diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-02 17:39:21 +0200 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-02 17:42:13 +0200 |
| commit | cca1978fca0677250ca84f4bdcb86b395a64b6e9 (patch) | |
| tree | 8bd4c2ff75bc071d3370ccf0e4ae4426fd04c948 | |
| parent | 70887376e8deea648f023181bbbe7d2ef17ed5af (diff) | |
| download | aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.tar.bz2 aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.tar.xz | |
main/squid: security upgrade to 4.10
| -rw-r--r-- | main/squid/APKBUILD | 13 | ||||
| -rw-r--r-- | main/squid/CVE-2019-18679.patch | 120 |
2 files changed, 8 insertions, 125 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index 7c4ae5ffff..bea34bb801 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=squid -pkgver=4.8 -pkgrel=1 +pkgver=4.10 +pkgrel=0 pkgdesc="A full-featured Web proxy cache server." url="http://www.squid-cache.org" install="squid.pre-install squid.pre-upgrade" @@ -18,7 +18,6 @@ linguas="af ar az bg ca cs da de el es et fa fi fr he hu hy id it ja ka ko lt lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh" langdir="/usr/share/squid/errors" source="http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz - CVE-2019-18679.patch $pkgname.initd $pkgname.confd @@ -30,6 +29,11 @@ builddir="$srcdir"/$pkgname-$pkgver options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox # secfixes: +# 4.10-r0: +# - CVE-2019-12528 +# - CVE-2020-8449 +# - CVE-2020-8450 +# - CVE-2020-8517 # 4.8-r1: # - CVE-2019-18679 # 4.8-r0: @@ -108,8 +112,7 @@ squid_kerb_auth() { install -d "$subpkgdir"/usr/lib/squid mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/ } -sha512sums="2223f299950ded074faca6e3d09c15bc26e8644c3019b36a612f5d424e25b02a528c4b3c8a9463864f71edc29f17c5662f16ffda18c76317405cb97657e5e823 squid-4.8.tar.xz -e2a38576105eb056640f334499504e10605e5b7e82bcd602fe019dd010beb2c70eddc931ca2b3e452f229a28de0f6c7fb6b770bcf2f3c406044286d8fed18490 CVE-2019-18679.patch +sha512sums="033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0 squid-4.10.tar.xz 15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate" diff --git a/main/squid/CVE-2019-18679.patch b/main/squid/CVE-2019-18679.patch deleted file mode 100644 index 9ad820d319..0000000000 --- a/main/squid/CVE-2019-18679.patch +++ /dev/null @@ -1,120 +0,0 @@ -commit 671ba97abe929156dc4c717ee52ad22fba0f7443 -Author: Amos Jeffries <yadij@users.noreply.github.com> -Date: 2019-09-11 02:52:52 +0000 - - RFC 7230: server MUST reject messages with BWS after field-name (#445) - - Obey the RFC requirement to reject HTTP requests with whitespace - between field-name and the colon delimiter. Rejection is - critical in the presence of broken HTTP agents that mishandle - malformed messages. - - Also obey requirement to always strip such whitespace from HTTP - response messages. The relaxed parser is no longer necessary for - this response change. - - For now non-HTTP protocols retain the old behaviour of removal - only when using the relaxed parser. - -diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc -index dd320d5..a36ad85 100644 ---- a/src/HttpHeader.cc -+++ b/src/HttpHeader.cc -@@ -421,15 +421,12 @@ HttpHeader::parse(const char *header_start, size_t hdrLen) - break; /* terminating blank line */ - } - -- HttpHeaderEntry *e; -- if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) { -+ const auto e = HttpHeaderEntry::parse(field_start, field_end, owner); -+ if (!e) { - debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" << - getStringPrefix(field_start, field_end-field_start) << "}"); - debugs(55, warnOnError, " in {" << getStringPrefix(header_start, hdrLen) << "}"); - -- if (Config.onoff.relaxed_header_parser) -- continue; -- - PROF_stop(HttpHeaderParse); - clean(); - return 0; -@@ -1386,7 +1383,7 @@ HttpHeaderEntry::~HttpHeaderEntry() - - /* parses and inits header entry, returns true/false */ - HttpHeaderEntry * --HttpHeaderEntry::parse(const char *field_start, const char *field_end) -+HttpHeaderEntry::parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType) - { - /* note: name_start == field_start */ - const char *name_end = (const char *)memchr(field_start, ':', field_end - field_start); -@@ -1403,19 +1400,41 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end) - - if (name_len > 65534) { - /* String must be LESS THAN 64K and it adds a terminating NULL */ -- debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes"); -+ // TODO: update this to show proper name_len in Raw markup, but not print all that -+ debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)"); - return NULL; - } - -- if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) { -+ /* -+ * RFC 7230 section 3.2.4: -+ * "No whitespace is allowed between the header field-name and colon. -+ * ... -+ * A server MUST reject any received request message that contains -+ * whitespace between a header field-name and colon with a response code -+ * of 400 (Bad Request). A proxy MUST remove any such whitespace from a -+ * response message before forwarding the message downstream." -+ */ -+ if (xisspace(field_start[name_len - 1])) { -+ -+ if (msgType == hoRequest) -+ return nullptr; -+ -+ // for now, also let relaxed parser remove this BWS from any non-HTTP messages -+ const bool stripWhitespace = (msgType == hoReply) || -+ Config.onoff.relaxed_header_parser; -+ if (!stripWhitespace) -+ return nullptr; // reject if we cannot strip -+ - debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2, - "NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end-field_start) << "'"); - - while (name_len > 0 && xisspace(field_start[name_len - 1])) - --name_len; - -- if (!name_len) -+ if (!name_len) { -+ debugs(55, 2, "found header with only whitespace for name"); - return NULL; -+ } - } - - /* now we know we can parse it */ -@@ -1448,11 +1467,7 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end) - - if (field_end - value_start > 65534) { - /* String must be LESS THAN 64K and it adds a terminating NULL */ -- debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes"); -- -- if (id == Http::HdrType::OTHER) -- name.clean(); -- -+ debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes"); - return NULL; - } - -diff --git a/src/HttpHeader.h b/src/HttpHeader.h -index 35a9410..be175b7 100644 ---- a/src/HttpHeader.h -+++ b/src/HttpHeader.h -@@ -54,7 +54,7 @@ class HttpHeaderEntry - public: - HttpHeaderEntry(Http::HdrType id, const char *name, const char *value); - ~HttpHeaderEntry(); -- static HttpHeaderEntry *parse(const char *field_start, const char *field_end); -+ static HttpHeaderEntry *parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType); - HttpHeaderEntry *clone() const; - void packInto(Packable *p) const; - int getInt() const; |