authorbsiegert <bsiegert@pkgsrc.org>2020-04-30 08:35:50 +0000
committerbsiegert <bsiegert@pkgsrc.org>2020-04-30 08:35:50 +0000
commit31000ad4e93cab572c5073985f5754ffafbd7ace (patch)
tree2056fdb2c34c1bae1afc91f57a7040f7ed3a13b3 /www
parent3c7cf17f53a6c95d25b498b0f8ac49c638e18496 (diff)
Pullup ticket #6179 - requested by taca
www/squid4: security fix Revisions pulled up: - www/squid4/Makefile 1.6-1.7 - www/squid4/distinfo 1.4-1.6 - www/squid4/patches/patch-acinclude_os-deps.m4 1.1-1.2 - www/squid4/patches/patch-configure 1.3-1.5 - www/squid4/patches/patch-src_ip_Intercept.cc 1.1 --- Module Name: pkgsrc Committed By: sborrill Date: Thu Apr 9 09:45:20 UTC 2020 Modified Files: pkgsrc/www/squid4: Makefile distinfo pkgsrc/www/squid4/patches: patch-configure Added Files: pkgsrc/www/squid4/patches: patch-acinclude_os-deps.m4 patch-src_ip_Intercept.cc Log Message: Fix IPFilter transparent proxy support by: - including correct headers in configure tests - using correct autoconf value output by configure Bump PKGREVISION --- Module Name: pkgsrc Committed By: sborrill Date: Thu Apr 9 16:27:15 UTC 2020 Modified Files: pkgsrc/www/squid4: distinfo pkgsrc/www/squid4/patches: patch-acinclude_os-deps.m4 patch-configure Log Message: Generate correct #defines for the IPFilter IPv6 detection with no trailing underscores --- Module Name: pkgsrc Committed By: mef Date: Thu Apr 23 13:52:24 UTC 2020 Modified Files: pkgsrc/www/squid4: Makefile distinfo pkgsrc/www/squid4/patches: patch-configure Log Message: (www/squid4) Updated to 4.10 (and clear pkglint one point in patch) Changes to squid-4.11 (18 Apr 2020): - Bug 5036: capital 'L's in logs when daemon queue overflows - Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations - Bug 5016: systemd thinks Squid is ready before Squid listens - kerberos_ldap_group: fix encryption type for cross realm check - HTTP: Ignore malformed Host header in intercept and reverse proxy mode - Fix Digest authentication nonce handling - Supply ALE to request_header_add/reply_header_add - ... and some documentation updates - ... and some compile fixes
Diffstat (limited to 'www')
-rw-r--r--www/squid4/Makefile5
-rw-r--r--www/squid4/distinfo14
-rw-r--r--www/squid4/patches/patch-acinclude_os-deps.m437
-rw-r--r--www/squid4/patches/patch-configure72
-rw-r--r--www/squid4/patches/patch-src_ip_Intercept.cc24
5 files changed, 133 insertions, 19 deletions
diff --git a/www/squid4/Makefile b/www/squid4/Makefile
index 118997a6949..0a71bbb9c06 100644
--- a/www/squid4/Makefile
+++ b/www/squid4/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.5 2020/03/08 16:51:39 wiz Exp $
+# $NetBSD: Makefile,v 1.5.2.1 2020/04/30 08:35:50 bsiegert Exp $
-DISTNAME= squid-4.10
-PKGREVISION= 1
+DISTNAME= squid-4.11
CATEGORIES= www
MASTER_SITES= http://www.squid-cache.org/Versions/v4/
MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
diff --git a/www/squid4/distinfo b/www/squid4/distinfo
index 215bc16deac..1c65d9ecaff 100644
--- a/www/squid4/distinfo
+++ b/www/squid4/distinfo
@@ -1,14 +1,16 @@
-$NetBSD: distinfo,v 1.3 2020/02/04 03:03:48 taca Exp $
+$NetBSD: distinfo,v 1.3.2.1 2020/04/30 08:35:50 bsiegert Exp $
-SHA1 (squid-4.10.tar.xz) = b8b267771550bb8c7f2b2968b305118090e7217a
-RMD160 (squid-4.10.tar.xz) = 33b4f2fb2a428fb37379541eabb1c892fa29ae44
-SHA512 (squid-4.10.tar.xz) = 033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0
-Size (squid-4.10.tar.xz) = 2445848 bytes
+SHA1 (squid-4.11.tar.xz) = 053277bf5497163ffc9261b9807abda5959bb6fc
+RMD160 (squid-4.11.tar.xz) = 14392a0e6a5b44c0673bcc37b5753d274762b10e
+SHA512 (squid-4.11.tar.xz) = 02d4bb4d5860124347670615e69b1b92be7ea4fc0131e54091a06cb2e67bd73583d8e6cbe472473f0c59764611a49561d02ab9fe2bf0305ce4652d4ec7714f26
+Size (squid-4.11.tar.xz) = 2447700 bytes
+SHA1 (patch-acinclude_os-deps.m4) = 7af769f4df2c8293bec0be1fb4c222da35aa3fee
SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0
-SHA1 (patch-configure) = e7920ba353716e26d0b7559366c86b22cb03adfd
+SHA1 (patch-configure) = 24ae8657741697f4170c5e41657b07715956de95
SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59
+SHA1 (patch-src_ip_Intercept.cc) = dd24a402f3634d156ecaeb4eae815b21c7a0adfa
SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
diff --git a/www/squid4/patches/patch-acinclude_os-deps.m4 b/www/squid4/patches/patch-acinclude_os-deps.m4
new file mode 100644
index 00000000000..c1ebbbe5559
--- /dev/null
+++ b/www/squid4/patches/patch-acinclude_os-deps.m4
@@ -0,0 +1,37 @@
+$NetBSD: patch-acinclude_os-deps.m4,v 1.2.2.2 2020/04/30 08:35:50 bsiegert Exp $
+
+Fix detection of IPv6 NAT in IPFilter by including correct headers
+Generate correct #defines without trailing underscores
+
+https://github.com/squid-cache/squid/pull/596
+
+--- acinclude/os-deps.m4.orig 2020-01-20 02:51:40.000000000 +0000
++++ acinclude/os-deps.m4 2020-04-09 15:59:34.000000000 +0100
+@@ -925,11 +925,13 @@
+ ## Solaris 10+ backported IPv6 NAT to their IPFilter v4.1 instead of using v5
+ AC_CHECK_MEMBERS([
+ struct natlookup.nl_inipaddr.in6,
+- struct natlookup.nl_realipaddr.in6
+- ],,,[
++ struct natlookup.nl_realipaddr.in6],,,[
+ #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
+ #define minor_t fubar
+ #endif
++#if HAVE_SYS_PARAM_H
++#include <sys/param.h>
++#endif
+ #if HAVE_SYS_TYPES_H
+ #include <sys/types.h>
+ #endif
+@@ -955,7 +957,11 @@
+ #elif HAVE_NETINET_IP_FIL_H
+ #include <netinet/ip_fil.h>
+ #endif
++#if HAVE_IP_NAT_H
+ #include <ip_nat.h>
++#elif HAVE_NETINET_IP_NAT_H
++#include <netinet/ip_nat.h>
++#endif
+ ])
+
+ ])
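Review bot: The patch header says the #defines are now generated "without trailing underscores" but does not say what produced them, and the cause is easy to reintroduce. Judging from the first hunk, the line break between `struct natlookup.nl_realipaddr.in6` and `],,,[` ended up in the member name, which matches the `..._in6___` cache variable visible in the generated configure; I would record that in the header, e.g. `The member list must close on the same line as its last entry; trailing whitespace becomes part of the generated macro name.` It would also help to name the headers the old test lacked (`sys/param.h`, and `netinet/ip_nat.h` as the alternative location of `ip_nat.h`), since "correct headers" alone does not tell the next maintainer what to re-check on an update.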
diff --git a/www/squid4/patches/patch-configure b/www/squid4/patches/patch-configure
index 069c9b14ec7..50f4bdc165d 100644
--- a/www/squid4/patches/patch-configure
+++ b/www/squid4/patches/patch-configure
@@ -1,14 +1,16 @@
-$NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
+$NetBSD: patch-configure,v 1.2.2.1 2020/04/30 08:35:50 bsiegert Exp $
* More support for OpenSSL 1.1; not only check SSL_Library_init() but
also check OPENSSL_init_ssl().
* Fix syntax error by accidental new line.
-* Utilisze <stdlib.h> on BSD.
+* Utilize <stdlib.h> on BSD.
* Do not override CFLAGS/CXXFLAGS except linux.
+* Fix detection of IPv6 NAT in IPFilter by including correct headers
+ and generating correct #defines without trailing underscores
--- configure.orig 2020-01-20 02:51:59.000000000 +0000
-+++ configure
-@@ -23201,10 +23201,12 @@ do
++++ configure 2020-04-09 16:05:04.000000000 +0100
+@@ -23201,10 +23201,12 @@
done
# GLIBC 2.30 deprecates sysctl.h. Test with the same flags that (may) break includes later.
@@ -24,7 +26,7 @@ $NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
${TRUE}
;;
mingw)
-@@ -23244,6 +23246,7 @@ done
+@@ -23244,6 +23246,7 @@
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
@@ -32,7 +34,7 @@ $NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
#include <sys/types.h>
#include <sys/socket.h>
-@@ -24080,7 +24083,51 @@ if test "x$ac_cv_lib_ssl_SSL_CTX_new" =
+@@ -24080,7 +24083,51 @@
LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"
else
@@ -85,7 +87,7 @@ $NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
fi
-@@ -24183,7 +24230,51 @@ if test "x$ac_cv_lib_ssl_SSL_CTX_new" =
+@@ -24183,7 +24230,51 @@
LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"
else
@@ -138,7 +140,7 @@ $NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
fi
-@@ -39234,6 +39325,8 @@ else
+@@ -39234,6 +39325,8 @@
# ifdef _MSC_VER
# include <malloc.h>
# define alloca _alloca
@@ -147,12 +149,62 @@ $NetBSD: patch-configure,v 1.2 2020/02/04 03:03:49 taca Exp $
# else
# ifdef HAVE_ALLOCA_H
# include <alloca.h>
-@@ -42057,7 +42150,7 @@ _ACEOF
+@@ -42021,6 +42114,9 @@
+ #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
+ #define minor_t fubar
+ #endif
++#if HAVE_SYS_PARAM_H
++#include <sys/param.h>
++#endif
+ #if HAVE_SYS_TYPES_H
+ #include <sys/types.h>
+ #endif
+@@ -42046,7 +42142,11 @@
+ #elif HAVE_NETINET_IP_FIL_H
+ #include <netinet/ip_fil.h>
+ #endif
++#if HAVE_IP_NAT_H
+ #include <ip_nat.h>
++#elif HAVE_NETINET_IP_NAT_H
++#include <netinet/ip_nat.h>
++#endif
+
+ "
+ if test "x$ac_cv_member_struct_natlookup_nl_inipaddr_in6" = xyes; then :
+@@ -42057,11 +42157,14 @@
fi
-ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6"
+- "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" \
- "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
++ "ac_cv_member_struct_natlookup_nl_realipaddr_in6" "
#if USE_SOLARIS_IPFILTER_MINOR_T_HACK
#define minor_t fubar
+ #endif
++#if HAVE_SYS_PARAM_H
++#include <sys/param.h>
++#endif
+ #if HAVE_SYS_TYPES_H
+ #include <sys/types.h>
+ #endif
+@@ -42087,13 +42190,17 @@
+ #elif HAVE_NETINET_IP_FIL_H
+ #include <netinet/ip_fil.h>
+ #endif
++#if HAVE_IP_NAT_H
+ #include <ip_nat.h>
++#elif HAVE_NETINET_IP_NAT_H
++#include <netinet/ip_nat.h>
++#endif
+
+ "
+-if test "x$ac_cv_member_struct_natlookup_nl_realipaddr_in6___" = xyes; then :
++if test "x$ac_cv_member_struct_natlookup_nl_realipaddr_in6" = xyes; then :
+
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6___ 1
++#define HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6 1
+ _ACEOF
+
+
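Review bot: These hunks hand-edit the generated `configure` to repeat the include block that patch-acinclude_os-deps.m4 changes, once for each of the two member checks, so the same fix now lives in three places at hard-coded offsets. Nothing in the header ties them together; I would add a line such as `* The IPFilter hunks mirror patch-acinclude_os-deps.m4; update both patches together.` The rename also changes which macro lands in confdefs.h (`HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6` instead of the `___` variant), and a mismatch there fails silently because an undefined name in `#if` evaluates to 0, so after each squid version bump it is worth confirming that the define the source tests is the one configure emits. The surrounding configure code is outside this hunk.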
diff --git a/www/squid4/patches/patch-src_ip_Intercept.cc b/www/squid4/patches/patch-src_ip_Intercept.cc
new file mode 100644
index 00000000000..f1c3ef9be43
--- /dev/null
+++ b/www/squid4/patches/patch-src_ip_Intercept.cc
@@ -0,0 +1,24 @@
+$NetBSD: patch-src_ip_Intercept.cc,v 1.1.2.2 2020/04/30 08:35:50 bsiegert Exp $
+
+Fix: use correct #if to look for IPv6 support
+
+--- src/ip/Intercept.cc.orig 2020-01-20 02:51:40.000000000 +0000
++++ src/ip/Intercept.cc 2020-04-09 08:58:13.000000000 +0100
+@@ -204,7 +204,7 @@
+ memset(&natLookup, 0, sizeof(natLookup));
+ // for NAT lookup set local and remote IP:port's
+ if (newConn->remote.isIPv6()) {
+-#if HAVE_NATLOOKUP_NL_INIPADDR_IN6
++#if HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6
+ natLookup.nl_v = 6;
+ newConn->local.getInAddr(natLookup.nl_inipaddr.in6);
+ newConn->remote.getInAddr(natLookup.nl_outipaddr.in6);
+@@ -292,7 +292,7 @@
+ debugs(89, 9, HERE << "address: " << newConn);
+ return false;
+ } else {
+-#if HAVE_NATLOOKUP_NL_REALIPADDR_IN6
++#if HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6
+ if (newConn->remote.isIPv6())
+ newConn->local = natLookup.nl_realipaddr.in6;
+ else
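Review bot: The header line "use correct #if to look for IPv6 support" leaves out the failure mode, which is the part a reader of a security pull-up needs: nothing visible in this commit defines the old `HAVE_NATLOOKUP_*` names, so both IPv6 branches were presumably compiled out with no warning. I would say so in the header, e.g. `AC_CHECK_MEMBERS defines HAVE_STRUCT_NATLOOKUP_*; the old HAVE_NATLOOKUP_* guards were never true, so IPv6 NAT lookups were skipped.`, and cite the upstream change if there is one, as patch-acinclude_os-deps.m4 does. The first guard also writes `nl_outipaddr.in6`, which configure does not probe (only `nl_inipaddr.in6` and `nl_realipaddr.in6` are checked); that is probably fine if the fields share a type, but I cannot confirm it from here. Both functions and their `#else` branches lie outside the hunks.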