Hello community,
here is the log from the commit of package squid.1977 for openSUSE:12.2:Update checked in at 2013-09-13 09:22:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/squid.1977 (Old)
and /work/SRC/openSUSE:12.2:Update/.squid.1977.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squid.1977"
Changes:
--------
New Changes file:
--- /dev/null 2013-07-23 23:44:04.804033756 +0200
+++ /work/SRC/openSUSE:12.2:Update/.squid.1977.new/squid.changes 2013-09-13 09:22:41.000000000 +0200
@@ -0,0 +1,1629 @@
+-------------------------------------------------------------------
+Thu Aug 22 14:04:31 CEST 2013 - draht@suse.de
+
+- squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff
+ Squid advisory SQUID-2013_2, CVE-2013-4115, [bnc#829084]
+ Specially crafted http requests can trigger a buffer overflow
+ when squid attempts to resolve an overly long hostname.
+- squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff
+ memory leak in cachemgr.cgi known as CVE-2013-0189, which is the
+ underfixed CVE-2012-5643 problem. [bnc#796999] [bnc#794954]
+- run logrotate as squid:nogroup [bnc#677335]
+
+-------------------------------------------------------------------
+Wed Feb 15 16:02:51 UTC 2012 - chris@computersalat.de
+
+- run suse_update_config only on suse_version < 1220
+
+-------------------------------------------------------------------
+Fri Dec 2 10:01:19 UTC 2011 - chris@computersalat.de
+
+- fix ip_wccp.c
+ * update to current online version
+- add upstream patches
+ * 12711 - Correct parsing of large gopher indexes
+ * 12714 - Fix various harmless warnings detected by gcc 4.6
+
+-------------------------------------------------------------------
+Thu Dec 1 17:00:11 UTC 2011 - coolo@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Wed May 25 03:46:39 UTC 2011 - crrodriguez@opensuse.org
+
+- Supress timestamps from binaries, breaks build-compare.
+
+-------------------------------------------------------------------
+Sat Feb 19 11:45:53 UTC 2011 - chris@computersalat.de
+
+- update to 2.7.STABLE9
+ - 2.7.STABLE8 failed to compile with OpenSSL 0.9.8 on some systems
+ - failure to detect certain system libraries on some systems
+ resulting in compilation errors
+- Changes to squid-2.7.STABLE8 (10 March 2010)
+ - Bug #2458: reply_body_max_size incorrectly documented
+ - Bug #2858: Segment violation in HTCP
+ - Bug #2773: Segfault in RFC2069 Digest authantication
+ - 64-bit filesize issue in squidclient if trying to post a file > 2GB
+ - Improve %nn parser to better deal with certain odd %nn sequences
+ - Segmentation fault if failed to open cache.log
+ - Bug #2819: const correctness errors in dns_internal.c
+ - Handle DNS header-only packets as invalid. (CVE-2010-0308)
+ - Windows port: Updated mswin_ad_group native helper to version 2.1
+ - Cosmetic change to keep GCC happy
+ - Bug #2678 - storeurl_rewrite does not play nicely with vary
+ - Bug #2861 - only-if-cached request blocks if it collapsed into
+ another request
+ - Use libcap functions instead of raw kernel interface
+ - No need to sync the store on -k rotate, but instead it needs to be
+ done in reconfigure
+ - const correctness in OpenSSL initialization
+ - Rework the http digest auth parser
+- Changes to squid-2.7.STABLE7 (17 September 2009)
+ - Bug #2661 - Solaris /dev/poll support broken with EINVAL
+ - Clarify external_acl_type %{Header} documentation slightly
+ - Bug #2482: Remove mem_obj->old_entry in async code to avoid deep ctx
+ errors
+ - GCC-4.x cleanups
+ - Bug #2605: Don't call setsid() on helper childs when running in
+ daemon mode
+ - Windows port: Fix PSAPI.DLL usage, is always available on Windows NT
+ and later
+ - Windows port: Added support for Windows 7, Windows Server 2008 R2
+ and later
+ - Bug #2602: increase MAX_URL to 8192
+ - The debug mode option '-d' was not documented in LDAP helpers usage
+ message
+ - Windows port: Added a note about installation on Windows Vista and
+ later
+ - Bug #2642: Remove duplicate peerMonitorInit() on reconfigure
+ - Bug #2515: Final chunk parsing errors on FreeBSD6+
+ - Bug #2647: Reprioritise override-* and stale-while-revalidate
+ - Windows port: Fix improper access permissions to registry and DNS
+ parsing from registry
+ - Windows port: Fix getservbyname() usage abuse.
+ - Bug #2672: cacheMemMaxSize 32-bit overflow during snmpwalk
+ - Bug #2691: store_url memory leak
+ - Accept PUT/POST requests without an entity-body
+ - Plug request_t + HttpStateData memory leak on PUT/POST requests with
+ early response
+ - Bug #2710: squid_kerb_auth non-terminated string
+ - Bug #2369: squid traffic counter 32-bit overflow
+ - Bug #2080: wbinfo_group.pl - false positive under certain conditions
+ - Bug #2739: DNS resolver option ndots can't be parsed from
+ resolv.conf
+ - Windows port: fix mswin_negotiate_auth.exe crash when executing a
+ LocalCall authentication with verbose deBug #enabled
+ - Add 0.0.0.0 as an to_localhost address
+ - Windows port: Update mswin_check_ad_group to version 2.0
+ - Windows port: There is no "-P" command line option into
+ mswin_check_ad_group helper.
+ - Correct Valgrind mempool protection
+ - Bug #2451: Correct length handling on 304 responses
+ - Bug #2541: Hang in 100% CPU loop while extacting header details
+ using a delimiter other than comma (external_acl_type,
+ access_log_format, external_refresh_check)
+ - Bug #2768 - squid_ldap_group -K argument parsing error
+- removed old upstream patches: 12466, 12480 - 12497
+- added new upstream patch: 12697
+- cleanup spec
+
+-------------------------------------------------------------------
+Tue Nov 3 19:09:46 UTC 2009 - coolo@novell.com
+
+- updated patches to apply with fuzz=0
+
+-------------------------------------------------------------------
+Tue Aug 11 12:18:57 UTC 2009 - chris@computersalat.de
+
+- update to 2.7.STABLE6
+ * Bug #2494: Fix tproxy url in configure
+ * Correct latency measurements
+ * Correct upgrade_http0.9 example
+ * Correct parsing of invalid http version numbers
+ * Crossreference authenticate_ip_shortcircuit_access and
+ * authenticate_ip_shortcircuit_ttl
+ * Add in some better documentation for override-expire.
+- added upstream patches
+ o 12466, 12480-12495, 12497
+ o disabled 12488.patch (can not patch not existing file)
+
+-------------------------------------------------------------------
+Mon Oct 27 18:04:31 CET 2008 - kssingvo@suse.de
+
+- update to 2.7.STABLE5, which is a bugfix version only:
+ * Don't set expires: now in generated error responses
+ * Old headers still returned after a cache validation
+ * swap.state permission issues if crashing during "squid -k
+ reconfigure"
+ * Limit stale-if-error to 500-504 responses
+ * Increase negotiate auth token buffer size
+ * add upgrade_http0.9 option making it possible to disable
+ upgrade of HTTP/0.9 responses
+ * assertion failed: sc->new_callback == NULL at store_client.c:190
+ * Shut down store url rewrite helpers on squid -k reconfigure
+ * configuration file contains non-ASCII characters
+ For complete list of changes see:
+ http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE5.html
+- removed obsolete, already in upstream version patches
+
+-------------------------------------------------------------------
+Thu Oct 2 14:21:07 CEST 2008 - kssingvo@suse.de
+
+- bugfix if user is in many kerberos groups (12380.patch)
+
+-------------------------------------------------------------------
+Thu Sep 25 16:56:29 CEST 2008 - kssingvo@suse.de
+
+- added a few official patches:
+ * HTTP/0.9: making it possible to disable upgrade of HTTP/0.9
+ responses
+ * assertion failed: sc->new_callback == NULL at store_client.c:190
+ * foreground rebuild should do all of the rebuilding before Squid
+ accepts
+ * Shut down store url rewrite helpers on squid -k reconfigure
+ * configuration file contains non-ASCII characters
+
+-------------------------------------------------------------------
+Wed Aug 20 14:38:42 CEST 2008 - kssingvo@suse.de
+
+- update to 2.7.STABLE4:
+ * DNS retransmit queue could get hold up
+ * assertion failed: forward.c:529: "fs"
+ * assertion failed: forward.c:110: "!EBIT_TEST(e->flags,
+ ENTRY_FWD_HDR_WAIT)"
+ * Workaround for Linux-2.6.24 & 2.6.25 netfiler_ipv4.h include
+ header __u32 problem
+ * Make dns_nameserver work when using --disable-internal-dns on
+ glibc based systems
+ * Handle aborted objects properly. The change in 2.7.STABLE3
+ triggered a number of issues.
+ * access.log logs rewritten URL and strip_query_terms ineffective
+ For full list of changes see:
+ http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE4.html
+- added cron to Requires: as rpmlint complains on this
+
+-------------------------------------------------------------------
+Sun Aug 17 09:08:16 CEST 2008 - aj@suse.de
+
+- Fix init scripts.
+
+-------------------------------------------------------------------
+Wed Jul 2 17:26:29 CEST 2008 - kssingvo@suse.de
+
+- update to 2.7.STABLE3:
+ major changes from 2.6 to 2.7:
+ * HTTP/1.1 support
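Review bot: the CVE identifiers for the cachemgr.cgi fix disagree within this hunk and the file list: the 2013-08-22 entry says the leak is CVE-2013-0189 (the underfixed CVE-2012-5643), while the patch it references is named squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff. One of the two numbers is wrong; take the identifier from the Squid advisory and make the changelog and the file name agree, because the file name is what the spec carries and what later audits grep for.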
++++ 1432 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.squid.1977.new/squid.changes
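The CVE-2013-4115 entry in the changelog above describes a buffer overflow triggered when Squid resolves an overly long hostname taken from a crafted request. As an added illustration (this is not Squid's code and not the content of squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff, which this page does not show), the C below puts the unsafe pattern next to the check that prevents it: the host part of an absolute URL is measured before anything is copied, and a request whose host cannot fit the fixed DNS buffer is rejected instead of truncated or overrun. HOST_BUF_LEN, host_span and the resolve_host_* functions are names made up for this example, and the sample URLs are constructed.

```c
/*
 * Added example, not Squid source: bounded vs. unbounded copy of a request's
 * host name into a fixed-size buffer ahead of a DNS lookup.
 */
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example. RFC 1035 caps a DNS name at 255
 * octets, so 256 is the smallest buffer that holds any legal name plus NUL. */
#define HOST_BUF_LEN 256

/* Locate the host part of an absolute "http://" URL without copying it.
 * The span ends at ':' (port), '/', '?' or '#'. Bracketed IPv6 literals and
 * userinfo ("user@") are deliberately not handled here. Returns NULL when the
 * URL does not start with "http://". */
static const char *host_span(const char *url, size_t *len)
{
    const char *p;
    if (strncmp(url, "http://", 7) != 0)
        return NULL;
    p = url + 7;
    *len = strcspn(p, ":/?#");
    return p;
}

/* Vulnerable pattern: trusts the attacker-controlled host length and copies
 * it into a fixed buffer. A host longer than HOST_BUF_LEN-1 bytes overruns
 * 'host'. Shown only for contrast; never call it on untrusted input. */
int resolve_host_unchecked(const char *url, char *host)
{
    size_t n;
    const char *h = host_span(url, &n);
    if (h == NULL)
        return -1;
    memcpy(host, h, n);     /* no bound on n */
    host[n] = '\0';
    return 0;
}

/* Hardened form: reject before copying. Returns 0 on success, -1 for a
 * malformed or empty host, -2 for a host that cannot fit the buffer. */
int resolve_host_checked(const char *url, char *host)
{
    size_t n;
    const char *h = host_span(url, &n);
    if (h == NULL || n == 0)
        return -1;
    if (n >= HOST_BUF_LEN)  /* keep one byte for the terminator */
        return -2;
    memcpy(host, h, n);
    host[n] = '\0';
    return 0;
}

/* Self-checks on constructed inputs; each returns 1 when the checked
 * resolver behaves as intended. */
int check_normal_host(void)
{
    char host[HOST_BUF_LEN];
    if (resolve_host_checked("http://www.squid-cache.org:3128/index.html", host) != 0)
        return 0;
    return strcmp(host, "www.squid-cache.org") == 0;
}

int check_malformed(void)
{
    char host[HOST_BUF_LEN];
    return resolve_host_checked("ftp://ftp.example.net/", host) == -1
        && resolve_host_checked("http:///no-host", host) == -1;
}

int check_overlong_host(void)
{
    enum { HOST_LEN = 300 };            /* longer than any legal DNS name */
    char url[7 + HOST_LEN + 2];
    char host[HOST_BUF_LEN];
    memcpy(url, "http://", 7);
    memset(url + 7, 'a', HOST_LEN);
    url[7 + HOST_LEN] = '/';
    url[7 + HOST_LEN + 1] = '\0';
    /* The unchecked variant would write 301 bytes into a 256-byte buffer here. */
    return resolve_host_checked(url, host) == -2;
}

int main(void)
{
    printf("normal host:   %s\n", check_normal_host() ? "ok" : "FAIL");
    printf("malformed url: %s\n", check_malformed() ? "ok" : "FAIL");
    printf("overlong host: %s\n", check_overlong_host() ? "ok" : "FAIL");
    return 0;
}
```

The point to carry over to a real proxy is the order of operations: measure, compare against the destination buffer, and fail the request before any copy happens. Truncating silently would be the other safe-memory choice, but it would make the proxy resolve a different name than the client asked for, which is its own problem.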
New:
----
12697.patch
12711.patch
12714.patch
CompleteFaq.html
README.SuSE
contrib-2.4.STABLE6.tar.bz2
ip_wccp.c
pam.squid
rc.squid
squid-2.6.STABLE19-64bit.patch
squid-2.6.STABLE2-ldflags.patch
squid-2.7.STABLE3-config.patch
squid-2.7.STABLE9-RELEASENOTES.html
squid-2.7.STABLE9.tar.bz2
squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff
squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff
squid.changes
squid.logrotate
squid.spec
squid.sysconfig
squid_ie_blocker.txt
squid_ldapauth-1.3.dif
squid_ldapauth-1.3.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ squid.spec ++++++
#
# spec file for package squid
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needsrootforbuild
%define squid_ldapauth_version 1.3
%define squidconfdir /etc/squid
Name: squid
Summary: Squid WWW proxy server
License: GPL-2.0+
Group: Productivity/Networking/Web/Proxy
Version: 2.7.STABLE9
Release: 0
Url: http://www.squid-cache.org
Source: http://www.squid-cache.org/Versions/v2/2.7/squid-%{version}.tar.bz2
Source1: squid_ldapauth-%{squid_ldapauth_version}.tar.bz2
Source2: rc.squid
Source4: README.SuSE
Source5: pam.squid
Source6: squid.logrotate
Source7: squid-%{version}-RELEASENOTES.html
Source8: contrib-2.4.STABLE6.tar.bz2
# OBSOLETE: Create with: wget --cut-dirs=1 -nH -m -k -r -I/Doc/FAQ/ http://www.squid-cache.org/Doc/FAQ/
# FAQ is now changed into a wiki. The complete FAQ can be found at:
# http://wiki.squid-cache.org/SquidFaq/CompleteFaq
Source10: CompleteFaq.html
# Source: http://gaugusch.at/squid.shtml
Source11: squid_ie_blocker.txt
Source12: http://www.squid-cache.org/WCCP-support/Linux/ip_wccp.c
Source13: squid.sysconfig
# PATCH-UPSTREAM - Bug #2973: memory leak on malformed requests
Patch0: http://www.squid-cache.org/Versions/v2/2.7/changesets/12697.patch
# PATCH-UPSTREAM - Correct parsing of large gopher indexes
Patch1: http://www.squid-cache.org/Versions/v2/2.7/changesets/12711.patch
# PATCH-UPSTREAM - Fix various harmless warnings detected by gcc 4.6
Patch2: http://www.squid-cache.org/Versions/v2/2.7/changesets/12714.patch
Patch100: squid-2.7.STABLE3-config.patch
Patch101: squid_ldapauth-%{squid_ldapauth_version}.dif
Patch102: %{name}-2.6.STABLE19-64bit.patch
Patch103: %{name}-2.6.STABLE2-ldflags.patch
Patch104: squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff
Patch105: squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /usr/sbin/useradd, %insserv_prereq, %fillup_prereq
BuildRequires: automake
BuildRequires: db-devel
BuildRequires: openldap2-devel
BuildRequires: opensp-devel
BuildRequires: pam-devel
BuildRequires: samba
BuildRequires: sgmltool
BuildRequires: sharutils
%ifarch %ix86 x86_64 ppc ppc64
BuildRequires: valgrind
BuildRequires: valgrind-devel
%endif
Conflicts: squid-beta squid2 squid23
Requires: cron
Requires: logrotate
Provides: http_proxy
%description
The stable version of the Squid WWW Proxy Server.
Home page: http://www.squid-cache.org
%prep
%setup -n squid-%{version} -a 1 -a 8
#(cd auth_modules
#tar xzf %{S:21}
#rm -r MSNT
#mv msntauth-v2.0.3-squid.1 MSNT
#)
%patch0 -p1
%patch1 -p1
%patch2 -p1
#%patch3 -p1
#%patch4 -p1
#%patch5 -p1
#%patch6 -p1
#%patch7 -p1
#%patch8 -p1
#%patch9 -p1
#%patch10 -p1
#%patch11 -p1
#%patch12 -p1
#%patch13 -p1
#%patch14 -p1
#%patch15 -p1
#%patch16 -p1
#%patch17 -p1
#%patch18 -p1
#%patch19 -p1
####
%patch100 -p1
perl -pi -e 's%^#!/usr/local/bin/perl%#!/usr/bin/perl%g' `find -name "*.pl"`
(cd squid_ldapauth*
%patch101
)
%patch102 -p1
%patch103 -p1
%patch104 -p0
%patch105 -p0
%build
# Reproducible builds: replace __DATE__/__TIME__ in the sources with the
# timestamp of the newest %{name}.changes entry so that rebuilds are
# bit-identical for build-compare (see the 2011-05-25 changelog entry).
modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
TIME="\"$(date -d "${modified}" "+%%R")\""
find . -type f -regex ".*\.c\|.*\.cpp\|.*\.h" -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
%if 0%{?suse_version} < 1220
%{?suse_update_config:%{suse_update_config}}
%endif
export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing"
export CFLAGS="$RPM_OPT_FLAGS"
export LDFLAGS="-pie"
aclocal
touch NEWS AUTHORS
automake
autoconf
./configure --prefix=/usr \
--sysconfdir=%{squidconfdir} \
--bindir=/usr/sbin \
--sbindir=/usr/sbin \
--localstatedir=/var \
--libexecdir=/usr/sbin \
--datadir=/usr/share/squid \
--mandir=%{_mandir} \
--with-dl \
--with-maxfd=4096 \
%ifarch %ix86 x86_64 ppc ppc64
--with-valgrind-debug \
%endif
--enable-snmp \
--enable-carp \
--enable-useragent-log \
--enable-auth="basic digest negotiate ntlm" \
--enable-basic-auth-helpers="LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM" \
--enable-ntlm-auth-helpers="SMB fakeauth no_check" \
--enable-digest-auth-helpers="ldap password" \
--enable-external-acl-helpers="ip_user ldap_group session unix_group wbinfo_group" \
--enable-ntlm-fail-open \
--enable-referer-log \
--enable-arp-acl \
--enable-htcp \
--enable-underscores \
--enable-stacktraces \
--enable-delay-pools \
--enable-forward-log \
--enable-multicast-miss \
--enable-ssl \
--enable-cache-digests \
--enable-auth-on-acceleration \
--enable-storeio="aufs,coss,diskd,null,ufs" \
--enable-linux-netfilter \
--enable-removal-policies="heap,lru" \
--enable-icmp \
--with-samba-sources=/usr/include/samba \
--enable-large-cache-files \
--enable-x-accelerator-vary \
--enable-follow-x-forwarded-for
make DEFAULT_SWAP_DIR=/var/cache/squid \
DEFAULT_LOG_PREFIX=/var/log/squid \
DEFAULT_PID_FILE=/var/run/squid.pid \
SAMBAPREFIX=/usr
make -C squid_ldapauth-%{squid_ldapauth_version}
mkdir FAQ
cp -p %{S:10} FAQ
%install
mkdir -p $RPM_BUILD_ROOT/var/{cache,log}/squid
mkdir -p $RPM_BUILD_ROOT/usr/sbin
make install DESTDIR=$RPM_BUILD_ROOT SAMBAPREFIX=/usr
mv $RPM_BUILD_ROOT{/etc/squid/,/usr/share/squid/}mime.conf.default
mv $RPM_BUILD_ROOT{/etc/squid/,/usr/share/squid/}msntauth.conf.default
cp $RPM_BUILD_ROOT{/etc/squid/,/usr/share/squid/}msntauth.conf
ln -s /etc/squid/mime.conf $RPM_BUILD_ROOT/usr/share/squid # backward compatible
install -d -m 755 $RPM_BUILD_ROOT/etc/logrotate.d
install -m 644 %{S:6} $RPM_BUILD_ROOT/etc/logrotate.d/squid
install -d %{buildroot}%{_mandir}/man8/
install -m 644 doc/squid.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
install -m 644 helpers/basic_auth/LDAP/squid_ldap_auth.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
install -m 644 helpers/basic_auth/PAM/pam_auth.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
install -m 644 helpers/external_acl/ldap_group/squid_ldap_group.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
gzip -9 $RPM_BUILD_ROOT/%{_mandir}/man8/*.8
install -D %{S:2} $RPM_BUILD_ROOT/etc/init.d/squid
ln -sf /etc/init.d/squid $RPM_BUILD_ROOT/usr/sbin/rcsquid
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
cat > doc/scripts/cachemgr.readme <<-EOT
cachemgr.cgi will now be found in %{_libdir}/squid
EOT
install -d -m 755 $RPM_BUILD_ROOT/%{_libdir}/squid
mv $RPM_BUILD_ROOT/usr/sbin/cachemgr.cgi $RPM_BUILD_ROOT/%{_libdir}/squid
#nothing for squid-2.5.STABLE1:
install -d -m 755 doc/contrib
install contrib/*.pl doc/contrib
#rm doc/Programming-Guide/Makefile
install -m 644 %{S:7} doc
install -m 644 %{S:4} .
install -m 644 %{S:11} doc/contrib
install -m 644 %{S:12} doc/contrib
install -D -m 644 %{S:5} $RPM_BUILD_ROOT/etc/pam.d/squid
pushd squid_ldapauth-%{squid_ldapauth_version}
install -m 750 squid_ldapauth $RPM_BUILD_ROOT/usr/sbin/
cp README ../README.squid_ldapauth
cp CREDITS ../CREDITS.squid_ldapauth
cp squid_ldapauth.conf ..
popd
cp -a helpers/external_acl/ip_user/README README.ip_user
rm %{buildroot}/usr/sbin/Run*
install -d -m 755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{S:13} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.squid
rm -f $RPM_BUILD_ROOT/etc/squid/squid.conf.default
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_auth.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid_ldap_auth.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid_ldap_group.8
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/squid_unix_group.8
%clean
rm -rf $RPM_BUILD_ROOT
%pre
/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" -d /var/cache/squid squid 2> /dev/null || :
%post
%{fillup_and_insserv squid}
%preun
%stop_on_removal squid
%postun
%restart_on_update squid
%{insserv_cleanup}
%verifyscript
%files
%defattr(-,root,root)
%attr(750,squid,root) %dir /var/cache/squid
%attr(750,squid,root) %dir /var/log/squid
%dir %{squidconfdir}
%config(noreplace) %{squidconfdir}/squid.conf
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) /etc/logrotate.d/squid
%config(noreplace) %{squidconfdir}/mime.conf
%config(noreplace) %{squidconfdir}/msntauth.conf
%config /etc/pam.d/squid
%config /etc/init.d/squid
%dir /usr/share/squid
/usr/share/squid/errors
/usr/share/squid/icons
%config /usr/share/squid/mib.txt
/usr/share/squid/mime.conf
/usr/share/squid/mime.conf.default
/usr/share/squid/msntauth.conf
/usr/share/squid/msntauth.conf.default
/usr/sbin/cossdump
/usr/sbin/digest_ldap_auth
/usr/sbin/digest_pw_auth
/usr/sbin/diskd-daemon
/usr/sbin/fakeauth_auth
/usr/sbin/getpwname_auth
/usr/sbin/ip_user_check
%attr(750,squid,root) /usr/sbin/squid_ldapauth
/usr/sbin/logfile-daemon
/usr/sbin/msnt_auth
/usr/sbin/ncsa_auth
/usr/sbin/no_check.pl
/usr/sbin/ntlm_auth
# pam_auth is setuid root on purpose: PAM stacks that check /etc/shadow need it.
# %verify(not mode) lets an admin drop the world-execute bit without rpm -V complaining.
%verify(not mode) %attr(4755,root,shadow)/usr/sbin/pam_auth
/usr/sbin/pinger
/usr/sbin/rcsquid
/usr/sbin/smb_auth
/usr/sbin/smb_auth.pl
/usr/sbin/smb_auth.sh
/usr/sbin/squid
/usr/sbin/squid_ldap_auth
/usr/sbin/squid_ldap_group
/usr/sbin/squid_session
/usr/sbin/squid_unix_group
/usr/sbin/squidclient
/usr/sbin/unlinkd
/usr/sbin/wbinfo_group.pl
/usr/sbin/yp_auth
/var/adm/fillup-templates/sysconfig.squid
%dir %{_libdir}/squid
%{_libdir}/squid/cachemgr.cgi
%doc %{_mandir}/man*/*
%doc CONTRIBUTORS COPYING COPYRIGHT CREDITS
%doc ChangeLog QUICKSTART README README.SuSE
#%doc doc/HTTP-codes.txt doc/draft-vixie-htcp-proto-04.txt
#%doc doc/Programming-Guide
%doc doc/scripts doc/contrib FAQ
%doc doc/debug-sections.txt src/squid.conf.default
%doc README.squid_ldapauth CREDITS.squid_ldapauth
%doc squid_ldapauth.conf doc/%{name}-%{version}-RELEASENOTES.html
%doc README.ip_user
%changelog
++++++ 12697.patch ++++++
---------------------
PatchSet 12697
Date: 2010/07/13 19:43:08
Author: hno
Branch: SQUID_2_7
Tag: (none)
Log:
Bug 2973: memory leak on malformed requests
Members:
src/client_side.c:1.754.2.29->1.754.2.30
Index: squid/src/client_side.c
===================================================================
RCS file: /cvsroot/squid/squid/src/client_side.c,v
retrieving revision 1.754.2.29
retrieving revision 1.754.2.30
diff -u -r1.754.2.29 -r1.754.2.30
--- squid/src/client_side.c 14 Feb 2010 00:46:25 -0000 1.754.2.29
+++ squid/src/client_side.c 13 Jul 2010 19:43:08 -0000 1.754.2.30
@@ -1,6 +1,6 @@
/*
- * $Id: client_side.c,v 1.754.2.29 2010/02/14 00:46:25 hno Exp $
+ * $Id: client_side.c,v 1.754.2.30 2010/07/13 19:43:08 hno Exp $
*
* DEBUG: section 33 Client-side Routines
* AUTHOR: Duane Wessels
@@ -3063,6 +3063,7 @@
if (mb.size > 0) {
comm_write_mbuf(http->conn->fd, mb, clientWriteComplete, http);
} else {
+ memBufClean(&mb);
storeClientCopy(http->sc, http->entry,
http->out.offset,
http->out.offset,
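Review bot: the new `memBufClean(&mb);` sits only on the else path, which is right if `comm_write_mbuf()` on the if path takes ownership of the buffer and frees it after the write, as the one-sided fix implies; that asymmetry is exactly what produced the leak, so add a one-line comment above the clean saying that the write path frees `mb`, otherwise the next reader is likely to "balance" it and introduce a double free.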
++++++ 12711.patch ++++++
---------------------
PatchSet 12711
Date: 2011/08/26 21:51:44
Author: hno
Branch: SQUID_2_7
Tag: (none)
Log:
Correct parsing of large gopher indexes
Members:
src/gopher.c:1.181.2.1->1.181.2.2
Index: squid/src/gopher.c
===================================================================
RCS file: /cvsroot/squid/squid/src/gopher.c,v
retrieving revision 1.181.2.1
retrieving revision 1.181.2.2
diff -u -r1.181.2.1 -r1.181.2.2
--- squid/src/gopher.c 4 May 2008 23:23:13 -0000 1.181.2.1
+++ squid/src/gopher.c 26 Aug 2011 21:51:44 -0000 1.181.2.2
@@ -1,6 +1,6 @@
/*
- * $Id: gopher.c,v 1.181.2.1 2008/05/04 23:23:13 hno Exp $
+ * $Id: gopher.c,v 1.181.2.2 2011/08/26 21:51:44 hno Exp $
*
* DEBUG: section 10 Gopher
* AUTHOR: Harvest Derived
@@ -314,8 +314,6 @@
gopherState->HTML_header_added = 1;
return;
}
- inbuf[len] = '\0';
-
if (!gopherState->HTML_header_added) {
if (gopherState->conversion == HTML_CSO_RESULT)
gopherHTMLHeader(entry, "CSO Search Result", NULL);
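Review bot: dropping `inbuf[len] = '\0';` removes a store at index `len`, one past the data and, when a full read arrived, one past the buffer, so the removal is right; it is safe only if nothing later in this function still treats `inbuf` or `pos` as a C string, so check for remaining `strchr`/`strlen` uses on them (the loop in the next hunk moves to `memchr` with an explicit `left` count, which is the correct replacement).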
@@ -325,66 +323,41 @@
gopherState->HTML_header_added = 1;
gopherState->HTML_pre = 1;
}
- while ((pos != NULL) && (pos < inbuf + len)) {
-
+ while (pos < inbuf + len) {
+ int llen;
+ int left = len - (pos - inbuf);
+ lpos = memchr(pos, '\n', left);
+ if (lpos) {
+ lpos++; /* Next line is after \n */
+ llen = lpos - pos;
+ } else {
+ llen = left;
+ }
+ if (gopherState->len + llen >= TEMP_BUF_SIZE) {
+ debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n",
+ storeUrl(entry));
+ llen = TEMP_BUF_SIZE - gopherState->len - 1;
+ }
+ if (!lpos) {
+ /* there is no complete line in inbuf */
+ /* copy it to temp buffer */
+ /* note: llen is adjusted above */
+ xmemcpy(gopherState->buf + gopherState->len, pos, llen);
+ gopherState->len += llen;
+ break;
+ }
if (gopherState->len != 0) {
/* there is something left from last tx. */
- xstrncpy(line, gopherState->buf, gopherState->len + 1);
- if (gopherState->len + len > TEMP_BUF_SIZE) {
- debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n",
- storeUrl(entry));
- len = TEMP_BUF_SIZE - gopherState->len;
- }
- lpos = (char *) memccpy(line + gopherState->len, inbuf, '\n', len);
- if (lpos)
- *lpos = '\0';
- else {
- /* there is no complete line in inbuf */
- /* copy it to temp buffer */
- if (gopherState->len + len > TEMP_BUF_SIZE) {
- debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n",
- storeUrl(entry));
- len = TEMP_BUF_SIZE - gopherState->len;
- }
- xmemcpy(gopherState->buf + gopherState->len, inbuf, len);
- gopherState->len += len;
- return;
- }
-
- /* skip one line */
- pos = (char *) memchr(pos, '\n', len);
- if (pos)
- pos++;
-
- /* we're done with the remain from last tx. */
+ xmemcpy(line, gopherState->buf, gopherState->len);
+ xmemcpy(line + gopherState->len, pos, llen);
+ llen += gopherState->len;
gopherState->len = 0;
- *(gopherState->buf) = '\0';
} else {
-
- lpos = (char *) memccpy(line, pos, '\n', len - (pos - inbuf));
- if (lpos)
- *lpos = '\0';
- else {
- /* there is no complete line in inbuf */
- /* copy it to temp buffer */
- if ((len - (pos - inbuf)) > TEMP_BUF_SIZE) {
- debug(10, 1) ("gopherToHTML: Buffer overflow. Lost some data on URL: %s\n",
- storeUrl(entry));
- len = TEMP_BUF_SIZE;
- }
- if (len > (pos - inbuf)) {
- xmemcpy(gopherState->buf, pos, len - (pos - inbuf));
- gopherState->len = len - (pos - inbuf);
- }
- break;
- }
-
- /* skip one line */
- pos = (char *) memchr(pos, '\n', len);
- if (pos)
- pos++;
-
+ xmemcpy(line, pos, llen);
}
+ line[llen + 1] = '\0';
+ /* move input to next line */
+ pos = lpos;
/* at this point. We should have one line in buffer to process */
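Review bot: `line[llen + 1] = '\0';` terminates one byte too far. Both branches copy exactly `llen` bytes into `line[0..llen-1]`, so the terminator belongs at `line[llen]`; as written `line[llen]` is left uninitialized, and when the cap `llen = TEMP_BUF_SIZE - gopherState->len - 1` has been hit, `llen` after the merge equals `TEMP_BUF_SIZE - 1` and the store lands at `line[TEMP_BUF_SIZE]`, past the end if `line` is declared with TEMP_BUF_SIZE bytes. Suggest `line[llen] = '\0';`.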
++++++ 12714.patch ++++++
---------------------
PatchSet 12714
Date: 2011/08/26 22:01:25
Author: hno
Branch: SQUID_2_7
Tag: (none)
Log:
Fix various harmless warnings detected by gcc 4.6
Members:
helpers/external_acl/ldap_group/squid_ldap_group.c:1.14.6.5->1.14.6.6
helpers/ntlm_auth/fakeauth/fakeauth_auth.c:1.12->1.12.2.1
src/authenticate.c:1.51.6.2->1.51.6.3
src/client_side.c:1.754.2.30->1.754.2.31
src/forward.c:1.131.2.5->1.131.2.6
src/fqdncache.c:1.158->1.158.2.1
src/neighbors.c:1.319.2.8->1.319.2.9
src/auth/negotiate/auth_negotiate.c:1.12.2.1->1.12.2.2
src/auth/ntlm/auth_ntlm.c:1.42->1.42.2.1
Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/external_acl/ldap_group/squid_ldap_group.c,v
retrieving revision 1.14.6.5
retrieving revision 1.14.6.6
diff -u -r1.14.6.5 -r1.14.6.6
--- squid/helpers/external_acl/ldap_group/squid_ldap_group.c 16 Sep 2009 20:56:32 -0000 1.14.6.5
+++ squid/helpers/external_acl/ldap_group/squid_ldap_group.c 26 Aug 2011 22:01:25 -0000 1.14.6.6
@@ -218,7 +218,6 @@
int use_extension_dn = 0;
int strip_nt_domain = 0;
int strip_kerberos_realm = 0;
- int err = 0;
setbuf(stdout, NULL);
@@ -599,7 +598,6 @@
tryagain = 1;
}
}
- err = 0;
}
if (ld)
ldap_unbind(ld);
Index: squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c,v
retrieving revision 1.12
retrieving revision 1.12.2.1
diff -u -r1.12 -r1.12.2.1
--- squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 1 Apr 2007 14:17:46 -0000 1.12
+++ squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 26 Aug 2011 22:01:25 -0000 1.12.2.1
@@ -145,7 +145,6 @@
{
static unsigned hash;
int r;
- char *d;
int i;
debug("ntlmMakeChallenge: flg %08x\n", flags);
@@ -161,7 +160,6 @@
chal->hdr.type = WSWAP(NTLM_CHALLENGE);
chal->unknown[6] = SSWAP(0x003a);
- d = (char *) chal + 48;
i = 0;
if (authenticate_ntlm_domain != NULL)
Index: squid/src/authenticate.c
===================================================================
RCS file: /cvsroot/squid/squid/src/authenticate.c,v
retrieving revision 1.51.6.2
retrieving revision 1.51.6.3
diff -u -r1.51.6.2 -r1.51.6.3
--- squid/src/authenticate.c 4 May 2008 23:23:13 -0000 1.51.6.2
+++ squid/src/authenticate.c 26 Aug 2011 22:01:26 -0000 1.51.6.3
@@ -1,6 +1,6 @@
/*
- * $Id: authenticate.c,v 1.51.6.2 2008/05/04 23:23:13 hno Exp $
+ * $Id: authenticate.c,v 1.51.6.3 2011/08/26 22:01:26 hno Exp $
*
* DEBUG: section 29 Authenticator
* AUTHOR: Duane Wessels
@@ -333,7 +333,6 @@
{
time_t delta = Config.authenticateIpShortcircuitTTL;
auth_user_request_ip_hash_t *hash_entry;
- auth_user_request_t *auth_user_request = NULL;
if (!auth_user_request_ip_hash)
return NULL;
@@ -342,7 +341,6 @@
if (!hash_entry)
return NULL;
- auth_user_request = hash_entry->auth_user_request;
if (hash_entry->last_seen + delta < squid_curtime) {
authenticateAuthUserRequestUnlinkIp(ipaddr);
return NULL;
Index: squid/src/client_side.c
===================================================================
RCS file: /cvsroot/squid/squid/src/client_side.c,v
retrieving revision 1.754.2.30
retrieving revision 1.754.2.31
diff -u -r1.754.2.30 -r1.754.2.31
--- squid/src/client_side.c 13 Jul 2010 19:43:08 -0000 1.754.2.30
+++ squid/src/client_side.c 26 Aug 2011 22:01:26 -0000 1.754.2.31
@@ -1,6 +1,6 @@
/*
- * $Id: client_side.c,v 1.754.2.30 2010/07/13 19:43:08 hno Exp $
+ * $Id: client_side.c,v 1.754.2.31 2011/08/26 22:01:26 hno Exp $
*
* DEBUG: section 33 Client-side Routines
* AUTHOR: Duane Wessels
@@ -3675,7 +3675,6 @@
char *url = urlbuf;
const char *req_hdr = NULL;
http_version_t http_ver;
- size_t header_sz; /* size of headers, not including first line */
size_t prefix_sz; /* size of whole request (req-line + headers) */
size_t req_sz;
method_t method;
@@ -3742,7 +3741,6 @@
*/
/* XXX re-evaluate all of these values and use whats in hmsg instead! */
req_hdr = hmsg->buf + hmsg->r_len;
- header_sz = hmsg->h_len;
debug(33, 3) ("parseHttpRequest: req_hdr = {%s}\n", req_hdr);
prefix_sz = req_sz;
Index: squid/src/forward.c
===================================================================
RCS file: /cvsroot/squid/squid/src/forward.c,v
retrieving revision 1.131.2.5
retrieving revision 1.131.2.6
diff -u -r1.131.2.5 -r1.131.2.6
--- squid/src/forward.c 18 Jul 2008 00:47:48 -0000 1.131.2.5
+++ squid/src/forward.c 26 Aug 2011 22:01:26 -0000 1.131.2.6
@@ -1,6 +1,6 @@
/*
- * $Id: forward.c,v 1.131.2.5 2008/07/18 00:47:48 hno Exp $
+ * $Id: forward.c,v 1.131.2.6 2011/08/26 22:01:26 hno Exp $
*
* DEBUG: section 17 Request Forwarding
* AUTHOR: Duane Wessels
@@ -59,7 +59,6 @@
static void fwdLogReplyStatus(int tries, http_status status);
static OBJH fwdStats;
static STABH fwdAbort;
-static peer *fwdStateServerPeer(FwdState *);
#define MAX_FWD_STATS_IDX 9
static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][HTTP_INVALID_HEADER + 1];
@@ -69,16 +68,6 @@
static Logfile *logfile = NULL;
#endif
-static peer *
-fwdStateServerPeer(FwdState * fwdState)
-{
- if (NULL == fwdState)
- return NULL;
- if (NULL == fwdState->servers)
- return NULL;
- return fwdState->servers->peer;
-}
-
static void
fwdServerFree(FwdServer * fs)
{
@@ -92,7 +81,6 @@
{
StoreEntry *e = fwdState->entry;
int sfd;
- peer *p;
debug(17, 3) ("fwdStateFree: %p\n", fwdState);
assert(e->mem_obj);
#if URL_CHECKSUM_DEBUG
@@ -109,7 +97,6 @@
storeResetDefer(e);
if (storePendingNClients(e) > 0)
assert(!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT));
- p = fwdStateServerPeer(fwdState);
fwdServersFree(&fwdState->servers);
requestUnlink(fwdState->request);
fwdState->request = NULL;
Index: squid/src/fqdncache.c
===================================================================
RCS file: /cvsroot/squid/squid/src/fqdncache.c,v
retrieving revision 1.158
retrieving revision 1.158.2.1
diff -u -r1.158 -r1.158.2.1
--- squid/src/fqdncache.c 13 Oct 2007 00:01:38 -0000 1.158
+++ squid/src/fqdncache.c 26 Aug 2011 22:01:27 -0000 1.158.2.1
@@ -1,6 +1,6 @@
/*
- * $Id: fqdncache.c,v 1.158 2007/10/13 00:01:38 hno Exp $
+ * $Id: fqdncache.c,v 1.158.2.1 2011/08/26 22:01:27 hno Exp $
*
* DEBUG: section 35 FQDN Cache
* AUTHOR: Harvest Derived
@@ -333,12 +333,11 @@
fqdncacheHandleReply(void *data, rfc1035_rr * answers, int na, const char *error_message)
#endif
{
- int n;
generic_cbdata *c = data;
fqdncache_entry *f = c->data;
cbdataFree(c);
c = NULL;
- n = ++FqdncacheStats.replies;
+ FqdncacheStats.replies += 1;
statHistCount(&statCounter.dns.svc_time,
tvSubMsec(f->request_time, current_time));
#if USE_DNSSERVERS
Index: squid/src/neighbors.c
===================================================================
RCS file: /cvsroot/squid/squid/src/neighbors.c,v
retrieving revision 1.319.2.8
retrieving revision 1.319.2.9
diff -u -r1.319.2.8 -r1.319.2.9
--- squid/src/neighbors.c 27 Jun 2008 21:52:56 -0000 1.319.2.8
+++ squid/src/neighbors.c 26 Aug 2011 22:01:27 -0000 1.319.2.9
@@ -1,6 +1,6 @@
/*
- * $Id: neighbors.c,v 1.319.2.8 2008/06/27 21:52:56 hno Exp $
+ * $Id: neighbors.c,v 1.319.2.9 2011/08/26 22:01:27 hno Exp $
*
* DEBUG: section 15 Neighbor Routines
* AUTHOR: Harvest Derived
@@ -642,7 +642,6 @@
{
peer *best_p = NULL;
#if USE_CACHE_DIGESTS
- const cache_key *key;
int best_rtt = 0;
int choice_count = 0;
int ichoice_count = 0;
@@ -651,7 +650,6 @@
int i;
if (!request->flags.hierarchical)
return NULL;
- key = storeKeyPublicByRequest(request);
for (i = 0, p = first_ping; i++ < Config.npeers; p = p->next) {
lookup_t lookup;
if (!p)
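Review bot: dropping `key = storeKeyPublicByRequest(request)` is behaviour-neutral only if that call had no side effect the peer selection loop depended on. As far as these lines show, `key` is never read, and the function returns a key computed from the request rather than registering anything, so the selected peer is unchanged. Pairing the removal with the `const cache_key *key` declaration in the hunk above is correct.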
Index: squid/src/auth/negotiate/auth_negotiate.c
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/negotiate/auth_negotiate.c,v
retrieving revision 1.12.2.1
retrieving revision 1.12.2.2
diff -u -r1.12.2.1 -r1.12.2.2
--- squid/src/auth/negotiate/auth_negotiate.c 28 Sep 2008 22:44:36 -0000 1.12.2.1
+++ squid/src/auth/negotiate/auth_negotiate.c 26 Aug 2011 22:01:27 -0000 1.12.2.2
@@ -1,6 +1,6 @@
/*
- * $Id: auth_negotiate.c,v 1.12.2.1 2008/09/28 22:44:36 hno Exp $
+ * $Id: auth_negotiate.c,v 1.12.2.2 2011/08/26 22:01:27 hno Exp $
*
* DEBUG: section 29 Negotiate Authenticator
* AUTHOR: Robert Collins
@@ -701,14 +701,12 @@
const char *proxy_auth, *blob;
auth_user_t *auth_user;
negotiate_request_t *negotiate_request;
- negotiate_user_t *negotiate_user;
auth_user = auth_user_request->auth_user;
assert(auth_user);
assert(auth_user->auth_type == AUTH_NEGOTIATE);
assert(auth_user->scheme_data != NULL);
assert(auth_user_request->scheme_data != NULL);
- negotiate_user = auth_user->scheme_data;
negotiate_request = auth_user_request->scheme_data;
/* Check that we are in the client side, where we can generate
* auth challenges */
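Review bot: the removed `negotiate_user = auth_user->scheme_data` was the only use of that local, and the `assert(auth_user->scheme_data != NULL)` above it stays, so no NULL check on the scheme data is lost by this change. The surviving `negotiate_request` assignment still relies on the preceding assert on `auth_user_request->scheme_data`, which is also kept.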
Index: squid/src/auth/ntlm/auth_ntlm.c
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/ntlm/auth_ntlm.c,v
retrieving revision 1.42
retrieving revision 1.42.2.1
diff -u -r1.42 -r1.42.2.1
--- squid/src/auth/ntlm/auth_ntlm.c 28 Aug 2007 22:39:10 -0000 1.42
+++ squid/src/auth/ntlm/auth_ntlm.c 26 Aug 2011 22:01:28 -0000 1.42.2.1
@@ -1,6 +1,6 @@
/*
- * $Id: auth_ntlm.c,v 1.42 2007/08/28 22:39:10 hno Exp $
+ * $Id: auth_ntlm.c,v 1.42.2.1 2011/08/26 22:01:28 hno Exp $
*
* DEBUG: section 29 NTLM Authenticator
* AUTHOR: Robert Collins
@@ -657,14 +657,12 @@
const char *proxy_auth, *blob;
auth_user_t *auth_user;
ntlm_request_t *ntlm_request;
- ntlm_user_t *ntlm_user;
auth_user = auth_user_request->auth_user;
assert(auth_user);
assert(auth_user->auth_type == AUTH_NTLM);
assert(auth_user->scheme_data != NULL);
assert(auth_user_request->scheme_data != NULL);
- ntlm_user = auth_user->scheme_data;
ntlm_request = auth_user_request->scheme_data;
/* Check that we are in the client side, where we can generate
* auth challenges */
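Review bot: same pattern as auth_negotiate.c: `ntlm_user` was write-only and the assert on `auth_user->scheme_data` remains, so the check is preserved and only the unused-variable warning goes away.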
++++++ CompleteFaq.html ++++++
++++ 3563 lines (skipped)
++++++ README.SuSE ++++++
This is Squid Version 2, a greatly enhanced new version
of the well known Squid proxy.
New features (included in the precompiled binaries) include:
* SNMP Support
* Support for the new HTCP (Hypertext Transfer Cache Protocol)
* Support for delay pools (bandwidth usage restrictions)
* New Redirector interface
* External cache user authentication
* better performance for large caches
Not included is support for cache digests, because digests cannot be disabled
at runtime and may interfere with some proxy setups.
The directory /usr/share/doc/packages/squid/errors contains error
messages in different languages. Simply copy the desired language
files to /usr/share/squid/errors! The default installation is English.
Important changes since Squid 2.2:
Domain name matching:
The function which checks for a match between a hostname and a
domain name has been rewritten, and its behavior is now slightly
different. Previously, the domain ``com'' would match the hostname
``foo.com'', but this is no longer the case. Now you must write
``.com'' to match ``foo.com''.
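To make the new rule concrete, here is an added example (my code, not Squid's
own domain matcher and not part of this package) that implements exactly the
behaviour described above: a pattern without a leading dot matches only that
one host, a pattern with a leading dot matches the domain itself and every
host below it. Case folding and the handling of a trailing dot on the host
are this example's own choices; the inputs in main() are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings (DNS names are
 * case-insensitive, so "Foo.COM" must match like "foo.com"). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/*
 * Match a hostname against a domain pattern under the rule from the README:
 *   "foo.com"  matches only the host foo.com itself;
 *   ".com"     matches com and every host below it (foo.com, a.b.com).
 * One trailing dot on the host (an absolute name such as "foo.com.") is
 * ignored. Returns 1 on match, 0 otherwise.
 */
int domain_matches(const char *host, const char *pattern)
{
    char h[256];
    size_t hlen = strlen(host), plen = strlen(pattern);

    if (hlen == 0 || hlen >= sizeof h)
        return 0;
    memcpy(h, host, hlen + 1);
    if (h[hlen - 1] == '.')            /* strip one trailing dot */
        h[--hlen] = '\0';

    if (pattern[0] != '.')
        return ci_equal(h, pattern);   /* exact match only */

    /* ".example.com" covers "example.com" itself ... */
    if (ci_equal(h, pattern + 1))
        return 1;
    /* ... and any host ending in ".example.com". Because the pattern keeps
     * its leading dot, the suffix comparison is anchored on a label
     * boundary, so "notexample.com" does not match ".example.com". */
    if (hlen < plen)
        return 0;
    return ci_equal(h + (hlen - plen), pattern);
}

int main(void)
{
    /* Constructed test pairs: host, pattern. */
    static const char *const cases[][2] = {
        { "foo.com", "com" }, { "foo.com", ".com" }, { "com", ".com" },
        { "www.Example.COM", ".example.com" }, { "notexample.com", ".example.com" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-14s -> %d\n", cases[i][0], cases[i][1],
               domain_matches(cases[i][0], cases[i][1]));
    return 0;
}
```

The first pair is the case the README calls out: with the new semantics
"com" no longer matches "foo.com", while ".com" does.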
Removed dnsservers:
In this version, DNS lookups are done by the main Squid process
by default.
Truncate vs unlink:
In version 2.2 Squid truncated disk files (by default) instead
of unlinking them. This caused some installations to run out
of inodes on the cache disks. Even though truncate makes Squid
a bit faster, we have made the default to use unlink again.
Look at http://www.squid-cache.org/Versions/v2/2.4/ for a full description.
Have fun!
++++++ ip_wccp.c ++++++
/*
* $Id: ip_wccp.c,v 1.7 2005/01/07 17:26:33 hno Exp $
*
* Maintainer:
* Henrik Nordstrom
*
* Change log:
* 2004-08-19 SONE Naoto
* Updated to support Linux 2.6.8
*
* 2004-02-17 Henrik Nordstrom
* Updated to linux-2.6.0
* WCCPv2 support
*
* 2003-10-20 Henrik Nordstrom
* Dropped support for old kernels. Linux-2.4 or later required
* Play well with Netfilter
*
* 2002-04-16 francis a. vidal
* Module license tag
*
* 2002-04-13 Henrik Nordstrom
* Updated to Linux-2.4
* - there no longer is a len argument to ip_wccp_recv
* - deal with fragmented skb packets
* - incremental checksumming to allow detection of corrupted
* packets
*
* 1999-09-30 Glenn Chisholm
* Original release
*/
/* NOTE: the <...> header names were lost when this page was extracted;
 * the list below is reconstructed from the identifiers the code uses
 * (module macros, sk_buff, iphdr, netif_rx, inet_add_protocol, the ECN
 * helpers, dst_release, netfilter conntrack) for the 2.4/2.6-era kernel
 * APIs this file targets. */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <net/sock.h>
#include <net/ip.h>
#include <net/protocol.h>
#include <net/dst.h>
#include <net/inet_ecn.h>
#include <net/checksum.h>
#define WCCP_PROTOCOL_TYPE 0x883E
#define WCCP_GRE_LEN sizeof(u32)
#define WCCP2_GRE_EXTRA sizeof(u32)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
/* New License scheme */
#ifdef MODULE_LICENSE
MODULE_AUTHOR("Glenn Chisholm");
MODULE_DESCRIPTION("WCCP module");
MODULE_LICENSE("GPL");
#endif
#endif
static inline void ip_wccp_ecn_decapsulate(struct iphdr *outer_iph, struct sk_buff *skb)
{
struct iphdr *inner_iph = skb->nh.iph;
if (INET_ECN_is_ce(outer_iph->tos))
IP_ECN_set_ce(inner_iph);
}
int ip_wccp_rcv(struct sk_buff *skb)
{
u32 *gre_hdr;
struct iphdr *iph;
/* Make the GRE header, the optional WCCPv2 word and the start of the
 * inner IP header linear in the skb before they are dereferenced below. */
if (!pskb_may_pull(skb, 16))
goto drop;
iph = skb->nh.iph;
gre_hdr = (u32 *)skb->h.raw;
if(*gre_hdr != __constant_htonl(WCCP_PROTOCOL_TYPE))
goto drop;
skb->mac.raw = skb->nh.raw;
/* WCCP2 puts an extra 4 octets into the header, but uses the same
* encapsulation type; if it looks as if the first octet of the packet
* isn't the beginning of an IPv4 header, assume it's WCCP2.
* This should be safe as these bits are reserved in the WCCPv2 header
* and always zero in WCCPv2.
*/
if ((skb->h.raw[WCCP_GRE_LEN] & 0xF0) != 0x40) {
skb->nh.raw = pskb_pull(skb, WCCP_GRE_LEN + WCCP2_GRE_EXTRA);
} else {
skb->nh.raw = pskb_pull(skb, WCCP_GRE_LEN);
}
if (skb->len <= 0)
goto drop;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
skb->protocol = __constant_htons(ETH_P_IP);
skb->pkt_type = PACKET_HOST;
dst_release(skb->dst);
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
ip_wccp_ecn_decapsulate(iph, skb);
netif_rx(skb);
return(0);
drop:
kfree_skb(skb);
return(0);
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8)
static struct net_protocol ipwccp_protocol = {
#else
static struct inet_protocol ipwccp_protocol = {
#endif
.handler = ip_wccp_rcv
};
static inline void wccp_add_protocol(void) { inet_add_protocol(&ipwccp_protocol, IPPROTO_GRE); }
static inline int wccp_del_protocol(void) { return inet_del_protocol(&ipwccp_protocol, IPPROTO_GRE); }
#else
static struct inet_protocol ipwccp_protocol = {
ip_wccp_rcv,
NULL,
0,
IPPROTO_GRE,
0,
NULL,
"GRE"
};
static inline void wccp_add_protocol(void) { inet_add_protocol(&ipwccp_protocol); }
static inline int wccp_del_protocol(void) { return inet_del_protocol(&ipwccp_protocol); }
#endif
int __init ip_wccp_init(void)
{
printk(KERN_INFO "WCCP IPv4/GRE driver\n");
wccp_add_protocol();
return 0;
}
static void __exit ip_wccp_fini(void)
{
if (wccp_del_protocol() < 0)
printk(KERN_INFO "ip_wccp: can't remove protocol\n");
else
printk(KERN_INFO "WCCP IPv4/GRE driver unloaded\n");
}
#ifdef MODULE
module_init(ip_wccp_init);
#endif
module_exit(ip_wccp_fini);
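The WCCPv2 detection in ip_wccp_rcv above (look at the byte after the GRE
header and skip four more bytes if it is not an IPv4 version nibble) is the
part of this module worth understanding, because everything after it trusts
that the inner IP header is where the heuristic says it is. The following is
an added user-space example, not code from ip_wccp.c or from the Squid
project, that reimplements that decision on a plain byte buffer with an
explicit length check before every read and a check that the inner header
really is IPv4 of a plausible length. The sample packets are constructed
here; the function names and the WCCP_ERR_* codes are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WCCP_PROTOCOL_TYPE 0x883E   /* GRE protocol type for WCCP, as in the module */
#define WCCP_GRE_LEN 4              /* bare GRE header: flags/version + protocol type */
#define WCCP2_GRE_EXTRA 4           /* extra reserved word WCCPv2 inserts */
#define IPV4_MIN_HDR 20

/* Negative return values of wccp_decap_offset(). */
enum { WCCP_ERR_SHORT = -1, WCCP_ERR_PROTO = -2, WCCP_ERR_INNER = -3 };

/*
 * User-space mirror of the header handling in ip_wccp_rcv(). gre points at
 * the GRE header (what skb->h.raw is in the module) and len is the number
 * of bytes available from there. Returns the offset of the inner IPv4
 * header, or a negative WCCP_ERR_* value when the packet must be dropped.
 * Unlike the module, which relies on pskb_may_pull(skb, 16) up front,
 * every byte read here is preceded by its own length check.
 */
int wccp_decap_offset(const uint8_t *gre, size_t len)
{
    size_t skip, ihl;
    uint32_t gre_hdr;

    /* GRE header plus the one byte whose version nibble we inspect. */
    if (len < WCCP_GRE_LEN + 1)
        return WCCP_ERR_SHORT;
    /* The module compares the whole first word against htonl(0x883E), i.e.
     * it also requires the GRE flags/version field to be zero. */
    gre_hdr = ((uint32_t)gre[0] << 24) | ((uint32_t)gre[1] << 16) |
              ((uint32_t)gre[2] << 8) | gre[3];
    if (gre_hdr != WCCP_PROTOCOL_TYPE)
        return WCCP_ERR_PROTO;
    /* WCCPv2 heuristic from the module: if the byte after the GRE header
     * does not look like an IPv4 version nibble, assume the extra word. */
    if ((gre[WCCP_GRE_LEN] & 0xF0) != 0x40)
        skip = WCCP_GRE_LEN + WCCP2_GRE_EXTRA;
    else
        skip = WCCP_GRE_LEN;
    /* The inner packet must carry at least a minimal IPv4 header, and after
     * skipping the WCCPv2 word the version nibble must really be 4. */
    if (len < skip + IPV4_MIN_HDR)
        return WCCP_ERR_SHORT;
    if ((gre[skip] & 0xF0) != 0x40)
        return WCCP_ERR_INNER;
    ihl = (size_t)(gre[skip] & 0x0F) * 4;
    if (ihl < IPV4_MIN_HDR || len < skip + ihl)
        return WCCP_ERR_INNER;
    return (int)skip;
}

/* Constructed sample inner packet: a 20-byte IPv4 header (version 4, IHL 5,
 * protocol TCP, 10.0.0.1 -> 10.0.0.2) with the checksum left zero. */
static const uint8_t sample_inner_ipv4[IPV4_MIN_HDR] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2
};

/* Build a constructed WCCPv1 (v2 == 0) or WCCPv2 (v2 != 0) GRE payload
 * into out. Returns the number of bytes written, 0 if cap is too small. */
size_t build_wccp_packet(uint8_t *out, size_t cap, int v2)
{
    static const uint8_t gre[WCCP_GRE_LEN] = { 0x00, 0x00, 0x88, 0x3E };
    size_t n = 0;

    if (cap < WCCP_GRE_LEN + WCCP2_GRE_EXTRA + IPV4_MIN_HDR)
        return 0;
    memcpy(out + n, gre, WCCP_GRE_LEN);
    n += WCCP_GRE_LEN;
    if (v2) {
        memset(out + n, 0, WCCP2_GRE_EXTRA);   /* reserved word, always zero */
        n += WCCP2_GRE_EXTRA;
    }
    memcpy(out + n, sample_inner_ipv4, IPV4_MIN_HDR);
    n += IPV4_MIN_HDR;
    return n;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n;

    n = build_wccp_packet(pkt, sizeof pkt, 0);
    printf("WCCPv1: inner IPv4 header at offset %d\n", wccp_decap_offset(pkt, n));
    n = build_wccp_packet(pkt, sizeof pkt, 1);
    printf("WCCPv2: inner IPv4 header at offset %d\n", wccp_decap_offset(pkt, n));
    printf("truncated to 6 bytes: %d\n", wccp_decap_offset(pkt, 6));
    return 0;
}
```

The heuristic is sound only because the WCCPv2 word is reserved and always
zero, as the module's comment says; the example adds what the module leaves
to the rest of the IP stack, namely that the bytes after the skip are long
enough and actually carry an IPv4 version and IHL.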
++++++ pam.squid ++++++
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
++++++ rc.squid ++++++
#! /bin/sh
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002 SuSE Linux AG
#
# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel
#
# init.d/squid
#
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $local_fs $remote_fs $network $time
# Should-Start: apache $named
# Required-Stop: $local_fs $remote_fs $network
# Should-Stop: $null
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Squid web cache
# Description: Start the Squid web cache, providing
# HTTP, FTP and other proxy services
### END INIT INFO
SQUID_BIN=/usr/sbin/squid
SQUID_PID=/var/run/squid.pid
SQUID_CONF=/etc/squid/squid.conf
SQUID_SYSCONFIG=/etc/sysconfig/squid
if [ ! -x $SQUID_BIN ] ; then
echo -n "WWW-proxy squid not installed ! "
exit 5
fi
# check for squid
test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing";
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; }
# Read config
. $SQUID_SYSCONFIG
# handle a special update case for unpopulated sysconfig data
test -z "$SQUID_SHUTDOWN_TIMEOUT" && SQUID_SHUTDOWN_TIMEOUT="60"
. /etc/rc.status
RC_OPTIONS='-v'
rc_reset
ulimit -n 4096
# determine which one is the cache_swap directory
CACHE_SWAP=`perl -n -e \
'/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "\$1 "' $SQUID_CONF`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/cache/squid
case "$1" in
start)
echo -n "Starting WWW-proxy squid "
checkproc $SQUID_BIN
if [ $? -eq 0 ] ; then
echo -n "- Warning: squid already running ! "
rc_failed
else
[ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! "
for adir in $CACHE_SWAP ; do
if [ ! -d $adir/00 ]; then # create missing cache directories
umask 027 # prevent users reading any cache data
echo -n " ($adir)"
$SQUID_BIN -z -F > /dev/null 2>&1
fi
if [ ! -d $adir/00 ]; then
echo " - failed while creating cache_dir ! "
rc_failed
rc_status -v
rc_exit
fi
done
sleep 2
fi
startproc -l /var/log/squid/rcsquid.log $SQUID_BIN -sYD
rc_status $RC_OPTIONS
;;
stop)
echo -n "Shutting down WWW-proxy squid "
if checkproc $SQUID_BIN ; then
$SQUID_BIN -k shutdown
sleep 2
if [ -e $SQUID_PID ] ; then
echo -n "- wait a minute or two... "
i="$SQUID_SHUTDOWN_TIMEOUT"
while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do
sleep 2
i=$((i-1))
echo -n "."
[ $i -eq 41 ] && echo
done
fi
if checkproc $SQUID_BIN ; then
killproc -TERM $SQUID_BIN
echo -n " Warning: squid killed !"
fi
else
echo -n "- Warning: squid not running ! "
rc_failed 7
fi
rc_status -v
;;
try-restart)
$0 status >/dev/null && $0 restart
rc_status
;;
restart)
$0 stop
$0 start
rc_status
;;
force-reload)
$0 reload
rc_status
;;
reload)
echo -n "Reloading WWW-proxy squid "
if checkproc $SQUID_BIN ; then
$SQUID_BIN -k rotate
sleep 2
$SQUID_BIN -k reconfigure
rc_status
else
echo -n "- Warning: squid not running ! "
rc_failed 7
fi
rc_status -v
;;
status)
echo -n "Checking for WWW-proxy squid "
checkproc $SQUID_BIN
rc_status -v
;;
probe)
test $SQUID_CONF -nt $SQUID_PID && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
++++++ squid-2.6.STABLE19-64bit.patch ++++++
--- squid-2.6.STABLE19/src/HttpHdrRange.c.orig 2008-03-18 00:34:41.000000000 +0100
+++ squid-2.6.STABLE19/src/HttpHdrRange.c 2008-03-26 16:35:07.000000000 +0100
@@ -485,7 +485,7 @@
if (!Config.rangeOffsetLimit)
/* disabled */
return 1;
- if (-1 == Config.rangeOffsetLimit)
+ if (-1U == Config.rangeOffsetLimit)
/* forced */
return 0;
if (Config.rangeOffsetLimit >= httpHdrRangeFirstOffset(range))
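Review bot: `-1U` is an `unsigned int` with value 0xFFFFFFFF, so `-1U == Config.rangeOffsetLimit` is equivalent to the old test only if `rangeOffsetLimit` is a 32-bit type. If it is 64 bits wide on this build (a `size_t` or `squid_off_t` under LP64), the constant is widened to 4294967295, which never equals an all-ones or -1 sentinel, and the "forced" branch becomes unreachable. Comparing against a sentinel of the variable's own type, e.g. `(size_t) -1`, keeps the semantics on every width while still silencing the signed/unsigned warning.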
--- squid-2.6.STABLE19/src/HttpHeader.c.orig 2007-12-21 10:56:53.000000000 +0100
+++ squid-2.6.STABLE19/src/HttpHeader.c 2008-03-26 16:34:46.000000000 +0100
@@ -817,7 +817,7 @@
/* First try the quick path */
id = httpHeaderIdByNameDef(name, strlen(name));
- if (id != -1)
+ if (id != -1U)
return httpHeaderGetStrOrList(hdr, id);
/* Sorry, an unknown header name. Do linear search */
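Review bot: same caveat as the range check above: `id != -1U` stays correct only while `id` and the -1 returned by `httpHeaderIdByNameDef` are both 32-bit; a cast to the declared type of `id` is the safer spelling of the same warning fix.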
--- squid-2.6.STABLE19/src/store_io.c.orig 2006-11-05 22:14:31.000000000 +0100
+++ squid-2.6.STABLE19/src/store_io.c 2008-03-26 16:34:46.000000000 +0100
@@ -34,7 +34,7 @@
store_io_stats.create.calls++;
/* This is just done for logging purposes */
objsize = objectLen(e);
- if (objsize != -1)
+ if (objsize != -1U)
objsize += e->mem_obj->swap_hdr_sz;
/*
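Review bot: this is the hunk where the width question matters most. `objectLen()` returns an object length, and if `objsize` is a 64-bit type on this build, `objsize != -1U` compares against 4294967295 instead of -1, so an unknown length (-1) would be treated as known and have `swap_hdr_sz` added to it. Compare with `(squid_off_t) -1` (or whatever type `objsize` is declared as) rather than `-1U`.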
--- squid-2.6.STABLE19/src/external_acl.c.orig 2007-01-02 00:32:13.000000000 +0100
+++ squid-2.6.STABLE19/src/external_acl.c 2008-03-26 16:34:46.000000000 +0100
@@ -265,7 +265,7 @@
}
format->header = xstrdup(header);
format->header_id = httpHeaderIdByNameDef(header, strlen(header));
- if (format->header_id != -1) {
+ if (format->header_id != -1U) {
if (member)
format->type = EXT_ACL_HEADER_ID_MEMBER;
else
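Review bot: same pattern as HttpHeader.c; once a typed sentinel is chosen there, keep this comparison consistent with it so the two call sites of `httpHeaderIdByNameDef` cannot drift apart.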
++++++ squid-2.6.STABLE2-ldflags.patch ++++++
Index: squid-2.7.STABLE6/configure.in
===================================================================
--- squid-2.7.STABLE6.orig/configure.in
+++ squid-2.7.STABLE6/configure.in
@@ -2923,6 +2923,7 @@ mingw|mingw32)
;;
esac
AC_MSG_RESULT($SQUID_MAXFD)
+LDFLAGS="$TLDFLAGS $PRESET_LDFLAGS"
fi # --with-maxfd SQUID_MAXFD
AC_DEFINE_UNQUOTED(SQUID_MAXFD, $SQUID_MAXFD, [Maximum number of open filedescriptors])
if test "$SQUID_MAXFD" -lt 512 ; then
@@ -2932,7 +2933,6 @@ if test "$SQUID_MAXFD" -lt 512 ; then
echo " on how to increase your filedescriptor limit"
sleep 10
fi
-LDFLAGS="$TLDFLAGS"
dnl Not cached since people are likely to tune this
AC_MSG_CHECKING(Default UDP send buffer size)
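Review bot: the restore of `LDFLAGS` moves from after the `--with-maxfd` block (the removed `LDFLAGS="$TLDFLAGS"`) to inside it, just before `fi # --with-maxfd SQUID_MAXFD`. When `--with-maxfd` is given and that block is skipped, `LDFLAGS` now keeps whatever the probe left in it, and `PRESET_LDFLAGS` is not defined anywhere in these hunks. Confirm both are intended: if `TLDFLAGS` is saved inside the same block the move is right, but `PRESET_LDFLAGS` must be set before this point or the assignment silently appends an empty string.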
++++++ squid-2.7.STABLE3-config.patch ++++++
--- squid-2.7.STABLE3/src/Makefile.in.orig 2008-01-03 02:16:40.000000000 +0100
+++ squid-2.7.STABLE3/src/Makefile.in 2008-07-02 17:17:06.000000000 +0200
@@ -651,7 +651,7 @@ DEFAULT_HTTP_PORT = @CACHE_HTTP_PORT@
DEFAULT_ICP_PORT = @CACHE_ICP_PORT@
DEFAULT_PREFIX = $(prefix)
DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf
-DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf
+DEFAULT_MIME_TABLE = $(datadir)/mime.conf
DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed '$(transform);s/$$/$(EXEEXT)/'`
DEFAULT_LOG_PREFIX = $(localstatedir)/logs
DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log
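Review bot: moving `mime.conf` from `$(sysconfdir)` to `$(datadir)` changes the built-in default path; the packaged squid.conf should either set `mime_table` explicitly or rely on this default, and the known limitation noted in the release notes, that mime.conf and its icons must live inside the chroot, now applies to the `$(datadir)` location.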
--- squid-2.7.STABLE3/src/cf.data.pre.orig 2008-06-25 00:54:18.000000000 +0200
+++ squid-2.7.STABLE3/src/cf.data.pre 2008-07-02 17:19:01.000000000 +0200
@@ -725,6 +725,7 @@ http_access deny CONNECT !SSL_ports
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
+http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
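Review bot: `http_access allow localhost` is placed after `http_access deny CONNECT !SSL_ports`, so local clients still cannot CONNECT to arbitrary ports; that ordering is the point and the line should not be moved above the deny rules when someone later tidies the file. It depends on the `localhost` acl the default configuration defines; if the packaged squid.conf trims the acl section, this line becomes a startup configuration error.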
@@ -2385,7 +2386,7 @@ DOC_END
NAME: logfile_rotate
TYPE: int
-DEFAULT: 10
+DEFAULT: 0
LOC: Config.Log.rotateNumber
DOC_START
Specifies the number of logfile rotations to make when you
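Review bot: with `logfile_rotate 0`, `squid -k rotate` closes and reopens the log files without renaming them, which is exactly what an external logrotate postrotate step needs; the `reload` target in rc.squid also issues `-k rotate`, so both paths stay consistent. The rationale for the changed default is documented only in the following hunk, which is fine, but it should stay adjacent to this one if the patch is ever split.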
@@ -2401,6 +2402,10 @@ DOC_START
purposes, so -k rotate uses another signal. It is best to get
in the habit of using 'squid -k rotate' instead of 'kill -USR1
<pid>'.
+
+ SUSE LINUX is using the logrotate mechanism and therefore the
+ rotation is done externaly, which means a default of 0 is
+ required and therefore set. Modify /etc/logrotate.d/squid instead.
DOC_END
NAME: emulate_httpd_log
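Review bot: typo in the added text: `externaly` should be `externally`, and `a default of 0 is required and therefore set` reads more clearly as `the default is therefore set to 0`; this text ends up in the generated squid.conf.default that administrators read.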
@@ -3753,7 +3758,7 @@ DOC_END
NAME: cache_effective_user
TYPE: string
-DEFAULT: nobody
+DEFAULT: squid
LOC: Config.effectiveUser
DOC_START
If you start Squid as root, it will change its effective/real
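Review bot: with the default changed to `squid`, Squid will refuse to start on a system where that account does not exist, so the package must create the user before the service can run. The matching `cache_effective_group` default is not part of this patch, so the effective group falls back to the `squid` user's primary group; note that the changelog entry in the header runs logrotate as squid:nogroup, and file ownership in /var/log/squid should agree with whatever group Squid actually runs as.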
@@ -4471,7 +4476,7 @@ DOC_END
NAME: htcp_port
IFDEF: USE_HTCP
TYPE: ushort
-DEFAULT: 4827
+DEFAULT: 0
LOC: Config.Port.htcp
DOC_START
The port number where Squid sends and receives HTCP queries to
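Review bot: defaulting `htcp_port` to 0 disables the HTCP listener entirely, which is the right posture for a package default: nothing answers HTCP until an administrator sets the port and an `htcp_access` policy. Worth a sentence in README.SuSE next to the note about cache digests, since both are inter-cache features switched off in this build.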
++++++ squid-2.7.STABLE9-RELEASENOTES.html ++++++
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.65">
<TITLE>Squid 2.7.STABLE9 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 2.7.STABLE9 release notes</H1>
<H2>Squid Developers</H2>$Id: release.html,v 1.1.2.15 2010/03/14 21:40:46 hno Exp $
<HR>
<EM>This document contains the release notes for version 2.7 of Squid.
Squid is a WWW Cache application developed by the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Key changes from squid 2.6</A></H2>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Changes to squid.conf</A></H2>
<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Added directives</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Changed directives</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Removed directives</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Known issues & limitations</A></H2>
<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">Known issues</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Known limitations</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Windows support</A></H2>
<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">Usage</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">PSAPI.DLL (Process Status Helper) Considerations</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Registry DNS lookup</A>
<LI><A NAME="toc4.4">4.4</A> <A HREF="#ss4.4">Compatibility Notes</A>
<LI><A NAME="toc4.5">4.5</A> <A HREF="#ss4.5">Known Limitations</A>
<LI><A NAME="toc4.6">4.6</A> <A HREF="#ss4.6">Using cache manager on Windows</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Key changes in squid-2.7.STABLE2</A></H2>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="#s6">Key changes in squid-2.7.STABLE3</A></H2>
<P>
<H2><A NAME="toc7">7.</A> <A HREF="#s7">Key changes in squid-2.7.STABLE4</A></H2>
<P>
<H2><A NAME="toc8">8.</A> <A HREF="#s8">Key changes in squid-2.7.STABLE5</A></H2>
<P>
<H2><A NAME="toc9">9.</A> <A HREF="#s9">Key changes in squid-2.7.STABLE6</A></H2>
<P>
<H2><A NAME="toc10">10.</A> <A HREF="#s10">Key changes in squid-2.7.STABLE7</A></H2>
<P>
<H2><A NAME="toc11">11.</A> <A HREF="#s11">Key changes in squid-2.7.STABLE8</A></H2>
<P>
<H2><A NAME="toc12">12.</A> <A HREF="#s12">Key changes in squid-2.7.STABLE9</A></H2>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Key changes from squid 2.6</A></H2>
<P>This section describes the main news since the 2.6 release</P>
<P>
<UL>
<LI>Experimental support for HTTP/1.1, mainly targeted at reverse proxy
installations. Not yet HTTP/1.1 compliant, however.</LI>
<LI>A number of performance improvements; including request/reply parser,
eliminating various redundant data copies and some completely rewritten
sections.</LI>
<LI>Support for WAIS has been removed.</LI>
<LI>"act-as-origin" option for http_port - Squid can now emulate an origin
server when acting as an accelerator.</LI>
<LI>"min-size" option for cache_dir - the minimum object size to store in
a cache directory. Previously objects of any size up to a "max-size"
maximum size would be considered as candidates for storing in a store_dir;
this option allows the administrator to tune various stores for small
and large objects rather than trying to tune it for both.</LI>
<LI>Support for Solaris /dev/poll for network IO - more efficient than
poll() or select() and backwards compatible to Solaris 7. This must
be manually enabled during configure by specifying "--enable-devpoll".</LI>
<LI>Support for FreeBSD accept filters. Use "accept_filter httpready"
in squid.conf to enable this.</LI>
<LI>A semi-modular logging framework has been introduced, which both
allows for more efficient non-blocking logging with the supplied logging
daemon, but also allows for third-party modules to intercept the squid
logs and process them. An example "UDP" logging helper, thanks to the
Wikimedia Foundation, is included.</LI>
<LI>Support for rewriting URLs into canonical forms when storing and retrieving
objects. A common practice seen in Content Delivery Networks is to serve
the same content from a variety of different URLs or hosts; this makes
efficient caching difficult. The store URL rewriting framework allows the
administrator to rewrite a variety of URLs into one canonical form, so
matching content from a variety of sources can be stored and retrieved
as if they came from the same source, whilst still fetching the content
from the original destination.
See the "storeurl_rewrite_program" option for more information, and
http://wiki.squid-cache.org/Features/StoreURLRewrite for some examples.</LI>
<LI>Object revalidation can now occur in the background. Cache validation can
now occur in the background without requiring an active client to drive it.
Stale content being revalidated can be served in situ whilst the object
is being refreshed. See the "max_stale" and "refresh_pattern" options for more
information.</LI>
<LI>introduce a new option, "zero_buffers", which controls whether Squid will
zero the memory used for buffers and other data structures before use.
This may or may not improve performance on specific workloads.</LI>
<LI>Cache authentication based on source IP address. This reduces the pressure
on external authenticators which may not be able to keep up under high load -
NTLM/winbind is a good example of this. See the "authenticate_ip_shortcircuit_access"
and "authenticate_ip_shortcircuit_ttl" options for more information.</LI>
<LI>Support for configuration file includes has been added. "include" can now be
used to include a configuration file or a glob of configuration files in a
directory.</LI>
<LI>The default rules to not cache dynamic content from cgi-bin and query URLs
have been altered. Previously, the "cache" ACL was used to mark requests
as non-cachable - this is enforced even on dynamic content which returns
cachability information. This has changed in Squid-2.7 to use the default
refresh pattern. Dynamic content is now cached if it is marked as cachable.
You should remove the default configuration lines with QUERY (acl, and cache)
and replace them with the correct refresh_pattern entries.</LI>
<LI>Accelerator mode support cleaned up to behave more consistently when
combining multiple accelerator mode options.</LI>
<LI>Zero Penalty Hit support, allowing cache misses to be marked by custom
TOS/priority values, useful when using packet shaping/prioritization
outside Squid and needing to separate cache hits from misses.</LI>
</UL>
</P>
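<P>The store URL rewriting framework in the list above turns several request
URLs into one cache key, which means a response fetched under any one of them
is served for all of them; a rule that is broader than the set of hosts that
really serve identical content therefore lets one origin poison what the cache
hands out for another. The following is an added example helper (not Squid's
code and not shipped in this package) that rewrites only an explicit allow-list
of mirror hosts, cdn0 to cdn9.example.com, onto one canonical host. The
canonical host name, the function names, and the assumption that the helper
reads the URL as the first whitespace-separated field of each stdin line and
answers with a store URL or an empty line (the same shape as
url_rewrite_program) are this example's own.</P>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Hypothetical CDN layout for this example: the same objects are served
 * from cdn0.example.com ... cdn9.example.com and should share one cache
 * entry. Only those hosts are rewritten; everything else passes through
 * untouched, so the rewrite cannot alias unrelated origins onto one key.
 */
static const char canonical_host[] = "cdn.example.com.squid.internal";

/* Is host[0..len) exactly "cdnN.example.com" for a single digit N? */
static int is_mirror_host(const char *host, size_t len)
{
    static const char prefix[] = "cdn", suffix[] = ".example.com";
    const size_t plen = sizeof prefix - 1, slen = sizeof suffix - 1;

    if (len != plen + 1 + slen)
        return 0;
    return strncasecmp(host, prefix, plen) == 0
        && isdigit((unsigned char)host[plen])
        && strncasecmp(host + plen + 1, suffix, slen) == 0;
}

/*
 * Compute the store URL for url into out (cap bytes).
 * Returns 1 if the URL was rewritten, 0 if it is returned unchanged,
 * -1 if the result does not fit in out.
 */
int canonical_store_url(const char *url, char *out, size_t cap)
{
    static const char scheme[] = "http://";
    const size_t slen = sizeof scheme - 1;
    const char *host, *rest;
    int n;

    if (strncasecmp(url, scheme, slen) == 0) {
        host = url + slen;
        rest = host + strcspn(host, ":/?");   /* port, path or query follows */
        if (is_mirror_host(host, (size_t)(rest - host))) {
            n = snprintf(out, cap, "%s%s%s", scheme, canonical_host, rest);
            if (n < 0 || (size_t)n >= cap)
                return -1;
            return 1;
        }
    }
    /* Not on the allow-list (or not plain http): pass through unchanged. */
    if (strlen(url) >= cap)
        return -1;
    strcpy(out, url);
    return 0;
}

/*
 * Helper loop. Assumed protocol: one request per line on stdin, the URL is
 * the first whitespace-separated field; answer with the store URL, or an
 * empty line to keep the original. Returns the number of requests answered.
 */
long run_storeurl_helper(FILE *in, FILE *outf)
{
    char line[8192], url[8192], store[8192];
    long answered = 0;

    while (fgets(line, sizeof line, in)) {
        if (sscanf(line, "%8191s", url) == 1 &&
            canonical_store_url(url, store, sizeof store) == 1)
            fputs(store, outf);
        fputc('\n', outf);
        fflush(outf);               /* Squid waits for each reply line */
        answered++;
    }
    return answered;
}

int main(void)
{
    return run_storeurl_helper(stdin, stdout) >= 0 ? 0 : 1;
}
```

<P>The allow-list check is deliberately an exact host match rather than a
substring test: <CODE>cdn3.example.com.evil.net</CODE> is not rewritten, and
neither is an https URL, which Squid would cache separately anyway.</P>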
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Changes to squid.conf</A></H2>
<P>This release has a number of changes and additions to squid.conf</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Added directives</A>
</H2>
<P>
<DL>
<DT><B>acl myportname</B><DD>
<P>new acl matching the incoming port name</P>
<DT><B>authenticate_ip_shortcircuit_ttl</B><DD>
<DT><B>authenticate_ip_shortcircuit_access</B><DD>
<P>controls the new IP based authentication cache.</P>
<DT><B>zph_mode</B><DD>
<DT><B>zph_local</B><DD>
<DT><B>zph_sibling</B><DD>
<DT><B>zph_parent</B><DD>
<DT><B>zph_option</B><DD>
<P>controls the Zero Penalty Hit support</P>
<DT><B>update_headers</B><DD>
<P>optimization to skip updating on-disk headers</P>
<DT><B>logfile_daemon</B><DD>
<P>new log file daemon support</P>
<DT><B>netdb_filename</B><DD>
<P>was hardcoded to the first cache_dir</P>
<DT><B>storeurl_rewrite_program</B><DD>
<DT><B>storeurl_rewrite_children</B><DD>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<DT><B>storeurl_access</B><DD>
<P>controls the new store URL rewrite functionality</P>
<DT><B>rewrite_access</B><DD>
<DT><B>rewrite</B><DD>
<P>controls the new builtin URL rewrite functionality</P>
<DT><B>max_stale</B><DD>
<DT><B>server_http11</B><DD>
<DT><B>ignore_expect_100</B><DD>
<P>Experimental HTTP/1.1 support knobs</P>
<DT><B>external_refresh_check</B><DD>
<P>new helper to allow custom cache validations in accelerator setups</P>
<DT><B>ignore_ims_on_miss</B><DD>
<P>optimization mainly targeted for accelerator setups</P>
<DT><B>max_filedescriptors</B><DD>
<P>can now be set at runtime. Was previously hardcoded at build time and further limited by ulimit</P>
<DT><B>accept_filter</B><DD>
<P>optimization to avoid waking Squid up until a request has been received</P>
<DT><B>incoming_rate</B><DD>
<P>new tuning knob for high traffic conditions</P>
<DT><B>zero_buffers</B><DD>
<P>tuning knob to disable a new optimization</P>
</DL>
</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Changed directives</A>
</H2>
<P>
<DL>
<DT><B>cache</B><DD>
<P>Suggested defaults modified</P>
<DT><B>cache_dir</B><DD>
<P>the "read-only" option has been renamed to "no-store" to better reflect the functionality</P>
<DT><B>cache_peer</B><DD>
<P>new multicast-siblings option, enabling multicast ICP sibling relations</P>
<P>new idle=n option to keep a minimum pool of idle connections</P>
<P>new http11 option to enable experimental HTTP/1.1 support</P>
<DT><B>external_acl_type</B><DD>
<P>New %URI format tag</P>
<DT><B>acl</B><DD>
<P>Suggested defaults cleaned up, defines a new "localnet" acl with RFC1918 addresses</P>
<P>new "myportname" acl type matching the http_port name</P>
<DT><B>icp_access</B><DD>
<P>Suggested defaults cleaned up, now requires configuration to use ICP</P>
<DT><B>htcp_access</B><DD>
<P>Suggested defaults cleaned up, now requires configuration to use HTCP</P>
<DT><B>http_access</B><DD>
<P>Suggested defaults cleaned up, using a new "localnet" acl.</P>
<DT><B>http_port</B><DD>
<P>Accelerator mode options cleaned up (accel, defaultsite, vport, vhost and combinations thereof)</P>
<P>new "allow-direct" option</P>
<P>new "act-as-origin" option</P>
<P>new "http11" option (experimental)</P>
<P>new "name=" option</P>
<P>new "keepalive=" option</P>
<DT><B>https_port</B><DD>
<P>See http_port.</P>
<DT><B>logformat</B><DD>
<P>New format codes: oa (Our outgoing IP address), rp (Request URL-Path), sn (Unique sequence number)</P>
<DT><B>refresh_pattern</B><DD>
<P>Several new options: stale-while-revalidate, ignore-stale-while-revalidate, max-stale, negative-ttl</P>
<P>Suggested defaults adjusted to match the changes in the cache directive.</P>
<DT><B>url_rewrite_program</B><DD>
<P>Future protocol change adding key=value pairs after the requests</P>
<DT><B>forwarded_for</B><DD>
<P>Has several new modes, allowing one to fine-tune how/if the requesting
client IP should be forwarded in X-Forwarded-For</P>
</DL>
</P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Removed directives</A>
</H2>
<P>
<DL>
<DT><B>incoming_icp_average</B><DD>
<DT><B>incoming_http_average</B><DD>
<DT><B>incoming_dns_average</B><DD>
<DT><B>min_icp_poll_cnt</B><DD>
<DT><B>min_dns_poll_cnt</B><DD>
<DT><B>min_http_poll_cnt</B><DD>
<P>the above tuning knobs no longer have any effect and have been removed.</P>
</DL>
</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Known issues & limitations</A></H2>
<P>There are a few known issues and limitations in this release of Squid</P>
<H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">Known issues</A>
</H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2248">#2248</a> storeurl_rewrite mismatched when object stored on memory</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2112">#2112</a> Squid does not send If-None-Match tag for cache revalidation</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2160">#2160</a> Cache hits on objects with headers > 4KB</LI>
</UL>
</P>
<H2><A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Known limitations</A>
</H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1059">#1059</a>: mime.conf and referenced icons must be within chroot</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=692">#692</a>: tcp_outgoing_address using an ident ACL does not work</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=581">#581</a>: acl max_user_ip and multiple authentication schemes</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=528">#528</a>: miss_access fails on "slow" acl types such as dst.</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=513">#513</a>: squid -F is starting server sockets to early</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=457">#457</a>: does not handle swap.state corruption properly</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=410">#410</a>: unstable if runs out of disk space</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=355">#355</a>: diskd may appear slow on low loads</LI>
</UL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Windows support</A></H2>
<P>This Squid version can run on Windows as a system service using the Cygwin emulation environment,
or can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.</P>
<P>On Windows 2000 and later the service is configured to use the Windows Service Recovery option
restarting automatically after 60 seconds.</P>
<H2><A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">Usage</A>
</H2>
<P>Some new command line options were added for the Windows service support:</P>
<P>The service is installed with the -i command line switch; the -f switch can be used at
the same time to specify a different config file for the Squid service, which will be
stored in the Windows Registry.</P>
<P>A new -n switch specifies the Windows Service Name, so multiple Squid instances are allowed.
<EM>"Squid"</EM> is the default when the switch is not used.</P>
<P>So, to install the service, the syntax is: </P>
<P>
<PRE>
squid -i [-f file] [-n name]
</PRE>
</P>
<P>Service uninstallation is done with the -r command line switch together with the appropriate -n switch.</P>
<P>The -k switch family must be used with the appropriate -f and -n switches, so the syntax is: </P>
<P>
<PRE>
squid -k command [-f file] -n service-name
</PRE>
where <EM>service-name</EM> is the name specified with -n options at service install time.</P>
<P>To use the Squid original command line, the new -O switch must be used ONCE, the syntax is: </P>
<P>
<PRE>
squid -O cmdline [-n service-name]
</PRE>
If multiple service command line options must be specified, use quotes. The -n switch is
needed only when a non-default service name is in use.</P>
<P>Don't use the "Start parameters" in the Windows 2000/XP/2003 Service applet: they are
specific to Windows services functionality and Squid is not designed to understand them.</P>
<P>In the following example the command line of the "squidsvc" Squid service is set to "-D -u 3130": </P>
<P>
<PRE>
squid -O "-D -u 3130" -n squidsvc
</PRE>
</P>
<H2><A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">PSAPI.DLL (Process Status Helper) Considerations</A>
</H2>
<P>The process status helper functions make it easier for you to obtain information about
processes and device drivers running on Microsoft&reg; Windows NT&reg;/Windows&reg; 2000. These
functions are available in PSAPI.DLL, which is distributed in the Microsoft&reg; Platform
Software Development Kit (SDK). The same information is generally available through the
performance data in the registry, but it is more difficult to get to it. PSAPI.DLL is
freely redistributable.</P>
<P>PSAPI.DLL is available only on Windows NT, 2000, XP and 2003. The implementation in Squid is
aware of this, and tries to use it only on the right platform.</P>
<P>On Windows NT, PSAPI.DLL can be found as a component of many applications; if you need it,
you can find it in the Windows NT Resource Kit. If you have problems, it can be
downloaded from here:
<A HREF="http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE">http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE</A></P>
<P>On Windows 2000 and later it is available installing the Windows Support Tools, located on the
Support\Tools folder of the installation Windows CD-ROM.</P>
<H2><A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Registry DNS lookup</A>
</H2>
<P>On Windows platforms, if no value is specified in the <EM>dns_nameservers</EM> option in
squid.conf or in the /etc/resolv.conf file, the list of DNS name servers is
taken from the Windows registry; both static and dynamic DHCP configurations
are supported.</P>
<H2><A NAME="ss4.4">4.4</A> <A HREF="#toc4.4">Compatibility Notes</A>
</H2>
<P>
<UL>
<LI>It's recommended to use the '/' character in Squid paths instead of '\'</LI>
<LI>Paths with spaces (like 'C:\Program Files\Squid') are NOT supported by Squid</LI>
<LI>Include wildcard patterns in squid.conf are NOT supported on Windows</LI>
<LI>When using an ACL like 'acl aclname acltype "file"' the file must be in DOS text
format (CR+LF) and the full Windows path must be specified, for example:
<PRE>
acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"
</PRE>
</LI>
<LI>The Windows equivalent of '/dev/null' is 'NUL'</LI>
<LI>Squid doesn't know how to run external helpers based on scripts (.bat, .cmd,
.vbs, .pl, etc.), so in squid.conf the interpreter path must always be specified, for example:
<PRE>
redirect_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
redirect_program c:/winnt/system32/cmd.exe /C c:/squid/libexec/redir.cmd
</PRE>
</LI>
<LI>When Squid runs in command line mode, the launching user account must have administrative privileges on the system</LI>
<LI>"Start parameters" in the Windows 2000/XP/2003 Service applet cannot be used</LI>
<LI>Building with MinGW, when the configure option --enable-truncate is used, Squid cannot run on Windows NT, only Windows 2000 and later are supported</LI>
<LI>On Windows Vista and later, User Account Control (UAC) must be disabled before running service installation</LI>
</UL>
</P>
<H2><A NAME="ss4.5">4.5</A> <A HREF="#toc4.5">Known Limitations</A>
</H2>
<P>
<UL>
<LI>DISKD: still needs to be ported</LI>
<LI>WCCP: cannot work because user space GRE support on Windows is missing</LI>
<LI>Transparent Proxy: missing Windows non commercial interception driver</LI>
<LI>Some code sections can make blocking calls.</LI>
<LI>Some external helpers may not work.</LI>
<LI>File Descriptors number hard-limited to 2048 when building with MinGW.</LI>
</UL>
</P>
<H2><A NAME="ss4.6">4.6</A> <A HREF="#toc4.6">Using cache manager on Windows</A>
</H2>
<P>On Windows, the cache manager (cachemgr.cgi) can be used with Microsoft IIS or Apache.
Some specific configuration may be needed:</P>
<H3>IIS 6 (Windows 2003)</H3>
<P>On IIS 6.0 all CGI extensions are denied by default for security reasons, so the following configuration is needed:</P>
<P>
<UL>
<LI>Create a cgi-bin directory</LI>
<LI>Define the cgi-bin IIS virtual directory with read and CGI execute IIS
permissions; ASP scripts are not needed. This automatically defines a
cgi-bin IIS web application</LI>
<LI>Copy cachemgr.cgi into the cgi-bin directory and check the file permissions:
the IIS system account and SYSTEM must be able to read and execute the file</LI>
<LI>In IIS manager go to Web Service extensions and add a new Web Service
Extension called <EM>"Squid Cachemgr"</EM>, add the cachemgr.cgi file and set the
extension status to <EM>Allowed</EM></LI>
</UL>
</P>
<H3>Apache:</H3>
<P>On Windows, cachemgr.cgi needs to create a temporary file, so Apache must be instructed
to pass the TMP and TEMP Windows environment variables to CGI applications:
<PRE>
ScriptAlias /squid/cgi-bin/ "c:/squid/libexec/"
<Location /squid/cgi-bin/cachemgr.cgi>
PassEnv TMP TEMP
Order allow,deny
Allow from workstation.example.com
</Location>
</PRE>
</P>
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Key changes in squid-2.7.STABLE2</A></H2>
<P>
<UL>
<LI>Compile error if --enable-delaypools used</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1893">#1893</a>: Variant invalidation support removed again, caused a lot of content to not get cached.</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2350">#2350</a>: Linux Capabilities version mismatch causing startup crash on newer kernels</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE2.html">squid-2.7.STABLE2 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s6">6.</A> <A HREF="#toc6">Key changes in squid-2.7.STABLE3</A></H2>
<P>
<UL>
<LI>Bug #2376: Round-Robin peer selection becomes unbalanced when a peer dies and comes back</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2122">#2122</a>: Private information leakage in collapsed_forwarding</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1993">#1993</a>: Memory leak in http_reply_access deny processing</LI>
<LI>Fix SNMP reporting of counters with a value > 0xFF80000</LI>
<LI>Reject ridiculously large ASN.1 lengths</LI>
<LI>Off by one error in DNS label decompression could cause valid DNS messages to be rejected</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2241">#2241</a>: weights not applied properly in round-robin peer selection</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2192">#2192</a>: http_port ... vport broken by recent changes in how accelerator mode deals with port numbers</LI>
<LI>Fix build error on Solaris using gcc and --with-large-files</LI>
<LI>Windows port: new option for control of IP address changes notification in squid.conf</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE3.html">squid-2.7.STABLE3 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s7">7.</A> <A HREF="#toc7">Key changes in squid-2.7.STABLE4</A></H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2393">#2393</a>: DNS retransmit queue could get held up</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2408">#2408</a>: assertion failed: forward.c:529: "fs"</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2414">#2414</a>: assertion failed: forward.c:110: "!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)"</LI>
<LI>Workaround for Linux-2.6.24 & 2.6.25 netfilter_ipv4.h include header __u32 problem</LI>
<LI>Make dns_nameserver work when using --disable-internal-dns on glibc based systems</LI>
<LI>Handle aborted objects properly. The change in 2.7.STABLE3 triggered a number of issues.</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2406">#2406</a>: access.log logs rewritten URL and strip_query_terms ineffective</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE4.html">squid-2.7.STABLE4 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s8">8.</A> <A HREF="#toc8">Key changes in squid-2.7.STABLE5</A></H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2441">#2441</a>: Shut down store url rewrite helpers on squid -k reconfigure</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2464">#2464</a>: assertion failed: sc->new_callback == NULL at store_client.c:190</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2394">#2394</a>: add upgrade_http0.9 option making it possible to disable upgrade of HTTP/0.9 responses</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2426">#2426</a>: Increase negotiate auth token buffer size</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2468">#2468</a>: Limit stale-if-error to 500-504 responses</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2477">#2477</a>: swap.state permission issues if crashing during "squid -k reconfigure"</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2430">#2430</a>: Old headers sometimes still returned after a cache validation</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2481">#2481</a>: Don't set expires: now in generated error responses</LI>
<LI>Windows port: Fix build error using latest MinGW runtime.</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE5.html">squid-2.7.STABLE5 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s9">9.</A> <A HREF="#toc9">Key changes in squid-2.7.STABLE6</A></H2>
<P>
<UL>
<LI>Crash on certain invalid HTTP messages</LI>
<LI>Correct latency measurements</LI>
<LI>Various documentation fixes</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE6.html">squid-2.7.STABLE6 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s10">10.</A> <A HREF="#toc10">Key changes in squid-2.7.STABLE7</A></H2>
<P>
<UL>
<LI>Hang in 100% CPU if using external_acl_type or access_log format %{header:;item}</LI>
<LI>wbinfo_group.pl false positives under certain conditions</LI>
<LI>several memory leaks fixed</LI>
<LI>documentation corrections</LI>
<LI>Max URL size increased to 8192</LI>
<LI>And many other minor bugfixes</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE7.html">squid-2.7.STABLE7 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s11">11.</A> <A HREF="#toc11">Key changes in squid-2.7.STABLE8</A></H2>
<P>
<UL>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2858">#2858</a>: Segment violation in HTCP</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2773">#2773</a>: Segfault in RFC2069 Digest authentication</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2845">#2845</a>: Crashes on malformed Digest authentication</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2367">#2367</a>: Incorrect stale=true/false indications in Digest auth
causing random auth popups.</LI>
<LI>Improve %nn parser to better deal with certain odd %nn sequences</LI>
<LI>Handle DNS header-only packets as invalid. (CVE-2010-0308)</LI>
<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=2678">#2678</a> - storeurl_rewrite does not play nicely with vary</LI>
<LI>And many other minor bugfixes</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE8.html">squid-2.7.STABLE8 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
<H2><A NAME="s12">12.</A> <A HREF="#toc12">Key changes in squid-2.7.STABLE9</A></H2>
<P>This release has portability fixes only. No change in functionality.</P>
<P>
<UL>
<LI>OpenSSL related compilation issue on some systems introduced
in 2.7.STABLE8.</LI>
<LI>configure failed to detect certain system libraries on some
systems, resulting in compilation failures either in Squid or helpers.</LI>
<LI>See also the list of
<A HREF="http://www.squid-cache.org/Versions/v2/2.7/changesets/SQUID_2_7_STABLE9.html">squid-2.7.STABLE9 changes</A> and the
<A HREF="ChangeLog.txt">ChangeLog</A> file for details.</LI>
</UL>
</P>
</BODY>
</HTML>
++++++ squid-2.7.x-bnc796999-bnc794954-CVE-2012-5643-CVE-2013-0188-cachemgr_cgi_dos.diff ++++++
diff -prNU 30 ../squid-2.7.STABLE5-o/tools/cachemgr.c ./tools/cachemgr.c
--- ../squid-2.7.STABLE5-o/tools/cachemgr.c 2008-06-25 00:55:11.000000000 +0200
+++ ./tools/cachemgr.c 2013-02-06 18:06:02.000000000 +0100
@@ -482,66 +482,69 @@ munge_other_line(const char *buf, cachem
const char *cell = xstrtok(&x, '\t');
while (x && *x == '\t') {
column_span++;
x++;
}
l += snprintf(html + l, sizeof(html) - l, "<%s colspan=\"%d\" align=\"%s\">%s%s>",
ttag, column_span,
is_header ? "center" : is_number(cell) ? "right" : "left",
html_quote(cell), ttag);
}
xfree(buf_copy);
/* record ends */
l += snprintf(html + l, sizeof(html) - l, "</tr>\n");
next_is_header = is_header && strstr(buf, "\t\t");
table_line_num++;
return html;
}
static const char *
munge_action_line(const char *_buf, cachemgr_request * req)
{
static char html[2 * 1024];
char *buf = xstrdup(_buf);
char *x = buf;
const char *action, *description;
char *p;
if ((p = strchr(x, '\n')))
*p = '\0';
action = xstrtok(&x, '\t');
+ if (!action) {
+ xfree(buf);
+ return "";
+ }
description = xstrtok(&x, '\t');
if (!description)
description = action;
- if (!action)
- return "";
snprintf(html, sizeof(html), " %s</a>", menu_url(req, action), description);
+ xfree(buf);
return html;
}
static int
read_reply(int s, cachemgr_request * req)
{
char buf[4 * 1024];
#ifdef _SQUID_MSWIN_
int reply;
char *tmpfile = tempnam(NULL, "tmp0000");
FILE *fp = fopen(tmpfile, "w+");
#else
FILE *fp = fdopen(s, "r");
#endif
/* interpretation states */
enum {
isStatusLine, isHeaders, isActions, isBodyStart, isBody, isForward, isEof, isForwardEof, isSuccess, isError
} istate = isStatusLine;
int parse_menu = 0;
const char *action = req->action;
const char *statusStr = NULL;
int status = -1;
if (0 == strlen(req->action))
parse_menu = 1;
else if (0 == strcasecmp(req->action, "menu"))
parse_menu = 1;
if (fp == NULL) {
#ifdef _SQUID_MSWIN_
perror(tmpfile);
xfree(tmpfile);
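Review bot: the unchanged context at the top of this hunk accumulates output with `l += snprintf(html + l, sizeof(html) - l, ...)` (the colspan line and the `</tr>` line); snprintf returns the length it would have written, so once one line is truncated `l` exceeds sizeof(html) and `sizeof(html) - l` wraps to a huge size_t on the next call. Clamp `l` to sizeof(html) after each call, or bail out when `l >= sizeof(html)`. The munge_action_line change itself is right: `action` and `description` point into `buf`, so the added `xfree(buf)` has to stay after the snprintf into the static `html` buffer, which it does; a one-line comment saying so would keep a later edit from hoisting it.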
@@ -663,147 +666,176 @@ read_reply(int s, cachemgr_request * req
#endif
return 0;
}
static int
process_request(cachemgr_request * req)
{
const struct hostent *hp;
static struct sockaddr_in S;
int s;
int l;
static char buf[2 * 1024];
if (req == NULL) {
auth_html(CACHEMGR_HOSTNAME, CACHE_HTTP_PORT, "");
return 1;
}
if (req->hostname == NULL) {
req->hostname = xstrdup(CACHEMGR_HOSTNAME);
}
if (req->port == 0) {
req->port = CACHE_HTTP_PORT;
}
if (req->action == NULL) {
req->action = xstrdup("");
}
if (strcmp(req->action, "authenticate") == 0) {
auth_html(req->hostname, req->port, req->user_name);
return 0;
}
if (!check_target_acl(req->hostname, req->port)) {
- snprintf(buf, 1024, "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port);
+ snprintf(buf, sizeof(buf), "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port);
error_html(buf);
return 1;
}
if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
- snprintf(buf, 1024, "socket: %s\n", xstrerror());
+ snprintf(buf, sizeof(buf), "socket: %s\n", xstrerror());
error_html(buf);
return 1;
}
memset(&S, '\0', sizeof(struct sockaddr_in));
S.sin_family = AF_INET;
if ((hp = gethostbyname(req->hostname)) != NULL) {
assert(hp->h_length <= sizeof(S.sin_addr.s_addr));
xmemcpy(&S.sin_addr.s_addr, hp->h_addr, hp->h_length);
} else if (safe_inet_addr(req->hostname, &S.sin_addr))
(void) 0;
else {
- snprintf(buf, 1024, "Unknown host: %s\n", req->hostname);
+ snprintf(buf, sizeof(buf), "Unknown host: %s\n", req->hostname);
error_html(buf);
return 1;
}
S.sin_port = htons(req->port);
if (connect(s, (struct sockaddr *) &S, sizeof(struct sockaddr_in)) < 0) {
- snprintf(buf, 1024, "connect: %s\n", xstrerror());
+ snprintf(buf, sizeof(buf), "connect: %s\n", xstrerror());
error_html(buf);
return 1;
}
l = snprintf(buf, sizeof(buf),
"GET cache_object://%s/%s HTTP/1.0\r\n"
"Accept: */*\r\n"
"%s" /* Authentication info or nothing */
"\r\n",
req->hostname,
req->action,
make_auth_header(req));
#ifdef _SQUID_MSWIN_
send(s, buf, l, 0);
#else
write(s, buf, l);
#endif
debug(1) fprintf(stderr, "wrote request: '%s'\n", buf);
return read_reply(s, req);
}
int
main(int argc, char *argv[])
{
char *s;
cachemgr_request *req;
safe_inet_addr("255.255.255.255", &no_addr);
now = time(NULL);
#ifdef _SQUID_MSWIN_
Win32SockInit();
atexit(Win32SockCleanup);
_setmode(_fileno(stdin), _O_BINARY);
_setmode(_fileno(stdout), _O_BINARY);
_fmode = _O_BINARY;
if ((s = strrchr(argv[0], '\\')))
#else
if ((s = strrchr(argv[0], '/')))
#endif
progname = xstrdup(s + 1);
else
progname = xstrdup(argv[0]);
if ((s = getenv("SCRIPT_NAME")) != NULL)
script_name = xstrdup(s);
req = read_request();
return process_request(req);
}
static char *
read_post_request(void)
{
char *s;
- char *buf;
- int len;
+
if ((s = getenv("REQUEST_METHOD")) == NULL)
- return NULL;
+ return NULL;
+
if (0 != strcasecmp(s, "POST"))
- return NULL;
+ return NULL;
+
if ((s = getenv("CONTENT_LENGTH")) == NULL)
- return NULL;
- if ((len = atoi(s)) <= 0)
- return NULL;
- buf = xmalloc(len + 1);
- fread(buf, len, 1, stdin);
- buf[len] = '\0';
+ return NULL;
+
+ if (*s == '-') // negative length content huh?
+ return NULL;
+
+ uint64_t len;
+
+ char *endptr = s+ strlen(s);
+ if ((len = strtoll(s, &endptr, 10)) <= 0)
+ return NULL;
+
+ // limit the input to something reasonable.
+ // 4KB should be enough for the GET/POST data length, but may be extended.
+ if (len >= 4096) {
+ printf("Status: 400 Bad Request\n\n");
+ exit(0);
+ }
+ char *buf = (char *)xmalloc(len + 1);
+
+ size_t readLen = fread(buf, 1, len, stdin);
+ if (readLen == 0) {
+ xfree(buf);
+ return NULL;
+ }
+ buf[readLen] = '\0';
+ len -= readLen;
+
+ // purge the remainder of the request entity
+ while (len > 0 && readLen) {
+ char temp[65535];
+ readLen = fread(temp, 1, 65535, stdin);
+ len -= readLen;
+ }
+
return buf;
}
static char *
read_get_request(void)
{
char *s;
if ((s = getenv("QUERY_STRING")) == NULL)
return NULL;
return xstrdup(s);
}
static cachemgr_request *
read_request(void)
{
char *buf;
cachemgr_request *req;
char *s;
char *t;
char *q;
if ((buf = read_post_request()) != NULL)
(void) 0;
else if ((buf = read_get_request()) != NULL)
(void) 0;
else
return NULL;
#ifdef _SQUID_MSWIN_
if (strlen(buf) == 0 || strlen(buf) == 4000)
#else
if (strlen(buf) == 0)
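Review bot: in read_post_request the CONTENT_LENGTH parsing never checks `endptr`: it is preset to `s + strlen(s)`, overwritten by strtoll and then ignored, so a value such as `12abc` is accepted as 12; test `*endptr == '\0'` (and errno for ERANGE) after the call. `len` is declared `uint64_t` while strtoll returns a signed `long long`, so the `<= 0` comparison can only ever catch zero; a negative result wraps to a large unsigned value and is rejected only because of the preceding `*s == '-'` check and the `len >= 4096` cap. Declaring `long long len` makes the intent explicit and avoids the sign-compare warning. The purge loop and the `sizeof(buf)` replacements in process_request look correct; note that the `//` comments and mid-block declarations are C99 in an otherwise C89-style file.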
@@ -859,110 +891,123 @@ make_pub_auth(cachemgr_request * req)
debug(3) fprintf(stderr, "cmgr: encoding for pub...\n");
if (!req->passwd || !strlen(req->passwd))
return;
/* host | time | user | passwd */
snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
req->hostname,
(int) now,
req->user_name ? req->user_name : "",
req->passwd);
debug(3) fprintf(stderr, "cmgr: pre-encoded for pub: %s\n", buf);
debug(3) fprintf(stderr, "cmgr: encoded: '%s'\n", base64_encode(buf));
req->pub_auth = xstrdup(base64_encode(buf));
}
static void
decode_pub_auth(cachemgr_request * req)
{
char *buf;
const char *host_name;
const char *time_str;
const char *user_name;
const char *passwd;
debug(2) fprintf(stderr, "cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
safe_free(req->passwd);
if (!req->pub_auth || strlen(req->pub_auth) < 4 + strlen(safe_str(req->hostname)))
return;
buf = xstrdup(base64_decode(req->pub_auth));
debug(3) fprintf(stderr, "cmgr: length ok\n");
/* parse ( a lot of memory leaks, but that is cachemgr style :) */
- if ((host_name = strtok(buf, "|")) == NULL)
+ if ((host_name = strtok(buf, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug(3) fprintf(stderr, "cmgr: decoded host: '%s'\n", host_name);
- if ((time_str = strtok(NULL, "|")) == NULL)
+ if ((time_str = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug(3) fprintf(stderr, "cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
- if ((user_name = strtok(NULL, "|")) == NULL)
+ if ((user_name = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug(3) fprintf(stderr, "cmgr: decoded uname: '%s'\n", user_name);
- if ((passwd = strtok(NULL, "|")) == NULL)
+ if ((passwd = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug(2) fprintf(stderr, "cmgr: decoded passwd: '%s'\n", passwd);
/* verify freshness and validity */
- if (atoi(time_str) + passwd_ttl < now)
+ if (atoi(time_str) + passwd_ttl < now) {
+ xfree(buf);
return;
- if (strcasecmp(host_name, req->hostname))
+ }
+ if (strcasecmp(host_name, req->hostname)) {
+ xfree(buf);
return;
+ }
debug(1) fprintf(stderr, "cmgr: verified auth. info.\n");
/* ok, accept */
- xfree(req->user_name);
+ safe_free(req->user_name);
req->user_name = xstrdup(user_name);
req->passwd = xstrdup(passwd);
xfree(buf);
}
static void
reset_auth(cachemgr_request * req)
{
safe_free(req->passwd);
safe_free(req->pub_auth);
}
static const char *
make_auth_header(const cachemgr_request * req)
{
static char buf[1024];
int l = 0;
const char *str64;
if (!req->passwd)
return "";
snprintf(buf, sizeof(buf), "%s:%s",
req->user_name ? req->user_name : "",
req->passwd);
str64 = base64_encode(buf);
l += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
assert(l < sizeof(buf));
l += snprintf(&buf[l], sizeof(buf) - l,
"Proxy-Authorization: Basic %s\r\n", str64);
+ xxfree(str64);
return buf;
}
static int
check_target_acl(const char *hostname, int port)
{
char config_line[BUFSIZ];
FILE *fp = NULL;
int ret = 0;
fp = fopen("cachemgr.conf", "r");
if (fp == NULL)
fp = fopen(DEFAULT_CACHEMGR_CONFIG, "r");
if (fp == NULL) {
#ifdef CACHEMGR_HOSTNAME_DEFINED
if (strcmp(hostname, CACHEMGR_HOSTNAME) == 0 && port == CACHE_HTTP_PORT)
return 1;
#else
if (strcmp(hostname, "localhost") == 0)
return 1;
if (strcmp(hostname, getfullhostname()) == 0)
return 1;
#endif
return 0;
}
while (fgets(config_line, BUFSIZ, fp)) {
char *token = NULL;
strtok(config_line, " \r\n\t");
if (config_line[0] == '#')
continue;
if (config_line[0] == '\0')
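Review bot: `xxfree(str64)` in make_auth_header needs checking against base64_encode's allocation contract. In make_pub_auth, visible at the top of this hunk, the same function is called twice in a row and its result is passed to xstrdup without any free, which is the usage pattern of a function returning a static buffer; if that is the case this free releases static storage, and if base64_encode does allocate then make_pub_auth leaks both calls. One of the two sites is wrong either way. The added `xfree(buf)` on each early-return path of decode_pub_auth is correct and removes the leaks the old comment admits to. Separately, `debug(2) fprintf(stderr, "cmgr: decoded passwd: '%s'\n", passwd)` writes the recovered cleartext password to the CGI error log at a low debug level; consider dropping the value from that message.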
++++++ squid-2.7.x-bnc829084-CVE-2013-4115-BO_request_handling.diff ++++++
++++ 1260 lines (skipped)
++++++ squid.logrotate ++++++
/var/log/squid/cache.log {
su squid nogroup
compress
dateext
maxage 365
rotate 99
size=+1024k
notifempty
missingok
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
endscript
}
/var/log/squid/access.log {
su squid nogroup
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
endscript
}
/var/log/squid/store.log {
su squid nogroup
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
endscript
}
++++++ squid.sysconfig ++++++
## Path: Network/WWW/Proxy/squid
## Description: squid webproxy options
## Type: integer(1:)
## Default: "60"
#
# kill squid after this timeout in double-seconds with SIGTERM
#
SQUID_SHUTDOWN_TIMEOUT="60"
++++++ squid_ie_blocker.txt ++++++
****** Using Squid to block Internet Explorer ******
After one of the many, many, many security holes in Microsoft Internet
Explorer, my company decided to completely block outgoing requests for IE (at
least, until a patch is published by MS). For this purpose, we changed our
proxy setup to be transparent and block the browser based on its user-agent
string.
As an alternative, we decided to offer the Mozilla Firefox browser to our
users. You can read more about this on my Firefox page.
Our router was a Cisco 2600, and we chose to use WCCP for transparent proxying.
You can read the router-side configuration on the two pages linked from the
original article (see the source URL at the end). I'm no
cisco expert, so I won't go into details here. If you don't have a cisco, but a
linux router, you can also easily do transparent proxying. There are many
howtos for that.
Squid configuration
-------------------
The linux configuration of squid will be covered here, however, because it
seems to be a bit outdated on both pages. I'm using SuSE 9.0 and use the SuSE
kernel, which makes updating easier and saves a lot of configuration time :)
The kernel config (if you need your own kernel) should be sufficiently
described on the other pages I mentioned above.
The squid configuration is fairly easy. The following is from my squid config
(without comments); some of the values are defaults, the important ones are
discussed below.
useragent_log /var/log/squid/useragent.log # log browser id
referer_log /var/log/squid/referer.log
acl intranet src 172.16.0.0/255.255.0.0 # intranet machines
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ie_browser browser ^Mozilla/4\.0.*compatible;.MSIE # die!!
acl bad_browser browser ^Gator # Gator is also crap!
acl windowsupdate dstdomain .windowsupdate.com # sometimes you have to live with the evil ...
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl ie_exceptions dstdomain .mycompany.at # for those who don't turn off proxy for intranet ...
acl ie_exceptions2 dst 172.16.0.0/255.255.0.0
http_access deny bad_browser
http_access allow windowsupdate
http_access allow ie_exceptions
http_access allow ie_exceptions2
http_access deny ie_browser
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow intranet
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr hostmaster@mycompany.at
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .mycompany.at
deny_info ERR_IEBROWSER ie_browser
wccp_router 172.16.0.1
ie_refresh on
The most important settings are the acls that describe the IE browser and the
corresponding http_access deny rule. After monitoring the useragent log at my
site, I also noticed Gator on a machine. Gator is spyware (probably
auto-executed by some IE bug?) and surely has no right to go out to the Internet
... The deny_info is the page that is shown to users of the IE browser.
Put a file named ERR_IEBROWSER into /usr/share/squid/errors/English that
contains some useful text (e.g. where to get the Firefox browser inside your
LAN). After configuring your squid (I use 2.5.STABLE3), you can enter the proxy
in your IE and it should not allow you to surf to any sites except the
windowsupdate site and hosts that end with "mycompany.at".
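To see how the first-match ordering of the http_access lines above plays out (the bad_browser deny has to come before the windowsupdate allow, and the ie_browser deny after the exceptions), here is an added Python emulator of Squid's http_access evaluation run over constructed requests; it is not part of the original article or of Squid, and it assumes the request's destination has already been resolved to an IP for the dst ACLs.

```python
import re
from ipaddress import ip_address, ip_network

# ACL table: the same names, types and values as the squid.conf above.
ACLS = {
    "intranet": ("src", ["172.16.0.0/255.255.0.0"]),
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "SSL_ports": ("port", ["443", "563"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "70", "210",
                            "1025-65535", "280", "488", "591", "777"]),
    "CONNECT": ("method", ["CONNECT"]),
    "ie_browser": ("browser", [r"^Mozilla/4\.0.*compatible;.MSIE"]),
    "bad_browser": ("browser", [r"^Gator"]),
    "windowsupdate": ("dstdomain", [".windowsupdate.com",
                                    ".windowsupdate.microsoft.com"]),
    "ie_exceptions": ("dstdomain", [".mycompany.at"]),
    "ie_exceptions2": ("dst", ["172.16.0.0/255.255.0.0"]),
}
# http_access lines in the order the article lists them; "!" negates an ACL.
HTTP_ACCESS = [
    ("deny", ["bad_browser"]), ("allow", ["windowsupdate"]),
    ("allow", ["ie_exceptions"]), ("allow", ["ie_exceptions2"]),
    ("deny", ["ie_browser"]), ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]), ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]), ("deny", ["to_localhost"]),
    ("allow", ["localhost"]), ("allow", ["intranet"]), ("deny", ["all"]),
]

def _port_in(port, spec):
    """Match a single port or a 'lo-hi' range, as Squid's port ACL does."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _domain_matches(host, spec):
    """Squid dstdomain: '.example.com' matches the domain and every subdomain;
    a spec without a leading dot matches that exact host only."""
    host, spec = host.lower(), spec.lower()
    if spec.startswith("."):
        return host == spec[1:] or host.endswith(spec)
    return host == spec

def acl_matches(name, req):
    """Evaluate one named ACL against a request dict with the (assumed) keys
    src, dst, host, port, method, proto and user_agent."""
    kind, values = ACLS[name]
    if kind in ("src", "dst"):   # client / resolved server address in CIDR
        return any(ip_address(req[kind]) in ip_network(v, strict=False)
                   for v in values)
    if kind == "dstdomain":
        return any(_domain_matches(req["host"], v) for v in values)
    if kind == "port":
        return any(_port_in(req["port"], v) for v in values)
    if kind == "browser":        # regex search over the User-Agent header
        return any(re.search(v, req.get("user_agent", "")) for v in values)
    return req[kind] in values   # method, proto

def http_access(req):
    """Squid semantics: ACLs on one line are ANDed, the first matching line
    wins, and when no line matches the result is the opposite of the last."""
    for action, terms in HTTP_ACCESS:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"

def sample_decisions():
    """Constructed requests (not captured traffic) that exercise the policy."""
    ie = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    ff = "Mozilla/5.0 (X11; U; Linux i686; rv:1.7) Gecko/20040614 Firefox/0.9"
    base = {"src": "172.16.5.7", "dst": "93.184.216.34", "host": "example.com",
            "port": 80, "method": "GET", "proto": "http", "user_agent": ff}
    cases = {
        "firefox_intranet_to_web": {},
        "ie_intranet_to_web": {"user_agent": ie},
        "ie_to_windowsupdate": {"user_agent": ie, "host": "v4.windowsupdate.microsoft.com"},
        "gator_to_windowsupdate": {"user_agent": "Gator/7.0", "host": "www.windowsupdate.com"},
        "ie_to_company_domain": {"user_agent": ie, "host": "wiki.mycompany.at"},
        "ie_to_intranet_ip": {"user_agent": ie, "host": "files.lan", "dst": "172.16.1.20"},
        "firefox_from_outside": {"src": "10.1.1.1"},
        "firefox_connect_odd_port": {"method": "CONNECT", "port": 8443},
    }
    return {name: http_access({**base, **over}) for name, over in cases.items()}
```

Swapping the first two http_access lines in HTTP_ACCESS turns gator_to_windowsupdate into an allow, which is the ordering mistake the emulator is meant to make visible.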
Transparent proxy with Cisco WCCP
--------------------------------
The next thing now to do is to get the ip_wccp module. I downloaded it from the
squid-homepage. Before compiling it, you must configure your kernel properly.
Install the appropriate kernel-source package for your distro and do the
following:
cd /usr/src/linux
make cloneconfig
make dep
Then compile the ip_wccp module using the following command:
gcc -D__KERNEL__ -I/lib/modules/`uname -r`/build/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -mcpu=i386 -DCPU=386 -DMODULE -DMODVERSIONS -include /usr/src/linux/include/linux/modversions.h -c ip_wccp.c
Then copy it to your /lib/modules/`uname -r`/misc directory, run depmod -a and
modprobe ip_wccp. To automatically load it on every boot, edit your
/etc/init.d/boot.local (or equivalent) and insert the modprobe command there.
Final steps - local routing
---------------------------
The next step is a simple iptables command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
The port 3128 is the port where your squid proxy is running. Put this in some
init script that is executed after network start (possibly a custom firewall
rule if you are using some kind of firewall).
From now on, the worst of all browsers should no longer harm the internet - at
least not from your network :)
Feedback is welcome. Write to articles[at]gaugusch.at
Updated: 2004-06-25
Source: http://gaugusch.at/squid.shtml
++++++ squid_ldapauth-1.3.dif ++++++
--- Makefile
+++ Makefile
@@ -20,7 +20,7 @@
EXEC = squid_ldapauth
-all: $(EXEC) strip
+all: $(EXEC)
$(EXEC): $(OBJS)
$(CC) $(CFLAGS) $(OBJS) $(LIBS) -o $@
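Review bot: dropping `strip` from the default `all` target is the right call for a packaged build, where the build system strips installed binaries itself and needs the symbols to generate debuginfo; since `strip` is no longer a prerequisite, confirm nothing else in the Makefile still expects the binary to be stripped at this point.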
--- squid_ldapauth.c
+++ squid_ldapauth.c
@@ -294,14 +294,16 @@
BerElement *ber;
char *a = 0;
int i, rc= 0;
+ int lderrno;
snprintf(query, sizeof(query), filter, user);
if(-1 == ldap_search(ldap, suffix, LDAP_SCOPE_SUBTREE, query, attrs, 0)) {
+ ldap_get_option(ldap,LDAP_OPT_ERROR_NUMBER,&lderrno);
if(use_syslog) {
- syslog(LOG_ERR, "ldap search: %d", ldap->ld_errno);
+ syslog(LOG_ERR, "ldap search: %d", lderrno);
} else {
fprintf(stderr, "%s[%d]: ldap search: %d\n",
- appname, getpid(), ldap->ld_errno);
+ appname, getpid(), lderrno);
}
return -1;
}
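Review bot: `lderrno` is assigned only through `ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &lderrno)` and that call's return value is not checked, so if it fails the value logged on both the syslog and fprintf paths is an uninitialized int; initialise it (`int lderrno = 0;`) or test the return. The substitution itself is the correct portable way to read the error number now that `ldap->ld_errno` is no longer reachable through an opaque LDAP handle.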
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org