author | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-02 17:39:21 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-02 17:42:13 +0200 |
commit | cca1978fca0677250ca84f4bdcb86b395a64b6e9 (patch) | |
tree | 8bd4c2ff75bc071d3370ccf0e4ae4426fd04c948 | |
parent | 70887376e8deea648f023181bbbe7d2ef17ed5af (diff) | |
main/squid: security upgrade to 4.10
- CVE-2019-12528
- CVE-2020-8449
- CVE-2020-8450
- CVE-2020-8517
fixes #11284
-rw-r--r-- | main/squid/APKBUILD | 13 | ||||
-rw-r--r-- | main/squid/CVE-2019-18679.patch | 120 |
2 files changed, 8 insertions, 125 deletions
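--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squid
-pkgver=4.8
-pkgrel=1
+pkgver=4.10
+pkgrel=0
 pkgdesc="A full-featured Web proxy cache server."
 url="http://www.squid-cache.org"
 install="squid.pre-install squid.pre-upgrade"
@@ -18,7 +18,6 @@ linguas="af ar az bg ca cs da de el es et fa fi fr he hu hy id it ja ka ko lt
 lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh"
 langdir="/usr/share/squid/errors"
 source="http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz
-CVE-2019-18679.patch
 
 $pkgname.initd
 $pkgname.confd
@@ -30,6 +29,11 @@ builddir="$srcdir"/$pkgname-$pkgver
 options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
 
 # secfixes:
+# 4.10-r0:
+# - CVE-2019-12528
+# - CVE-2020-8449
+# - CVE-2020-8450
+# - CVE-2020-8517
 # 4.8-r1:
 # - CVE-2019-18679
 # 4.8-r0:
@@ -108,8 +112,7 @@ squid_kerb_auth() {
 install -d "$subpkgdir"/usr/lib/squid
 mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
 }
-sha512sums="2223f299950ded074faca6e3d09c15bc26e8644c3019b36a612f5d424e25b02a528c4b3c8a9463864f71edc29f17c5662f16ffda18c76317405cb97657e5e823 squid-4.8.tar.xz
-e2a38576105eb056640f334499504e10605e5b7e82bcd602fe019dd010beb2c70eddc931ca2b3e452f229a28de0f6c7fb6b770bcf2f3c406044286d8fed18490 CVE-2019-18679.patch
+sha512sums="033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0 squid-4.10.tar.xz
 15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"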
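Review bot: The `source=` hunk still fetches the release tarball over plaintext `http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz`; the new sha512 pinned in the last hunk does stop a tampered download from building, but only if that checksum was itself taken from an untampered copy, so the fetch (and `url=`) should move to `https://` if upstream serves it, e.g. `source="https://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz`. The new `4.10-r0` secfixes entry lists only the four advisories from the commit message, yet this bump jumps from 4.8 straight to 4.10; if the intermediate 4.9 release also carried security fixes that were never backported to 4.8-rX, they should be recorded under `4.10-r0` too so Alpine's secdb reflects them — I cannot confirm that from this hunk alone. Dropping `CVE-2019-18679.patch` is consistent with its upstream commit being included in the 4.10 tarball, so the existing `4.8-r1` entry can stay as history.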
diff --git a/main/squid/CVE-2019-18679.patch b/main/squid/CVE-2019-18679.patch deleted file mode 100644 index 9ad820d319..0000000000 --- a/main/squid/CVE-2019-18679.patch +++ /dev/null | |||
@@ -1,120 +0,0 @@ | |||
1 | commit 671ba97abe929156dc4c717ee52ad22fba0f7443 | ||
2 | Author: Amos Jeffries <yadij@users.noreply.github.com> | ||
3 | Date: 2019-09-11 02:52:52 +0000 | ||
4 | |||
5 | RFC 7230: server MUST reject messages with BWS after field-name (#445) | ||
6 | |||
7 | Obey the RFC requirement to reject HTTP requests with whitespace | ||
8 | between field-name and the colon delimiter. Rejection is | ||
9 | critical in the presence of broken HTTP agents that mishandle | ||
10 | malformed messages. | ||
11 | |||
12 | Also obey requirement to always strip such whitespace from HTTP | ||
13 | response messages. The relaxed parser is no longer necessary for | ||
14 | this response change. | ||
15 | |||
16 | For now non-HTTP protocols retain the old behaviour of removal | ||
17 | only when using the relaxed parser. | ||
18 | |||
19 | diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc | ||
20 | index dd320d5..a36ad85 100644 | ||
21 | --- a/src/HttpHeader.cc | ||
22 | +++ b/src/HttpHeader.cc | ||
23 | @@ -421,15 +421,12 @@ HttpHeader::parse(const char *header_start, size_t hdrLen) | ||
24 | break; /* terminating blank line */ | ||
25 | } | ||
26 | |||
27 | - HttpHeaderEntry *e; | ||
28 | - if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) { | ||
29 | + const auto e = HttpHeaderEntry::parse(field_start, field_end, owner); | ||
30 | + if (!e) { | ||
31 | debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" << | ||
32 | getStringPrefix(field_start, field_end-field_start) << "}"); | ||
33 | debugs(55, warnOnError, " in {" << getStringPrefix(header_start, hdrLen) << "}"); | ||
34 | |||
35 | - if (Config.onoff.relaxed_header_parser) | ||
36 | - continue; | ||
37 | - | ||
38 | PROF_stop(HttpHeaderParse); | ||
39 | clean(); | ||
40 | return 0; | ||
41 | @@ -1386,7 +1383,7 @@ HttpHeaderEntry::~HttpHeaderEntry() | ||
42 | |||
43 | /* parses and inits header entry, returns true/false */ | ||
44 | HttpHeaderEntry * | ||
45 | -HttpHeaderEntry::parse(const char *field_start, const char *field_end) | ||
46 | +HttpHeaderEntry::parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType) | ||
47 | { | ||
48 | /* note: name_start == field_start */ | ||
49 | const char *name_end = (const char *)memchr(field_start, ':', field_end - field_start); | ||
50 | @@ -1403,19 +1400,41 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end) | ||
51 | |||
52 | if (name_len > 65534) { | ||
53 | /* String must be LESS THAN 64K and it adds a terminating NULL */ | ||
54 | - debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes"); | ||
55 | + // TODO: update this to show proper name_len in Raw markup, but not print all that | ||
56 | + debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)"); | ||
57 | return NULL; | ||
58 | } | ||
59 | |||
60 | - if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) { | ||
61 | + /* | ||
62 | + * RFC 7230 section 3.2.4: | ||
63 | + * "No whitespace is allowed between the header field-name and colon. | ||
64 | + * ... | ||
65 | + * A server MUST reject any received request message that contains | ||
66 | + * whitespace between a header field-name and colon with a response code | ||
67 | + * of 400 (Bad Request). A proxy MUST remove any such whitespace from a | ||
68 | + * response message before forwarding the message downstream." | ||
69 | + */ | ||
70 | + if (xisspace(field_start[name_len - 1])) { | ||
71 | + | ||
72 | + if (msgType == hoRequest) | ||
73 | + return nullptr; | ||
74 | + | ||
75 | + // for now, also let relaxed parser remove this BWS from any non-HTTP messages | ||
76 | + const bool stripWhitespace = (msgType == hoReply) || | ||
77 | + Config.onoff.relaxed_header_parser; | ||
78 | + if (!stripWhitespace) | ||
79 | + return nullptr; // reject if we cannot strip | ||
80 | + | ||
81 | debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2, | ||
82 | "NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end-field_start) << "'"); | ||
83 | |||
84 | while (name_len > 0 && xisspace(field_start[name_len - 1])) | ||
85 | --name_len; | ||
86 | |||
87 | - if (!name_len) | ||
88 | + if (!name_len) { | ||
89 | + debugs(55, 2, "found header with only whitespace for name"); | ||
90 | return NULL; | ||
91 | + } | ||
92 | } | ||
93 | |||
94 | /* now we know we can parse it */ | ||
95 | @@ -1448,11 +1467,7 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end) | ||
96 | |||
97 | if (field_end - value_start > 65534) { | ||
98 | /* String must be LESS THAN 64K and it adds a terminating NULL */ | ||
99 | - debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes"); | ||
100 | - | ||
101 | - if (id == Http::HdrType::OTHER) | ||
102 | - name.clean(); | ||
103 | - | ||
104 | + debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes"); | ||
105 | return NULL; | ||
106 | } | ||
107 | |||
108 | diff --git a/src/HttpHeader.h b/src/HttpHeader.h | ||
109 | index 35a9410..be175b7 100644 | ||
110 | --- a/src/HttpHeader.h | ||
111 | +++ b/src/HttpHeader.h | ||
112 | @@ -54,7 +54,7 @@ class HttpHeaderEntry | ||
113 | public: | ||
114 | HttpHeaderEntry(Http::HdrType id, const char *name, const char *value); | ||
115 | ~HttpHeaderEntry(); | ||
116 | - static HttpHeaderEntry *parse(const char *field_start, const char *field_end); | ||
117 | + static HttpHeaderEntry *parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType); | ||
118 | HttpHeaderEntry *clone() const; | ||
119 | void packInto(Packable *p) const; | ||
120 | int getInt() const; | ||