main/squid: security upgrade to 4.10

- CVE-2019-12528 - CVE-2020-8449 - CVE-2020-8450 - CVE-2020-8517 fixes #11284
author: Natanael Copa <ncopa@alpinelinux.org> 2020-04-02 17:39:21 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2020-04-02 17:42:13 +0200
commit: cca1978fca0677250ca84f4bdcb86b395a64b6e9 (patch)
tree: 8bd4c2ff75bc071d3370ccf0e4ae4426fd04c948
parent: 70887376e8deea648f023181bbbe7d2ef17ed5af (diff)
download: alpine_aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.tar.bz2
alpine_aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.tar.xz
alpine_aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.zip
2 files changed, 8 insertions, 125 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 7c4ae5ffff..bea34bb801 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squid
-pkgver=4.8
+pkgver=4.10
-pkgrel=1
+pkgrel=0
 pkgdesc="A full-featured Web proxy cache server."
 url="http://www.squid-cache.org"
 install="squid.pre-install squid.pre-upgrade"
@@ -18,7 +18,6 @@ linguas="af ar az bg ca cs da de el es et fa fi fr he hu hy id it ja ka ko lt
        lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh"
 langdir="/usr/share/squid/errors"
 source="http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz
-        CVE-2019-18679.patch
        $pkgname.initd
        $pkgname.confd
@@ -30,6 +29,11 @@ builddir="$srcdir"/$pkgname-$pkgver
 options="!check"  # does not work. Error message is about "applet not found", some issue with the installed busybox
 # secfixes:
+#   4.10-r0:
+#     - CVE-2019-12528
+#     - CVE-2020-8449
+#     - CVE-2020-8450
+#     - CVE-2020-8517
 #   4.8-r1:
 #     - CVE-2019-18679
 #   4.8-r0:
@@ -108,8 +112,7 @@ squid_kerb_auth() {
        install -d "$subpkgdir"/usr/lib/squid
        mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
 }
-sha512sums="2223f299950ded074faca6e3d09c15bc26e8644c3019b36a612f5d424e25b02a528c4b3c8a9463864f71edc29f17c5662f16ffda18c76317405cb97657e5e823  squid-4.8.tar.xz
+sha512sums="033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0  squid-4.10.tar.xz
-e2a38576105eb056640f334499504e10605e5b7e82bcd602fe019dd010beb2c70eddc931ca2b3e452f229a28de0f6c7fb6b770bcf2f3c406044286d8fed18490  CVE-2019-18679.patch
 15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9  squid.initd
 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9  squid.confd
 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5  squid.logrotate"
diff --git a/main/squid/CVE-2019-18679.patch b/main/squid/CVE-2019-18679.patch
deleted file mode 100644
index 9ad820d319..0000000000
--- a/main/squid/CVE-2019-18679.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-commit 671ba97abe929156dc4c717ee52ad22fba0f7443
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   2019-09-11 02:52:52 +0000
-    RFC 7230: server MUST reject messages with BWS after field-name (#445)
-    
-    Obey the RFC requirement to reject HTTP requests with whitespace
-    between field-name and the colon delimiter. Rejection is
-    critical in the presence of broken HTTP agents that mishandle
-    malformed messages.
-    
-    Also obey requirement to always strip such whitespace from HTTP
-    response messages. The relaxed parser is no longer necessary for
-    this response change.
-    
-    For now non-HTTP protocols retain the old behaviour of removal
-    only when using the relaxed parser.
-diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
-index dd320d5..a36ad85 100644
--- a/src/HttpHeader.cc
-+++ b/src/HttpHeader.cc
-@@ -421,15 +421,12 @@ HttpHeader::parse(const char *header_start, size_t hdrLen)
-             break;      /* terminating blank line */
-         }
- 
-        HttpHeaderEntry *e;
-        if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) {
-+        const auto e = HttpHeaderEntry::parse(field_start, field_end, owner);
-+        if (!e) {
-             debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" <<
-                    getStringPrefix(field_start, field_end-field_start) << "}");
-             debugs(55, warnOnError, " in {" << getStringPrefix(header_start, hdrLen) << "}");
- 
-            if (Config.onoff.relaxed_header_parser)
-                continue;
-
-             PROF_stop(HttpHeaderParse);
-             clean();
-             return 0;
-@@ -1386,7 +1383,7 @@ HttpHeaderEntry::~HttpHeaderEntry()
- 
- /* parses and inits header entry, returns true/false */
- HttpHeaderEntry *
-HttpHeaderEntry::parse(const char *field_start, const char *field_end)
-+HttpHeaderEntry::parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType)
- {
-     /* note: name_start == field_start */
-     const char *name_end = (const char *)memchr(field_start, ':', field_end - field_start);
-@@ -1403,19 +1400,41 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end)
- 
-     if (name_len > 65534) {
-         /* String must be LESS THAN 64K and it adds a terminating NULL */
-        debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes");
-+        // TODO: update this to show proper name_len in Raw markup, but not print all that
-+        debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)");
-         return NULL;
-     }
- 
-    if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) {
-+    /*
-+     * RFC 7230 section 3.2.4:
-+     * "No whitespace is allowed between the header field-name and colon.
-+     * ...
-+     *  A server MUST reject any received request message that contains
-+     *  whitespace between a header field-name and colon with a response code
-+     *  of 400 (Bad Request).  A proxy MUST remove any such whitespace from a
-+     *  response message before forwarding the message downstream."
-+     */
-+    if (xisspace(field_start[name_len - 1])) {
-+
-+        if (msgType == hoRequest)
-+            return nullptr;
-+
-+        // for now, also let relaxed parser remove this BWS from any non-HTTP messages
-+        const bool stripWhitespace = (msgType == hoReply) ||
-+                                     Config.onoff.relaxed_header_parser;
-+        if (!stripWhitespace)
-+            return nullptr; // reject if we cannot strip
-+
-         debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
-                "NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end-field_start) << "'");
- 
-         while (name_len > 0 && xisspace(field_start[name_len - 1]))
-             --name_len;
- 
-        if (!name_len)
-+        if (!name_len) {
-+            debugs(55, 2, "found header with only whitespace for name");
-             return NULL;
-+        }
-     }
- 
-     /* now we know we can parse it */
-@@ -1448,11 +1467,7 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end)
- 
-     if (field_end - value_start > 65534) {
-         /* String must be LESS THAN 64K and it adds a terminating NULL */
-        debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes");
-
-        if (id == Http::HdrType::OTHER)
-            name.clean();
-
-+        debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes");
-         return NULL;
-     }
- 
-diff --git a/src/HttpHeader.h b/src/HttpHeader.h
-index 35a9410..be175b7 100644
--- a/src/HttpHeader.h
-+++ b/src/HttpHeader.h
-@@ -54,7 +54,7 @@ class HttpHeaderEntry
- public:
-     HttpHeaderEntry(Http::HdrType id, const char *name, const char *value);
-     ~HttpHeaderEntry();
-    static HttpHeaderEntry *parse(const char *field_start, const char *field_end);
-+    static HttpHeaderEntry *parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType);
-     HttpHeaderEntry *clone() const;
-     void packInto(Packable *p) const;
-     int getInt() const;
author	Natanael Copa <ncopa@alpinelinux.org>	2020-04-02 17:39:21 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2020-04-02 17:42:13 +0200
commit	cca1978fca0677250ca84f4bdcb86b395a64b6e9 (patch)
tree	8bd4c2ff75bc071d3370ccf0e4ae4426fd04c948
parent	70887376e8deea648f023181bbbe7d2ef17ed5af (diff)
download	alpine_aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.tar.bz2 alpine_aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.tar.xz alpine_aports-cca1978fca0677250ca84f4bdcb86b395a64b6e9.zip

diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index 7c4ae5ffff..bea34bb801 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD
@@ -1,8 +1,8 @@
1	# Contributor: Carlo Landmeter <clandmeter@gmail.com>	1	# Contributor: Carlo Landmeter <clandmeter@gmail.com>
2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
3	pkgname=squid	3	pkgname=squid
4	pkgver=4.8	4	pkgver=4.10
5	pkgrel=1	5	pkgrel=0
6	pkgdesc="A full-featured Web proxy cache server."	6	pkgdesc="A full-featured Web proxy cache server."
7	url="http://www.squid-cache.org"	7	url="http://www.squid-cache.org"
8	install="squid.pre-install squid.pre-upgrade"	8	install="squid.pre-install squid.pre-upgrade"
@@ -18,7 +18,6 @@ linguas="af ar az bg ca cs da de el es et fa fi fr he hu hy id it ja ka ko lt
18	lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh"	18	lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh"
19	langdir="/usr/share/squid/errors"	19	langdir="/usr/share/squid/errors"
20	source="http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz	20	source="http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz
21	CVE-2019-18679.patch
22		21
23	$pkgname.initd	22	$pkgname.initd
24	$pkgname.confd	23	$pkgname.confd
@@ -30,6 +29,11 @@ builddir="$srcdir"/$pkgname-$pkgver
30	options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox	29	options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
31		30
32	# secfixes:	31	# secfixes:
		32	# 4.10-r0:
		33	# - CVE-2019-12528
		34	# - CVE-2020-8449
		35	# - CVE-2020-8450
		36	# - CVE-2020-8517
33	# 4.8-r1:	37	# 4.8-r1:
34	# - CVE-2019-18679	38	# - CVE-2019-18679
35	# 4.8-r0:	39	# 4.8-r0:
@@ -108,8 +112,7 @@ squid_kerb_auth() {
108	install -d "$subpkgdir"/usr/lib/squid	112	install -d "$subpkgdir"/usr/lib/squid
109	mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/	113	mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
110	}	114	}
111	sha512sums="2223f299950ded074faca6e3d09c15bc26e8644c3019b36a612f5d424e25b02a528c4b3c8a9463864f71edc29f17c5662f16ffda18c76317405cb97657e5e823 squid-4.8.tar.xz	115	sha512sums="033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0 squid-4.10.tar.xz
112	e2a38576105eb056640f334499504e10605e5b7e82bcd602fe019dd010beb2c70eddc931ca2b3e452f229a28de0f6c7fb6b770bcf2f3c406044286d8fed18490 CVE-2019-18679.patch
113	15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd	116	15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
114	7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd	117	7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
115	89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"	118	89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"


diff --git a/main/squid/CVE-2019-18679.patch b/main/squid/CVE-2019-18679.patch deleted file mode 100644 index 9ad820d319..0000000000 --- a/main/squid/CVE-2019-18679.patch +++ /dev/null
@@ -1,120 +0,0 @@
1	commit 671ba97abe929156dc4c717ee52ad22fba0f7443
2	Author: Amos Jeffries <yadij@users.noreply.github.com>
3	Date: 2019-09-11 02:52:52 +0000
4
5	RFC 7230: server MUST reject messages with BWS after field-name (#445)
6
7	Obey the RFC requirement to reject HTTP requests with whitespace
8	between field-name and the colon delimiter. Rejection is
9	critical in the presence of broken HTTP agents that mishandle
10	malformed messages.
11
12	Also obey requirement to always strip such whitespace from HTTP
13	response messages. The relaxed parser is no longer necessary for
14	this response change.
15
16	For now non-HTTP protocols retain the old behaviour of removal
17	only when using the relaxed parser.
18
19	diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
20	index dd320d5..a36ad85 100644
21	--- a/src/HttpHeader.cc
22	+++ b/src/HttpHeader.cc
23	@@ -421,15 +421,12 @@ HttpHeader::parse(const char *header_start, size_t hdrLen)
24	break; /* terminating blank line */
25	}
26
27	- HttpHeaderEntry *e;
28	- if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) {
29	+ const auto e = HttpHeaderEntry::parse(field_start, field_end, owner);
30	+ if (!e) {
31	debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" <<
32	getStringPrefix(field_start, field_end-field_start) << "}");
33	debugs(55, warnOnError, " in {" << getStringPrefix(header_start, hdrLen) << "}");
34
35	- if (Config.onoff.relaxed_header_parser)
36	- continue;
37	-
38	PROF_stop(HttpHeaderParse);
39	clean();
40	return 0;
41	@@ -1386,7 +1383,7 @@ HttpHeaderEntry::~HttpHeaderEntry()
42
43	/* parses and inits header entry, returns true/false */
44	HttpHeaderEntry *
45	-HttpHeaderEntry::parse(const char field_start, const char field_end)
46	+HttpHeaderEntry::parse(const char field_start, const char field_end, const http_hdr_owner_type msgType)
47	{
48	/* note: name_start == field_start */
49	const char name_end = (const char )memchr(field_start, ':', field_end - field_start);
50	@@ -1403,19 +1400,41 @@ HttpHeaderEntry::parse(const char field_start, const char field_end)
51
52	if (name_len > 65534) {
53	/* String must be LESS THAN 64K and it adds a terminating NULL */
54	- debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes");
55	+ // TODO: update this to show proper name_len in Raw markup, but not print all that
56	+ debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)");
57	return NULL;
58	}
59
60	- if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) {
61	+ /*
62	+ * RFC 7230 section 3.2.4:
63	+ * "No whitespace is allowed between the header field-name and colon.
64	+ * ...
65	+ * A server MUST reject any received request message that contains
66	+ * whitespace between a header field-name and colon with a response code
67	+ * of 400 (Bad Request). A proxy MUST remove any such whitespace from a
68	+ * response message before forwarding the message downstream."
69	+ */
70	+ if (xisspace(field_start[name_len - 1])) {
71	+
72	+ if (msgType == hoRequest)
73	+ return nullptr;
74	+
75	+ // for now, also let relaxed parser remove this BWS from any non-HTTP messages
76	+ const bool stripWhitespace = (msgType == hoReply) \|\|
77	+ Config.onoff.relaxed_header_parser;
78	+ if (!stripWhitespace)
79	+ return nullptr; // reject if we cannot strip
80	+
81	debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
82	"NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end-field_start) << "'");
83
84	while (name_len > 0 && xisspace(field_start[name_len - 1]))
85	--name_len;
86
87	- if (!name_len)
88	+ if (!name_len) {
89	+ debugs(55, 2, "found header with only whitespace for name");
90	return NULL;
91	+ }
92	}
93
94	/* now we know we can parse it */
95	@@ -1448,11 +1467,7 @@ HttpHeaderEntry::parse(const char field_start, const char field_end)
96
97	if (field_end - value_start > 65534) {
98	/* String must be LESS THAN 64K and it adds a terminating NULL */
99	- debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes");
100	-
101	- if (id == Http::HdrType::OTHER)
102	- name.clean();
103	-
104	+ debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes");
105	return NULL;
106	}
107
108	diff --git a/src/HttpHeader.h b/src/HttpHeader.h
109	index 35a9410..be175b7 100644
110	--- a/src/HttpHeader.h
111	+++ b/src/HttpHeader.h
112	@@ -54,7 +54,7 @@ class HttpHeaderEntry
113	public:
114	HttpHeaderEntry(Http::HdrType id, const char name, const char value);
115	~HttpHeaderEntry();
116	- static HttpHeaderEntry parse(const char field_start, const char *field_end);
117	+ static HttpHeaderEntry parse(const char field_start, const char *field_end, const http_hdr_owner_type msgType);
118	HttpHeaderEntry *clone() const;
119	void packInto(Packable *p) const;
120	int getInt() const;