Hello community, here is the log from the commit of package squid3.1979 for openSUSE:12.2:Update checked in at 2013-09-13 09:22:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/squid3.1979 (Old) and /work/SRC/openSUSE:12.2:Update/.squid3.1979.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squid3.1979" Changes: -------- New Changes file: --- /dev/null 2013-07-23 23:44:04.804033756 +0200 +++ /work/SRC/openSUSE:12.2:Update/.squid3.1979.new/squid3.changes 2013-09-13 09:22:55.000000000 +0200 @@ -0,0 +1,1315 @@ +------------------------------------------------------------------- +Fri Aug 30 16:24:24 CEST 2013 - dr...@suse.de + +- squid-3.1.x-bnc829084-CVE-2013-4115-BO_request_handling.diff + Squid advisory SQUID-2013_2, CVE-2013-4115, [bnc#829084] + Specially crafted http requests can trigger a buffer overflow + when squid attempts to resolve an overly long hostname. +- run logrotate as squid:nogroup [bnc#677335] + +------------------------------------------------------------------- +Sun Jan 13 21:06:34 UTC 2013 - ch...@computersalat.de + +- update to 3.1.23 + fix for bnc#794954, CVE-2012-5643, SQUID:2012-1 + - Additional fixes for CVE-2012-5643 / SQUID:2012-1 + * http://www.squid-cache.org/Advisories/SQUID-2012_1.txt + * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643 +- rebase swapdir patch + +------------------------------------------------------------------- +Tue Jun 12 10:22:46 UTC 2012 - ch...@computersalat.de + +- update to 3.1.20 + - Regression Bug 3545: FreeBSD dnsserver segfaults + - Regression Bug 3504: clientside_tos fails to mark traffic + - Bug 3539: CONNECT server connection not closed correctly on errors + - Bug 3502: client timeout uses server-side read_timeout, not request_timeout + - Bug 3466: Adaptation stuck on last single-byte body piece + - Bug 3463: dnsserver fails to compile + - Bug 3439: correct external_acl_type documented default for ipv4/ipv6 option + - Bug 3390: Proxy auth data visible to scripts + - Bug 3263: ssl_crtd: undefined references to squid_curtime + - Bug 3233: Invalid URL accepted with url host is white spaces + - Bug 3133: Memory leak handling requests for sites that don't exist + - Bug 3074: Improper URL handling with empty path (RFC 3986) + - Bug 3013: segmentation fault on shutdown commSetCloseOnExec at comm.cc:1889 + - Regression: snmp/udp address directives not resolving hostname + - Better helper-to-Squid buffer size management. + - Support CoAP over HTTP (coap:// and coaps:// URLs) + - Support for 3.2 error template codes +- rebase config, swapdir patch + +------------------------------------------------------------------- +Fri Feb 17 16:01:23 UTC 2012 - ch...@computersalat.de + +- some cleanup + * rebase patches (p0), remove version from patch_names +- add Source signature file +- add FSF patch (incorrect-fsf-address) +- add rpmlintrc file + * macro-in-comment + * no-manual-page-for-binary + +------------------------------------------------------------------- +Wed Feb 15 20:50:59 UTC 2012 - ch...@computersalat.de + +- update to 3.1.19 + - Regression Bug 3441: part 2: Prevent further cache size corruption of swap.state + - Bug 3473: erase last uses of obsolete auth_user_hash_pointer + - Bug 3470: GCC 4.7 + - Bug 3442: assertion failed: external_acl.cc:908: ch->auth_user_request != NULL + - Bug 3441: part 1: Minimize cache size corruption by malformed swap.state + - Bug 3440: compile error in Adaptation + - Bug 3420: Request body consumption races and !theConsumer exception + - Bug 3370: external ACL sometimes skipping + - Bug 3085: Crash when parsing esi:include + - HTTP/1.1: do not add 110 and 111 Warnings to revalidated responses + - Fix SSL library dependency fixes +- remove obsolete upstream patches + * squid-3.1-10415 - ..421 +- add squid source signature file + +------------------------------------------------------------------- +Mon Jan 16 13:49:22 UTC 2012 - ch...@computersalat.de + +- add upstream patches + * 3.1-10419: Bug #3085: Crash when parsing esi:include + * 3.1-10420: Bug #3473: erase last uses of obsolete auth_user_hash_pointer + * 3.1-10421: Bug #3420: Request body consumption races and !theConsumer + exception. + +------------------------------------------------------------------- +Wed Dec 21 12:12:09 UTC 2011 - ch...@computersalat.de + +- fix for bnc#737905 + * fix test EXPRESSION in post section + +------------------------------------------------------------------- +Mon Dec 12 12:47:50 UTC 2011 - ch...@computersalat.de + +- add upstream patches + * 3.1-10417: Polish: debug messages on swap.state rename failure + * 3.1-10418: Bug #3442: assertion failed: external_acl.cc:908: + ch->auth_user_request != NULL + +------------------------------------------------------------------- +Wed Dec 7 22:33:43 UTC 2011 - ch...@computersalat.de + +- fix build + * add upstream patches + - 3.1-10415: Portability: SSL library dependency fixes + - 3.1-10416: Bug #3440: compile error in Adaptation + +------------------------------------------------------------------- +Mon Dec 5 09:21:26 UTC 2011 - ch...@computersalat.de + +- update to 3.1.18 + - Regression: compile error in FTP +- Changes to squid-3.1.17 (03 Dec 2011): + - Bug 3432: Crash logging FTP errors + - Bug 3428: Active FTP data channel accepted twice + - Bug 3423: access violation in URL parser + - Bug 3422: Buffer overflow in recv-announce + - Bug 3412: External ACL Uses Invalid Cache Entry + - Bug 3408: Wrong header length leads to EFAULTs when creating UFS swap.log.new + - Bug 3398: persistent server connection closed after PUT/DELETE + - Bug 3299: dnsserver: various undefined references + - Bug 3077: '\' in url query strings cause Digest authentication to fail + - Bug 2910: MemBuf may grow beyond max_capacity + - Bug 2619: Excessive RAM growth due to unlimited adapted body data consumption + - Bug 1243: Build overrides configured AR setting + - Avoid crashes when processing bad X509 common names (CN). + - Support %% in external ACL format + - ... and several other compile error fixes + - ... and several documentation fixes + +------------------------------------------------------------------- +Wed Nov 30 18:58:11 UTC 2011 - crrodrig...@opensuse.org + +- make coolo's bot reviewer happy + +------------------------------------------------------------------- +Wed Nov 30 18:11:27 UTC 2011 - crrodrig...@opensuse.org + +- Use service type "simple" + +------------------------------------------------------------------- +Mon Nov 28 20:18:40 UTC 2011 - crrodrig...@opensuse.org + +- Support systemd + +------------------------------------------------------------------- +Sun Nov 27 06:56:29 UTC 2011 - co...@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Sat Oct 15 14:00:35 UTC 2011 - ch...@computersalat.de + +- update to 3.1.16 + - Bug 3373: invalid URL in ERR_CACHE_ACCESS_DENIED + - Bug 3368: Unhandled exceptions are not logged (workaround) + - Bug 3326: miss_access incorrect default + - Bug 3320: miss_access description confusing + - Bug 3241: squid_kerb_auth cross compilation fix + - Bug 3237: seq fault in free() from rfc1035RRDestroy + - Bug 3190: Large HTTP POST stuck after early ICAP 400 error response + - db_auth: display available DSN drivers on connect error + - Updated OpenSSL 1.0.0 version checks + - ... and several documentation fixes + +------------------------------------------------------------------- +Wed Oct 5 00:32:36 UTC 2011 - crrodrig...@opensuse.org + +- Build with -DOPENSSL_LOAD_CONF see OPENSSL_config(3) for detail + +------------------------------------------------------------------- +Tue Aug 30 15:44:50 UTC 2011 - ch...@computersalat.de + +- update to 3.1.15 + - Regression fix: vhost and defaultsite causing vport to be ignored + - Regression Bug 3295: broken escaping in rfc1738_do_escape + - Bug #3232: fails to compile with OpenSSL v1.0.0 + - Bug #3222: cache_peer name is not logging on CONNECT + - Bug #3131: fd_table[fd].closing() assert + from ConnStateData::noteMoreBodySpaceAvailable() + - Bug #3217: "!fd_table[fd].closing()" + from ServerStateData::noteMoreBodySpaceAvailable + - Bug #3213: https sites (CONNECT) not open when using NTLM + - Bug #3114: Memory leak in SSL certificate verify code + - Bug #3107: ncsa_auth DES silently truncates passwords to 8 bytes + - Bug #2662: cf_gen failure when cross compiling + - Bug #2655: passing wrong the username to the url_rewrite_program + - Bug #2495: ignore whitespace prefix on config lines + - Bug #2051: 'default' cache_peer option does not match documentation + - Bug #1842: Optimize order of tests in peerWouldBePinged() and peerHTTPOkay() + - Bug #1791: timestampsSet does not validate Date: if server sends very old date + - Correct parsing of large Gopher indexes + - Enable negative cacheing on unknown or -1 expiry timestamp + - Remove hierarchy_stoplist default value + - Migrate cf_gen tool from C-style to C++ + - ... and several documentation and compiler warning fixes + +------------------------------------------------------------------- +Thu Aug 18 04:33:40 UTC 2011 - crrodrig...@opensuse.org + +- Disable "ident" lookups, obsolete and dangerous thing ++++ 1118 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.squid3.1979.new/squid3.changes New: ---- README.kerberos RELEASENOTES.html pam.squid rpmlintrc squid-3.1.23.tar.bz2 squid-3.1.23.tar.bz2.asc squid-3.1.x-bnc829084-CVE-2013-4115-BO_request_handling.diff squid-FSF.patch squid-config.patch squid-nobuilddates.patch squid-swapdir.patch squid.init squid.logrotate squid.permissions squid.service squid.sysconfig squid3.changes squid3.spec squid_cache_swap.sh unsquid.pl ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squid3.spec ++++++ # # spec file for package squid3 # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define squidlibdir %{_libdir}/squid %define squidconfdir /etc/squid Name: squid3 Summary: Squid Version 3.1 WWW Proxy Server License: GPL-2.0+ Group: Productivity/Networking/Web/Proxy Version: 3.1.23 Release: 0 Url: http://www.squid-cache.org/Versions/v3/3.1 Source0: http://www.squid-cache.org/Versions/v3/3.1/squid-%{version}.tar.bz2 Source1: squid-%{version}.tar.bz2.asc Source2: RELEASENOTES.html Source3: squid.init Source4: squid.sysconfig Source5: pam.squid Source6: unsquid.pl Source7: squid.logrotate Source9: squid.permissions Source10: README.kerberos Source11: squid.service Source12: squid_cache_swap.sh # # the following patches are downloaded directly from the webserver # don't change the names for easier identification # # please read every file if there is interest about what the patch changes # or just visit: http://www.squid-cache.org/Versions/v3/3.0/changesets/ # # Bug #3440: compile error in Adaptation #atch0: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10415.patch # Portability: SSL library dependency fixes #atch1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10416.patch # Polish: debug messages on swap.state rename failure #atch2: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10417.patch # Bug #3442: assertion failed: external_acl.cc:908: ch->auth_user_request != NULL #atch3: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10418.patch # Bug #3085: Crash when parsing esi:include #atch4: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10419.patch # Bug #3473: erase last uses of obsolete auth_user_hash_pointer #atch5: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10420.patch # Bug #3420: Request body consumption races and !theConsumer exception. #atch6: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10421.patch # # do not show some rpmlint warnings Source99: rpmlintrc # some useful defaults for squid Patch100: squid-config.patch # FIX SWAPDIR - make it a configure option Patch101: squid-swapdir.patch # make build compare happy - remove build dates Patch102: squid-nobuilddates.patch Patch110: squid-3.1.x-bnc829084-CVE-2013-4115-BO_request_handling.diff # FIX-FOR-UPSTREAM: rpmlint - incorrect-fsf-address Patch200: squid-FSF.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %fillup_prereq PreReq: %insserv_prereq PreReq: /usr/bin/getent PreReq: permissions PreReq: pwdutils BuildRequires: db-devel # needed by bootstrap.sh BuildRequires: cyrus-sasl-devel BuildRequires: ed BuildRequires: expat BuildRequires: gcc-c++ BuildRequires: libcap-devel BuildRequires: libexpat-devel BuildRequires: libtool BuildRequires: openldap2-devel BuildRequires: opensp-devel BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: sharutils # %if 0%{?sles_version} == 9 BuildRequires: heimdal-devel %else BuildRequires: krb5-devel %endif # %if 0%{?suse_version} > 1030 || 0%{?fedora_version} > 8 BuildRequires: fdupes %endif # %if 0%{?suse_version} >= 1130 BuildRequires: pkgconfig(libxml-2.0) %else BuildRequires: libxml2-devel %endif %if 0%{?suse_version} > 1140 BuildRequires: systemd %{?systemd_requires} %define has_systemd 1 %endif Conflicts: squid squid2 squid23 squid-beta Obsoletes: squid-beta Obsoletes: squid2 Requires: logrotate Provides: http_proxy %description Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. Squid 3.1 represents a new feature release above 3.0. The most important of these new features are: * New Version Numbering System * Minimal squid.conf improvements * Native IPv6 Support * Error Page Localization * Connection Pinning (for NTLM Auth Passthrough) * Quality of Service (QoS) Flow support * SSL Bump (for HTTPS Filtering and Adaptation) * eCAP Adaptation Module support * ICAP Bypass and Retry enhancements * ICY streaming protocol support * Dynamic SSL Certificate Generation (3.1.13 and later) First STABLE release Date: 29 Mar 2010 Latest Release: 3.1.23 Latest Release Date: 09 Jan 2013 %prep %setup -q -n squid-%{version} cp %{SOURCE10} . # upstream patches after RELEASE # ##### other patches %patch100 %if 0%{?suse_version} > 1010 %patch101 %endif perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"` chmod a-x CREDITS %patch102 %patch110 %patch200 %build %if 0%{?suse_version} > 1010 ./bootstrap.sh autoreconf -fiv %endif export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export LDFLAGS='-Wl,-z,relro,-z,now -pie' ./configure --prefix=/usr \ --sysconfdir=%{squidconfdir} \ --bindir=/usr/sbin \ --sbindir=/usr/sbin \ --localstatedir=/var \ --libexecdir=/usr/sbin \ --datadir=/usr/share/squid \ --mandir=%{_mandir} \ --libdir=%{_libdir} \ --sharedstatedir=/var/squid \ --with-logdir=/var/log/squid \ %if 0%{?suse_version} > 1010 --with-swapdir=/var/cache/squid \ %endif --with-pidfile=/var/run/squid.pid \ --with-dl \ --enable-storeio \ --enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads \ --enable-removal-policies=heap,lru \ --enable-icmp \ --enable-delay-pools \ --enable-esi \ --enable-icap-client \ --enable-useragent-log \ --enable-referer-log \ --enable-kill-parent-hack \ --enable-arp-acl \ --enable-ssl \ --enable-forw-via-db \ --enable-cache-digests \ --enable-linux-netfilter \ --with-large-files \ --enable-underscores \ --enable-auth=basic,digest,ntlm,negotiate \ --enable-basic-auth-helpers=DB,LDAP,MSNT,NCSA,PAM,POP3,SASL,SMB,YP,getpwnam,multi-domain-NTLM,squid_radius_auth \ --enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm \ --enable-negotiate-auth-helpers=squid_kerb_auth \ --enable-digest-auth-helpers=eDirectory,ldap,password \ --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group \ --enable-ntlm-fail-open \ --enable-stacktraces \ --enable-x-accelerator-vary \ --with-default-user=squid \ --disable-ident-lookups \ --enable-follow-x-forwarded-for ## Deprecated # --enable-poll \ # Deprecated. Automatic checks will enable best I/O loop method available. # ## changed to default, use --disable-* to build without # --enable-htcp \ # --enable-snmp \ ##### # problematic options # --enable-truncate \ # overwrite the number of open filedescriptors of configure to 4096 # to be backward compatible, but numbers above should not be overwritten if [ `awk '/SQUID_MAXFD/{print $3}' include/autoconf.h` -lt 4096 ]; then set +x echo "adapting SQUID_MAXFD to 4096" set -x perl -pi -e 's;(\#define SQUID_MAXFD) [0-9]+;$1 4096;' include/autoconf.h fi make SAMBAPREFIX=/usr %{?_smp_mflags} #make DEFAULT_LOG_PREFIX=/var/log/squid \ # DEFAULT_SWAP_DIR=/var/cache/squid \ # DEFAULT_PID_FILE=/var/run/squid.pid \ # SAMBAPREFIX=/usr %install /usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \ -d /var/cache/squid squid 2> /dev/null || : install -d %{buildroot}%{_localstatedir}/{cache,log}/squid install -d %{buildroot}%{_prefix}/sbin make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr mv %{buildroot}{/etc/squid/,/usr/share/squid/}mime.conf.default ln -s /etc/squid/mime.conf %{buildroot}%{_datadir}/squid # backward compatible install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/squid install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/squid install -d %{buildroot}%{_mandir}/man8/ #chown squid:root -R %{buildroot}%{_localstatedir}/{cache,log}/squid chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/squid install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/squid ln -sf %{_sysconfdir}/init.d/squid %{buildroot}%{_sbindir}/rcsquid install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.squid install -D -m 644 doc/squid.8 %{buildroot}/%{_mandir}/man8/ install -m 644 helpers/basic_auth/LDAP/squid_ldap_auth.8 %{buildroot}/%{_mandir}/man8/ install -m 644 helpers/basic_auth/LDAP/squid_ldap_auth.8 %{buildroot}/%{_mandir}/man8/ install -m 644 helpers/basic_auth/PAM/pam_auth.8 %{buildroot}/%{_mandir}/man8/ install -m 644 helpers/external_acl/ldap_group/squid_ldap_group.8 %{buildroot}/%{_mandir}/man8/ gzip -9 %{buildroot}/%{_mandir}/man8/*.8 install -d -m 755 doc/scripts install scripts/*.pl doc/scripts cat > doc/scripts/cachemgr.readme <<-EOT cachemgr.cgi will now be found in %{_libdir}/squid EOT install -d -m 755 %{buildroot}/%{_libdir}/squid mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/squid install -d -m 755 doc/contrib install %{SOURCE6} doc/contrib install -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/squid #chown squid:shadow %{buildroot}%{_sbindir}/pam_auth chmod g+s %{buildroot}%{_sbindir}/pam_auth #rm %{buildroot}%{_sbindir}/Run* rm -rf %{buildroot}%{squidconfdir}/errors for i in errors/*; do if [ -d $i ]; then mkdir -p %{buildroot}%{_datadir}/squid/$i install -m 644 $i/* %{buildroot}%{_datadir}/squid/$i fi done ln -sf /usr/share/squid/errors/de %{buildroot}%{squidconfdir}/errors # remove unpackaged files rm -f %{buildroot}%{_prefix}/man/man8/*.8 # fix file duplicates %if 0%{?suse_version} > 1030 %fdupes -s %{buildroot}%{_prefix} %endif %if 0%{?fedora_version} > 8 fdupes -q -n -r %{buildroot}%{_prefix} %endif %if 0%{?has_systemd} install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/squid.service install -D -m 755 %{SOURCE12} %{buildroot}%{_sbindir}/squid_cache_swap.sh %endif %pre # we need this group for squid (ntlmauth) # read access to /var/lib/samba/winbindd_privileged if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then %{_sbindir}/groupadd -r winbind 2>/dev/null fi if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/squid \ -G winbind -g nogroup -o -u 31 -r -s /bin/false \ squid 2>/dev/null fi # if squid is not member of winbind, add him if [ `%{_bindir}/id -nG squid 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then %{_sbindir}/groupmod -A squid winbind 2>/dev/null fi %if 0%{?has_systemd} %service_add_pre squid.service %endif %post %if 0%{?sles_version} == 10 sed -i -e "s,\(^%{_sbindir}/pam_auth.*\)\(2755\),\14755," /etc/permissions.secure %endif %run_permissions # update mode? if [ "$1" -gt "1" ]; then if [ -e etc/squid.conf -a ! -L etc/squid.conf -a ! -e etc/squid/squid.conf ]; then echo "moving /etc/squid.conf to /etc/squid/squid.conf" mv etc/squid.conf etc/squid/squid.conf fi fi %{fillup_and_insserv -n "squid"} %if 0%{?has_systemd} %service_add_post squid.service %endif %preun %stop_on_removal squid %if 0%{?has_systemd} %service_del_preun squid.service %endif %postun %if 0%{?has_systemd} %service_del_postun squid.service %endif %restart_on_update squid %insserv_cleanup %verifyscript %verify_permissions -e /usr/sbin/pam_auth %clean rm -rf %{buildroot} %files %defattr(-,root,root) %if 0%{?has_systemd} %{_unitdir}/squid.service %{_sbindir}/squid_cache_swap.sh %endif %attr(750,squid,root) %dir %{_localstatedir}/cache/squid/ %attr(750,squid,root) %dir %{_localstatedir}/log/squid/ %dir %{squidconfdir} %config(noreplace) %{squidconfdir}/cachemgr.conf %config(noreplace) %{squidconfdir}/errorpage.css %config(noreplace) %{squidconfdir}/errors %config(noreplace) %{_sysconfdir}/logrotate.d/squid %config(noreplace) %{squidconfdir}/mime.conf %config(noreplace) %{squidconfdir}/msntauth.conf %config(noreplace) %{squidconfdir}/squid.conf %config %{squidconfdir}/cachemgr.conf.default %config %{squidconfdir}/errorpage.css.default %config %{squidconfdir}/msntauth.conf.default %config %{squidconfdir}/squid.conf.default %config %{squidconfdir}/squid.conf.documented %config %{_sysconfdir}/pam.d/squid %config %{_sysconfdir}/init.d/squid %config %{_sysconfdir}/permissions.d/squid %dir %{_datadir}/squid %{_datadir}/squid/errors %{_datadir}/squid/icons %config %{_datadir}/squid/mib.txt %{_sbindir}/diskd %{_sbindir}/digest_pw_auth %{_sbindir}/digest_edir_auth %{_sbindir}/digest_ldap_auth %{_sbindir}/fakeauth_auth %{_sbindir}/getpwname_auth %{_sbindir}/ip_user_check %{_sbindir}/msnt_auth %{_sbindir}/ncsa_auth %{_sbindir}/negotiate_kerb_auth %{_sbindir}/negotiate_kerb_auth_test %{_sbindir}/no_check.pl %{_sbindir}/ntlm_smb_lm_auth %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/pam_auth %{_sbindir}/pinger %{_sbindir}/pop3.pl %{_sbindir}/rcsquid %{_sbindir}/sasl_auth %{_sbindir}/smb_auth %{_sbindir}/smb_auth.sh %{_sbindir}/smb_auth.pl %{_sbindir}/squid %{_sbindir}/squid_db_auth %{_sbindir}/squid_kerb_auth %{_sbindir}/squid_kerb_auth_test %{_sbindir}/squid_ldap_auth %{_sbindir}/squid_ldap_group %{_sbindir}/squid_radius_auth %{_sbindir}/squid_session %{_sbindir}/squid_unix_group %{_sbindir}/squidclient %{_sbindir}/unlinkd %{_sbindir}/wbinfo_group.pl %{_sbindir}/yp_auth %{_datadir}/squid/mime.conf %{_datadir}/squid/mime.conf.default %{_localstatedir}/adm/fillup-templates/sysconfig.squid %dir %{_libdir}/squid %{_libdir}/squid/cachemgr.cgi %doc %{_mandir}/man?/* %doc CONTRIBUTORS COPYING COPYRIGHT CREDITS ChangeLog %doc QUICKSTART README RELEASENOTES.html SPONSORS %doc README.kerberos %doc doc/contrib doc/scripts %doc doc/debug-sections.txt src/squid.conf.default #%doc README.squid_ldapauth CREDITS.squid_ldapauth #%doc squid_ldapauth.conf %changelog ++++++ README.kerberos ++++++ This is the README.kerberos file to have squid negotiate/authenticate via kerberos any addons are very welcome comments could be posted to <chris(at)computersalat.de> 1) you need to add a "USER" inside your "Domain-Computers" Container called "squid". Yes a "USER" and not a Computer. You may use another name, but why ? 2) After having successfully created the user, you need to create a keytab file on your WIN box. Example: !! This is all in one line !! ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL \ -mapuser squid -pass * -out HTTP.keytab 3) copy over HTTP.keytab to /etc/squid/ on your linux box 4) you have to tell your browsers to negotiate via kerberos Have a look at: a) Internet Explorer does not support Kerberos authentication with proxy servers http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14 This limitation was removed in Windows Internet Explorer 7. If Integrated Windows Authentication is turned on in Internet Explorer for Windows 2000 and Windows XP, you can complete Kerberos authentication with Web servers either directly or through a proxy server. However, Internet Explorer cannot use Kerberos to authenticate with the proxy server itself. b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6 http://support.microsoft.com/kb/299838/EN-US/ To resolve this issue, enable Internet Explorer 6 to respond to a negotiate challenge and perform Kerberos authentication: 1. In Internet Explorer, click Internet Options on the Tools menu. 2. Click the Advanced tab, click to select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, and then click OK. 3. Restart Internet Explorer. Administrators can enable Integrated Windows Authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings Note Internet Explorer 6, when used with Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and default to NTLM (or Windows NT Challenge/Response) authentication even if the Enable Integrated Windows Authentication (requires restart) check box is selected because Kerberos authentication is not available on these operating systems. ++++++ RELEASENOTES.html ++++++ ++++ 2000 lines (skipped) ++++++ pam.squid ++++++ #%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session ++++++ rpmlintrc ++++++ addFilter("macro-in-comment") addFilter("no-manual-page-for-binary") ++++++ squid-3.1.23.tar.bz2.asc ++++++ File: squid-3.1.23.tar.bz2 Date: Wed Jan 9 02:35:48 UTC 2013 Size: 2560454 MD5 : e15fdb8c615cf1f9525be0a2b75c60a7 SHA1: ae988fc253b0cf556ab7617c72097ae1031f0248 Key : 0xFF5CF463 <squ...@treenet.co.nz> fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463 keyring = http://www.squid-cache.org/pgp.asc keyserver = subkeys.pgp.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABAgAGBQJQ7NgOAAoJELJo5wb/XPRjjJAIAKWbwrjE8Ozw1P50IoGsKZNn Mta+41el+QzrNwlYnRHN6+MTcUhUWmp92nMQ2SvSp4HtQbq3O45a8jy+N6F2wGj5 dGyV3VPZrokO1K9AA5sxWViJkfnFrxxMSkqe4UYn8+7TjsFL9g5JUytBNV30QfA0 Hfz5V1EaOhsx8aeLcz7CQoe7XsonlLA8LYqpMUUC+6+RabBQcoUXxrA0AOTBfC01 sXUrXKzRwYRjg2saIZ4QxuvcnFUcDWTTH+nOvy7BdbnHr/jxq2qbguNDOUPCjTSe bAPzhjxsLnRZBTLZiO8JdGXbgTplNrBtD/7EpWJ384BIUR/3yY/pE6vkvQdoJLY= =8aJk -----END PGP SIGNATURE----- ++++++ squid-3.1.x-bnc829084-CVE-2013-4115-BO_request_handling.diff ++++++ ------------------------------------------------------------ revno: 10487 revision-id: squ...@treenet.co.nz-20130710124748-2n6111r04xsi71vx parent: squ...@treenet.co.nz-20130222111325-zizr296kq3te4g7h author: Nathan Hoad <nat...@getoffmalawn.com> committer: Amos Jeffries <squ...@treenet.co.nz> branch nick: SQUID_3_1 timestamp: Wed 2013-07-10 06:47:48 -0600 message: Protect against buffer overrun in DNS query generation see SQUID-2013:2. This bug has been present as long as the internal DNS component however most code reaching this point is passing through URL validation first. With Squid-3.2 Host header verification using DNS directly we may have problems. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squ...@treenet.co.nz-20130710124748-2n6111r04xsi71vx # target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ # /SQUID_3_1 # testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0 # timestamp: 2013-07-10 12:48:57 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ # /SQUID_3_1 # base_revision_id: squ...@treenet.co.nz-20130222111325-\ # zizr296kq3te4g7h # # Begin patch === modified file 'src/dns_internal.cc' --- src/dns_internal.cc 2011-10-11 02:12:56 +0000 +++ src/dns_internal.cc 2013-07-10 12:47:48 +0000 @@ -1532,22 +1532,26 @@ void idnsALookup(const char *name, IDNSCB * callback, void *data) { - unsigned int i; + size_t nameLength = strlen(name); + + // Prevent buffer overflow on q->name + if (nameLength > NS_MAXDNAME) { + debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details."); + callback(data, NULL, 0, "Internal error"); + return; + } + + if (idnsCachedLookup(name, callback, data)) + return; + + idns_query *q = cbdataAlloc(idns_query); + q->id = idnsQueryID(); int nd = 0; - idns_query *q; - - if (idnsCachedLookup(name, callback, data)) - return; - - q = cbdataAlloc(idns_query); - - q->id = idnsQueryID(); - - for (i = 0; i < strlen(name); i++) + for (unsigned int i = 0; i < nameLength; ++i) if (name[i] == '.') nd++; - if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') { + if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') { q->do_searchpath = 1; } else { q->do_searchpath = 0; ++++++ squid-FSF.patch ++++++ Index: COPYING =================================================================== --- COPYING.orig +++ COPYING @@ -1,8 +1,8 @@ GNU GENERAL PUBLIC LICENSE Version 2, June 1991 - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111, USA + Copyright (C) 1989, 1991 Free Software Foundation, + 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Index: COPYRIGHT =================================================================== --- COPYRIGHT.orig +++ COPYRIGHT @@ -18,8 +18,8 @@ You should have received a copy of the G with this program; if not, write to: The Free Software Foundation - 59 Temple Place - Suite 330 - Boston, MA 02111, USA + 51 Franklin Street + Suite 500 + Boston, MA 02110-1335, USA Or contact i...@squid-cache.org Index: README =================================================================== --- README.orig +++ README @@ -14,7 +14,7 @@ SQUID Web Proxy Cache http://www. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA. Squid is derived from the ``cached'' software from the ARPA-funded Harvest research project. Squid includes software copyrighted Index: helpers/basic_auth/SMB/smb_auth.sh =================================================================== --- helpers/basic_auth/SMB/smb_auth.sh.orig +++ helpers/basic_auth/SMB/smb_auth.sh @@ -15,7 +15,7 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA read DOMAINNAME read PASSTHROUGH Index: helpers/basic_auth/POP3/pop3.pl =================================================================== --- helpers/basic_auth/POP3/pop3.pl.orig +++ helpers/basic_auth/POP3/pop3.pl @@ -15,7 +15,7 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +# Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA. # # Change log: # 2006-12-10 henrik Initial revision ++++++ squid-config.patch ++++++ Index: src/cf.data.pre =================================================================== --- src/cf.data.pre.orig +++ src/cf.data.pre @@ -924,6 +924,8 @@ http_access deny CONNECT !SSL_ports # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet + +# Allow localhost always proxy functionality http_access allow localhost # And finally deny all other access to this proxy @@ -2357,6 +2359,10 @@ DOC_START Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value. + Note on 'Mbytes': You need to consider the available RAM on the + machine versus the approx. 10MB RAM per 1GB of files which the + cache_dir index will consume. + 'L1' is the number of first-level subdirectories which will be created under the 'Directory'. The default is 16. @@ -2432,7 +2438,7 @@ DOC_START NOCOMMENT_START # Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256 +#cache_dir aufs @DEFAULT_SWAP_DIR@ 100 16 256 NOCOMMENT_END DOC_END @@ -2844,7 +2850,7 @@ DOC_END NAME: logfile_rotate TYPE: int -DEFAULT: 10 +DEFAULT: 0 LOC: Config.Log.rotateNumber DOC_START Specifies the number of logfile rotations to make when you ++++++ squid-nobuilddates.patch ++++++ Index: helpers/basic_auth/mswin_sspi/mswin_auth.c =================================================================== --- helpers/basic_auth/mswin_sspi/mswin_auth.c.orig +++ helpers/basic_auth/mswin_sspi/mswin_auth.c @@ -118,7 +118,7 @@ main(int argc, char **argv) my_program_name = argv[0]; process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s starting up...\n", my_program_name); if (LoadSecurityDll(SSP_BASIC, NTLM_PACKAGE_NAME) == NULL) { fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); Index: helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c =================================================================== --- helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c.orig +++ helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c @@ -430,8 +430,7 @@ main(int argc, char *argv[]) if (!DefaultDomain) DefaultDomain = xstrdup(machinedomain); } - debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ - " starting up...\n"); + debug("External ACL win32 group helper starting up...\n"); if (use_global) debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); if (use_case_insensitive_compare) Index: helpers/external_acl/mswin_lm_group/win32_check_group.c =================================================================== --- helpers/external_acl/mswin_lm_group/win32_check_group.c.orig +++ helpers/external_acl/mswin_lm_group/win32_check_group.c @@ -546,8 +546,7 @@ main(int argc, char *argv[]) if (!DefaultDomain) DefaultDomain = xstrdup(machinedomain); } - debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ - " starting up...\n"); + debug("External ACL win32 group helper starting up...\n"); if (use_global) debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); if (use_case_insensitive_compare) Index: helpers/negotiate_auth/mswin_sspi/negotiate_auth.c =================================================================== --- helpers/negotiate_auth/mswin_sspi/negotiate_auth.c.orig +++ helpers/negotiate_auth/mswin_sspi/negotiate_auth.c @@ -299,7 +299,7 @@ main(int argc, char *argv[]) process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s starting up...\n", my_program_name); if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) { fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); Index: helpers/ntlm_auth/fakeauth/fakeauth_auth.c =================================================================== --- helpers/ntlm_auth/fakeauth/fakeauth_auth.c.orig +++ helpers/ntlm_auth/fakeauth/fakeauth_auth.c @@ -387,7 +387,7 @@ main(int argc, char *argv[]) process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s starting up...\n", my_program_name); while (fgets(buf, BUFFER_SIZE, stdin) != NULL) { user[0] = '\0'; /*no usercode */ Index: helpers/ntlm_auth/mswin_sspi/ntlm_auth.c =================================================================== --- helpers/ntlm_auth/mswin_sspi/ntlm_auth.c.orig +++ helpers/ntlm_auth/mswin_sspi/ntlm_auth.c @@ -381,7 +381,7 @@ main(int argc, char *argv[]) process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s starting up...\n", my_program_name); if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) { fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); Index: helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.c =================================================================== --- helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.c.orig +++ helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.c @@ -461,7 +461,7 @@ manage_request() int main(int argc, char *argv[]) { - debug("ntlm_auth build " __DATE__ ", " __TIME__ " starting up...\n"); + debug("ntlm_auth build starting up...\n"); my_program_name = argv[0]; process_options(argc, argv); ++++++ squid-swapdir.patch ++++++ Index: configure.ac =================================================================== --- configure.ac.orig +++ configure.ac @@ -200,6 +200,21 @@ AC_ARG_WITH(logdir, ) AC_SUBST(DEFAULT_LOG_DIR) +DEFAULT_SWAPDIR="$localstatedir/cache" +AC_ARG_WITH(swapdir, + AS_HELP_STRING([--with-swapdir=PATH],[Default location for squid SWAP files. default: $DEFAULT_SWAPDIR]), + [ case $withval in + yes|no) + AC_MSG_ERROR( --with-swapdir requires a directory PATH. --with-swapdir=PATH ) + ;; + *) + DEFAULT_SWAPDIR="$withval" + ;; + esac + ] +) +AC_SUBST(DEFAULT_SWAPDIR) + DEFAULT_PIDFILE="$localstatedir/run/squid.pid" AC_ARG_WITH(pidfile, AS_HELP_STRING([--with-pidfile=PATH],[Default location for squid PID file. default: PREFIX/var/run/squid.pid]), Index: src/Makefile.am =================================================================== --- src/Makefile.am.orig +++ src/Makefile.am @@ -730,7 +730,7 @@ DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_ DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log DEFAULT_PID_FILE = $(DEFAULT_PIDFILE) DEFAULT_NETDB_FILE = $(DEFAULT_LOG_PREFIX)/netdb.state -DEFAULT_SWAP_DIR = $(localstatedir)/cache +DEFAULT_SWAP_DIR = $(DEFAULT_SWAPDIR) DEFAULT_SSL_DB_DIR = $(localstatedir)/lib/ssl_db DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed '$(transform);s/$$/$(EXEEXT)/'` Index: src/Makefile.in =================================================================== --- src/Makefile.in.orig +++ src/Makefile.in @@ -2057,7 +2057,7 @@ DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFI DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log DEFAULT_PID_FILE = $(DEFAULT_PIDFILE) DEFAULT_NETDB_FILE = $(DEFAULT_LOG_PREFIX)/netdb.state -DEFAULT_SWAP_DIR = $(localstatedir)/cache +DEFAULT_SWAP_DIR = $(DEFAULT_SWAPDIR) DEFAULT_SSL_DB_DIR = $(localstatedir)/lib/ssl_db DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed '$(transform);s/$$/$(EXEEXT)/'` ++++++ squid.init ++++++ #!/bin/sh # Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH # Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH # Copyright (c) 2002 SuSE Linux AG # # Author: Frank Bodammer, Peter Poeml, Klaus Singvogel <feedb...@suse.de> # # /etc/init.d/squid # and its symbolic link # /(usr/)sbin/rcsquid # ### BEGIN INIT INFO # Provides: squid # Required-Start: $local_fs $remote_fs $network $time # Should-Start: apache $named winbind # Required-Stop: $local_fs $remote_fs $network $time # Should-Stop: apache $named winbind # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: Squid web cache # Description: Start the Squid web cache, providing # HTTP, FTP and other proxy services ### END INIT INFO # # Note on runlevels: # 0 - halt/poweroff 6 - reboot # 1 - single user 2 - multiuser without network exported # 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) # Check for missing binaries (stale symlinks should not happen) # Note: Special treatment of stop for LSB conformance SQUID_BIN=/usr/sbin/squid test -x $SQUID_BIN || { echo "$SQUID_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } # Check for existence of needed config file and read it SQUID_SYSCONFIG=/etc/sysconfig/squid test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } # Read config . $SQUID_SYSCONFIG SQUID_PID=/var/run/squid.pid SQUID_CONF=/etc/squid/squid.conf SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"} SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"} SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"} # determine which one is the cache_swap directory SQUID_CACHE_DIR=$(perl -n -e \ '/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF) ulimit -n "$SQUID_ULIMIT" #IN: $SQUID_CACHE_DIR setup_squid_cache_dir(){ for adir in "$1" ; do if [ ! -d $adir/00 ]; then # create missing cache directories umask 027 # prevent users reading any cache data echo -n " ($adir)" $SQUID_BIN -z -F > /dev/null 2>&1 fi if [ ! -d $adir/00 ]; then echo " - failed while creating cache_dir ! " rc_failed rc_status -v rc_exit fi done sleep 2 } # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v be verbose in local rc status and clear it afterwards # rc_status -v -r ditto and clear both the local and overall rc status # rc_status -s display "skipped" and exit with status 3 # rc_status -u display "unused" and exit with status 3 # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num> # rc_reset clear both the local and overall rc status # rc_exit exit appropriate to overall rc status # rc_active checks whether a service is activated by symlinks . /etc/rc.status # Reset status of this service rc_reset case "$1" in start) echo -n "Starting WWW-proxy squid " if /sbin/checkproc $SQUID_BIN ; then echo -n "- Warning: squid already running ! " rc_failed else [ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! " if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then setup_squid_cache_dir "$SQUID_CACHE_DIR" fi fi startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS" # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down WWW-proxy squid " if /sbin/checkproc $SQUID_BIN ; then $SQUID_BIN -k shutdown sleep 2 if [ -e $SQUID_PID ] ; then echo -n "- wait a minute or two... " i="$SQUID_S_T" while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do sleep 2 i=$[$i-1] echo -n "." [ $i -eq 41 ] && echo done fi if /sbin/checkproc $SQUID_BIN ; then killproc -TERM $SQUID_BIN echo -n " Warning: squid killed !" fi else echo -n "- Warning: squid not running ! " rc_failed 7 fi # Remember status and be verbose rc_status -v ;; try-restart) $0 status >/dev/null && $0 restart # Remember status and be quiet rc_status ;; restart) $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) $0 reload # Remember status and be quiet rc_status ;; reload) echo -n "Reloading WWW-proxy squid " if /sbin/checkproc $SQUID_BIN ; then $SQUID_BIN -k rotate sleep 2 $SQUID_BIN -k reconfigure rc_status else echo -n "- Warning: squid not running ! " rc_failed 7 fi # Remember status and be verbose rc_status -v ;; status) echo -n "Checking for WWW-proxy squid " ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. # Return value is slightly different for the status command: # 0 - service up and running # 1 - service dead, but /var/run/ pid file exists # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running (unused) # 4 - service status unknown :-( # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) # NOTE: checkproc returns LSB compliant status values. /sbin/checkproc $SQUID_BIN # Remember status and be verbose rc_status -v ;; probe) test $SQUID_CONF -nt $SQUID_PID && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ squid.logrotate ++++++ /var/log/squid/cache.log { su squid nogroup compress dateext maxage 365 rotate 99 size=+1024k notifempty missingok create 640 squid root sharedscripts postrotate /etc/init.d/squid reload endscript } /var/log/squid/access.log { su squid nogroup compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 640 squid root sharedscripts postrotate /etc/init.d/squid reload endscript } /var/log/squid/store.log { su squid nogroup compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 640 squid root sharedscripts postrotate /etc/init.d/squid reload endscript } ++++++ squid.permissions ++++++ /var/cache/squid/ squid:root 750 /var/log/squid/ squid:root 750 ++++++ squid.service ++++++ [Unit] Description=Squid caching proxy After=syslog.target network.target named.service [Service] EnvironmentFile=/etc/sysconfig/squid ExecStartPre=/usr/sbin/squid_cache_swap.sh ExecStart=/usr/sbin/squid -F -N $SQUID_START_OPTIONS -f /etc/squid/squid.conf ExecReload=/usr/sbin/squid -F -N $SQUID_START_OPTIONS -k reconfigure -f /etc/squid/squid.conf ExecStop=/usr/sbin/squid -F -N -k shutdown -f /etc/squid/squid.conf [Install] WantedBy=multi-user.target ++++++ squid.sysconfig ++++++ ## Path: Network/WWW/Proxy/squid ## Description: squid webproxy options ## Type: integer(1:) ## Default: "60" # # kill squid after this timeout in double-seconds with SIGTERM # SQUID_SHUTDOWN_TIMEOUT="60" ## Type: text ## Default: "-sY" # # squid daemon start options # SQUID_START_OPTIONS="-sY" ## Type: integer(1:) ## Default: "4096" # # default ulimit to set # SQUID_DEFAULT_ULIMT="4096" ++++++ squid_cache_swap.sh ++++++ #!/bin/bash if [ -f /etc/sysconfig/squid ]; then . /etc/sysconfig/squid fi SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"} CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \ grep cache_dir | awk '{ print $3 }'` for adir in $CACHE_SWAP; do if [ ! -d $adir/00 ]; then echo -n "init_cache_dir $adir... " squid -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1 fi done ++++++ unsquid.pl ++++++ #!/usr/bin/perl -w # # unsquid v0.2 -- Squid object dumper. # Copyright (C) 2000 Avatar <ava...@deva.net>. # # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA # # $Id: unsquid,v 1.4 2000/03/11 17:31:06 avatar Exp $ =pod =head1 NAME unsquid - dump Squid objects =head1 SYNOPSIS B<unsquid> S<[ B<-d>I<dir> ]> S<[ B<-t>I<type> ]> S<[ B<-fv> ]> S<[ B<-Vh> ]> =head1 DESCRIPTION unsquid dumps Squid cache files specified on the command line into directories reflecting their original URLs, hence preserving the original site layouts for off-line browsing. Typically usage is find /usr/local/squid/cache/??/ -type f -print | \ xargs unsquid -t 'image/.*' -d /tmp The command line options are explained below. =over =item B<-t>I<type> S<B<--type> I<dir>> Dump only files matching the MIME type regex I<type>. =item B<-f> B<--force> Overwrite existing files. For security reason, this option is disabled when run as root. =item B<-v> B<--verbose> Print the URLs of dumped objects. =item B<-d>I<dir> S<B<--dest> I<dir>> Dump the files inside I<dir>. =item B<-V> B<--version> Print the version number. =item B<-h> B<--help> Print a summary of command line options. =back =head1 AUTHOR Avatar <F<ava...@deva.net>> =cut use POSIX; use Getopt::Long; use strict; my $help = <<EOT; Usage: $0 [OPTION]... FILE... Dumps Squid objects. -t, --type TYPE only dump objects matching the regex TYPE -v, --verbose print dumped object urls -f, --force overwrite existing files -d, --dest DIR use DIR as the destination directory for dumping -V, --version print the version string -h, --help show this help EOT my ($type, $size, $force, $verbose, $showver, $showhelp); my $destdir = "."; my $defaultindex = "index.html"; Getopt::Long::Configure("no_ignore_case"); GetOptions("dest=s" => \$destdir, "type=s" => \$type, "verbose|v+" => \$verbose, "force!" => \$force, "version|V" => \$showver, "help" => \$showhelp); if ($showver) { print <<EOT; Unsquid version 0.2 Copyright (C) 2000 Avatar <avatar\@deva.net>. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, to the extent permitted by law. EOT exit; } if ($#ARGV < 0 or $showhelp) { print $help; exit; } if ($force and $< == 0) { die "$0: root is not allowed to use the force option"; } for (@ARGV) { my ($url, $urllen); # read 4 bytes from offset 56 as the length of the url open(INFILE, "<$_") or die "$0: cannot open file $_ for reading: $!"; seek(INFILE, 56, SEEK_SET) or die "$0: cannot seek 56 bytes: $!"; read(INFILE, $urllen, 4) or die "$0: cannot read 4 bytes: $!"; $urllen = ord($urllen) - 1; # kill the last NUL # read the url read(INFILE, $url, $urllen); # expand index urls $url =~ s-/$-/$defaultindex-m; # scan the contents my ($seenheader); while (<INFILE>) { if ($seenheader) { print OUTFILE; next; } # if type is specified, do matching if (/^Content-Type: /i and defined $type) { m-[^:]*: (\w+/\w+)-; last if $1 !~ /$type/; next; } # at this point we must have matched the type if (/^\r$/) { $seenheader = 1; makedir($url); if (! defined $force and -e "$destdir/$url") { warn "$0: file $destdir/$url exists, skipped"; last; } open(OUTFILE, ">$destdir/$url") or die "$0: cannot open file $destdir/$url for writing: $!"; print "$url\n" if $verbose; } } close(INFILE); close(OUTFILE); } sub makedir { my ($basename) = @_; my $path = $destdir; if (! -d $destdir) { warn "$0: destination directory $destdir does not exist, making it"; mkdir $destdir, 0777 or die "$0: cannot mkdir $destdir: $!"; } while( $basename =~ m-^([^/]*)/- ) { $path .= "/".$1; if (! -d $path) { if (! mkdir $path, 0777) { if (-f $path) { # move the file in open FILE, $path or die "$0: cannot open $path for reading: $!"; undef $/; my $buf = <FILE>; $/ = "\n"; close FILE; unlink $path; mkdir $path, 0777 or die "$0: cannot make directory $path: $!"; open FILE, ">$path-redirect" or die "$0: cannot open $path/$defaultindex for writing: $!"; print FILE $buf; close FILE; } else { die "d$0: cannot mkdir $path: $!"; } } } $basename = $'; } } -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
