diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..d87f5613ec4234f82f8eaeebc563711f587fdf88
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.xz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..536e6e32f8e7ef63fd9c3d8cdf2a7091abf17efe
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/squid
diff --git a/backport-CVE-2025-59362.patch b/backport-CVE-2025-59362.patch
deleted file mode 100644
index b52ee890e268d3a0a2d38e04cf13dcfc038cef76..0000000000000000000000000000000000000000
--- a/backport-CVE-2025-59362.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 250a18e0a80694b919972a1836cdfe20f2e1baa0 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Sat, 30 Aug 2025 06:49:36 +0000 -Subject: [PATCH] Fix ASN.1 encoding of long SNMP OIDs (#2149) - -Conflict: NA -Reference: http://github.com/squid-cache/squid/commit/250a18e0a80694b919972a1836cdfe20f2e1baa0 ---- - lib/snmplib/asn1.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c -index 81f2051fbe7..2852c26b220 100644 ---- a/lib/snmplib/asn1.c -+++ b/lib/snmplib/asn1.c -@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength, - * lastbyte ::= 0 7bitvalue - */ - u_char buf[MAX_OID_LEN]; -+ u_char *bufEnd = buf + sizeof(buf); - u_char *bp = buf; - oid *op = objid; - int asnlength; -@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength, - while (objidlength-- > 0) { - subid = *op++; - if (subid < 127) { /* off by one? */ -+ if (bp >= bufEnd) { -+ snmp_set_api_error(SNMPERR_ASN_ENCODE); -+ return (NULL); -+ } - *bp++ = subid; - } else { - mask = 0x7F; /* handle subid == 0 case */ -@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength, - /* fix a mask that got truncated above */ - if (mask == 0x1E00000) - mask = 0xFE00000; -+ if (bp >= bufEnd) { -+ snmp_set_api_error(SNMPERR_ASN_ENCODE); -+ return (NULL); -+ } - *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8); - } -+ if (bp >= bufEnd) { -+ snmp_set_api_error(SNMPERR_ASN_ENCODE); -+ return (NULL); -+ } - *bp++ = (u_char) (subid & mask); - } - } diff --git a/backport-CVE-2025-62168.patch b/backport-CVE-2025-62168.patch deleted file mode 100644 index 9ac2bf138f570ef5faaa18048f2e52152844fb63..0000000000000000000000000000000000000000 --- a/backport-CVE-2025-62168.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -From 0951a0681011dfca3d78c84fd7f1e19c78a4443f Mon Sep 17 00:00:00 2001 -From: Amos Jeffries -Date: Sat, 11 Oct 2025 16:33:02 +1300 -Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249) - -Original changes to redact credentials from error page %R code -expansion output was incomplete. It missed the parse failure -case where ErrorState::request_hdrs raw buffer contained -sensitive information. - -Also missed was the %W case where full request message headers -were generated in a mailto link. This case is especially -problematic as it may be delivered over insecure SMTP even if -the error was secured with HTTPS. - -After this change: -* The HttpRequest message packing code for error pages is de-duplicated - and elides authentication headers for both %R and %W code outputs. -* The %R code output includes the CRLF request message terminator. -* The email_err_data directive causing advanced details to be added to - %W mailto links is disabled by default. - -Also redact credentials from generated TRACE responses. 
- ---------- - -Co-authored-by: Alex Rousskov - -Conflict: remove doc/release-notes/release-7.sgml.in -Reference: https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f ---- - src/HttpRequest.cc | 6 +++--- - src/HttpRequest.h | 2 +- - src/cf.data.pre | 8 +++++++- - src/client_side_reply.cc | 14 +++++++------- - src/errorpage.cc | 17 ++++------------- - src/errorpage.h | 1 - - src/tests/stub_HttpRequest.cc | 2 +- - 8 files changed, 26 insertions(+), 27 deletions(-) - -diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc -index cd7ee71d4af..c6ed5bee45d 100644 ---- a/src/HttpRequest.cc -+++ b/src/HttpRequest.cc -@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) - - /* packs request-line and headers, appends terminator */ - void --HttpRequest::pack(Packable * p) const -+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const - { - assert(p); - /* pack request-line */ -@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const - SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), - http_ver.major, http_ver.minor); - /* headers */ -- header.packInto(p); -- /* trailer */ -+ header.packInto(p, maskSensitiveInfo); -+ /* indicate the end of the header section */ - p->append("\r\n", 2); - } - -diff --git a/src/HttpRequest.h b/src/HttpRequest.h -index 6d369029322..28dc4daf99d 100644 ---- a/src/HttpRequest.h -+++ b/src/HttpRequest.h -@@ -206,7 +206,7 @@ class HttpRequest: public Http::Message - - void swapOut(StoreEntry * e); - -- void pack(Packable * p) const; -+ void pack(Packable * p, bool maskSensitiveInfo = false) const; - - static void httpRequestPack(void *obj, Packable *p); - -diff --git a/src/cf.data.pre b/src/cf.data.pre -index 0a73020e111..2dce65a4d0a 100644 ---- a/src/cf.data.pre -+++ b/src/cf.data.pre -@@ -8912,12 +8912,18 @@ NAME: email_err_data - COMMENT: on|off - TYPE: onoff - LOC: Config.onoff.emailErrData --DEFAULT: on -+DEFAULT: off - DOC_START - If enabled, information about the occurred error 
will be - included in the mailto links of the ERR pages (if %W is set) - so that the email body contains the data. - Syntax is %w -+ -+ SECURITY WARNING: -+ Request headers and other included facts may contain -+ sensitive information about transaction history, the -+ Squid instance, and its environment which would be -+ unavailable to error recipients otherwise. - DOC_END - - NAME: deny_info -diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc -index d73bf3f99f6..fc2feccf802 100644 ---- a/src/client_side_reply.cc -+++ b/src/client_side_reply.cc -@@ -92,7 +92,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : - void - clientReplyContext::setReplyToError( - err_type err, Http::StatusCode status, char const *uri, -- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest, -+ const ConnStateData *conn, HttpRequest *failedrequest, const char *, - #if USE_AUTH - Auth::UserRequest::Pointer auth_user_request - #else -@@ -102,9 +102,6 @@ clientReplyContext::setReplyToError( - { - auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al); - -- if (unparsedrequest) -- errstate->request_hdrs = xstrdup(unparsedrequest); -- - #if USE_AUTH - errstate->auth_user_request = auth_user_request; - #endif -@@ -1004,11 +1001,14 @@ clientReplyContext::traceReply() - triggerInitialStoreRead(); - http->storeEntry()->releaseRequest(); - http->storeEntry()->buffer(); -+ MemBuf content; -+ content.init(); -+ http->request->pack(&content, true /* hide authorization data */); - const HttpReplyPointer rep(new HttpReply); -- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime); -+ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime); -+ rep->body.set(SBuf(content.buf, content.size)); - http->storeEntry()->replaceHttpReply(rep); -- http->request->swapOut(http->storeEntry()); -- http->storeEntry()->complete(); -+ 
http->storeEntry()->completeSuccessfully("traceReply() stored the entire response"); - } - - #define SENDING_BODY 0 -diff --git a/src/errorpage.cc b/src/errorpage.cc -index d7a588d099f..06046de9ebb 100644 ---- a/src/errorpage.cc -+++ b/src/errorpage.cc -@@ -837,7 +837,6 @@ ErrorState::~ErrorState() - - safe_free(redirect_url); - safe_free(url); -- safe_free(request_hdrs); - wordlistDestroy(&ftp.server_msg); - safe_free(ftp.request); - safe_free(ftp.reply); -@@ -887,7 +886,7 @@ ErrorState::Dump(MemBuf * mb) - body << "HTTP Request:\r\n"; - MemBuf r; - r.init(); -- request->pack(&r); -+ request->pack(&r, true /* hide authorization data */); - body << r.content(); - } - -@@ -1149,18 +1148,10 @@ ErrorState::compileLegacyCode(Build &build) - p = "[no request]"; - break; - } -- if (request) { -- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", -- SQUIDSBUFPRINT(request->method.image()), -- SQUIDSBUFPRINT(request->url.path()), -- AnyP::ProtocolType_str[request->http_ver.protocol], -- request->http_ver.major, request->http_ver.minor); -- request->header.packInto(&mb, true); //hide authorization data -- } else if (request_hdrs) { -- p = request_hdrs; -- } else { -+ else if (request) -+ request->pack(&mb, true /* hide authorization data */); -+ else - p = "[no request]"; -- } - break; - - case 's': -diff --git a/src/errorpage.h b/src/errorpage.h -index abca4a17d7b..297b306978d 100644 ---- a/src/errorpage.h -+++ b/src/errorpage.h -@@ -193,7 +193,6 @@ class ErrorState - MemBuf *listing = nullptr; - } ftp; - -- char *request_hdrs = nullptr; - char *err_msg = nullptr; /* Preformatted error message from the cache */ - - AccessLogEntryPointer ale; ///< transaction details (or nil) -diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc -index 495597d9a1b..48a0f1ce03e 100644 ---- a/src/tests/stub_HttpRequest.cc -+++ b/src/tests/stub_HttpRequest.cc -@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB - bool 
HttpRequest::bodyNibbled() const STUB_RETVAL(false) - int HttpRequest::prefixLen() const STUB_RETVAL(0) - void HttpRequest::swapOut(StoreEntry *) STUB --void HttpRequest::pack(Packable *) const STUB -+void HttpRequest::pack(Packable *, bool) const STUB - void HttpRequest::httpRequestPack(void *, Packable *) STUB - HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) - HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) diff --git a/backport-squid-6.1-symlink-lang-err.patch b/backport-squid-6.1-symlink-lang-err.patch index 4722b827f03286ed3f41c8ad2eec93a4a85b8d0f..d03ae4c40a5a3d41c957f4d92532798c6ddb10ce 100644 --- a/backport-squid-6.1-symlink-lang-err.patch +++ b/backport-squid-6.1-symlink-lang-err.patch @@ -1,5 +1,5 @@ diff --git a/errors/aliases b/errors/aliases -index c256106..38c123a 100644 +index 1852e72..28310cc 100644 --- a/errors/aliases +++ b/errors/aliases @@ -14,8 +14,7 @@ da da-dk @@ -13,7 +13,7 @@ index c256106..38c123a 100644 fa fa-fa fa-ir fi fi-fi diff --git a/errors/language.am b/errors/language.am -index a437d17..f2fe463 100644 +index b981bc9..e701953 100644 --- a/errors/language.am +++ b/errors/language.am @@ -19,7 +19,6 @@ LANGUAGE_FILES = \ @@ -24,4 +24,3 @@ index a437d17..f2fe463 100644 es.lang \ et.lang \ fa.lang \ --- \ No newline at end of file diff --git a/squid-7.1.tar.xz b/squid-7.1.tar.xz deleted file mode 100644 index 2055fd33cdc7fc5c3a5539d095f4a3787ce29be5..0000000000000000000000000000000000000000 Binary files a/squid-7.1.tar.xz and /dev/null differ diff --git a/squid-7.3.tar.xz b/squid-7.3.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..99d085d82b3645a5fb57e3c7cfe6ed42c0078fd6 --- /dev/null +++ b/squid-7.3.tar.xz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd +size 2441828 diff --git a/squid-7.1.tar.xz.asc b/squid-7.3.tar.xz.asc similarity index 42% rename from squid-7.1.tar.xz.asc rename to squid-7.3.tar.xz.asc index 5f14a1ed48ac846280bc57f83edac7822caf383d..de4961c1e5a078c2cb95b087baf2fc9ee6a66222 100644 --- a/squid-7.1.tar.xz.asc +++ b/squid-7.3.tar.xz.asc @@ -1,9 +1,9 @@ -File : squid-7.1.tar.xz -Date : Thu, 10 Jul 2025 12:45:07 +0000 -Size : 2466656 -MD5 : e617871ff11444bdf930aa2455d7627b -SHA1 : ce42e5deb368b0cc122e191abd5a53a9bf556d1d -SHA256 : 763b5a78561cedc4e47634fa42b8e6b8d46c87c949a151b4e7ac2396d2f97dea +File : squid-7.3.tar.xz +Date : Tue, 28 Oct 2025 20:25:12 +0000 +Size : 2441828 +MD5 : 5a137c74c6bb74b2d29ab9fca37f7634 +SHA1 : 135c4a5a3c2d57851f6c33256f6dc6f138e34805 +SHA256 : dadc2a9a3926ce1b3babeaa7a7d7b21cbb089025876daa3f5c19e7eb6391ddcd Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 Fingerprint: 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865 sub cv25519 2021-05-15 [E] @@ -11,8 +11,8 @@ Keyring : http://www.squid-cache.org/pgp.asc Keyserver: keyserver.ubuntu.com -----BEGIN PGP SIGNATURE----- -iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaG+2ogAKCRAo+FAp/vbo -ZR5YAQDZxBJ7pr2wAYqpXLZlVJ9yGAZELp3RiSvkPJKKlQgrewEArbxCkxgqt1OR -tlDlizGP8GR1Y44rBuAJRiwL94GwyQo= -=wjjZ +iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaQEnTQAKCRAo+FAp/vbo +ZQ+5AP9reExpcMwsaneD8pVVX+Ap/kgRYylbM5lVlxwHD/IVNgEA4EHpjuaHPVb6 +YbJ97+HId+XiiCMAyjjkdgHWQxxjbQA= +=0ppx -----END PGP SIGNATURE----- diff --git a/squid.service b/squid.service index e36fbfe29111eb086f02a4640daa3b12649e2471..41345f94e7c09a67a43b90e484879efc7c744262 100644 --- a/squid.service +++ b/squid.service 
@@ -4,6 +4,18 @@ Documentation=man:squid(8) After=network.target network-online.target nss-lookup.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=notify LimitNOFILE=16384 PIDFile=/run/squid.pid diff --git a/squid.spec b/squid.spec index 9ba6369fe8d71f307f80258b9df72e92e64503da..755210a08956a623b63f283e0f77b2e4cd31cb86 100644 --- a/squid.spec +++ b/squid.spec @@ -2,12 +2,12 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 7.1 -Release: 2 +Version: 7.3 +Release: 1 Summary: The Squid proxy caching server Epoch: 7 -License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) -URL: http://www.squid-cache.org +License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND Public Domain AND Beerware) +URL: https://www.squid-cache.org Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/%{name}-%{version}.tar.xz Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/%{name}-%{version}.tar.xz.asc Source2: squid.logrotate @@ -17,13 +17,12 @@ Source5: squid.nm Source6: squid.service Source7: cache_swap.sh Source8: perl-requires-squid.sh +Source9: squid.sysusers.conf Patch0: squid-4.0.11-config.patch Patch1: squid-3.1.0.9-location.patch Patch2: squid-3.0.STABLE1-perlpath.patch Patch3: backport-squid-6.1-symlink-lang-err.patch -Patch4: backport-CVE-2025-59362.patch -Patch5: backport-CVE-2025-62168.patch Requires: bash Requires: httpd-filesystem 
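Review bot: The hardening block in squid.service is the openSUSE template pasted verbatim, and nothing in it or in the changelog says the set was checked against how this package runs squid, so the reader cannot tell whether omissions such as `ProtectHome=true` are deliberate or just absent from the template. `ProtectSystem=full` mounts /usr, /boot and /etc read-only; that is presumably fine because the visible unit only points squid at /run/squid.pid and the old %pre only touched /var/log/squid and /var/spool/squid, but the cache_swap.sh pre-start step (Source7 in squid.spec) is not visible here and is the part most likely to write somewhere unexpected, so confirm it before release. The `# added automatically` / `# end of automatic additions` markers imply a tool-managed region; if nothing regenerates it in this repo, replace them with a plain comment such as `# systemd sandboxing, adopted from the openSUSE hardening template; reviewed for squid's /var/log, /var/spool and /run write paths` so the block is understood as hand-maintained.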
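Review bot: Removing Patch4 and Patch5 drops the CVE-2025-59362 and CVE-2025-62168 backports without any statement that 7.3 already carries those fixes, and the changelog entry added in the last hunks of this commit (`DESC:upgrade to 7.3`) is silent on it as well. Presumably both landed upstream before the 7.3 tag (the deleted CVE-2025-62168 patch is dated 2025-10-11 and the new .asc dates the tarball 2025-10-28), but that is an inference from dates, not something the commit records. Add a changelog line such as `- DESC:drop backport-CVE-2025-59362.patch and backport-CVE-2025-62168.patch, fixes included upstream in 7.3` so the CVE trail for this package stays auditable.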
@@ -32,7 +31,8 @@ BuildRequires: libxml2-devel libcap-devel libecap-devel gcc-c++ libtool libtool- BuildRequires: perl-generators pkgconfig(cppunit) BuildRequires: chrpath systemd-devel -%systemd_requires +%{?sysusers_requires_compat} +%{?systemd_requires} Conflicts: NetworkManager < 1.20 @@ -125,10 +125,9 @@ EOF mkdir -p $RPM_BUILD_ROOT/usr/share/snmp/mibs mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/SQUID-MIB.txt -chrpath -d %{buildroot}%{_sbindir}/squid +install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf -mkdir -p %{buildroot}/etc/ld.so.conf.d -echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf +chrpath -d %{buildroot}%{_sbindir}/squid %files %license COPYING @@ -154,7 +153,6 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %config %{_sysconfdir}/squid/errorpage.css.default %config(noreplace) %{_sysconfdir}/pam.d/squid %config(noreplace) %{_sysconfdir}/logrotate.d/squid -%config(noreplace) /etc/ld.so.conf.d/* %dir %{_datadir}/squid %attr(-,root,root) %{_datadir}/squid/errors @@ -165,18 +163,13 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_tmpfilesdir}/squid.conf +%{_sysusersdir}/squid.conf %exclude %{_sysconfdir}/squid/squid.conf.documented %exclude %{_bindir}/{RunAccel,RunCache} %exclude /squid.httpd.tmp %pre -if ! getent group squid >/dev/null 2>&1; then - /usr/sbin/groupadd -g 23 squid -fi - -if ! getent passwd squid >/dev/null 2>&1 ; then - /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 -fi +%sysusers_create_compat %{S:9} for i in /var/log/squid /var/spool/squid ; do if [ -d $i ] ; then 
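Review bot: The new dependency is optional but the scriptlet that needs it is not: the first hunk on this line guards with `%{?sysusers_requires_compat}`, while the `%pre` in the last hunk calls `%sysusers_create_compat %{S:9}` unconditionally, and the getent/useradd fallback that used to create the account is deleted. On a buildroot where that macro is undefined the text is likely left unexpanded and `%pre` would fail at install time instead of the build failing early; either drop the `?` so a missing systemd-rpm-macros is caught at build time, or keep a minimal fallback in `%pre`. The sysusers file still pins uid/gid 23 and leaves a pre-existing squid account alone, which matches the old `getent` guard, so that part is behaviour-preserving; the `for i in /var/log/squid /var/spool/squid` loop that follows continues outside the hunk.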
@@ -218,17 +211,14 @@ do end end - %post %systemd_post squid.service -/sbin/ldconfig %preun %systemd_preun squid.service %postun %systemd_postun_with_restart squid.service -/sbin/ldconfig %triggerin -- samba-common if ! getent group wbpriv >/dev/null 2>&1 ; then @@ -238,6 +228,15 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog +* Wed Oct 29 2025 Funda Wang - 7:7.3-1 +- Type:requirements +- ID:NA +- SUG:NA +- DESC:upgrade to 7.3 +- DESC:harden systemd service from openSUSE +- DESC:convert user creation to systemd style +- DESC:drop useless ldconfig setting for standard path + * Tue Oct 21 2025 xinghe - 7:7.1-2 - Type:cves - ID:CVE-2025-62168 diff --git a/squid.sysusers.conf b/squid.sysusers.conf new file mode 100644 index 0000000000000000000000000000000000000000..f9cc56bc726fd6d04cfd4b723d1946e168a7ac9c --- /dev/null +++ b/squid.sysusers.conf @@ -0,0 +1,2 @@ +g squid 23 - +u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin