Hello community,

here is the log from the commit of package squid.1977 for openSUSE:12.2:Update checked in at 2013-09-13 09:22:40

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/squid.1977 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.squid.1977.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "squid.1977"

Changes:
--------
New Changes file:

--- /dev/null	2013-07-23 23:44:04.804033756 +0200
+++ /work/SRC/openSUSE:12.2:Update/.squid.1977.new/squid.changes	2013-09-13 09:22:41.000000000 +0200
@@ -0,0 +1,1629 @@ +------------------------------------------------------------------- +Thu Aug 22 14:04:31 CEST 2013 - draht@suse.de + +- squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff + Squid advisory SQUID-2013_2, CVE-2013-4115, [bnc#829084] + Specially crafted http requests can trigger a buffer overflow + when squid attempts to resolve an overly long hostname. +- squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff + memory leak in cachemgr.cgi known as CVE-2013-0189, which is the + underfixed CVE-2012-5643 problem. [bnc#796999] [bnc#794954] +- run logrotate as squid:nogroup [bnc#677335] + +------------------------------------------------------------------- +Wed Feb 15 16:02:51 UTC 2012 - chris@computersalat.de + +- run suse_update_config only on suse_version < 1220 + +------------------------------------------------------------------- +Fri Dec 2 10:01:19 UTC 2011 - chris@computersalat.de + +- fix ip_wccp.c + * update to current online version +- add upstream patches + * 12711 - Correct parsing of large gopher indexes + * 12714 - Fix various harmless warnings detected by gcc 4.6 + +------------------------------------------------------------------- +Thu Dec 1 17:00:11 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Wed May 25 03:46:39 UTC 2011 - crrodriguez@opensuse.org + +- Supress timestamps from binaries, breaks build-compare. 
+ +------------------------------------------------------------------- +Sat Feb 19 11:45:53 UTC 2011 - chris@computersalat.de + +- update to 2.7.STABLE9 + - 2.7.STABLE8 failed to compile with OpenSSL 0.9.8 on some systems + - failure to detect certain system libraries on some systems + resulting in compilation errors +- Changes to squid-2.7.STABLE8 (10 March 2010) + - Bug #2458: reply_body_max_size incorrectly documented + - Bug #2858: Segment violation in HTCP + - Bug #2773: Segfault in RFC2069 Digest authantication + - 64-bit filesize issue in squidclient if trying to post a file > 2GB + - Improve %nn parser to better deal with certain odd %nn sequences + - Segmentation fault if failed to open cache.log + - Bug #2819: const correctness errors in dns_internal.c + - Handle DNS header-only packets as invalid. (CVE-2010-0308) + - Windows port: Updated mswin_ad_group native helper to version 2.1 + - Cosmetic change to keep GCC happy + - Bug #2678 - storeurl_rewrite does not play nicely with vary + - Bug #2861 - only-if-cached request blocks if it collapsed into + another request + - Use libcap functions instead of raw kernel interface + - No need to sync the store on -k rotate, but instead it needs to be + done in reconfigure + - const correctness in OpenSSL initialization + - Rework the http digest auth parser +- Changes to squid-2.7.STABLE7 (17 September 2009) + - Bug #2661 - Solaris /dev/poll support broken with EINVAL + - Clarify external_acl_type %{Header} documentation slightly + - Bug #2482: Remove mem_obj->old_entry in async code to avoid deep ctx + errors + - GCC-4.x cleanups + - Bug #2605: Don't call setsid() on helper childs when running in + daemon mode + - Windows port: Fix PSAPI.DLL usage, is always available on Windows NT + and later + - Windows port: Added support for Windows 7, Windows Server 2008 R2 + and later + - Bug #2602: increase MAX_URL to 8192 + - The debug mode option '-d' was not documented in LDAP helpers usage + message + - Windows port: 
Added a note about installation on Windows Vista and + later + - Bug #2642: Remove duplicate peerMonitorInit() on reconfigure + - Bug #2515: Final chunk parsing errors on FreeBSD6+ + - Bug #2647: Reprioritise override-* and stale-while-revalidate + - Windows port: Fix improper access permissions to registry and DNS + parsing from registry + - Windows port: Fix getservbyname() usage abuse. + - Bug #2672: cacheMemMaxSize 32-bit overflow during snmpwalk + - Bug #2691: store_url memory leak + - Accept PUT/POST requests without an entity-body + - Plug request_t + HttpStateData memory leak on PUT/POST requests with + early response + - Bug #2710: squid_kerb_auth non-terminated string + - Bug #2369: squid traffic counter 32-bit overflow + - Bug #2080: wbinfo_group.pl - false positive under certain conditions + - Bug #2739: DNS resolver option ndots can't be parsed from + resolv.conf + - Windows port: fix mswin_negotiate_auth.exe crash when executing a + LocalCall authentication with verbose deBug #enabled + - Add 0.0.0.0 as an to_localhost address + - Windows port: Update mswin_check_ad_group to version 2.0 + - Windows port: There is no "-P" command line option into + mswin_check_ad_group helper. 
+ - Correct Valgrind mempool protection + - Bug #2451: Correct length handling on 304 responses + - Bug #2541: Hang in 100% CPU loop while extacting header details + using a delimiter other than comma (external_acl_type, + access_log_format, external_refresh_check) + - Bug #2768 - squid_ldap_group -K argument parsing error +- removed old upstream patches: 12466, 12480 - 12497 +- added new upstream patch: 12697 +- cleanup spec + +------------------------------------------------------------------- +Tue Nov 3 19:09:46 UTC 2009 - coolo@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Tue Aug 11 12:18:57 UTC 2009 - chris@computersalat.de + +- update to 2.7.STABLE6 + * Bug #2494: Fix tproxy url in configure + * Correct latency measurements + * Correct upgrade_http0.9 example + * Correct parsing of invalid http version numbers + * Crossreference authenticate_ip_shortcircuit_access and + * authenticate_ip_shortcircuit_ttl + * Add in some better documentation for override-expire. 
+- added upstream patches + o 12466, 12480-12495, 12497 + o disabled 12488.patch (can not patch not existing file) + +------------------------------------------------------------------- +Mon Oct 27 18:04:31 CET 2008 - kssingvo@suse.de + +- update to 2.7.STABLE5, which is a bugfix version only: + * Don't set expires: now in generated error responses + * Old headers still returned after a cache validation + * swap.state permission issues if crashing during "squid -k + reconfigure" + * Limit stale-if-error to 500-504 responses + * Increase negotiate auth token buffer size + * add upgrade_http0.9 option making it possible to disable + upgrade of HTTP/0.9 responses + * assertion failed: sc->new_callback == NULL at store_client.c:190 + * Shut down store url rewrite helpers on squid -k reconfigure + * configuration file contains non-ASCII characters + For complete list of changes see: + http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE5.html +- removed obsolete, already in upstream version patches + +------------------------------------------------------------------- +Thu Oct 2 14:21:07 CEST 2008 - kssingvo@suse.de + +- bugfix if user is in many kerberos groups (12380.patch) + +------------------------------------------------------------------- +Thu Sep 25 16:56:29 CEST 2008 - kssingvo@suse.de + +- added a few official patches: + * HTTP/0.9: making it possible to disable upgrade of HTTP/0.9 + responses + * assertion failed: sc->new_callback == NULL at store_client.c:190 + * foreground rebuild should do all of the rebuilding before Squid + accepts + * Shut down store url rewrite helpers on squid -k reconfigure + * configuration file contains non-ASCII characters + +------------------------------------------------------------------- +Wed Aug 20 14:38:42 CEST 2008 - kssingvo@suse.de + +- update to 2.7.STABLE4: + * DNS retransmit queue could get hold up + * assertion failed: forward.c:529: "fs" + * assertion failed: forward.c:110: "!EBIT_TEST(e->flags, + 
ENTRY_FWD_HDR_WAIT)" + * Workaround for Linux-2.6.24 & 2.6.25 netfiler_ipv4.h include + header __u32 problem + * Make dns_nameserver work when using --disable-internal-dns on + glibc based systems + * Handle aborted objects properly. The change in 2.7.STABLE3 + triggered a number of issues. + * access.log logs rewritten URL and strip_query_terms ineffective + For full list of changes see: + http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE4.html +- added cron to Requires: as rpmlint complains on this + +------------------------------------------------------------------- +Sun Aug 17 09:08:16 CEST 2008 - aj@suse.de + +- Fix init scripts. + +------------------------------------------------------------------- +Wed Jul 2 17:26:29 CEST 2008 - kssingvo@suse.de + +- update to 2.7.STABLE3: + major changes from 2.6 to 2.7: + * HTTP/1.1 support ++++ 1432 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.squid.1977.new/squid.changes New: ---- 12697.patch 12711.patch 12714.patch CompleteFaq.html README.SuSE contrib-2.4.STABLE6.tar.bz2 ip_wccp.c pam.squid rc.squid squid-2.6.STABLE19-64bit.patch squid-2.6.STABLE2-ldflags.patch squid-2.7.STABLE3-config.patch squid-2.7.STABLE9-RELEASENOTES.html squid-2.7.STABLE9.tar.bz2 squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff squid.changes squid.logrotate squid.spec squid.sysconfig squid_ie_blocker.txt squid_ldapauth-1.3.dif squid_ldapauth-1.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squid.spec ++++++ # # spec file for package squid # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
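Review bot: the Aug 22 2013 entry describes the cachemgr.cgi fix as CVE-2013-0189 ("the underfixed CVE-2012-5643 problem") while the patch it introduces, and the Patch104 line in squid.spec, are named squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff; one of the two identifiers is wrong, and a CVE-keyed search of either the changelog or the source tree will miss this update, so align them before release. Second, squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff is listed under New: and wired in as Patch105, but its content is not part of this log, so the claimed fix for the overly long hostname overflow cannot be reviewed here; the entry should at least say which file or function it touches.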
# The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needsrootforbuild


%define squid_ldapauth_version 1.3
%define squidconfdir /etc/squid
Name:           squid
Summary:        Squid WWW proxy server
License:        GPL-2.0+
Group:          Productivity/Networking/Web/Proxy
Version:        2.7.STABLE9
Release:        0
Url:            http://www.squid-cache.org
Source:         http://www.squid-cache.org/Versions/v2/2.7/squid-%{version}.tar.bz2
Source1:        squid_ldapauth-%{squid_ldapauth_version}.tar.bz2
Source2:        rc.squid
Source4:        README.SuSE
Source5:        pam.squid
Source6:        squid.logrotate
Source7:        squid-%{version}-RELEASENOTES.html
Source8:        contrib-2.4.STABLE6.tar.bz2
# OBSOLETE: Create with: wget --cut-dirs=1 -nH -m -k -r -I/Doc/FAQ/ http://www.squid-cache.org/Doc/FAQ/
# FAQ is now changed into a wiki.
# The complete FAQ can be found at:
# http://wiki.squid-cache.org/SquidFaq/CompleteFaq
Source10:       CompleteFaq.html
# Source: http://gaugusch.at/squid.shtml
Source11:       squid_ie_blocker.txt
Source12:       http://www.squid-cache.org/WCCP-support/Linux/ip_wccp.c
Source13:       squid.sysconfig
# PATCH-UPSTREAM - Bug #2973: memory leak on malformed requests
Patch0:         http://www.squid-cache.org/Versions/v2/2.7/changesets/12697.patch
# PATCH-UPSTREAM - Correct parsing of large gopher indexes
Patch1:         http://www.squid-cache.org/Versions/v2/2.7/changesets/12711.patch
# PATCH-UPSTREAM - Fix various harmless warnings detected by gcc 4.6
Patch2:         http://www.squid-cache.org/Versions/v2/2.7/changesets/12714.patch
Patch100:       squid-2.7.STABLE3-config.patch
Patch101:       squid_ldapauth-%{squid_ldapauth_version}.dif
Patch102:       %{name}-2.6.STABLE19-64bit.patch
Patch103:       %{name}-2.6.STABLE2-ldflags.patch
Patch104:       squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff
Patch105:       squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
PreReq:         /usr/sbin/useradd, %insserv_prereq, %fillup_prereq
BuildRequires:  automake
BuildRequires:  db-devel
BuildRequires:  openldap2-devel
BuildRequires:  opensp-devel
BuildRequires:  pam-devel
BuildRequires:  samba
BuildRequires:  sgmltool
BuildRequires:  sharutils
%ifarch %ix86 x86_64 ppc ppc64
BuildRequires:  valgrind
BuildRequires:  valgrind-devel
%endif
Conflicts:      squid-beta squid2 squid23
Requires:       cron
Requires:       logrotate
Provides:       http_proxy

%description
The stable version of the Squid WWW Proxy Server.

Home page: http://www.squid-cache.org

%prep
%setup -n squid-%{version} -a 1 -a 8
#(cd auth_modules
#tar xzf %{S:21}
#rm -r MSNT
#mv msntauth-v2.0.3-squid.1 MSNT
#)
%patch0 -p1
%patch1 -p1
%patch2 -p1
#%patch3 -p1
#%patch4 -p1
#%patch5 -p1
#%patch6 -p1
#%patch7 -p1
#%patch8 -p1
#%patch9 -p1
#%patch10 -p1
#%patch11 -p1
#%patch12 -p1
#%patch13 -p1
#%patch14 -p1
#%patch15 -p1
#%patch16 -p1
#%patch17 -p1
#%patch18 -p1
#%patch19 -p1
####
%patch100 -p1
perl -pi -e 's%^#!/usr/local/bin/perl%#!/usr/bin/perl%g' `find -name "*.pl"`
(cd squid_ldapauth*
%patch101
)
%patch102 -p1
%patch103 -p1
%patch104 -p0
%patch105 -p0

%build
modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
TIME="\"$(date -d "${modified}" "+%%R")\""
find . -type f -regex ".*\.c\|.*\.cpp\|.*\.h" -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
%if 0%{?suse_version} < 1220
%{?suse_update_config:%{suse_update_config}}
%endif
export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing"
export CFLAGS="$RPM_OPT_FLAGS"
export LDFLAGS="-pie"
aclocal
touch NEWS AUTHORS
automake
autoconf
./configure --prefix=/usr \
	--sysconfdir=%{squidconfdir} \
	--bindir=/usr/sbin \
	--sbindir=/usr/sbin \
	--localstatedir=/var \
	--libexecdir=/usr/sbin \
	--datadir=/usr/share/squid \
	--mandir=%{_mandir} \
	--with-dl \
	--with-maxfd=4096 \
%ifarch %ix86 x86_64 ppc ppc64
	--with-valgrind-debug \
%endif
	--enable-snmp \
	--enable-carp \
	--enable-useragent-log \
	--enable-auth="basic digest negotiate ntlm" \
	--enable-basic-auth-helpers="LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM" \
	--enable-ntlm-auth-helpers="SMB fakeauth no_check" \
	--enable-digest-auth-helpers="ldap password" \
	--enable-external-acl-helpers="ip_user ldap_group session unix_group wbinfo_group" \
	--enable-ntlm-fail-open \
	--enable-referer-log \
	--enable-arp-acl \
	--enable-htcp \
	--enable-underscores \
	--enable-stacktraces \
	--enable-delay-pools \
	--enable-forward-log \
	--enable-multicast-miss \
	--enable-ssl \
	--enable-cache-digests \
	--enable-auth-on-acceleration \
	--enable-storeio="aufs,coss,diskd,null,ufs" \
	--enable-linux-netfilter \
	--enable-removal-policies="heap,lru" \
	--enable-icmp \
	--with-samba-sources=/usr/include/samba \
	--enable-large-cache-files \
	--enable-x-accelerator-vary \
	--enable-follow-x-forwarded-for
make DEFAULT_SWAP_DIR=/var/cache/squid \
	DEFAULT_LOG_PREFIX=/var/log/squid \
	DEFAULT_PID_FILE=/var/run/squid.pid \
	SAMBAPREFIX=/usr
make -C squid_ldapauth-%{squid_ldapauth_version}
mkdir FAQ
cp -p %{S:10} FAQ

%install
mkdir -p $RPM_BUILD_ROOT/var/{cache,log}/squid
mkdir -p $RPM_BUILD_ROOT/usr/sbin
make install DESTDIR=$RPM_BUILD_ROOT SAMBAPREFIX=/usr
mv $RPM_BUILD_ROOT{/etc/squid/,/usr/share/squid/}mime.conf.default
mv $RPM_BUILD_ROOT{/etc/squid/,/usr/share/squid/}msntauth.conf.default
cp $RPM_BUILD_ROOT{/etc/squid/,/usr/share/squid/}msntauth.conf
ln -s /etc/squid/mime.conf $RPM_BUILD_ROOT/usr/share/squid # backward compatible
install -d -m 755 $RPM_BUILD_ROOT/etc/logrotate.d
install -m 644 %{S:6} $RPM_BUILD_ROOT/etc/logrotate.d/squid
install -d %{buildroot}%{_mandir}/man8/
install -m 644 doc/squid.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
install -m 644 helpers/basic_auth/LDAP/squid_ldap_auth.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
install -m 644 helpers/basic_auth/PAM/pam_auth.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
install -m 644 helpers/external_acl/ldap_group/squid_ldap_group.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
gzip -9 $RPM_BUILD_ROOT/%{_mandir}/man8/*.8
install -D %{S:2} $RPM_BUILD_ROOT/etc/init.d/squid
ln -sf /etc/init.d/squid $RPM_BUILD_ROOT/usr/sbin/rcsquid
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
cat > doc/scripts/cachemgr.readme <<-EOT
cachemgr.cgi will now be found in %{_libdir}/squid
EOT
install -d -m 755 $RPM_BUILD_ROOT/%{_libdir}/squid
mv $RPM_BUILD_ROOT/usr/sbin/cachemgr.cgi $RPM_BUILD_ROOT/%{_libdir}/squid
#nothing for squid-2.5.STABLE1:
install -d -m 755 doc/contrib
install contrib/*.pl doc/contrib
#rm doc/Programming-Guide/Makefile
install -m 644 %{S:7} doc
install -m 644 %{S:4} .
install -m 644 %{S:11} doc/contrib
install -m 644 %{S:12} doc/contrib
install -D -m 644 %{S:5} $RPM_BUILD_ROOT/etc/pam.d/squid
pushd squid_ldapauth-%{squid_ldapauth_version}
install -m 750 squid_ldapauth $RPM_BUILD_ROOT/usr/sbin/
cp README ../README.squid_ldapauth
cp CREDITS ../CREDITS.squid_ldapauth
cp squid_ldapauth.conf ..
popd
cp -a helpers/external_acl/ip_user/README README.ip_user
rm %{buildroot}/usr/sbin/Run*
install -d -m 755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{S:13} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.squid
rm -f $RPM_BUILD_ROOT/etc/squid/squid.conf.default
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_auth.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid_ldap_auth.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid_ldap_group.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid_unix_group.8

%clean
rm -rf $RPM_BUILD_ROOT

%pre
/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" -d /var/cache/squid squid 2> /dev/null || :

%post
%{fillup_and_insserv squid}

%preun
%stop_on_removal squid

%postun
%restart_on_update squid
%{insserv_cleanup}

%verifyscript

%files
%defattr(-,root,root)
%attr(750,squid,root) %dir /var/cache/squid
%attr(750,squid,root) %dir /var/log/squid
%dir %{squidconfdir}
%config(noreplace) %{squidconfdir}/squid.conf
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) /etc/logrotate.d/squid
%config(noreplace) %{squidconfdir}/mime.conf
%config(noreplace) %{squidconfdir}/msntauth.conf
%config /etc/pam.d/squid
%config /etc/init.d/squid
%dir /usr/share/squid
/usr/share/squid/errors
/usr/share/squid/icons
%config /usr/share/squid/mib.txt
/usr/share/squid/mime.conf
/usr/share/squid/mime.conf.default
/usr/share/squid/msntauth.conf
/usr/share/squid/msntauth.conf.default
/usr/sbin/cossdump
/usr/sbin/digest_ldap_auth
/usr/sbin/digest_pw_auth
/usr/sbin/diskd-daemon
/usr/sbin/fakeauth_auth
/usr/sbin/getpwname_auth
/usr/sbin/ip_user_check
%attr(750,squid,root) /usr/sbin/squid_ldapauth
/usr/sbin/logfile-daemon
/usr/sbin/msnt_auth
/usr/sbin/ncsa_auth
/usr/sbin/no_check.pl
/usr/sbin/ntlm_auth
%verify(not mode) %attr(4755,root,shadow)/usr/sbin/pam_auth
/usr/sbin/pinger
/usr/sbin/rcsquid
/usr/sbin/smb_auth
/usr/sbin/smb_auth.pl
/usr/sbin/smb_auth.sh
/usr/sbin/squid
/usr/sbin/squid_ldap_auth
/usr/sbin/squid_ldap_group
/usr/sbin/squid_session
/usr/sbin/squid_unix_group
/usr/sbin/squidclient
/usr/sbin/unlinkd
/usr/sbin/wbinfo_group.pl
/usr/sbin/yp_auth
/var/adm/fillup-templates/sysconfig.squid
%dir %{_libdir}/squid
%{_libdir}/squid/cachemgr.cgi
%doc %{_mandir}/man*/*
%doc CONTRIBUTORS COPYING COPYRIGHT CREDITS
%doc ChangeLog QUICKSTART README README.SuSE
#%doc doc/HTTP-codes.txt doc/draft-vixie-htcp-proto-04.txt
#%doc doc/Programming-Guide
%doc doc/scripts doc/contrib FAQ
%doc doc/debug-sections.txt src/squid.conf.default
%doc README.squid_ldapauth CREDITS.squid_ldapauth
%doc squid_ldapauth.conf doc/%{name}-%{version}-RELEASENOTES.html
%doc README.ip_user

%changelog

++++++ 12697.patch ++++++
---------------------
PatchSet 12697
Date: 2010/07/13 19:43:08
Author: hno
Branch: SQUID_2_7
Tag: (none)
Log:
Bug 2973: memoryleak on maformed requests

Members:
	src/client_side.c:1.754.2.29->1.754.2.30

Index: squid/src/client_side.c
===================================================================
RCS file: /cvsroot/squid/squid/src/client_side.c,v
retrieving revision 1.754.2.29
retrieving revision 1.754.2.30
diff -u -r1.754.2.29 -r1.754.2.30
--- squid/src/client_side.c	14 Feb 2010 00:46:25 -0000	1.754.2.29
+++ squid/src/client_side.c	13 Jul 2010 19:43:08 -0000	1.754.2.30
@@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.754.2.29 2010/02/14 00:46:25 hno Exp $ + * $Id: client_side.c,v 1.754.2.30 2010/07/13 19:43:08 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -3063,6 +3063,7 @@ if (mb.size > 0) { comm_write_mbuf(http->conn->fd, mb, clientWriteComplete, http); } else { + memBufClean(&mb); storeClientCopy(http->sc, http->entry, http->out.offset, http->out.offset, ++++++ 12711.patch ++++++ --------------------- PatchSet 12711 Date: 2011/08/26 21:51:44 Author: hno Branch: SQUID_2_7 Tag: (none) Log: Correct parsing of large gopher indexes Members: src/gopher.c:1.181.2.1->1.181.2.2 Index: squid/src/gopher.c =================================================================== RCS file: /cvsroot/squid/squid/src/gopher.c,v retrieving revision 1.181.2.1 retrieving revision 1.181.2.2 diff -u -r1.181.2.1 -r1.181.2.2 --- squid/src/gopher.c 4 May 2008 23:23:13 -0000 1.181.2.1 +++ squid/src/gopher.c 26 Aug 2011 21:51:44 -0000 1.181.2.2 @@ -1,6 +1,6 @@ /* - * $Id: gopher.c,v 1.181.2.1 2008/05/04 23:23:13 hno Exp $ + * $Id: gopher.c,v 1.181.2.2 2011/08/26 21:51:44 hno Exp $ * * DEBUG: section 10 Gopher * AUTHOR: Harvest Derived @@ -314,8 +314,6 @@ gopherState->HTML_header_added = 1; return; } - inbuf[len] = '\0'; - if (!gopherState->HTML_header_added) { if (gopherState->conversion == HTML_CSO_RESULT) gopherHTMLHeader(entry, "CSO Search Result", NULL); 
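Review bot: in the client_side.c hunk at @@ -3063 the added memBufClean(&mb) is placed only on the else branch, which is right provided comm_write_mbuf() on the other branch takes over mb and frees it later; nothing in the hunk shows that, so put a one-line comment next to the memBufClean() call saying the buffer is owned by comm_write_mbuf() when mb.size > 0, otherwise the next reader will hoist the clean above the if and turn a leak fix into a use of freed memory. The log line "memoryleak on maformed requests" should also say which request shape leaves mb empty at this point, since that is the condition the fix depends on.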
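Review bot: in the gopher.c hunk at @@ -314 the removed `inbuf[len] = '\0';` stored a terminator at index len, one past the last of len input bytes, so if inbuf is exactly len bytes long this was an off-by-one write and its removal is a memory-safety fix, not just cleanup. Dropping it is safe only if nothing that follows treats inbuf as a C string; the rewritten loop in the next hunk uses memchr() and xmemcpy() with explicit lengths, which is consistent with that, but the changeset log ("Correct parsing of large gopher indexes") should say that the NUL store past the input was removed, so the reason for backporting it into an update is visible.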
@@ -325,66 +323,41 @@ gopherState->HTML_header_added = 1; gopherState->HTML_pre = 1; } - while ((pos != NULL) && (pos < inbuf + len)) { - + while (pos < inbuf + len) { + int llen; + int left = len - (pos - inbuf); + lpos = memchr(pos, '\n', left); + if (lpos) { + lpos++; /* Next line is after \n */ + llen = lpos - pos; + } else { + llen = left; + } + if (gopherState->len + llen >= TEMP_BUF_SIZE) { + debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n", + storeUrl(entry)); + llen = TEMP_BUF_SIZE - gopherState->len - 1; + } + if (!lpos) { + /* there is no complete line in inbuf */ + /* copy it to temp buffer */ + /* note: llen is adjusted above */ + xmemcpy(gopherState->buf + gopherState->len, pos, llen); + gopherState->len += llen; + break; + } if (gopherState->len != 0) { /* there is something left from last tx. */ - xstrncpy(line, gopherState->buf, gopherState->len + 1); - if (gopherState->len + len > TEMP_BUF_SIZE) { - debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n", - storeUrl(entry)); - len = TEMP_BUF_SIZE - gopherState->len; - } - lpos = (char *) memccpy(line + gopherState->len, inbuf, '\n', len); - if (lpos) - *lpos = '\0'; - else { - /* there is no complete line in inbuf */ - /* copy it to temp buffer */ - if (gopherState->len + len > TEMP_BUF_SIZE) { - debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n", - storeUrl(entry)); - len = TEMP_BUF_SIZE - gopherState->len; - } - xmemcpy(gopherState->buf + gopherState->len, inbuf, len); - gopherState->len += len; - return; - } - - /* skip one line */ - pos = (char *) memchr(pos, '\n', len); - if (pos) - pos++; - - /* we're done with the remain from last tx. 
*/ + xmemcpy(line, gopherState->buf, gopherState->len); + xmemcpy(line + gopherState->len, pos, llen); + llen += gopherState->len; gopherState->len = 0; - *(gopherState->buf) = '\0'; } else { - - lpos = (char *) memccpy(line, pos, '\n', len - (pos - inbuf)); - if (lpos) - *lpos = '\0'; - else { - /* there is no complete line in inbuf */ - /* copy it to temp buffer */ - if ((len - (pos - inbuf)) > TEMP_BUF_SIZE) { - debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n", - storeUrl(entry)); - len = TEMP_BUF_SIZE; - } - if (len > (pos - inbuf)) { - xmemcpy(gopherState->buf, pos, len - (pos - inbuf)); - gopherState->len = len - (pos - inbuf); - } - break; - } - - /* skip one line */ - pos = (char *) memchr(pos, '\n', len); - if (pos) - pos++; - + xmemcpy(line, pos, llen); } + line[llen + 1] = '\0'; + /* move input to next line */ + pos = lpos; /* at this point. We should have one line in buffer to process */ ++++++ 12714.patch ++++++ --------------------- PatchSet 12714 Date: 2011/08/26 22:01:25 Author: hno Branch: SQUID_2_7 Tag: (none) Log: Fix various harmless warnings detected by gcc 4.6 Members: helpers/external_acl/ldap_group/squid_ldap_group.c:1.14.6.5->1.14.6.6 helpers/ntlm_auth/fakeauth/fakeauth_auth.c:1.12->1.12.2.1 src/authenticate.c:1.51.6.2->1.51.6.3 src/client_side.c:1.754.2.30->1.754.2.31 src/forward.c:1.131.2.5->1.131.2.6 src/fqdncache.c:1.158->1.158.2.1 src/neighbors.c:1.319.2.8->1.319.2.9 src/auth/negotiate/auth_negotiate.c:1.12.2.1->1.12.2.2 src/auth/ntlm/auth_ntlm.c:1.42->1.42.2.1 Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c =================================================================== RCS file: /cvsroot/squid/squid/helpers/external_acl/ldap_group/squid_ldap_group.c,v retrieving revision 1.14.6.5 retrieving revision 1.14.6.6 diff -u -r1.14.6.5 -r1.14.6.6 --- squid/helpers/external_acl/ldap_group/squid_ldap_group.c 16 Sep 2009 20:56:32 -0000 1.14.6.5 +++ 
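Review bot: in the gopher.c hunk at @@ -325, `line[llen + 1] = '\0';` is off by one. After the xmemcpy() calls, line holds llen bytes at indexes 0..llen-1, so the terminator belongs at line[llen]; as written line[llen] keeps whatever the previous iteration left there and the store lands one slot further than needed. With the clamp `llen = TEMP_BUF_SIZE - gopherState->len - 1` followed by `llen += gopherState->len`, llen reaches TEMP_BUF_SIZE - 1 and the store hits line[TEMP_BUF_SIZE], one past the end if line is TEMP_BUF_SIZE bytes (its declaration is outside the hunk). Suggest `line[llen] = '\0';`. One more point: when the clamp fires and lpos is set, llen is shortened but pos still jumps to lpos, so the rest of the over-long line is discarded; that matches the "Lost some data" debug message, but a comment beside the clamp saying the tail is dropped on purpose would help the next reader.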
squid/helpers/external_acl/ldap_group/squid_ldap_group.c 26 Aug 2011 22:01:25 -0000 1.14.6.6 @@ -218,7 +218,6 @@ int use_extension_dn = 0; int strip_nt_domain = 0; int strip_kerberos_realm = 0; - int err = 0; setbuf(stdout, NULL); @@ -599,7 +598,6 @@ tryagain = 1; } } - err = 0; } if (ld) ldap_unbind(ld); Index: squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c =================================================================== RCS file: /cvsroot/squid/squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c,v retrieving revision 1.12 retrieving revision 1.12.2.1 diff -u -r1.12 -r1.12.2.1 --- squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 1 Apr 2007 14:17:46 -0000 1.12 +++ squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 26 Aug 2011 22:01:25 -0000 1.12.2.1 @@ -145,7 +145,6 @@ { static unsigned hash; int r; - char *d; int i; debug("ntlmMakeChallenge: flg %08x\n", flags); @@ -161,7 +160,6 @@ chal->hdr.type = WSWAP(NTLM_CHALLENGE); chal->unknown[6] = SSWAP(0x003a); - d = (char *) chal + 48; i = 0; if (authenticate_ntlm_domain != NULL) Index: squid/src/authenticate.c =================================================================== RCS file: /cvsroot/squid/squid/src/authenticate.c,v retrieving revision 1.51.6.2 retrieving revision 1.51.6.3 diff -u -r1.51.6.2 -r1.51.6.3 --- squid/src/authenticate.c 4 May 2008 23:23:13 -0000 1.51.6.2 +++ squid/src/authenticate.c 26 Aug 2011 22:01:26 -0000 1.51.6.3 @@ -1,6 +1,6 @@ /* - * $Id: authenticate.c,v 1.51.6.2 2008/05/04 23:23:13 hno Exp $ + * $Id: authenticate.c,v 1.51.6.3 2011/08/26 22:01:26 hno Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels @@ -333,7 +333,6 @@ { time_t delta = Config.authenticateIpShortcircuitTTL; auth_user_request_ip_hash_t *hash_entry; - auth_user_request_t *auth_user_request = NULL; if (!auth_user_request_ip_hash) return NULL; 
@@ -342,7 +341,6 @@ if (!hash_entry) return NULL; - auth_user_request = hash_entry->auth_user_request; if (hash_entry->last_seen + delta < squid_curtime) { authenticateAuthUserRequestUnlinkIp(ipaddr); return NULL; Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid/squid/src/client_side.c,v retrieving revision 1.754.2.30 retrieving revision 1.754.2.31 diff -u -r1.754.2.30 -r1.754.2.31 --- squid/src/client_side.c 13 Jul 2010 19:43:08 -0000 1.754.2.30 +++ squid/src/client_side.c 26 Aug 2011 22:01:26 -0000 1.754.2.31 @@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.754.2.30 2010/07/13 19:43:08 hno Exp $ + * $Id: client_side.c,v 1.754.2.31 2011/08/26 22:01:26 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -3675,7 +3675,6 @@ char *url = urlbuf; const char *req_hdr = NULL; http_version_t http_ver; - size_t header_sz; /* size of headers, not including first line */ size_t prefix_sz; /* size of whole request (req-line + headers) */ size_t req_sz; method_t method; @@ -3742,7 +3741,6 @@ */ /* XXX re-evaluate all of these values and use whats in hmsg instead! */ req_hdr = hmsg->buf + hmsg->r_len; - header_sz = hmsg->h_len; debug(33, 3) ("parseHttpRequest: req_hdr = {%s}\n", req_hdr); prefix_sz = req_sz; Index: squid/src/forward.c =================================================================== RCS file: /cvsroot/squid/squid/src/forward.c,v retrieving revision 1.131.2.5 retrieving revision 1.131.2.6 diff -u -r1.131.2.5 -r1.131.2.6 --- squid/src/forward.c 18 Jul 2008 00:47:48 -0000 1.131.2.5 +++ squid/src/forward.c 26 Aug 2011 22:01:26 -0000 1.131.2.6 @@ -1,6 +1,6 @@ /* - * $Id: forward.c,v 1.131.2.5 2008/07/18 00:47:48 hno Exp $ + * $Id: forward.c,v 1.131.2.6 2011/08/26 22:01:26 hno Exp $ * * DEBUG: section 17 Request Forwarding * AUTHOR: Duane Wessels 
@@ -59,7 +59,6 @@ static void fwdLogReplyStatus(int tries, http_status status); static OBJH fwdStats; static STABH fwdAbort; -static peer *fwdStateServerPeer(FwdState *); #define MAX_FWD_STATS_IDX 9 static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][HTTP_INVALID_HEADER + 1]; @@ -69,16 +68,6 @@ static Logfile *logfile = NULL; #endif -static peer * -fwdStateServerPeer(FwdState * fwdState) -{ - if (NULL == fwdState) - return NULL; - if (NULL == fwdState->servers) - return NULL; - return fwdState->servers->peer; -} - static void fwdServerFree(FwdServer * fs) { @@ -92,7 +81,6 @@ { StoreEntry *e = fwdState->entry; int sfd; - peer *p; debug(17, 3) ("fwdStateFree: %p\n", fwdState); assert(e->mem_obj); #if URL_CHECKSUM_DEBUG @@ -109,7 +97,6 @@ storeResetDefer(e); if (storePendingNClients(e) > 0) assert(!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)); - p = fwdStateServerPeer(fwdState); fwdServersFree(&fwdState->servers); requestUnlink(fwdState->request); fwdState->request = NULL; Index: squid/src/fqdncache.c =================================================================== RCS file: /cvsroot/squid/squid/src/fqdncache.c,v retrieving revision 1.158 retrieving revision 1.158.2.1 diff -u -r1.158 -r1.158.2.1 --- squid/src/fqdncache.c 13 Oct 2007 00:01:38 -0000 1.158 +++ squid/src/fqdncache.c 26 Aug 2011 22:01:27 -0000 1.158.2.1 @@ -1,6 +1,6 @@ /* - * $Id: fqdncache.c,v 1.158 2007/10/13 00:01:38 hno Exp $ + * $Id: fqdncache.c,v 1.158.2.1 2011/08/26 22:01:27 hno Exp $ * * DEBUG: section 35 FQDN Cache * AUTHOR: Harvest Derived 
@@ -333,12 +333,11 @@ fqdncacheHandleReply(void *data, rfc1035_rr * answers, int na, const char *error_message) #endif { - int n; generic_cbdata *c = data; fqdncache_entry *f = c->data; cbdataFree(c); c = NULL; - n = ++FqdncacheStats.replies; + FqdncacheStats.replies += 1; statHistCount(&statCounter.dns.svc_time, tvSubMsec(f->request_time, current_time)); #if USE_DNSSERVERS Index: squid/src/neighbors.c =================================================================== RCS file: /cvsroot/squid/squid/src/neighbors.c,v retrieving revision 1.319.2.8 retrieving revision 1.319.2.9 diff -u -r1.319.2.8 -r1.319.2.9 --- squid/src/neighbors.c 27 Jun 2008 21:52:56 -0000 1.319.2.8 +++ squid/src/neighbors.c 26 Aug 2011 22:01:27 -0000 1.319.2.9 @@ -1,6 +1,6 @@ /* - * $Id: neighbors.c,v 1.319.2.8 2008/06/27 21:52:56 hno Exp $ + * $Id: neighbors.c,v 1.319.2.9 2011/08/26 22:01:27 hno Exp $ * * DEBUG: section 15 Neighbor Routines * AUTHOR: Harvest Derived @@ -642,7 +642,6 @@ { peer *best_p = NULL; #if USE_CACHE_DIGESTS - const cache_key *key; int best_rtt = 0; int choice_count = 0; int ichoice_count = 0; @@ -651,7 +650,6 @@ int i; if (!request->flags.hierarchical) return NULL; - key = storeKeyPublicByRequest(request); for (i = 0, p = first_ping; i++ < Config.npeers; p = p->next) { lookup_t lookup; if (!p) Index: squid/src/auth/negotiate/auth_negotiate.c =================================================================== RCS file: /cvsroot/squid/squid/src/auth/negotiate/auth_negotiate.c,v retrieving revision 1.12.2.1 retrieving revision 1.12.2.2 diff -u -r1.12.2.1 -r1.12.2.2 --- squid/src/auth/negotiate/auth_negotiate.c 28 Sep 2008 22:44:36 -0000 1.12.2.1 +++ squid/src/auth/negotiate/auth_negotiate.c 26 Aug 2011 22:01:27 -0000 1.12.2.2 @@ -1,6 +1,6 @@ /* - * $Id: auth_negotiate.c,v 1.12.2.1 2008/09/28 22:44:36 hno Exp $ + * $Id: auth_negotiate.c,v 1.12.2.2 2011/08/26 22:01:27 hno Exp $ * * DEBUG: section 29 Negotiate Authenticator * AUTHOR: Robert Collins 
@@ -701,14 +701,12 @@ const char *proxy_auth, *blob; auth_user_t *auth_user; negotiate_request_t *negotiate_request; - negotiate_user_t *negotiate_user; auth_user = auth_user_request->auth_user; assert(auth_user); assert(auth_user->auth_type == AUTH_NEGOTIATE); assert(auth_user->scheme_data != NULL); assert(auth_user_request->scheme_data != NULL); - negotiate_user = auth_user->scheme_data; negotiate_request = auth_user_request->scheme_data; /* Check that we are in the client side, where we can generate * auth challenges */ Index: squid/src/auth/ntlm/auth_ntlm.c =================================================================== RCS file: /cvsroot/squid/squid/src/auth/ntlm/auth_ntlm.c,v retrieving revision 1.42 retrieving revision 1.42.2.1 diff -u -r1.42 -r1.42.2.1 --- squid/src/auth/ntlm/auth_ntlm.c 28 Aug 2007 22:39:10 -0000 1.42 +++ squid/src/auth/ntlm/auth_ntlm.c 26 Aug 2011 22:01:28 -0000 1.42.2.1 @@ -1,6 +1,6 @@ /* - * $Id: auth_ntlm.c,v 1.42 2007/08/28 22:39:10 hno Exp $ + * $Id: auth_ntlm.c,v 1.42.2.1 2011/08/26 22:01:28 hno Exp $ * * DEBUG: section 29 NTLM Authenticator * AUTHOR: Robert Collins 
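Review bot: in the auth_negotiate.c @@ -701 hunk, the unused `negotiate_user` pointer goes away but `assert(auth_user->scheme_data != NULL)` stays, so the invariant the removed assignment implicitly depended on is still enforced and `negotiate_request` is still taken from `auth_user_request->scheme_data`; no behaviour change, fine as a warning fix.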
@@ -657,14 +657,12 @@ const char *proxy_auth, *blob; auth_user_t *auth_user; ntlm_request_t *ntlm_request; - ntlm_user_t *ntlm_user; auth_user = auth_user_request->auth_user; assert(auth_user); assert(auth_user->auth_type == AUTH_NTLM); assert(auth_user->scheme_data != NULL); assert(auth_user_request->scheme_data != NULL); - ntlm_user = auth_user->scheme_data; ntlm_request = auth_user_request->scheme_data; /* Check that we are in the client side, where we can generate * auth challenges */
++++++ CompleteFaq.html ++++++
++++ 3563 lines (skipped)
++++++ README.SuSE ++++++
This is Squid Version 2, a greatly enhanced new version of the well known Squid proxy.

New features (included in the precompiled binaries) include:

* SNMP Support
* Support for the new HTCP (Hypertext Transfer Cache Protocol)
* Support for delay pools (bandwidth usage restrictions)
* New Redirector interface
* External cache user authentication
* better performance for large caches

Not included is support for cache digests, as digests cannot be disabled at runtime and may interfere with some Proxy setups.

The directory /usr/share/doc/packages/squid/errors contains error messages in different languages. Simply copy the desired language files to /usr/share/squid/errors! The default installation is English.

Important changes since Squid 2.2:

Domain name matching: The function which checks for a match between a hostname and a domain name has been rewritten, and its behavior is now slightly different. Previously, the domain ``com'' would match the hostname ``foo.com'', but this is no longer the case. Now you must write ``.com'' to match ``foo.com''.

Removed dnsservers: In this version, DNS lookups are done by the main Squid process by default.

Truncate vs unlink: In version 2.2 Squid truncated disk files (by default) instead of unlinking them. This caused some installations to run out of inodes on the cache disks.
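Returning to the "Domain name matching" note in README.SuSE above: the C function below is an added illustration of the rule as stated there, not Squid's own matchDomainName(). It treats a leading dot as "this domain and every host below it", and a domain without the dot as an exact, case-insensitive match only, so `com` no longer matches `foo.com`; `domain_matches` and `suffix_matches_ci` are names chosen here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive check that the last dl bytes of h (length hl) equal d. */
static int suffix_matches_ci(const char *h, size_t hl, const char *d, size_t dl)
{
    size_t i;
    if (dl > hl)
        return 0;
    h += hl - dl;
    for (i = 0; i < dl; i++)
        if (tolower((unsigned char)h[i]) != tolower((unsigned char)d[i]))
            return 0;
    return 1;
}

/*
 * Illustrative domain/hostname match implementing the README rule
 * (hypothetical helper, not Squid's matchDomainName):
 *   - "foo.com"  matches only the host foo.com (exact, case-insensitive);
 *   - ".com"     matches com itself and any host ending in ".com".
 * Leading dots on the hostname are ignored so that "..foo.com" cannot be
 * used to sidestep an exact-match rule. Returns 1 on match, 0 otherwise.
 */
int domain_matches(const char *host, const char *domain)
{
    size_t hl, dl;

    while (*host == '.')            /* normalise "..foo.com" -> "foo.com" */
        host++;
    hl = strlen(host);
    dl = strlen(domain);
    if (hl == 0 || dl == 0)
        return 0;

    if (domain[0] != '.') {
        /* No leading dot: exact match only. "com" does not match "foo.com". */
        return hl == dl && suffix_matches_ci(host, hl, domain, dl);
    }

    /* Leading dot: ".com" matches the bare domain "com" ... */
    if (hl == dl - 1 && suffix_matches_ci(host, hl, domain + 1, dl - 1))
        return 1;
    /* ... and any host whose name ends in ".com" (but not "foocom"). */
    return suffix_matches_ci(host, hl, domain, dl);
}
```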
Even though truncate makes Squid a bit faster, we have made the default to use unlink again.

Look at http://www.squid-cache.org/Versions/v2/2.4/ for a full description.

Have fun!
++++++ ip_wccp.c ++++++
/*
 * $Id: ip_wccp.c,v 1.7 2005/01/07 17:26:33 hno Exp $
 *
 * Maintainer:
 *      Henrik Nordstrom <hno@squid-cache.org>
 *
 * Change log:
 *   2004-08-19 SONE Naoto
 *      Updated to support Linux 2.6.8
 *
 *   2004-02-17 Henrik Nordstrom <hno@squid-cache.org>
 *      Updated to linux-2.6.0
 *      WCCPv2 support
 *
 *   2003-10-20 Henrik Nordstrom <hno@squid-cache.org>
 *      Dropped support for old kernels. Linux-2.4 or later required
 *      Play well with Netfilter
 *
 *   2002-04-16 francis a. vidal <francisv@dagupan.com>
 *      Module license tag
 *
 *   2002-04-13 Henrik Nordstrom <hno@squid-cache.org>
 *      Updated to Linux-2.4
 *      - there no longer is a len argument to ip_wccp_recv
 *      - deal with fragmented skb packets
 *      - incremental checksumming to allow detection of corrupted
 *        packets
 *
 *   1999-09-30 Glenn Chisholm <glenn@ircache.net>
 *      Original release
 */

#include <linux/config.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/sched.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/in.h>
#include <linux/if_arp.h>
#include <linux/init.h>
#include <linux/inetdevice.h>
#include <linux/version.h>
#include <net/checksum.h>
#include <net/protocol.h>
#include <linux/netfilter_ipv4.h>
#include <net/ip.h>
#include <net/inet_ecn.h>

#define WCCP_PROTOCOL_TYPE 0x883E
#define WCCP_GRE_LEN sizeof(u32)
#define WCCP2_GRE_EXTRA sizeof(u32)

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
/* New License scheme */
#ifdef MODULE_LICENSE
MODULE_AUTHOR("Glenn Chisholm");
MODULE_DESCRIPTION("WCCP module");
MODULE_LICENSE("GPL");
#endif
#endif

/* Propagate a Congestion Experienced mark from the outer (GRE) IP header
 * to the decapsulated inner IP header. */
static inline void ip_wccp_ecn_decapsulate(struct iphdr *outer_iph, struct sk_buff *skb)
{
	struct iphdr *inner_iph = skb->nh.iph;
	if (INET_ECN_is_ce(outer_iph->tos))
		IP_ECN_set_ce(inner_iph);
}

/* Receive handler for IPPROTO_GRE: accept only the WCCP protocol type,
 * strip the GRE (v1) or GRE + WCCP2 (v2) header and re-inject the inner
 * IPv4 packet. Anything too short or with another protocol type is dropped. */
int ip_wccp_rcv(struct sk_buff *skb)
{
	u32 *gre_hdr;
	struct iphdr *iph;

	if (!pskb_may_pull(skb, 16))
		goto drop;
	iph = skb->nh.iph;
	gre_hdr = (u32 *)skb->h.raw;
	if(*gre_hdr != __constant_htonl(WCCP_PROTOCOL_TYPE))
		goto drop;
	skb->mac.raw = skb->nh.raw;
	/* WCCP2 puts an extra 4 octets into the header, but uses the same
	 * encapsulation type; if it looks as if the first octet of the packet
	 * isn't the beginning of an IPv4 header, assume it's WCCP2.
	 * This should be safe as these bits are reserved in the WCCPv2 header
	 * and always zero in WCCPv2.
	 */
	if ((skb->h.raw[WCCP_GRE_LEN] & 0xF0) != 0x40) {
		skb->nh.raw = pskb_pull(skb, WCCP_GRE_LEN + WCCP2_GRE_EXTRA);
	} else {
		skb->nh.raw = pskb_pull(skb, WCCP_GRE_LEN);
	}
	if (skb->len <= 0)
		goto drop;
	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
	skb->protocol = __constant_htons(ETH_P_IP);
	skb->pkt_type = PACKET_HOST;
	dst_release(skb->dst);
	skb->dst = NULL;
#ifdef CONFIG_NETFILTER
	nf_conntrack_put(skb->nfct);
	skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
	skb->nf_debug = 0;
#endif
#endif
	ip_wccp_ecn_decapsulate(iph, skb);
	netif_rx(skb);
	return(0);

drop:
	kfree_skb(skb);
	return(0);
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8)
static struct net_protocol ipwccp_protocol = {
#else
static struct inet_protocol ipwccp_protocol = {
#endif
	.handler = ip_wccp_rcv
};

static inline void wccp_add_protocol(void)
{
	inet_add_protocol(&ipwccp_protocol, IPPROTO_GRE);
}

static inline int wccp_del_protocol(void)
{
	return inet_del_protocol(&ipwccp_protocol, IPPROTO_GRE);
}
#else
static struct inet_protocol ipwccp_protocol = {
	ip_wccp_rcv,
	NULL,
	0,
	IPPROTO_GRE,
	0,
	NULL,
	"GRE"
};

static inline void wccp_add_protocol(void)
{
	inet_add_protocol(&ipwccp_protocol);
}

static inline int wccp_del_protocol(void)
{
	return inet_del_protocol(&ipwccp_protocol);
}
#endif

int __init ip_wccp_init(void)
{
	printk(KERN_INFO "WCCP IPv4/GRE driver\n");
	wccp_add_protocol();
	return 0;
}

static void __exit ip_wccp_fini(void)
{
	if (wccp_del_protocol() < 0)
		printk(KERN_INFO "ip_wccp: can't remove protocol\n");
	else
		printk(KERN_INFO "WCCP IPv4/GRE driver unloaded\n");
}

#ifdef MODULE
module_init(ip_wccp_init);
#endif
module_exit(ip_wccp_fini);
++++++ pam.squid ++++++
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
++++++ rc.squid ++++++
#! /bin/sh
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002 SuSE Linux AG
#
# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel <feedback@suse.de>
#
# init.d/squid
#
### BEGIN INIT INFO
# Provides:          squid
# Required-Start:    $local_fs $remote_fs $network $time
# Should-Start:      apache $named
# Required-Stop:     $local_fs $remote_fs $network
# Should-Stop:       $null
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Squid web cache
# Description:       Start the Squid web cache, providing
#                    HTTP, FTP and other proxy services
### END INIT INFO

SQUID_BIN=/usr/sbin/squid
SQUID_PID=/var/run/squid.pid
SQUID_CONF=/etc/squid/squid.conf
SQUID_SYSCONFIG=/etc/sysconfig/squid

if [ ! -x $SQUID_BIN ] ; then
    echo -n "WWW-proxy squid not installed ! "
    exit 5
fi

# check for squid
test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing";
    if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; }

# Read config
. $SQUID_SYSCONFIG

# handle a special update case for unpopulated sysconfig data
test -z "$SQUID_SHUTDOWN_TIMEOUT" && SQUID_SHUTDOWN_TIMEOUT="60"

. /etc/rc.status
RC_OPTIONS='-v'
rc_reset

ulimit -n 4096

# determine which one is the cache_swap directory
CACHE_SWAP=`perl -n -e \
    '/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "\$1 "' $SQUID_CONF`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/cache/squid

case "$1" in
    start)
        echo -n "Starting WWW-proxy squid "
        checkproc $SQUID_BIN
        if [ $? -eq 0 ] ; then
            echo -n "- Warning: squid already running ! "
            rc_failed
        else
            [ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! "
            for adir in $CACHE_SWAP ; do
                if [ ! -d $adir/00 ]; then
                    # create missing cache directories
                    umask 027   # prevent users reading any cache data
                    echo -n " ($adir)"
                    $SQUID_BIN -z -F > /dev/null 2>&1
                fi
                if [ ! -d $adir/00 ]; then
                    echo " - failed while creating cache_dir ! "
                    rc_failed
                    rc_status -v
                    rc_exit
                fi
            done
            sleep 2
        fi
        startproc -l /var/log/squid/rcsquid.log $SQUID_BIN -sYD
        rc_status $RC_OPTIONS
        ;;
    stop)
        echo -n "Shutting down WWW-proxy squid "
        if checkproc $SQUID_BIN ; then
            $SQUID_BIN -k shutdown
            sleep 2
            if [ -e $SQUID_PID ] ; then
                echo -n "- wait a minute or two... "
                i="$SQUID_SHUTDOWN_TIMEOUT"
                while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do
                    sleep 2
                    i=$[$i-1]
                    echo -n "."
                    [ $i -eq 41 ] && echo
                done
            fi
            if checkproc $SQUID_BIN ; then
                killproc -TERM $SQUID_BIN
                echo -n " Warning: squid killed !"
            fi
        else
            echo -n "- Warning: squid not running ! "
            rc_failed 7
        fi
        rc_status -v
        ;;
    try-restart)
        $0 status >/dev/null && $0 restart
        rc_status
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    force-reload)
        $0 reload
        rc_status
        ;;
    reload)
        echo -n "Reloading WWW-proxy squid "
        if checkproc $SQUID_BIN ; then
            $SQUID_BIN -k rotate
            sleep 2
            $SQUID_BIN -k reconfigure
            rc_status
        else
            echo -n "- Warning: squid not running ! "
            rc_failed 7
        fi
        rc_status -v
        ;;
    status)
        echo -n "Checking for WWW-proxy squid "
        checkproc $SQUID_BIN
        rc_status -v
        ;;
    probe)
        test $SQUID_CONF -nt $SQUID_PID && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
++++++ squid-2.6.STABLE19-64bit.patch ++++++
--- squid-2.6.STABLE19/src/HttpHdrRange.c.orig 2008-03-18 00:34:41.000000000 +0100
+++ squid-2.6.STABLE19/src/HttpHdrRange.c 2008-03-26 16:35:07.000000000 +0100
@@ -485,7 +485,7 @@ if (!Config.rangeOffsetLimit) /* disabled */ return 1; - if (-1 == Config.rangeOffsetLimit) + if (-1U == Config.rangeOffsetLimit) /* forced */ return 0; if (Config.rangeOffsetLimit >= httpHdrRangeFirstOffset(range)) --- squid-2.6.STABLE19/src/HttpHeader.c.orig 2007-12-21 10:56:53.000000000 +0100 +++ squid-2.6.STABLE19/src/HttpHeader.c 2008-03-26 16:34:46.000000000 +0100 @@ -817,7 +817,7 @@ /* First try the quick path */ id = httpHeaderIdByNameDef(name, strlen(name)); - if (id != -1) + if (id != -1U) return httpHeaderGetStrOrList(hdr, id); /* Sorry, an unknown header name. Do linear search */ --- squid-2.6.STABLE19/src/store_io.c.orig 2006-11-05 22:14:31.000000000 +0100 +++ squid-2.6.STABLE19/src/store_io.c 2008-03-26 16:34:46.000000000 +0100 @@ -34,7 +34,7 @@ store_io_stats.create.calls++; /* This is just done for logging purposes */ objsize = objectLen(e); - if (objsize != -1) + if (objsize != -1U) objsize += e->mem_obj->swap_hdr_sz; /* --- squid-2.6.STABLE19/src/external_acl.c.orig 2007-01-02 00:32:13.000000000 +0100 +++ squid-2.6.STABLE19/src/external_acl.c 2008-03-26 16:34:46.000000000 +0100 @@ -265,7 +265,7 @@ } format->header = xstrdup(header); format->header_id = httpHeaderIdByNameDef(header, strlen(header)); - if (format->header_id != -1) { + if (format->header_id != -1U) { if (member) format->type = EXT_ACL_HEADER_ID_MEMBER; else ++++++ squid-2.6.STABLE2-ldflags.patch ++++++ Index: squid-2.7.STABLE6/configure.in =================================================================== --- squid-2.7.STABLE6.orig/configure.in +++ squid-2.7.STABLE6/configure.in @@ -2923,6 +2923,7 @@ mingw|mingw32) ;; esac AC_MSG_RESULT($SQUID_MAXFD) +LDFLAGS="$TLDFLAGS $PRESET_LDFLAGS" fi # --with-maxfd SQUID_MAXFD AC_DEFINE_UNQUOTED(SQUID_MAXFD, $SQUID_MAXFD, [Maximum number of open filedescriptors]) if test "$SQUID_MAXFD" -lt 512 ; then 
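Review bot: in the HttpHdrRange.c @@ -485 hunk, `-1 == Config.rangeOffsetLimit` becoming `-1U == Config.rangeOffsetLimit` silences the signed/unsigned warning correctly only if that field is exactly `unsigned int` wide. Its type is not visible here; if it is a wider unsigned type (which the "64bit" name of this patch suggests is the concern), `-1U` is 0xFFFFFFFF while the sentinel produced by assigning -1 to the field has all of its bits set, so the "forced" branch would silently never match. Compare against the field's own type, e.g. `(typeof-of-field) -1`, or a named sentinel, and state the intent in the patch header.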
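Review bot: the store_io.c @@ -34 hunk has the same width question: `objsize != -1U` equals the -1 that objectLen() uses for "unknown" only if `objsize` is `unsigned int`; with a wider type the test is always true and `e->mem_obj->swap_hdr_sz` gets added to a bogus length. The comment says this value is only logged, so the impact is a wrong log entry, but the comparison should still be written in the variable's own type.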
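Review bot: in the HttpHeader.c @@ -817 hunk (and the identical change in external_acl.c @@ -265), `id != -1U` works when the value returned by httpHeaderIdByNameDef() converts to `unsigned int`, but the intent would be clearer with whatever sentinel that function actually returns rather than a bare literal; at minimum the patch description should say these hunks are warning fixes and the sentinel value itself is unchanged.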
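Review bot: the configure.in @@ -2923 hunk inserts `LDFLAGS="$TLDFLAGS $PRESET_LDFLAGS"` just before `fi # --with-maxfd SQUID_MAXFD`, i.e. inside that conditional, while the next hunk removes the unconditional `LDFLAGS="$TLDFLAGS"` that followed it. If configure is run so that the maxfd block is skipped, LDFLAGS is no longer reset from TLDFLAGS at all; either keep the assignment outside the conditional or document why the skipped branch does not need it.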
@@ -2932,7 +2933,6 @@ if test "$SQUID_MAXFD" -lt 512 ; then echo " on how to increase your filedescriptor limit" sleep 10 fi -LDFLAGS="$TLDFLAGS" dnl Not cached since people are likely to tune this AC_MSG_CHECKING(Default UDP send buffer size) ++++++ squid-2.7.STABLE3-config.patch ++++++ --- squid-2.7.STABLE3/src/Makefile.in.orig 2008-01-03 02:16:40.000000000 +0100 +++ squid-2.7.STABLE3/src/Makefile.in 2008-07-02 17:17:06.000000000 +0200 @@ -651,7 +651,7 @@ DEFAULT_HTTP_PORT = @CACHE_HTTP_PORT@ DEFAULT_ICP_PORT = @CACHE_ICP_PORT@ DEFAULT_PREFIX = $(prefix) DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf -DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf +DEFAULT_MIME_TABLE = $(datadir)/mime.conf DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_LOG_PREFIX = $(localstatedir)/logs DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log --- squid-2.7.STABLE3/src/cf.data.pre.orig 2008-06-25 00:54:18.000000000 +0200 +++ squid-2.7.STABLE3/src/cf.data.pre 2008-07-02 17:19:01.000000000 +0200 @@ -725,6 +725,7 @@ http_access deny CONNECT !SSL_ports # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet +http_access allow localhost # And finally deny all other access to this proxy http_access deny all @@ -2385,7 +2386,7 @@ DOC_END NAME: logfile_rotate TYPE: int -DEFAULT: 10 +DEFAULT: 0 LOC: Config.Log.rotateNumber DOC_START Specifies the number of logfile rotations to make when you @@ -2401,6 +2402,10 @@ DOC_START purposes, so -k rotate uses another signal. It is best to get in the habit of using 'squid -k rotate' instead of 'kill -USR1 <pid>'. + + SUSE LINUX is using the logrotate mechanism and therefore the + rotation is done externaly, which means a default of 0 is + required and therefore set. Modify /etc/logrotate.d/squid instead. DOC_END NAME: emulate_httpd_log 
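Review bot: the src/Makefile.in @@ -651 hunk moves DEFAULT_MIME_TABLE from $(sysconfdir) to $(datadir). The release notes further down list bug #1059 "mime.conf and referenced icons must be within chroot" as a known limitation, so a chrooted deployment now has to copy a file from the share directory as well; the new location should be mentioned in README.SuSE or the changes entry.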
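Review bot: the cf.data.pre @@ -725 hunk adds `http_access allow localhost` between `http_access allow localnet` and `http_access deny all`, so it is reached and effective. It also means every local account on the proxy host may use the proxy regardless of the localnet ACL; that is a reasonable packaging default, but call it out in the changes file, and it relies on the `localhost` acl being defined earlier in the same default configuration.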
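Review bot: the cf.data.pre @@ -2401 hunk spells "externaly" in the added DOC text; it should read "externally". The behaviour it describes matches rc.squid above, whose reload action runs `squid -k rotate` before `squid -k reconfigure`; with logfile_rotate 0 that only reopens the log files, which is what an external logrotate needs.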
@@ -3753,7 +3758,7 @@ DOC_END NAME: cache_effective_user TYPE: string -DEFAULT: nobody +DEFAULT: squid LOC: Config.effectiveUser DOC_START If you start Squid as root, it will change its effective/real 
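Review bot: the cache_effective_user @@ -3753 hunk changes the default from nobody to squid. Squid cannot drop privileges to an account that does not exist, and the cache directories rc.squid creates with `squid -z -F` and /var/log/squid/rcsquid.log must be writable by that user, so the package's pre-install must create the account and the spec must set ownership accordingly; setting cache_effective_group explicitly is also safer than relying on the user's primary group.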
@@ -4471,7 +4476,7 @@ DOC_END NAME: htcp_port IFDEF: USE_HTCP TYPE: ushort -DEFAULT: 4827 +DEFAULT: 0 LOC: Config.Port.htcp DOC_START The port number where Squid sends and receives HTCP queries to ++++++ squid-2.7.STABLE9-RELEASENOTES.html ++++++ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.65"> <TITLE>Squid 2.7.STABLE9 release notes</TITLE> </HEAD> <BODY> <H1>Squid 2.7.STABLE9 release notes</H1> <H2>Squid Developers</H2>$Id: release.html,v 1.1.2.15 2010/03/14 21:40:46 hno Exp $ <HR> <EM>This document contains the release notes for version 2.7 of Squid. Squid is a WWW Cache application developed by the Web Caching community.</EM> <HR> <P> <H2><A NAME="toc1">1.</A> <A HREF="#s1">Key changes from squid 2.6</A></H2> <P> <H2><A NAME="toc2">2.</A> <A HREF="#s2">Changes to squid.conf</A></H2> <UL> <LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Added directives</A> <LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Changed directives</A> <LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Removed directives</A> </UL> <P> <H2><A NAME="toc3">3.</A> <A HREF="#s3">Known issues & limitations</A></H2> <UL> <LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">Known issues</A> <LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Known limitations</A> </UL> <P> <H2><A NAME="toc4">4.</A> <A HREF="#s4">Windows support</A></H2> <UL> <LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">Usage</A> <LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">PSAPI.DLL (Process Status Helper) Considerations</A> <LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Registry DNS lookup</A> <LI><A NAME="toc4.4">4.4</A> <A HREF="#ss4.4">Compatibility Notes</A> <LI><A NAME="toc4.5">4.5</A> <A HREF="#ss4.5">Known Limitations</A> <LI><A NAME="toc4.6">4.6</A> <A HREF="#ss4.6">Using cache manager on Windows</A> </UL> <P> <H2><A NAME="toc5">5.</A> <A HREF="#s5">Key changes in squid-2.7.STABLE2</A></H2> <P> <H2><A NAME="toc6">6.</A> <A HREF="#s6">Key changes in 
squid-2.7.STABLE3</A></H2>
<P>
<H2><A NAME="toc7">7.</A> <A HREF="#s7">Key changes in squid-2.7.STABLE4</A></H2>
<P>
<H2><A NAME="toc8">8.</A> <A HREF="#s8">Key changes in squid-2.7.STABLE5</A></H2>
<P>
<H2><A NAME="toc9">9.</A> <A HREF="#s9">Key changes in squid-2.7.STABLE6</A></H2>
<P>
<H2><A NAME="toc10">10.</A> <A HREF="#s10">Key changes in squid-2.7.STABLE7</A></H2>
<P>
<H2><A NAME="toc11">11.</A> <A HREF="#s11">Key changes in squid-2.7.STABLE8</A></H2>
<P>
<H2><A NAME="toc12">12.</A> <A HREF="#s12">Key changes in squid-2.7.STABLE9</A></H2>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Key changes from squid 2.6</A></H2>
<P>This section describes the main news since the 2.6 release.</P>
<P>
<UL>
<LI>Experimental support for HTTP/1.1, mainly targeted at reverse proxy installations. Not yet HTTP/1.1 compliant, however.</LI>
<LI>A number of performance improvements, including the request/reply parser, eliminating various redundant data copies and some completely rewritten sections.</LI>
<LI>Support for WAIS has been removed.</LI>
<LI>"act-as-origin" option for http_port - Squid can now emulate an origin server when acting as an accelerator.</LI>
<LI>"min-size" option for cache_dir - the minimum object size to store in a cache directory. Previously objects of any size up to the "max-size" maximum would be considered as candidates for storing in a store_dir; this option allows the administrator to tune various stores for small and large objects rather than trying to tune one store for both.</LI>
<LI>Support for Solaris /dev/poll for network IO - more efficient than poll() or select() and backwards compatible to Solaris 7. This must be manually enabled during configure by specifying "--enable-devpoll".</LI>
<LI>Support for FreeBSD accept filters.
Use "accept_filter httpready" in squid.conf to enable this.</LI>
<LI>A semi-modular logging framework has been introduced, which allows both for more efficient non-blocking logging with the supplied logging daemon and for third-party modules to intercept the squid logs and process them. An example "UDP" logging helper, thanks to the Wikimedia Foundation, is included.</LI>
<LI>Support for rewriting URLs into canonical forms when storing and retrieving objects. A common practice seen in Content Delivery Networks is to serve the same content from a variety of different URLs or hosts; this makes efficient caching difficult. The store URL rewriting framework allows the administrator to rewrite a variety of URLs into one canonical form, so matching content from a variety of sources can be stored and retrieved as if it came from the same source, whilst still fetching the content from the original destination. See the "storeurl_rewrite_program" option for more information, and http://wiki.squid-cache.org/Features/StoreURLRewrite for some examples.</LI>
<LI>Object revalidation can now occur in the background, without requiring an active client to drive it. Stale content being revalidated can be served in situ whilst the object is being refreshed. See the "max_stale" and "refresh_pattern" options for more information.</LI>
<LI>A new option, "zero_buffers", controls whether Squid will zero the memory used for buffers and other data structures before use. This may or may not improve performance on specific workloads.</LI>
<LI>Cache authentication based on source IP address. This reduces the pressure on external authenticators which may not be able to keep up under high load - NTLM/winbind is a good example of this. See the "authenticate_ip_shortcircuit_access" and "authenticate_ip_shortcircuit_ttl" options for more information.</LI>
<LI>Support for configuration file includes has been added.
"include" can now be used to include a configuration file or a glob of configuration files in a directory.</LI>
<LI>The default rules to not cache dynamic content from cgi-bin and query URLs have been altered. Previously, the "cache" ACL was used to mark requests as non-cachable - this is enforced even on dynamic content which returns cachability information. This has changed in Squid-2.7 to use the default refresh pattern. Dynamic content is now cached if it is marked as cachable. You should remove the default configuration lines with QUERY (acl, and cache) and replace them with the correct refresh_pattern entries.</LI>
<LI>Accelerator mode support cleaned up to behave more consistently when combining multiple accelerator mode options</LI>
<LI>Zero Penalty Hit support, allowing cache misses to be marked by custom TOS/priority values, useful when using packet shaping/prioritization outside Squid and needing to separate cache hits from misses.</LI>
</UL>
</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Changes to squid.conf</A></H2>
<P>This release has a number of changes and additions to squid.conf</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Added directives</A>
</H2>
<P>
<DL>
<DT><B>acl myportname</B><DD>
<P>new acl matching the incoming port name</P>
<DT><B>authenticate_ip_shortcircuit_ttl</B><DD>
<DT><B>authenticate_ip_shortcircuit_access</B><DD>
<P>controls the new IP based authentication cache.</P>
<DT><B>zph_mode</B><DD>
<DT><B>zph_local</B><DD>
<DT><B>zph_sibling</B><DD>
<DT><B>zph_parent</B><DD>
<DT><B>zph_option</B><DD>
<P>controls the Zero Penalty Hit support</P>
<DT><B>update_headers</B><DD>
<P>optimization to skip updating on-disk headers</P>
<DT><B>logfile_daemon</B><DD>
<P>new log file daemon support</P>
<DT><B>netdb_filename</B><DD>
<P>was hardcoded to the first cache_dir</P>
<DT><B>storeurl_rewrite_program</B><DD>
<DT><B>storeurl_rewrite_children</B><DD>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<DT><B>storeurl_access</B><DD>
<P>controls the new
store URL rewrite functionality</P>
<DT><B>rewrite_access</B><DD>
<DT><B>rewrite</B><DD>
<P>controls the new builtin URL rewrite functionality</P>
<DT><B>max_stale</B><DD>
<DT><B>server_http11</B><DD>
<DT><B>ignore_expect_100</B><DD>
<P>Experimental HTTP/1.1 support knobs</P>
<DT><B>external_refresh_check</B><DD>
<P>new helper to allow custom cache validations in accelerator setups</P>
<DT><B>ignore_ims_on_miss</B><DD>
<P>optimization mainly targeted for accelerator setups</P>
<DT><B>max_filedescriptors</B><DD>
<P>can now be set at runtime. Was previously hardcoded at build time and further limited by ulimit</P>
<DT><B>accept_filter</B><DD>
<P>optimization to avoid waking Squid up until a request has been received</P>
<DT><B>incoming_rate</B><DD>
<P>new tuning knob for high traffic conditions</P>
<DT><B>zero_buffers</B><DD>
<P>tuning knob to disable a new optimization</P>
</DL>
</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Changed directives</A>
</H2>
<P>
<DL>
<DT><B>cache</B><DD>
<P>Suggested defaults modified</P>
<DT><B>cache_dir</B><DD>
<P>the "read-only" option has been renamed to "no-store" to better reflect the functionality</P>
<DT><B>cache_peer</B><DD>
<P>new multicast-siblings option, enabling multicast ICP sibling relations</P>
<P>new idle=n option to keep a minimum pool of idle connections</P>
<P>new http11 option to enable experimental HTTP/1.1 support</P>
<DT><B>external_acl_type</B><DD>
<P>New %URI format tag</P>
<DT><B>acl</B><DD>
<P>Suggested defaults cleaned up, defines a new "localnet" acl with RFC1918 addresses</P>
<P>new "myportname" acl type matching the http_port name</P>
<DT><B>icp_access</B><DD>
<P>Suggested defaults cleaned up, now requires configuration to use ICP</P>
<DT><B>htcp_access</B><DD>
<P>Suggested defaults cleaned up, now requires configuration to use HTCP</P>
<DT><B>http_access</B><DD>
<P>Suggested defaults cleaned up, using a new "localnet" acl.</P>
<DT><B>http_port</B><DD>
<P>Accelerator mode options cleaned up (accel,
defaultsite, vport, vhost and combinations thereof)</P>
<P>new "allow-direct" option</P>
<P>new "act-as-origin" option</P>
<P>new "http11" option (experimental)</P>
<P>new "name=" option</P>
<P>new "keepalive=" option</P>
<DT><B>https_port</B><DD>
<P>See http_port.</P>
<DT><B>logformat</B><DD>
<P>New format codes: oa (Our outgoing IP address), rp (Request URL-Path), sn (Unique sequence number)</P>
<DT><B>refresh_pattern</B><DD>
<P>Several new options: stale-while-revalidate, ignore-stale-while-revalidate, max-stale, negative-ttl</P>
<P>Suggested defaults adjusted to match the changes in the cache directive.</P>
<DT><B>url_rewrite_program</B><DD>
<P>Future protocol change adding key=value pairs after the requests</P>
<DT><B>forwarded_for</B><DD>
<P>Has several new modes, allowing one to fine-tune how/if the requesting client IP should be forwarded in X-Forwarded-For</P>
</DL>
</P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Removed directives</A>
</H2>
<P>
<DL>
<DT><B>incoming_icp_average</B><DD>
<DT><B>incoming_http_average</B><DD>
<DT><B>incoming_dns_average</B><DD>
<DT><B>min_icp_poll_cnt</B><DD>
<DT><B>min_dns_poll_cnt</B><DD>
<DT><B>min_http_poll_cnt</B><DD>
<P>the above tuning knobs no longer have any effect and have been removed.</P>
</DL>
</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Known issues & limitations</A></H2>
<P>There are a few known issues and limitations in this release of Squid</P>
<H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">Known issues</A>
</H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2248">#2248</a> storeurl_rewrite mismatched when object stored in memory</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2112">#2112</a> Squid does not send If-None-Match tag for cache revalidation</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2160">#2160</a> Cache hits on objects with headers > 4KB</LI>
</UL>
</P>
<H2><A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Known limitations</A>
</H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1059">#1059</a>: mime.conf and referenced icons must be within chroot</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=692">#692</a>: tcp_outgoing_address using an ident ACL does not work</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=581">#581</a>: acl max_user_ip and multiple authentication schemes</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=528">#528</a>: miss_access fails on "slow" acl types such as dst.</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=513">#513</a>: squid -F is starting server sockets too early</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=457">#457</a>: does not handle swap.state corruption properly</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=410">#410</a>: unstable if it runs out of disk space</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=355">#355</a>: diskd may appear slow on low loads</LI>
</UL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Windows support</A></H2>
<P>This Squid version can run on Windows as a system service using the Cygwin emulation environment, or can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.</P>
<P>On Windows 2000 and later the service is configured to use the Windows Service Recovery option, restarting automatically after 60 seconds.</P>
<H2><A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">Usage</A>
</H2>
<P>Some new command line options were added for the Windows service support:</P>
<P>The service installation is made with the -i command line switch; the -f switch can be used at the same time to specify a different config file for the Squid service, which will be stored in the Windows Registry.</P>
<P>A new -n switch specifies the Windows service name, so multiple Squid instances are allowed.
<EM>"Squid"</EM> is the default when the switch is not used.</P>
<P>So, to install the service, the syntax is: </P>
<P>
<PRE>
squid -i [-f file] [-n name]
</PRE>
</P>
<P>Service uninstallation is made with the -r command line switch together with the appropriate -n switch.</P>
<P>The -k switch family must be used with the appropriate -f and -n switches, so the syntax is: </P>
<P>
<PRE>
squid -k command [-f file] -n service-name
</PRE>
where <EM>service-name</EM> is the name specified with the -n option at service install time.</P>
<P>To use the Squid original command line, the new -O switch must be used ONCE; the syntax is: </P>
<P>
<PRE>
squid -O cmdline [-n service-name]
</PRE>
If multiple service command line options must be specified, use quotes. The -n switch is needed only when a non-default service name is in use.</P>
<P>Don't use the "Start parameters" in the Windows 2000/XP/2003 Service applet: they are specific to Windows services functionality and Squid is not designed to understand them.</P>
<P>In the following example the command line of the "squidsvc" Squid service is set to "-D -u 3130": </P>
<P>
<PRE>
squid -O "-D -u 3130" -n squidsvc
</PRE>
</P>
<H2><A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">PSAPI.DLL (Process Status Helper) Considerations</A>
</H2>
<P>The process status helper functions make it easier for you to obtain information about processes and device drivers running on Microsoft® Windows NT®/Windows® 2000. These functions are available in PSAPI.DLL, which is distributed in the Microsoft® Platform Software Development Kit (SDK). The same information is generally available through the performance data in the registry, but it is more difficult to get to it. PSAPI.DLL is freely redistributable.</P>
<P>PSAPI.DLL is available only on Windows NT, 2000, XP and 2003.
The implementation in Squid is aware of this, and tries to use it only on the right platform.</P>
<P>On Windows NT, PSAPI.DLL can be found as a component of many applications; if you need it, you can find it in the Windows NT Resource Kit. If you have problems, it can be downloaded from here: <A HREF="http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE">http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE</A></P>
<P>On Windows 2000 and later it is available by installing the Windows Support Tools, located in the Support\Tools folder of the Windows installation CD-ROM.</P>
<H2><A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Registry DNS lookup</A>
</H2>
<P>On Windows platforms, if no value is specified in the <EM>dns_nameservers</EM> option in squid.conf or in the /etc/resolv.conf file, the list of DNS name servers is taken from the Windows registry; both static and dynamic DHCP configurations are supported.</P>
<H2><A NAME="ss4.4">4.4</A> <A HREF="#toc4.4">Compatibility Notes</A>
</H2>
<P>
<UL>
<LI>It's recommended to use the '/' char in Squid paths instead of '\'</LI>
<LI>Paths with spaces (like 'C:\Programs Files\Squid') are NOT supported by Squid</LI>
<LI>Include wildcard patterns in squid.conf are NOT supported on Windows</LI>
<LI>When using an ACL like 'acl aclname acltype "file"' the file must be in DOS text format (CR+LF) and the full Windows path must be specified, for example:
<PRE>
acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"
</PRE>
</LI>
<LI>The Windows equivalent of '/dev/null' is 'NUL'</LI>
<LI>Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd, .vbs, .pl, etc.
So in squid.conf the interpreter path must always be specified, for example:
<PRE>
redirect_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
redirect_program c:/winnt/system32/cmd.exe /C c:/squid/libexec/redir.cmd
</PRE>
</LI>
<LI>When Squid runs in command line mode, the launching user account must have administrative privileges on the system</LI>
<LI>"Start parameters" in the Windows 2000/XP/2003 Service applet cannot be used</LI>
<LI>Building with MinGW, when the configure option --enable-truncate is used, Squid cannot run on Windows NT; only Windows 2000 and later are supported</LI>
<LI>On Windows Vista and later, User Account Control (UAC) must be disabled before running service installation</LI>
</UL>
</P>
<H2><A NAME="ss4.5">4.5</A> <A HREF="#toc4.5">Known Limitations</A>
</H2>
<P>
<UL>
<LI>DISKD: still needs to be ported</LI>
<LI>WCCP: cannot work because user space GRE support on Windows is missing</LI>
<LI>Transparent Proxy: missing Windows non-commercial interception driver</LI>
<LI>Some code sections can make blocking calls.</LI>
<LI>Some external helpers may not work.</LI>
<LI>File descriptor number hard-limited to 2048 when building with MinGW.</LI>
</UL>
</P>
<H2><A NAME="ss4.6">4.6</A> <A HREF="#toc4.6">Using cache manager on Windows</A>
</H2>
<P>On Windows, cache manager (cachemgr.cgi) can be used with Microsoft IIS or Apache. Some specific configuration could be needed:</P>
<H3>IIS 6 (Windows 2003)</H3>
<P>On IIS 6.0 all CGI extensions are denied by default for security reasons, so the following configuration is needed:</P>
<P>
<UL>
<LI>Create a cgi-bin Directory</LI>
<LI>Define the cgi-bin IIS Virtual Directory with read and CGI execute IIS permissions; ASP scripts are not needed.
This automatically defines a cgi-bin IIS web application </LI> <LI>Copy cachemgr.cgi into cgi-bin directory and look to file permissions: the IIS system account and SYSTEM must be able to read and execute the file</LI> <LI>In IIS manager go to Web Service extensions and add a new Web Service Extension called <EM>"Squid Cachemgr"</EM>, add the cachemgr.cgi file and set the extension status to <EM>Allowed</EM></LI> </UL> </P> <H3>Apache:</H3> <P>On Windows, cachemgr.cgi needs to create a temporary file, so Apache must be instructed to pass the TMP and TEMP Windows environment variables to CGI applications: <PRE> ScriptAlias /squid/cgi-bin/ "c:/squid/libexec/" <Location /squid/cgi-bin/cachemgr.cgi> PassEnv TMP TEMP Order allow,deny Allow from workstation.example.com </Location> </PRE> </P> <H2><A NAME="s5">5.</A> <A HREF="#toc5">Key changes in squid-2.7.STABLE2</A></H2> <P> <UL> <LI>Compile error if --enable-delaypools used</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1893">#1893</a>: Variant invalidation support removed again, caused a lot content to not get cached.</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2350">#2350</a>: Linux Capabilities version mismatch causing startup crash on newer kernels</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE2.html">squid-2.7.STABLE2 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A NAME="s6">6.</A> <A HREF="#toc6">Key changes in squid-2.7.STABLE3</A></H2> <P> <UL> <LI>Byg #2376: Round-Robin peer selection becomes unbalanced when a peer dies and comes back</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2122">#2122</a>: Private information leakage in collapsed_forwarding</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1993">#1993</a>: Memory leak in http_reply_access deny processing</LI> <LI>Fix SNMP reporting of counters with 
a value > 0xFF80000</LI> <LI>Reject ridiculously large ASN.1 lengths</LI> <LI>Off by one error in DNS label decompression could cause valid DNS messages to be rejected</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2241">#2241</a>: weights not applied properly in round-robin peer selection</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2192">#2192</a>: http_port ... vport broken by recent changes in how accelerator mode deals with port numbers</LI> <LI>Fix build error on Solaris using gcc and --with-large-files</LI> <LI>Windows port: new option for control of IP address changes notification in squid.conf</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE3.html">squid-2.7.STABLE3 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A NAME="s7">7.</A> <A HREF="#toc7">Key changes in squid-2.7.STABLE4</A></H2> <P> <UL> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2393">#2393</a>: DNS retransmit queue could get hold up</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2408">#2408</a>: assertion failed: forward.c:529: "fs"</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2414">#2414</a>: assertion failed: forward.c:110: "!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)"</LI> <LI>Workaround for Linux-2.6.24 & 2.6.25 netfiler_ipv4.h include header __u32 problem</LI> <LI>Make dns_nameserver work when using --disable-internal-dns on glibc based systems</LI> <LI>Handle aborted objects properly. 
The change in 2.7.STABLE3 triggered a number of issues.</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2406">#2406</a>: access.log logs rewritten URL and strip_query_terms ineffective</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE4.html">squid-2.7.STABLE4 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A NAME="s8">8.</A> <A HREF="#toc8">Key changes in squid-2.7.STABLE5</A></H2> <P> <UL> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2441">#2441</a>: Shut down store url rewrite helpers on squid -k reconfigure</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2464">#2464</a>: assertion failed: sc->new_callback == NULL at store_client.c:190</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2394">#2394</a>: add upgrade_http0.9 option making it possible to disable upgrade of HTTP/0.9 responses</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2426">#2426</a>: Increase negotiate auth token buffer size</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2468">#2468</a>: Limit stale-if-error to 500-504 responses</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2477">#2477</a>: swap.state permission issues if crashing during "squid -k reconfigure"</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2430">#2430</a>: Old headers sometimes still returned after a cache validation</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2481">#2481</a>: Don't set expires: now in generated error responses</LI> <LI>Windows port: Fix build error using latest MinGW runtime.</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE5.html">squid-2.7.STABLE5 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A 
NAME="s9">9.</A> <A HREF="#toc9">Key changes in squid-2.7.STABLE6</A></H2> <P> <UL> <LI>Crash on certain invalid HTTP messages</LI> <LI>Correct latency measurements</LI> <LI>Various documentation fixes</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE6.html">squid-2.7.STABLE6 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A NAME="s10">10.</A> <A HREF="#toc10">Key changes in squid-2.7.STABLE7</A></H2> <P> <UL> <LI>Hang in 100% CPU if using external_acl_type or access_log format %{header:;item}</LI> <LI>wbinfo_group.pl false positives under certain conditions</LI> <LI>several memory leaks fixed</LI> <LI>documentation corrections</LI> <LI>Max URL size increased to 8192</LI> <LI>And many other minor bugfixes</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE7.html">squid-2.7.STABLE7 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A NAME="s11">11.</A> <A HREF="#toc11">Key changes in squid-2.7.STABLE8</A></H2> <P> <UL> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2858">#2858</a>: Segment violation in HTCP</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2773">#2773</a>: Segfault in RFC2069 Digest authantication</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2845">#2845</a>: Crashes on malformed Digest authentication</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2367">#2367</a>: Incorrect stale=true/false indications in Digest auth causing random auth popups.</LI> <LI>Improve %nn parser to better deal with certain odd %nn sequences</LI> <LI>Handle DNS header-only packets as invalid. 
(CVE-2010-0308)</LI> <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2678">#2678</a> - storeurl_rewrite does not play nicely with vary</LI> <LI>And many other minor bugfixes</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE8.html">squid-2.7.STABLE8 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> <H2><A NAME="s12">12.</A> <A HREF="#toc12">Key changes in squid-2.7.STABLE9</A></H2> <P>This release has portability fixes only. No change in functionality.</P> <P> <UL> <LI>OpenSSL related compilation issue on some systems introduced in 2.7.STABLE8.</LI> <LI>configure failed to detect certain system libraries on some systems, resulting in compilation failures either in Squid or helpers.</LI> <LI>See also the list of <A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE9.html">squid-2.7.STABLE9 changes</A> and the <A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI> </UL> </P> </BODY> </HTML> ++++++ squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff ++++++ diff -prNU 30 ../squid-2.7.STABLE5-o/tools/cachemgr.c ./tools/cachemgr.c --- ../squid-2.7.STABLE5-o/tools/cachemgr.c 2008-06-25 00:55:11.000000000 +0200 +++ ./tools/cachemgr.c 2013-02-06 18:06:02.000000000 +0100 
@@ -482,66 +482,69 @@ munge_other_line(const char *buf, cachem const char *cell = xstrtok(&x, '\t'); while (x && *x == '\t') { column_span++; x++; } l += snprintf(html + l, sizeof(html) - l, "<%s colspan=\"%d\" align=\"%s\">%s</%s>", ttag, column_span, is_header ? "center" : is_number(cell) ? "right" : "left", html_quote(cell), ttag); } xfree(buf_copy); /* record ends */ l += snprintf(html + l, sizeof(html) - l, "</tr>\n"); next_is_header = is_header && strstr(buf, "\t\t"); table_line_num++; return html; } static const char * munge_action_line(const char *_buf, cachemgr_request * req) { static char html[2 * 1024]; char *buf = xstrdup(_buf); char *x = buf; const char *action, *description; char *p; if ((p = strchr(x, '\n'))) *p = '\0'; action = xstrtok(&x, '\t'); + if (!action) { + xfree(buf); + return ""; + } description = xstrtok(&x, '\t'); if (!description) description = action; - if (!action) - return ""; snprintf(html, sizeof(html), " <a href=\"%s\">%s</a>", menu_url(req, action), description); + xfree(buf); return html; } static int read_reply(int s, cachemgr_request * req) { char buf[4 * 1024]; #ifdef _SQUID_MSWIN_ int reply; char *tmpfile = tempnam(NULL, "tmp0000"); FILE *fp = fopen(tmpfile, "w+"); #else FILE *fp = fdopen(s, "r"); #endif /* interpretation states */ enum { isStatusLine, isHeaders, isActions, isBodyStart, isBody, isForward, isEof, isForwardEof, isSuccess, isError } istate = isStatusLine; int parse_menu = 0; const char *action = req->action; const char *statusStr = NULL; int status = -1; if (0 == strlen(req->action)) parse_menu = 1; else if (0 == strcasecmp(req->action, "menu")) parse_menu = 1; if (fp == NULL) { #ifdef _SQUID_MSWIN_ perror(tmpfile); xfree(tmpfile); 
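Review bot: the reordered NULL test in munge_action_line() is the right fix: in the old order `description = action` could be assigned with `action == NULL`, and the early `return ""` leaked the xstrdup()'d `buf`; both exits now release it. Two things the hunk's context lines expose are still open. `html` is a `static char html[2 * 1024]` and the snprintf() result is discarded, so an over-long action/description pair is silently truncated, which is acceptable for a menu line but deserves a comment. In read_reply(), the Windows branch spools the reply through `tempnam(NULL, "tmp0000")` followed by `fopen(tmpfile, "w+")`: a predictable name created without an exclusive-create open, so a pre-planted file or symlink at that path is followed. Not introduced by this hunk, but worth replacing with an exclusive create (O_CREAT|O_EXCL or the CRT equivalent) while this function is being touched.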
@@ -663,147 +666,176 @@ read_reply(int s, cachemgr_request * req #endif return 0; } static int process_request(cachemgr_request * req) { const struct hostent *hp; static struct sockaddr_in S; int s; int l; static char buf[2 * 1024]; if (req == NULL) { auth_html(CACHEMGR_HOSTNAME, CACHE_HTTP_PORT, ""); return 1; } if (req->hostname == NULL) { req->hostname = xstrdup(CACHEMGR_HOSTNAME); } if (req->port == 0) { req->port = CACHE_HTTP_PORT; } if (req->action == NULL) { req->action = xstrdup(""); } if (strcmp(req->action, "authenticate") == 0) { auth_html(req->hostname, req->port, req->user_name); return 0; } if (!check_target_acl(req->hostname, req->port)) { - snprintf(buf, 1024, "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port); + snprintf(buf, sizeof(buf), "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port); error_html(buf); return 1; } if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) { - snprintf(buf, 1024, "socket: %s\n", xstrerror()); + snprintf(buf, sizeof(buf), "socket: %s\n", xstrerror()); error_html(buf); return 1; } memset(&S, '\0', sizeof(struct sockaddr_in)); S.sin_family = AF_INET; if ((hp = gethostbyname(req->hostname)) != NULL) { assert(hp->h_length <= sizeof(S.sin_addr.s_addr)); xmemcpy(&S.sin_addr.s_addr, hp->h_addr, hp->h_length); } else if (safe_inet_addr(req->hostname, &S.sin_addr)) (void) 0; else { - snprintf(buf, 1024, "Unknown host: %s\n", req->hostname); + snprintf(buf, sizeof(buf), "Unknown host: %s\n", req->hostname); error_html(buf); return 1; } S.sin_port = htons(req->port); if (connect(s, (struct sockaddr *) &S, sizeof(struct sockaddr_in)) < 0) { - snprintf(buf, 1024, "connect: %s\n", xstrerror()); + snprintf(buf, sizeof(buf), "connect: %s\n", xstrerror()); error_html(buf); return 1; } l = snprintf(buf, sizeof(buf), "GET cache_object://%s/%s HTTP/1.0\r\n" "Accept: */*\r\n" "%s" /* Authentication info or nothing */ "\r\n", req->hostname, req->action, make_auth_header(req)); #ifdef _SQUID_MSWIN_ 
send(s, buf, l, 0); #else write(s, buf, l); #endif debug(1) fprintf(stderr, "wrote request: '%s'\n", buf); return read_reply(s, req); } int main(int argc, char *argv[]) { char *s; cachemgr_request *req; safe_inet_addr("255.255.255.255", &no_addr); now = time(NULL); #ifdef _SQUID_MSWIN_ Win32SockInit(); atexit(Win32SockCleanup); _setmode(_fileno(stdin), _O_BINARY); _setmode(_fileno(stdout), _O_BINARY); _fmode = _O_BINARY; if ((s = strrchr(argv[0], '\\'))) #else if ((s = strrchr(argv[0], '/'))) #endif progname = xstrdup(s + 1); else progname = xstrdup(argv[0]); if ((s = getenv("SCRIPT_NAME")) != NULL) script_name = xstrdup(s); req = read_request(); return process_request(req); } static char * read_post_request(void) { char *s; - char *buf; - int len; + if ((s = getenv("REQUEST_METHOD")) == NULL) - return NULL; + return NULL; + if (0 != strcasecmp(s, "POST")) - return NULL; + return NULL; + if ((s = getenv("CONTENT_LENGTH")) == NULL) - return NULL; - if ((len = atoi(s)) <= 0) - return NULL; - buf = xmalloc(len + 1); - fread(buf, len, 1, stdin); - buf[len] = '\0'; + return NULL; + + if (*s == '-') // negative length content huh? + return NULL; + + uint64_t len; + + char *endptr = s+ strlen(s); + if ((len = strtoll(s, &endptr, 10)) <= 0) + return NULL; + + // limit the input to something reasonable. + // 4KB should be enough for the GET/POST data length, but may be extended. 
+ if (len >= 4096) { + printf("Status: 400 Bad Request\n\n"); + exit(0); + } + char *buf = (char *)xmalloc(len + 1); + + size_t readLen = fread(buf, 1, len, stdin); + if (readLen == 0) { + xfree(buf); + return NULL; + } + buf[readLen] = '\0'; + len -= readLen; + + // purge the remainder of the request entity + while (len > 0 && readLen) { + char temp[65535]; + readLen = fread(temp, 1, 65535, stdin); + len -= readLen; + } + return buf; } static char * read_get_request(void) { char *s; if ((s = getenv("QUERY_STRING")) == NULL) return NULL; return xstrdup(s); } static cachemgr_request * read_request(void) { char *buf; cachemgr_request *req; char *s; char *t; char *q; if ((buf = read_post_request()) != NULL) (void) 0; else if ((buf = read_get_request()) != NULL) (void) 0; else return NULL; #ifdef _SQUID_MSWIN_ if (strlen(buf) == 0 || strlen(buf) == 4000) #else if (strlen(buf) == 0) 
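Review bot: in read_post_request() `endptr` is initialised to `s+ strlen(s)`, immediately overwritten by strtoll(), and never examined afterwards, so a CONTENT_LENGTH such as `12abc` is accepted as 12; either test `*endptr == '\0'` after the call or drop the variable. Related: `len` is declared `uint64_t` but receives strtoll()'s signed result, so `len <= 0` only catches zero, and a negative value that slips past the `*s == '-'` test (strtoll() skips leading whitespace, the test does not) wraps to a huge unsigned number and is stopped only by the later `len >= 4096` check; a `long long len` with `if (len <= 0 || len >= 4096)` says what is meant. In the purge loop, `fread(temp, 1, 65535, stdin)` can return more than the remaining `len`, so `len -= readLen` underflows and the loop then drains stdin to EOF rather than to the announced length; request `len < sizeof(temp) ? len : sizeof(temp)` bytes instead. Finally, `uint64_t`, `//` comments and declarations after statements are C99 in an otherwise C89-style file, so confirm the 2.7 build flags, including the MinGW build, accept them.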
@@ -859,110 +891,123 @@ make_pub_auth(cachemgr_request * req) debug(3) fprintf(stderr, "cmgr: encoding for pub...\n"); if (!req->passwd || !strlen(req->passwd)) return; /* host | time | user | passwd */ snprintf(buf, sizeof(buf), "%s|%d|%s|%s", req->hostname, (int) now, req->user_name ? req->user_name : "", req->passwd); debug(3) fprintf(stderr, "cmgr: pre-encoded for pub: %s\n", buf); debug(3) fprintf(stderr, "cmgr: encoded: '%s'\n", base64_encode(buf)); req->pub_auth = xstrdup(base64_encode(buf)); } static void decode_pub_auth(cachemgr_request * req) { char *buf; const char *host_name; const char *time_str; const char *user_name; const char *passwd; debug(2) fprintf(stderr, "cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth)); safe_free(req->passwd); if (!req->pub_auth || strlen(req->pub_auth) < 4 + strlen(safe_str(req->hostname))) return; buf = xstrdup(base64_decode(req->pub_auth)); debug(3) fprintf(stderr, "cmgr: length ok\n"); /* parse ( a lot of memory leaks, but that is cachemgr style :) */ - if ((host_name = strtok(buf, "|")) == NULL) + if ((host_name = strtok(buf, "|")) == NULL) { + xfree(buf); return; + } debug(3) fprintf(stderr, "cmgr: decoded host: '%s'\n", host_name); - if ((time_str = strtok(NULL, "|")) == NULL) + if ((time_str = strtok(NULL, "|")) == NULL) { + xfree(buf); return; + } debug(3) fprintf(stderr, "cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now); - if ((user_name = strtok(NULL, "|")) == NULL) + if ((user_name = strtok(NULL, "|")) == NULL) { + xfree(buf); return; + } debug(3) fprintf(stderr, "cmgr: decoded uname: '%s'\n", user_name); - if ((passwd = strtok(NULL, "|")) == NULL) + if ((passwd = strtok(NULL, "|")) == NULL) { + xfree(buf); return; + } debug(2) fprintf(stderr, "cmgr: decoded passwd: '%s'\n", passwd); /* verify freshness and validity */ - if (atoi(time_str) + passwd_ttl < now) + if (atoi(time_str) + passwd_ttl < now) { + xfree(buf); return; - if (strcasecmp(host_name, req->hostname)) + } + if (strcasecmp(host_name, 
req->hostname)) { + xfree(buf); return; + } debug(1) fprintf(stderr, "cmgr: verified auth. info.\n"); /* ok, accept */ - xfree(req->user_name); + safe_free(req->user_name); req->user_name = xstrdup(user_name); req->passwd = xstrdup(passwd); xfree(buf); } static void reset_auth(cachemgr_request * req) { safe_free(req->passwd); safe_free(req->pub_auth); } static const char * make_auth_header(const cachemgr_request * req) { static char buf[1024]; int l = 0; const char *str64; if (!req->passwd) return ""; snprintf(buf, sizeof(buf), "%s:%s", req->user_name ? req->user_name : "", req->passwd); str64 = base64_encode(buf); l += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64); assert(l < sizeof(buf)); l += snprintf(&buf[l], sizeof(buf) - l, "Proxy-Authorization: Basic %s\r\n", str64); + xxfree(str64); return buf; } static int check_target_acl(const char *hostname, int port) { char config_line[BUFSIZ]; FILE *fp = NULL; int ret = 0; fp = fopen("cachemgr.conf", "r"); if (fp == NULL) fp = fopen(DEFAULT_CACHEMGR_CONFIG, "r"); if (fp == NULL) { #ifdef CACHEMGR_HOSTNAME_DEFINED if (strcmp(hostname, CACHEMGR_HOSTNAME) == 0 && port == CACHE_HTTP_PORT) return 1; #else if (strcmp(hostname, "localhost") == 0) return 1; if (strcmp(hostname, getfullhostname()) == 0) return 1; #endif return 0; } while (fgets(config_line, BUFSIZ, fp)) { char *token = NULL; strtok(config_line, " \r\n\t"); if (config_line[0] == '#') continue; if (config_line[0] == '\0') ++++++ squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff ++++++ ++++ 1260 lines (skipped) ++++++ squid.logrotate ++++++ /var/log/squid/cache.log { su squid nogroup compress dateext maxage 365 rotate 99 size=+1024k notifempty missingok create 640 squid root sharedscripts postrotate /etc/init.d/squid reload endscript } /var/log/squid/access.log { su squid nogroup compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 640 squid root sharedscripts postrotate /etc/init.d/squid reload endscript } 
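Review bot: `xxfree(str64)` at the end of make_auth_header() frees the pointer returned by base64_encode(), yet the same hunk treats the base64 helpers' results as non-owned everywhere else: make_pub_auth() does `xstrdup(base64_encode(buf))` and decode_pub_auth() does `xstrdup(base64_decode(req->pub_auth))`, which is the idiom for a static buffer. If base64_encode() returns static storage, this line frees non-heap memory and turns the leak fix into a crash on every authenticated request; confirm what it returns before merging, or drop the line. The `xfree(buf)` additions in decode_pub_auth() are correct and complete: every early `return` now releases the decoded copy, which matters because those paths run on attacker-supplied pub_auth data, so the old leak was triggerable per request. Minor: `safe_free(req->user_name)` in place of `xfree()` is right, since req->user_name may be NULL at that point.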
/var/log/squid/store.log { su squid nogroup compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 640 squid root sharedscripts postrotate /etc/init.d/squid reload endscript }
++++++ squid.sysconfig ++++++
## Path:        Network/WWW/Proxy/squid
## Description: squid webproxy options
## Type:        integer(1:)
## Default:     "60"
#
# kill squid after this timeout in double-seconds with SIGTERM
#
SQUID_SHUTDOWN_TIMEOUT="60"
++++++ squid_ie_blocker.txt ++++++
****** Using Squid to block Internet Explorer ******

After one of the many, many, many security holes in Microsoft Internet Explorer, my company decided to completely block outgoing requests for IE (at least, until a patch is published by MS). For this purpose, we changed our proxy setup to be transparent and block the browser based on its user-agent string. As an alternative, we decided to offer the Mozilla_Firefox browser to our users. You can read more about this on my Firefox_page.

Our router was a Cisco 2600, and we chose to use WCCP for transparent proxying. You can read the router-side configuration at this_page or at this_page. I'm no cisco expert, so I won't go into details here. If you don't have a cisco, but a linux router, you can also easily do transparent proxying. There are many howtos for that.

Squid configuration
-------------------

The linux configuration of squid will be covered here, however, because it seems to be a bit outdated on both pages. I'm using SuSE 9.0 and use the SuSE kernel, which makes updating easier and saves a lot of configuration time :) The kernel config (if you need your own kernel) should be sufficiently described on the other pages I mentioned above.

The squid configuration is fairly easy. The following is from my squid config (without comments), some of the values are defaults, important ones are marked in red.
useragent_log /var/log/squid/useragent.log # log browser id
referer_log /var/log/squid/referer.log
acl intranet src 172.16.0.0/255.255.0.0 # intranet machines
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ie_browser browser ^Mozilla/4\.0.*compatible;.MSIE # die!!
acl bad_browser browser ^Gator # Gator is also crap!
acl windowsupdate dstdomain .windowsupdate.com # sometimes you have to live with the evil ...
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl ie_exceptions dstdomain .mycompany.at # for those who don't turn off proxy for intranet ...
acl ie_exceptions2 dst 172.16.0.0/255.255.0.0
http_access deny bad_browser
http_access allow windowsupdate
http_access allow ie_exceptions
http_access allow ie_exceptions2
http_access deny ie_browser
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow intranet
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr hostmaster@mycompany.at
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .mycompany.at
deny_info ERR_IEBROWSER ie_browser
wccp_router 172.16.0.1
ie_refresh on

The most important settings are the acls that describe the IE browser and the corresponding http_access deny rule. After monitoring the user_agent log at my site, I also noticed Gator on a machine. Gator is spyware (probably auto-executed by some IE bug?) and has surely no right to go into the Internet ...

The deny_info is the page that is shown to users that use the IE browser. Put a file named ERR_IEBROWSER into /usr/share/squid/errors/English that contains some useful text (e.g. where to get the Firefox browser inside your LAN).

After configuring your squid (I use 2.5.STABLE3), you can enter the proxy in your IE and it should not allow you to surf to any sites except the windowsupdate site and hosts whose names end with "mycompany.at".

Transparent proxy with Cisco WCCP
---------------------------------

The next thing to do is to get the ip_wccp module. I downloaded it from the Squid homepage. Before compiling it, you must configure your kernel properly. Install the appropriate kernel-source package for your distro and do the following:

    cd /usr/src/linux
    make cloneconfig
    make dep

Then compile the ip_wccp module using the following command:

    gcc -D__KERNEL__ -I/lib/modules/`uname -r`/build/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -mcpu=i386 -DCPU=386 -DMODULE -DMODVERSIONS -include /usr/src/linux/include/linux/modversions.h -c ip_wccp.c

Then copy it to your /lib/modules/`uname -r`/misc directory, run depmod -a and modprobe ip_wccp. To automatically load it on every boot, edit your /etc/init.d/boot.local (or equivalent) and insert the modprobe command there.

Final steps - local routing
---------------------------

The next step is a simple iptables command:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Port 3128 is the port where your squid proxy is running. Put this in some init script that is executed after network start (possibly a custom firewall rule if you are using some kind of firewall).
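To see how the http_access chain in the squid.conf above actually decides, here is a small evaluator of that acl/http_access subset. It is an added example, not code from the article or from Squid: the Request model, the two User-Agent strings and the sample addresses (172.16.5.20, 198.51.100.7, 93.184.216.34, 207.46.0.1) are constructed for illustration, and only the ACL types the listing uses are implemented.

```python
"""Evaluate Squid http_access rules the way Squid does: the first matching line
wins, a line matches only when all of its ACLs match ('!' negates one), and if
no line matches the result is the opposite of the last line's action.
Added example, not the article's or Squid's own code; only the ACL types used
above (src, dst, dstdomain, port, method, proto, browser) are supported."""
import ipaddress
import re
from dataclasses import dataclass

# The article's acl/http_access lines; repeated acl lines of one name are merged
# into one line here, which is what Squid does internally (values are ORed).
SQUID_CONF = r"""
acl intranet src 172.16.0.0/255.255.0.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl ie_browser browser ^Mozilla/4\.0.*compatible;.MSIE
acl bad_browser browser ^Gator
acl windowsupdate dstdomain .windowsupdate.com .windowsupdate.microsoft.com
acl ie_exceptions dstdomain .mycompany.at
acl ie_exceptions2 dst 172.16.0.0/255.255.0.0
http_access deny bad_browser
http_access allow windowsupdate
http_access allow ie_exceptions
http_access allow ie_exceptions2
http_access deny ie_browser
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow intranet
http_access deny all
"""

@dataclass
class Request:                # constructed request model, not a Squid structure
    src: str                  # client address          (src acl)
    dst: str                  # resolved destination    (dst acl)
    host: str                 # host part of the URL    (dstdomain acl)
    port: int                 # destination port        (port acl)
    method: str = "GET"       # method acl
    proto: str = "http"       # URL scheme; cache manager URLs use cache_object
    user_agent: str = ""      # User-Agent header       (browser acl)

def parse_conf(text):
    """Return ({acl: (type, [values])}, [(action, [(acl, negated), ...])])."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            acls.setdefault(name, (acltype, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], [(w.lstrip("!"), w.startswith("!")) for w in words[2:]]))
    return acls, rules

def acl_matches(acltype, values, req):
    if acltype in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if acltype == "src" else req.dst)
        # ipaddress accepts both /prefix and dotted-netmask notation
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "dstdomain":  # a leading dot matches the domain and every subdomain
        host = req.host.lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    if acltype == "port":       # single ports or lo-hi ranges
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if acltype == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acltype == "proto":
        return req.proto.lower() in {v.lower() for v in values}
    if acltype == "browser":    # regex over User-Agent, case-sensitive unless -i is given
        return any(re.search(v, req.user_agent) for v in values)
    raise ValueError(f"unsupported acl type {acltype}")

def http_access(acls, rules, req):
    """Return (action, matched terms) from the first http_access line that matches."""
    for action, terms in rules:
        if all(acl_matches(*acls[name], req) != negated for name, negated in terms):
            return action, " ".join(("!" if neg else "") + name for name, neg in terms)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "no match: opposite of last line"

ACLS, RULES = parse_conf(SQUID_CONF)
IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"   # constructed sample
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7) Gecko/20040614 Firefox/0.9"

def decide(req):
    return http_access(ACLS, RULES, req)
```

Squid evaluates these lines with the same first-match rule, so the order is the whole policy. Running `decide()` over a few constructed requests shows what the listing does and what it does not: IE to www.example.com is denied by `ie_browser`, IE to v4.windowsupdate.microsoft.com is allowed by `windowsupdate`, a CONNECT to port 8443 is denied by `CONNECT !SSL_ports`, and, because `allow ie_exceptions` and `allow ie_exceptions2` come before `allow intranet` and `deny all` and carry no src restriction, a request from an outside address such as 198.51.100.7 to any .mycompany.at host or 172.16.0.0/16 address is allowed. If the proxy port is reachable from outside, that is a relay into the LAN; writing those two lines as `http_access allow ie_exceptions intranet` and `http_access allow ie_exceptions2 intranet` keeps the IE exemption while limiting it to internal clients. Keep in mind as well that a `browser` acl only sees the User-Agent header the client chooses to send.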
From now on, the worst of all browsers should no longer harm the internet - at least not from your network :)
Feedback is welcome. Write to articles[at]gaugusch.at Updated: 2004-06-25 Source: http://gaugusch.at/squid.shtml ++++++ squid_ldapauth-1.3.dif ++++++ --- Makefile +++ Makefile @@ -20,7 +20,7 @@ EXEC = squid_ldapauth -all: $(EXEC) strip +all: $(EXEC) $(EXEC): $(OBJS) $(CC) $(CFLAGS) $(OBJS) $(LIBS) -o $@ --- squid_ldapauth.c +++ squid_ldapauth.c @@ -294,14 +294,16 @@ BerElement *ber; char *a = 0; int i, rc= 0; + int lderrno; snprintf(query, sizeof(query), filter, user); if(-1 == ldap_search(ldap, suffix, LDAP_SCOPE_SUBTREE, query, attrs, 0)) { + ldap_get_option(ldap,LDAP_OPT_ERROR_NUMBER,&lderrno); if(use_syslog) { - syslog(LOG_ERR, "ldap search: %d", ldap->ld_errno); + syslog(LOG_ERR, "ldap search: %d", lderrno); } else { fprintf(stderr, "%s[%d]: ldap search: %d\n", - appname, getpid(), ldap->ld_errno); + appname, getpid(), lderrno); } return -1; } -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
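Review bot: in the squid_ldapauth.c hunk `lderrno` is only written when ldap_get_option() succeeds; if that call fails, an uninitialised value is logged. Initialise it (`int lderrno = 0;`) or check ldap_get_option()'s return value. Replacing the direct `ldap->ld_errno` member access with `ldap_get_option(ldap,LDAP_OPT_ERROR_NUMBER,&lderrno)` is otherwise the right change, since the LDAP handle is opaque in current OpenLDAP headers. In the Makefile hunk, dropping `strip` from the `all:` target keeps the symbols in the built binary for the package's debuginfo, but that intent is not recorded anywhere in the patch; a one-line comment in the patch header would save the next maintainer from restoring it.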