Fixes:
SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
processing.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

squid can use the __sync built-ins when available, but uses an
AC_TRY_RUN autoconf test to check their availability, which isn't
compatible with cross-compilation. Due to this, squid.mk is already
hinting the configure script about this by passing
squid_cv_gnu_atomics=yes/no depending on the availability of atomic
operations.
So far, squid.mk was assuming that BR2_ARCH_HAS_ATOMICS &&
BR2_ARCH_IS_64 was needed, since 8 bytes __sync built-ins are
used. However, this was a bit too restrictive, since certain 32 bits
architectures (ARM, x86) do provide 8 bytes __sync built-ins.
So, instead of using BR2_ARCH_HAS_ATOMICS, we now rely on
BR2_TOOLCHAIN_HAS_SYNC_4 and BR2_TOOLCHAIN_HAS_SYNC_8, since both 4
bytes and 8 bytes __sync built-ins are tested by the autoconf test.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Switch to bz2 tarball since there doesn't seem to be an xz release this
time around.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

'echo -n' is not a POSIX construct (no flag support), we should use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
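
A review aid for a mechanical rewrite like the one quoted in the commit message above, as an added example that is not part of the commit or of the Buildroot tree: once 'echo -n' becomes 'printf', the old argument is a format string, so lines containing '%' or a variable expansion need a manual look. The function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Buildroot tree. After 's/echo -n/printf/' the
# old echo argument becomes printf's FORMAT, so '%' and expansions in it are
# interpreted instead of printed.

# ERE: the first argument to printf contains '$' or '%'.
RISKY_FMT="printf[[:space:]]+(\"[^\"]*[\$%]|'[^']*%|[^\"'[:space:]]*[\$%])"

# stdin: script text. stdout: "LINE:rewritten text" for each 'echo -n' line
# whose rewritten form needs a manual look.
flag_risky_rewrites() {
    grep -n 'echo -n' | sed 's/echo -n/printf/' | grep -E "$RISKY_FMT" || true
}

# What the mechanical rewrite yields for 'echo -n "$1"': data used as format.
format_print() { printf "$1"; }

# Reviewed form: fixed format, data passed as an argument.
safe_print() { printf '%s' "$1"; }

# Constructed sample init-script fragment.
sample_script() {
    cat <<'EOF'
echo -n "Starting squid: "
echo -n "$STATUS"
echo -n "cache 100% warm"
echo "done"
EOF
}

sample_script | flag_risky_rewrites
```

Flagged lines are candidates for the `printf '%s' "$VAR"` form; a literal message without '%' needs no change.
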
A new --without-gnutls option has been added to configure, so let's use
it in order to enable or disable gnutls support in squid.
Related:
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.6-RELEASENOTES.html#ss4.1
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

squid comes with a .service file, but does not install it.
[Thomas: use relative path for symlink instead of absolute path.]
Signed-off-by: Alex Suykov <alex.suykov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Now that IPv6 is mandatory remove package dependencies and conditionals
for it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

[Thomas: slightly expand the comment about atomic operations, after
the discussion with Baruch.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Squid 3.5.x deprecated the use of HOSTCXX & friends in favour of
BUILDCXX and BUILDCXXFLAGS.
When they are not specified BUILDCXXFLAGS takes flags from target
CXXFLAGS which specifies C11 standard and which older versions of gcc
don't understand, thus causing breakage.
cf_gen hasn't got any C11 features so it's not required. Fixes:
http://autobuild.buildroot.net/results/816/8162e4ec941e7642248373be47cca99113a648e8/
Also drop ACLOCAL and AUTOMAKE trickery from e27ccbab since it's no
longer required.
And fix a typo in the hash file pointing to an improper hash file
upstream.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Add SysV-style initscript, complete rewrite from
http://patchwork.ozlabs.org/patch/412057/
'stop' is handled by squid itself to gracefully (as possible) close
every pending connection and commit changes to disk. By default this is
configured for 30 seconds and can be configured via shutdown_lifetime in
/etc/squid.conf if someone is too anxious.
The script won't block until squid is properly shut down - but people
should _REALLY_ use restart or reload if that's what they want, instead
of stop+start.
'restart' is handled by squid itself, since if we do a stop/start cycle
we must wait for a clean shutdown cycle (takes time).
'reload' is also handled by squid itself and it's not the same as
restart, it will just trigger a configuration reload without purging
runtime cache (RAM) contents.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Even though squid uses nobody/nogroup it ain't good for security if
every daemon around uses it, especially since squid is used as a caching
proxy most of the time and that would mean other daemons/scripts run as
nobody would have access to potentially sensitive information.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Squid bundles a copy of libltdl (from libtool) which autoreconfigures on
its own.
For some odd reason when automake was bumped to version 1.15 and if the host
system has another automake version, for example 1.14, the ACLOCAL and
AUTOMAKE variables don't expand properly when the internal autoreconf is
triggered hence calling the missing handler which in turn tries to use
an incorrect automake version.
The solution is to pass unexpanded ACLOCAL and AUTOMAKE variables that
defer the evaluation to a later moment and avoid the issue.
Fixes:
http://autobuild.buildroot.net/results/73f/73fcffafbea320f8c64378bbe8a96922b5e7c6b5/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

The session external acl helper needs berkeleydb, switch to the basic
file_userip one which was my original intention (renamed from ip_user in
the 3.3.x series). Fixes:
http://autobuild.buildroot.net/results/635/6359137cde3b293d46df732836b8966d30f23cbc/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

New for 3.4 series:
* SSL Server Certificate Validator
* Multicast DNS
* Transaction Annotations
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>