Fixes:
CVE-2016-4553 - Cache Poisoning issue in HTTP Request handling
CVE-2016-4554 - Header Smuggling issue in HTTP Request processing
CVE-2016-4555 - Multiple Denial of Service issues in ESI Response
processing (client_side_request.cc)
CVE-2016-4556 - Multiple Denial of Service issues in ESI Response
processing (Esi.cc)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
SQUID-2016:5 (CVE-2016-4051) - Buffer overflow in cachemgr.cgi
SQUID-2016:6 (CVE-2016-4052) - Multiple issues in ESI processing.
CVE-2016-4053 & CVE-2016-4054 which are part of SQUID-2016:6.
Switch to xz-compressed tarball as well.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that the libcap package has a patch that makes it build with
kernel headers < 3.0 (which was needed for the host variant of
libcap), there is no longer a need to have a dependency on headers >=
3.0 for the target variant of libcap.
All reverse dependencies of libcap are handled in this commit, except
lxc, which will be handled in a separate commit since it needs some
special solution.
The build of all those packages has been tested with a toolchain that
uses kernel headers 2.6.32, which is the oldest that our default glibc
version accepts to use.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
processing.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
squid can use the __sync built-ins when available, but uses an
AC_TRY_RUN autoconf tests to check their availability, which isn't
compatible with cross-compilation. Due to this, squid.mk is already
hinting the configure script about this by passing
squid_cv_gnu_atomics=yes/no depending on the availability of atomic
operations.
So far, squid.mk was assuming that BR2_ARCH_HAS_ATOMICS &&
BR2_ARCH_IS_64 was needed, since 8 bytes __sync built-ins are
used. However, this was a bit too restrictive, since certain 32 bits
architectures (ARM, x86) do provide 8 bytes __sync built-ins.
So, instead of using BR2_ARCH_HAS_ATOMICS, we now rely on
BR2_TOOLCHAIN_HAS_SYNC_4 and BR2_TOOLCHAIN_HAS_SYNC_8, since both 4
bytes and 8 bytes __sync built-ins are tested by the autoconf test.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Switch to bz2 tarball since there doesn't seem to be an xz release this
time around.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A new --without-gnutls option has been added to configure, so let's use
it in order to enable or disable gnutls support in squid.
Related:
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.6-RELEASENOTES.html#ss4.1
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
squid comes with a .service file, but does not install it.
[Thomas: use relative path for symlink instead of absolute path.]
Signed-off-by: Alex Suykov <alex.suykov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: slightly expand the comment about atomic operations, after
the discussion with Baruch.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Squid 3.5.x deprecated the use of HOSTCXX & friends in favour of
BUILDCXX and BUILDCXXFLAGS.
When they are not specified BUILDCXXFLAGS takes flags from target
CXXFLAGS which specifies C11 standard and which older vesions of gcc
don't understand, thus causing breakage.
cf_gen hasn't got any C11 features so it's not required. Fixes:
http://autobuild.buildroot.net/results/816/8162e4ec941e7642248373be47cca99113a648e8/
Also drop ACLOCAL and AUTOMAKE trickery from e27ccbab since it's no
longer required.
And fix a typo in the hash file pointing to an improper hash file
upstream.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add SysV-style initscript, complete rewrite from
http://patchwork.ozlabs.org/patch/412057/
'stop' is handled by squid itself to gracefully (as possible) close
every pending connection and commit changes to disk. By default this is
configured for 30 seconds and can be configured via shutdown_lifetime in
/etc/squid.conf if someone is too anxious.
The script won't block until squid is properly shutdown - but people
should _REALLY_ use restart or reload if that's what they want, instead
of stop+start.
'restart' is handled by squid itself, since if we do a stop/start cycle
we must wait for a clean shutdown cycle (takes time).
'reload' is also handled by squid itself and it's not the same as
restart, it will just trigger a configuration reload without purging
runtime cache (RAM) contents.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Even though squid uses nobody/nogroup it ain't good for security if
every daemon around uses it, specially since squid is used as a caching
proxy most of the time and that would mean other daemons/scripts run as
nobody would have access to potentially sensitive information.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Squid bundles a copy of libltdl (from libtool) which autoreconfigures on
its own.
For some odd reason when automake was bumped to version 1.15 and if the host
system has another automake version, for example 1.14, the ACLOCAL and
AUTOMAKE variables don't expand properly when the internal autoreconf is
triggered hence calling the missing handler which in turn tries to use
an incorrect automake version.
The solution is to pass unexpanded ACLOCAL and AUTOMAKE variables that
defer the evaluation to a later moment and avoid the issue.
Fixes:
http://autobuild.buildroot.net/results/73f/73fcffafbea320f8c64378bbe8a96922b5e7c6b5/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
