>From the advisory:
Due to incorrect input handling, Squid is vulnerable to a
Cross-Site Scripting vulnerability when generating HTTPS response
messages about TLS errors.
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
Add the patch from the 3.5 branch fixing this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The test doesn't make sense. It just exits without any error if the
binary doesn't exist, which is silly.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.
The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As all librt and libpthread functions are integrated into
libc for a while, workaround no longer required.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license strings as much as possible.
SPDX short identifier for GPLv2/GPLv2+ is GPL-2.0/GPL-2.0+.
This change is done by using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv2\>/GPL-2.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-4553 - Cache Poisoning issue in HTTP Request handling
CVE-2016-4554 - Header Smuggling issue in HTTP Request processing
CVE-2016-4555 - Multiple Denial of Service issues in ESI Response
processing (client_side_request.cc)
CVE-2016-4556 - Multiple Denial of Service issues in ESI Response
processing (Esi.cc)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
SQUID-2016:5 (CVE-2016-4051) - Buffer overflow in cachemgr.cgi
SQUID-2016:6 (CVE-2016-4052) - Multiple issues in ESI processing.
CVE-2016-4053 & CVE-2016-4054 which are part of SQUID-2016:6.
Switch to xz-compressed tarball as well.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that the libcap package has a patch that makes it build with
kernel headers < 3.0 (which was needed for the host variant of
libcap), there is no longer a need to have a dependency on headers >=
3.0 for the target variant of libcap.
All reverse dependencies of libcap are handled in this commit, except
lxc, which will be handled in a separate commit since it needs some
special solution.
The build of all those packages has been tested with a toolchain that
uses kernel headers 2.6.32, which is the oldest that our default glibc
version accepts to use.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
squid can use the __sync built-ins when available, but uses an
AC_TRY_RUN autoconf tests to check their availability, which isn't
compatible with cross-compilation. Due to this, squid.mk is already
hinting the configure script about this by passing
squid_cv_gnu_atomics=yes/no depending on the availability of atomic
operations.
So far, squid.mk was assuming that BR2_ARCH_HAS_ATOMICS &&
BR2_ARCH_IS_64 was needed, since 8 bytes __sync built-ins are
used. However, this was a bit too restrictive, since certain 32 bits
architectures (ARM, x86) do provide 8 bytes __sync built-ins.
So, instead of using BR2_ARCH_HAS_ATOMICS, we now rely on
BR2_TOOLCHAIN_HAS_SYNC_4 and BR2_TOOLCHAIN_HAS_SYNC_8, since both 4
bytes and 8 bytes __sync built-ins are tested by the autoconf test.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Switch to bz2 tarball since there doesn't seem to be an xz release this
time around.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
squid comes with a .service file, but does not install it.
[Thomas: use relative path for symlink instead of absolute path.]
Signed-off-by: Alex Suykov <alex.suykov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Squid 3.5.x deprecated the use of HOSTCXX & friends in favour of
BUILDCXX and BUILDCXXFLAGS.
When they are not specified BUILDCXXFLAGS takes flags from target
CXXFLAGS which specifies C11 standard and which older vesions of gcc
don't understand, thus causing breakage.
cf_gen hasn't got any C11 features so it's not required. Fixes:
http://autobuild.buildroot.net/results/816/8162e4ec941e7642248373be47cca99113a648e8/
Also drop ACLOCAL and AUTOMAKE trickery from e27ccbab since it's no
longer required.
And fix a typo in the hash file pointing to an improper hash file
upstream.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
