Documentation=man:squid(8) After=network.target named.service nss-lookup.service [Service] Type=forking ExecStartPre=%{_libdir}/squid/initialize_cache_if_needed.sh ExecStart=/usr/sbin/squid -FC ExecReload=/usr/bin/kill -HUP $MAINPID LimitNOFILE=4096 PIDFile=/run/squid.pid [Install] WantedBy=multi-user.target ++++++ tmpfilesdir.squid.conf ++++++ # See tmpfiles.d(5) for details d /run/squid 0700 squid root - ++++++ unsquid.pl ++++++ #!/usr/bin/perl -w # # unsquid v0.2 -- Squid object dumper. # Copyright (C) 2000 Avatar <ava...@deva.net>. # # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA # # $Id: unsquid,v 1.4 2000/03/11 17:31:06 avatar Exp $ =pod =head1 NAME unsquid - dump Squid objects =head1 SYNOPSIS B<unsquid> S<[ B<-d>I<dir> ]> S<[ B<-t>I<type> ]> S<[ B<-fv> ]> S<[ B<-Vh> ]> =head1 DESCRIPTION unsquid dumps Squid cache files specified on the command line into directories reflecting their original URLs, hence preserving the original site layouts for off-line browsing. Typically usage is find /usr/local/squid/cache/??/ -type f -print | \ xargs unsquid -t 'image/.*' -d /tmp The command line options are explained below. =over =item B<-t>I<type> S<B<--type> I<dir>> Dump only files matching the MIME type regex I<type>. =item B<-f> B<--force> Overwrite existing files. For security reason, this option is disabled when run as root. =item B<-v> B<--verbose> Print the URLs of dumped objects. =item B<-d>I<dir> S<B<--dest> I<dir>> Dump the files inside I<dir>. =item B<-V> B<--version> Print the version number. =item B<-h> B<--help> Print a summary of command line options. =back =head1 AUTHOR Avatar <F<ava...@deva.net>> =cut use POSIX; use Getopt::Long; use strict; my $help = <<EOT; Usage: $0 [OPTION]... FILE... Dumps Squid objects. -t, --type TYPE only dump objects matching the regex TYPE -v, --verbose print dumped object urls -f, --force overwrite existing files -d, --dest DIR use DIR as the destination directory for dumping -V, --version print the version string -h, --help show this help EOT my ($type, $size, $force, $verbose, $showver, $showhelp); my $destdir = "."; my $defaultindex = "index.html"; Getopt::Long::Configure("no_ignore_case"); GetOptions("dest=s" => \$destdir, "type=s" => \$type, "verbose|v+" => \$verbose, "force!" => \$force, "version|V" => \$showver, "help" => \$showhelp); if ($showver) { print <<EOT; Unsquid version 0.2 Copyright (C) 2000 Avatar <avatar\@deva.net>. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, to the extent permitted by law. EOT exit; } if ($#ARGV < 0 or $showhelp) { print $help; exit; } if ($force and $< == 0) { die "$0: root is not allowed to use the force option"; } for (@ARGV) { my ($url, $urllen); # read 4 bytes from offset 56 as the length of the url open(INFILE, "<$_") or die "$0: cannot open file $_ for reading: $!"; seek(INFILE, 56, SEEK_SET) or die "$0: cannot seek 56 bytes: $!"; read(INFILE, $urllen, 4) or die "$0: cannot read 4 bytes: $!"; $urllen = ord($urllen) - 1; # kill the last NUL # read the url read(INFILE, $url, $urllen); # expand index urls $url =~ s-/$-/$defaultindex-m; # scan the contents my ($seenheader); while (<INFILE>) { if ($seenheader) { print OUTFILE; next; } # if type is specified, do matching if (/^Content-Type: /i and defined $type) { m-[^:]*: (\w+/\w+)-; last if $1 !~ /$type/; next; } # at this point we must have matched the type if (/^\r$/) { $seenheader = 1; makedir($url); if (! defined $force and -e "$destdir/$url") { warn "$0: file $destdir/$url exists, skipped"; last; } open(OUTFILE, ">$destdir/$url") or die "$0: cannot open file $destdir/$url for writing: $!"; print "$url\n" if $verbose; } } close(INFILE); close(OUTFILE); } sub makedir { my ($basename) = @_; my $path = $destdir; if (! -d $destdir) { warn "$0: destination directory $destdir does not exist, making it"; mkdir $destdir, 0777 or die "$0: cannot mkdir $destdir: $!"; } while( $basename =~ m-^([^/]*)/- ) { $path .= "/".$1; if (! -d $path) { if (! mkdir $path, 0777) { if (-f $path) { # move the file in open FILE, $path or die "$0: cannot open $path for reading: $!"; undef $/; my $buf = <FILE>; $/ = "\n"; close FILE; unlink $path; mkdir $path, 0777 or die "$0: cannot make directory $path: $!"; open FILE, ">$path-redirect" or die "$0: cannot open $path/$defaultindex for writing: $!"; print FILE $buf; close FILE; } else { die "d$0: cannot mkdir $path: $!"; } } } $basename = $'; } }