From 03b76ca4b07957793a8c5bb11a2104344ae15910 Mon Sep 17 00:00:00 2001
From: Jackie Huang
Date: Tue, 19 Jul 2016 04:17:37 -0400
Subject: squid: upgrade to 3.5.20

* Remove the blacklist since the issue is gone with new version
* Remove two CVE patches which have been fixed: - CVE-2016-3947 and CVE-2016-4553
* Rebased the patch for ptest.
Signed-off-by: Jackie Huang
Signed-off-by: Martin Jansa
Signed-off-by: Joe MacDonald
---
 .../squid/files/CVE-2016-3947.patch | 48 -------------
 .../squid/files/CVE-2016-4553.patch | 51 --------------
 ...d-use-serial-tests-config-needed-by-ptest.patch | 18 ++---
 .../recipes-daemons/squid/squid_3.5.20.bb | 75 ++++++++++++++++++++
 .../recipes-daemons/squid/squid_3.5.7.bb | 80 ----------------------
 5 files changed, 84 insertions(+), 188 deletions(-)
 delete mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
 delete mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
 create mode 100644 meta-networking/recipes-daemons/squid/squid_3.5.20.bb
 delete mode 100644 meta-networking/recipes-daemons/squid/squid_3.5.7.bb
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
deleted file mode 100644
index c83e6ab512..0000000000
--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001 -From: Catalin Enache -Date: Wed, 20 Apr 2016 15:17:18 +0300 -Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv - -Upstream-Status: Backport -CVE: CVE-2016-3947 - -Author: Yuriy M. Kaminskiy -Committer: Amos Jeffries ---- - src/icmp/Icmp6.cc | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc -index 794a51a..ee84b80 100644 ---- a/src/icmp/Icmp6.cc -+++ b/src/icmp/Icmp6.cc -@@ -256,7 +256,7 @@ Icmp6::Recv(void) - #define ip6_hops // HOPS!!! (can it be true??) - - ip = (struct ip6_hdr *) pkt; -- pkt += sizeof(ip6_hdr); -+ NP: echo size needs to +sizeof(ip6_hdr); - - debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt << - ", ip6_plen=" << ip->ip6_plen << -@@ -267,7 +267,6 @@ Icmp6::Recv(void) - */ - - icmp6header = (struct icmp6_hdr *) pkt; -- pkt += sizeof(icmp6_hdr); - - if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) { - -@@ -292,7 +291,7 @@ Icmp6::Recv(void) - return; - } - -- echo = (icmpEchoData *) pkt; -+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr)); - - preply.opcode = echo->opcode; - --- -2.7.4 - diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch deleted file mode 100644 index 497ace444b..0000000000 --- a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch +++ /dev/null 
@@ -1,51 +0,0 @@
-From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
-From: Catalin Enache
-Date: Mon, 23 May 2016 12:47:39 +0300
-Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
-
-Upstream-Status: Backport
-CVE: CVE-2016-4553
-
-When absolute-URI is provided Host header should be ignored. However some
-code still uses Host directly so normalize it using the URL authority
-value before doing any further request processing.
-
-For now preserve the case where Host is completely absent. That matters
-to the CVE-2009-0801 protection.
-
-This also has the desirable side effect of removing multiple or duplicate
-Host header entries, and invalid port values.
-
-Signed-off-by: Catalin Enache
----
- src/client_side.cc | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/src/client_side.cc b/src/client_side.cc
-index 8c41c21..36a27de 100644
---- a/src/client_side.cc
-+++ b/src/client_side.cc
-@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
- clientProcessRequestFinished(conn, request);
- return;
- }
-+
-+ // when absolute-URI is provided Host header should be ignored. However
-+ // some code still uses Host directly so normalize it.
-+ // For now preserve the case where Host is completely absent. That matters.
-+ if (request->header.has(HDR_HOST)) {
-+ const char *host = request->header.getStr(HDR_HOST);
-+ SBuf authority(request->GetHost());
-+ if (request->port != urlDefaultPort(request->url.getScheme()))
-+ authority.appendf(":%d", request->port);
-+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
-+ // URL authority overrides Host header
-+ request->header.delById(HDR_HOST);
-+ request->header.putStr(HDR_HOST, authority.c_str());
-+ }
- }
-
- // Some blobs below are still HTTP-specific, but we would have to rewrite
---
-2.7.4
-
diff --git a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch index 9e2ceab880..01ec596223 100644 --- a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch +++ b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch @@ -1,6 +1,6 @@ -From 2192fdbc90b0ff2d5408e8763df200620870deea Mon Sep 17 00:00:00 2001 +From bd58d3672bc267824000f34a37561c7ab2bd571f Mon Sep 17 00:00:00 2001 From: Jackie Huang -Date: Mon, 13 Oct 2014 01:32:37 -0700 +Date: Tue, 19 Jul 2016 01:56:23 -0400 Subject: [PATCH] squid: use serial-tests config needed by ptest ptest needs buildtest-TESTS and runtest-TESTS targets. @@ -10,22 +10,22 @@ Upstream-Status: Inappropriate [default automake behavior incompatible with ptes Signed-off-by: Jackie Huang --- - configure.ac | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 6f7171f..ab9b93e 100644 +index 05ad027..e324b93 100644 --- a/configure.ac +++ b/configure.ac -@@ -3,7 +3,7 @@ AC_PREREQ(2.61) +@@ -10,7 +10,7 @@ AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) AC_CONFIG_SRCDIR([src/main.cc]) --AM_INIT_AUTOMAKE([tar-ustar nostdinc]) -+AM_INIT_AUTOMAKE([tar-ustar nostdinc serial-tests]) +-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects]) ++AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects serial-tests]) AC_REVISION($Revision$)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE -- -1.7.1 +2.8.1 diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb new file mode 100644 index 0000000000..f26aebe2f8 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb 
@@ -0,0 +1,75 @@
+SUMMARY = "A fully-featured http proxy and web-cache daemon for Linux"
+DESCRIPTION = "A fully-featured http proxy and web-cache daemon for Linux. \
+Squid offers a rich access control, authorization and logging environment to \
+develop web proxy and content serving applications. \
+Squid offers a rich set of traffic optimization options, most of which are \
+enabled by default for simpler installation and high performance. \
+"
+HOMEPAGE = "http://www.squid-cache.org"
+SECTION = "web"
+LICENSE = "GPLv2+"
+
+MAJ_VER = "${@oe.utils.trim_version("${PV}", 1)}"
+MIN_VER = "${@oe.utils.trim_version("${PV}", 2)}"
+
+SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${PV}.tar.bz2 \
+ file://Set-up-for-cross-compilation.patch \
+ file://Skip-AC_RUN_IFELSE-tests.patch \
+ file://Fix-flawed-dynamic-ldb-link-test-in-configure.patch \
+ file://squid-use-serial-tests-config-needed-by-ptest.patch \
+ file://run-ptest \
+ file://volatiles.03_squid \
+"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
+ file://errors/COPYRIGHT;md5=0d98c4448c368d146f31a970bb0ced21 \
+ "
+SRC_URI[md5sum] = "6a29d7dfc544205001f7a75c6996dc60"
+SRC_URI[sha256sum] = "5a114f8f7f44b5ae3c9b77d7b81aef13fe69e7f530855213d551f48b157cb5f1"
+
+DEPENDS = "libtool krb5 openldap db cyrus-sasl"
+
+inherit autotools useradd ptest
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --no-create-home --home-dir /var/run/squid --shell /bin/false --user-group squid"
+
+PACKAGECONFIG ??= "${@bb.utils.contains('TARGET_ARCH', 'powerpc', 'noatomics', '', d)} \
+ ${@bb.utils.contains('TARGET_ARCH', 'mips', 'noatomics', '', d)} \
+ "
+PACKAGECONFIG[libnetfilter-conntrack] = "--with-netfilter-conntrack=${includedir}, --without-netfilter-conntrack, libnetfilter-conntrack"
+PACKAGECONFIG[noatomics] = "squid_cv_gnu_atomics=no,squid_cv_gnu_atomics=yes,,"
+
+BASIC_AUTH = "DB SASL LDAP NIS"
+DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+BASIC_AUTH += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'PAM', '', d)}"
+
+EXTRA_OECONF += "--with-default-user=squid --enable-auth-basic='${BASIC_AUTH}'"
+export BUILDCXXFLAGS="${BUILD_CXXFLAGS}"
+
+TESTDIR = "test-suite"
+do_compile_ptest() {
+ oe_runmake -C ${TESTDIR} buildtest-TESTS
+}
+
+do_install_ptest() {
+ cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
+ cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}
+
+ # do NOT need to rebuild Makefile itself
+ sed -i 's/^Makefile:.*$/Makefile:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+}
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/volatiles.03_squid ${D}${sysconfdir}/default/volatiles/volatiles.03_squid
+ rmdir "${D}${localstatedir}/run/${BPN}"
+ rmdir --ignore-fail-on-non-empty "${D}${localstatedir}/run"
+}
+
+FILES_${PN} += "${libdir} ${datadir}/errors ${datadir}/icons"
+FILES_${PN}-dbg += "/usr/src/debug"
+FILES_${PN}-doc += "${datadir}/*.txt"
+
+RDEPENDS_${PN} += "perl"
+RDEPENDS_${PN}-ptest += "make"
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
deleted file mode 100644
index b571e29a33..0000000000
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ /dev/null
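Review bot: `LIC_FILES_CHKSUM` in squid_3.5.20.bb carries a new md5 for `errors/COPYRIGHT` (`0d98c4448c368d146f31a970bb0ced21`, where the removed 3.5.7 recipe had `0fed8f1462f6fdbc62bb431bcb618f46`), yet the commit message mentions only the blacklist removal, the two dropped CVE patches and the ptest rebase. A changed license checksum means the upstream license text was edited, so the reason should be recorded, for example with a comment above the variable such as `# errors/COPYRIGHT changed in 3.5.20: <summary of the upstream text change>`. Separately, `SRC_URI` no longer lists `CVE-2016-3947.patch` and `CVE-2016-4553.patch`; the message says both are fixed upstream, and naming the upstream release or changeset that carries each fix would let a reader check that claim, which cannot be confirmed from this page. The tarball is still fetched over plain `http://`, so the `SRC_URI[sha256sum]` pin is the only integrity check on the download and should be verified against the upstream-published value rather than computed from the fetched file.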
@@ -1,80 +0,0 @@
-SUMMARY = "A fully-featured http proxy and web-cache daemon for Linux"
-DESCRIPTION = "A fully-featured http proxy and web-cache daemon for Linux. \
-Squid offers a rich access control, authorization and logging environment to \
-develop web proxy and content serving applications. \
-Squid offers a rich set of traffic optimization options, most of which are \
-enabled by default for simpler installation and high performance. \
-"
-HOMEPAGE = "http://www.squid-cache.org"
-SECTION = "web"
-LICENSE = "GPLv2+"
-
-MAJ_VER = "${@oe.utils.trim_version("${PV}", 1)}"
-MIN_VER = "${@oe.utils.trim_version("${PV}", 2)}"
-
-SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${PV}.tar.bz2 \
- file://Set-up-for-cross-compilation.patch \
- file://Skip-AC_RUN_IFELSE-tests.patch \
- file://Fix-flawed-dynamic-ldb-link-test-in-configure.patch \
- file://squid-use-serial-tests-config-needed-by-ptest.patch \
- file://run-ptest \
- file://volatiles.03_squid \
- file://CVE-2016-3947.patch \
- file://CVE-2016-4553.patch \
-"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
- file://errors/COPYRIGHT;md5=0fed8f1462f6fdbc62bb431bcb618f46 \
- "
-SRC_URI[md5sum] = "06e43abc67aedcc3903a2780de20a3ed"
-SRC_URI[sha256sum] = "b7dcec8c5cb7f5687aff4256a7522f670c310a350cc9e9c0f29f3fd9cf88d017"
-
-DEPENDS = "libtool krb5 openldap db cyrus-sasl"
-
-inherit autotools useradd ptest
-
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --no-create-home --home-dir /var/run/squid --shell /bin/false --user-group squid"
-
-PACKAGECONFIG ??= "${@bb.utils.contains('TARGET_ARCH', 'powerpc', 'noatomics', '', d)} \
- ${@bb.utils.contains('TARGET_ARCH', 'mips', 'noatomics', '', d)} \
- "
-PACKAGECONFIG[libnetfilter-conntrack] = "--with-netfilter-conntrack=${includedir}, --without-netfilter-conntrack, libnetfilter-conntrack"
-PACKAGECONFIG[noatomics] = "squid_cv_gnu_atomics=no,squid_cv_gnu_atomics=yes,,"
-
-BASIC_AUTH = "DB SASL LDAP NIS"
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-BASIC_AUTH += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'PAM', '', d)}"
-
-EXTRA_OECONF += "--with-default-user=squid --enable-auth-basic='${BASIC_AUTH}'"
-export BUILDCXXFLAGS="${BUILD_CXXFLAGS}"
-
-TESTDIR = "test-suite"
-do_compile_ptest() {
- oe_runmake -C ${TESTDIR} buildtest-TESTS
-}
-
-do_install_ptest() {
- cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
- cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}
-
- # do NOT need to rebuild Makefile itself
- sed -i 's/^Makefile:.*$/Makefile:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
-}
-
-do_install_append() {
- install -d ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_squid ${D}${sysconfdir}/default/volatiles/volatiles.03_squid
- rmdir "${D}${localstatedir}/run/${BPN}"
- rmdir --ignore-fail-on-non-empty "${D}${localstatedir}/run"
-}
-
-FILES_${PN} += "${libdir} ${datadir}/errors ${datadir}/icons"
-FILES_${PN}-dbg += "/usr/src/debug"
-FILES_${PN}-doc += "${datadir}/*.txt"
-
-RDEPENDS_${PN} += "perl"
-RDEPENDS_${PN}-ptest += "make"
-
-# http://errors.yoctoproject.org/Errors/Details/35128/
-PNBLACKLIST[squid] ?= "BROKEN: sysroots/qemuarm/usr/include/linux/in.h:28:16: error: redeclaration of 'IPPROTO_IP'"
--
cgit 1.2.3-korg