diff -u -r -N squid-3.5.9/ChangeLog squid-3.5.10/ChangeLog --- squid-3.5.9/ChangeLog 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/ChangeLog 2015-10-01 07:52:11.000000000 -0700 @@ -1,3 +1,17 @@ +Changes to squid-3.5.10 (01 Oct 2015): + + - Regression Fix cache_peer login=PASS(THRU) after CVE-2015-5400 + - Regression Bug 4326: base64 binary encoder rejects data beginning with nil byte + - Bug 4323: Netfilter broken cross-includes with Linux 4.2 + - Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules + - Bug 4208: more than one port in wccp2_service_info line causes error + - Bug 4304: PeerConnector.cc:743 "!callback" assertion. + - Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size of SSL hello ciphers + - Relicense ntlm_fake_auth.pl to GPLv2+ + - Relicense smb_lm auth helper to GPLv2+ + - Relicense SSPI helper to GPLv2+ + - ... and several minor performance optimizations + Changes to squid-3.5.9 (17 Sep 2015): - Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords diff -u -r -N squid-3.5.9/compat/os/linux.h squid-3.5.10/compat/os/linux.h --- squid-3.5.9/compat/os/linux.h 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/compat/os/linux.h 2015-10-01 07:52:11.000000000 -0700 
@@ -30,6 +30,21 @@ #endif /* + * Netfilter header madness. (see Bug 4323) + * + * Netfilter have a history of defining their own versions of network protocol + * primitives without sufficient protection against the POSIX defines which are + * aways present in Linux. + * + * netinet/in.h must be included before any other sys header in order to properly + * activate include guards in the kernel maintainers added + * to workaround it. + */ +#if HAVE_NETINET_IN_H +#include +#endif + +/* * sys/capability.h is only needed in Linux apparently. * * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc diff -u -r -N squid-3.5.9/configure squid-3.5.10/configure --- squid-3.5.9/configure 2015-09-17 06:08:35.000000000 -0700 +++ squid-3.5.10/configure 2015-10-01 07:54:26.000000000 -0700 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.9. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.10. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.5.9' -PACKAGE_STRING='Squid Web Proxy 3.5.9' +PACKAGE_VERSION='3.5.10' +PACKAGE_STRING='Squid Web Proxy 3.5.10' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1633,7 +1633,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.5.9 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.5.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1704,7 +1704,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.5.9:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.5.10:";; esac cat <<\_ACEOF 
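Review bot: The new header comment has a typo and a garbled sentence: `aways present` should read `always present`, and `activate include guards in the kernel maintainers added to workaround it` reads better as `activate the include guards the kernel maintainers added to work around it`. The `#include` target is not visible in this rendering of the hunk; presumably it is the netinet/in.h the comment names, which is worth confirming since the whole point is that it must come before any other sys header. Guarding it with `HAVE_NETINET_IN_H` is consistent with the rest of the compat layer.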
@@ -2111,7 +2111,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.5.9 +Squid Web Proxy configure 3.5.10 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3215,7 +3215,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.5.9, which was +It was created by Squid Web Proxy $as_me 3.5.10, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4082,7 +4082,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.5.9' + VERSION='3.5.10' cat >>confdefs.h <<_ACEOF @@ -41041,7 +41041,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.5.9, which was +This file was extended by Squid Web Proxy $as_me 3.5.10, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -41107,7 +41107,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.5.9 +Squid Web Proxy config.status 3.5.10 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.5.9/configure.ac squid-3.5.10/configure.ac --- squid-3.5.9/configure.ac 2015-09-17 06:08:35.000000000 -0700 +++ squid-3.5.10/configure.ac 2015-10-01 07:54:26.000000000 -0700 
@@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[3.5.9],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.5.10],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.5.9/CONTRIBUTORS squid-3.5.10/CONTRIBUTORS --- squid-3.5.9/CONTRIBUTORS 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/CONTRIBUTORS 2015-10-01 07:52:11.000000000 -0700 @@ -1,5 +1,6 @@ -Special thanks go to people who have volunteered their time, effort, -and ideas to make this software available. +This file contains a list of Squid contributors: people and organizations that +have volunteered their time, effort, code, and ideas to make Squid software. +Thank you! Adam Ciarcinski Adrian Chadd @@ -19,6 +20,7 @@ Alexis Robert Alex Rousskov Alex Rousskov + Alex Wu Alin Nastac Alter Amos Jeffries @@ -26,6 +28,7 @@ Amos Anatoli Andrea Gagliardi + Andre Albsmeier Andreas Jaeger Andreas Lamprecht Andres Kroonmaa @@ -78,6 +81,7 @@ Christoph Lechleitner Christos Tsantilas Christos Tsantilas + Chudy Fernandez Cloyce Clytie Siddall Colin Coe @@ -186,9 +190,11 @@ Jan Klemkow Jan Niehusmann Jan Sievers + Javad Kouhi Jean-Francois Micouleau Jean-Gabriel Dick Jean-Philippe Menil + Jeff Licquia Jens-S. V?ckler Jeremy Allison Jerry Murdock @@ -205,6 +211,7 @@ Joerg Lehrke Johnathan Conley John Dilley + John M Cooper John Saunders John Xue Jonathan Larmour @@ -212,6 +219,7 @@ Jon Kinred Jon Thackray Jorge Ivan Burgos Aguilar + Jose Luis Godoy Jose-Marcio Martins da Cruz Joshua Root Joshua Root @@ -230,11 +238,13 @@ Leeann Bent Leonid Evdokimov libit + Lubos Uhliarik Luigi Gangitano Luis Daniel Lucio Quiroz Lukas B??gelei Luke Howard Lutz Donnerhacke + Manuel Meitinger Manu Garg Marcello Romani Marcin Wisnicki 
@@ -302,8 +312,12 @@ Olivier W. OpenSolaris Project Oskar Pearson + Patrick Welche + Paulo Matias Paul Z + Pavel Simerda Pavel Timofeev + Pavel Timofeev Pawel Worach Pedro Lineu Orso Pedro Ribeiro @@ -399,6 +413,7 @@ Tony Lorimer Tsantilas Christos Unknown + Unknown - Debian Project Unknown FreeBSD Contributor Unknown - NetBSD Project Various diff -u -r -N squid-3.5.9/CREDITS squid-3.5.10/CREDITS --- squid-3.5.9/CREDITS 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/CREDITS 2015-10-01 07:52:11.000000000 -0700 @@ -1006,7 +1006,7 @@ Bill Welliver 1999 * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details + * version 2 or later. See the file COPYING for licensing details * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -1373,7 +1373,7 @@ # (C) 2000 Francesco Chemolli # Distributed freely under the terms of the GNU General Public License, -# version 2. For the licensing terms, see the file COPYING that +# version 2 or later. For the licensing terms, see the file COPYING that # came with Squid. ============================================================================== @@ -1382,7 +1382,7 @@ * (C) 2000 Francesco Chemolli * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details + * version 2 or later. See the file COPYING for licensing details * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of diff -u -r -N squid-3.5.9/doc/release-notes/release-3.5.html squid-3.5.10/doc/release-notes/release-3.5.html --- squid-3.5.9/doc/release-notes/release-3.5.html 2015-09-17 06:59:10.000000000 -0700 +++ squid-3.5.10/doc/release-notes/release-3.5.html 2015-10-01 08:35:35.000000000 -0700 @@ -2,10 +2,10 @@ - Squid 3.5.9 release notes + Squid 3.5.10 release notes -

Squid 3.5.9 release notes

+

Squid 3.5.10 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.5.9.

+

The Squid Team are pleased to announce the release of Squid-3.5.10.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.5/ or the mirrors.

diff -u -r -N squid-3.5.9/helpers/basic_auth/DB/basic_db_auth.8 squid-3.5.10/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.5.9/helpers/basic_auth/DB/basic_db_auth.8 2015-09-17 06:59:14.000000000 -0700 +++ squid-3.5.10/helpers/basic_auth/DB/basic_db_auth.8 2015-10-01 08:35:38.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 squid-3.5.10/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 --- squid-3.5.9/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2015-09-17 06:59:19.000000000 -0700 +++ squid-3.5.10/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2015-10-01 08:35:42.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_MSNT_MULTI_DOMAIN_AUTH 1" -.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-3.5.10/helpers/basic_auth/POP3/basic_pop3_auth.8 --- squid-3.5.9/helpers/basic_auth/POP3/basic_pop3_auth.8 2015-09-17 06:59:24.000000000 -0700 +++ squid-3.5.10/helpers/basic_auth/POP3/basic_pop3_auth.8 2015-10-01 08:35:45.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/basic_auth/SSPI/basic_sspi_auth.cc squid-3.5.10/helpers/basic_auth/SSPI/basic_sspi_auth.cc --- squid-3.5.9/helpers/basic_auth/SSPI/basic_sspi_auth.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/helpers/basic_auth/SSPI/basic_sspi_auth.cc 2015-10-01 07:52:11.000000000 -0700 @@ -20,7 +20,7 @@ Bill Welliver 1999 * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details + * version 2 or later. See the file COPYING for licensing details * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of diff -u -r -N squid-3.5.9/helpers/basic_auth/SSPI/valid.cc squid-3.5.10/helpers/basic_auth/SSPI/valid.cc --- squid-3.5.9/helpers/basic_auth/SSPI/valid.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/helpers/basic_auth/SSPI/valid.cc 2015-10-01 07:52:11.000000000 -0700 
@@ -22,7 +22,7 @@ Bill Welliver 1999 * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details + * version 2 or later. See the file COPYING for licensing details * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of diff -u -r -N squid-3.5.9/helpers/basic_auth/SSPI/valid.h squid-3.5.10/helpers/basic_auth/SSPI/valid.h --- squid-3.5.9/helpers/basic_auth/SSPI/valid.h 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/helpers/basic_auth/SSPI/valid.h 2015-10-01 07:52:11.000000000 -0700 @@ -21,7 +21,7 @@ Bill Welliver 1999 * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details + * version 2 or later. See the file COPYING for licensing details * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of diff -u -r -N squid-3.5.9/helpers/external_acl/delayer/ext_delayer_acl.8 squid-3.5.10/helpers/external_acl/delayer/ext_delayer_acl.8 --- squid-3.5.9/helpers/external_acl/delayer/ext_delayer_acl.8 2015-09-17 06:59:41.000000000 -0700 +++ squid-3.5.10/helpers/external_acl/delayer/ext_delayer_acl.8 2015-10-01 08:35:56.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.5.10/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.5.9/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-09-17 06:59:50.000000000 -0700 +++ squid-3.5.10/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-10-01 08:36:04.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.5.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.5.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-09-17 06:59:54.000000000 -0700 +++ squid-3.5.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-10-01 08:36:07.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/log_daemon/DB/log_db_daemon.8 squid-3.5.10/helpers/log_daemon/DB/log_db_daemon.8 --- squid-3.5.9/helpers/log_daemon/DB/log_db_daemon.8 2015-09-17 06:59:57.000000000 -0700 +++ squid-3.5.10/helpers/log_daemon/DB/log_db_daemon.8 2015-10-01 08:36:09.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/helpers/ntlm_auth/fake/ntlm_fake_auth.pl.in squid-3.5.10/helpers/ntlm_auth/fake/ntlm_fake_auth.pl.in --- squid-3.5.9/helpers/ntlm_auth/fake/ntlm_fake_auth.pl.in 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/helpers/ntlm_auth/fake/ntlm_fake_auth.pl.in 2015-10-01 07:52:11.000000000 -0700 
@@ -9,7 +9,7 @@ # # (C) 2000 Francesco Chemolli # Distributed freely under the terms of the GNU General Public License, -# version 2. For the licensing terms, see the file COPYING that +# version 2 or later. For the licensing terms, see the file COPYING that # came with Squid. # # This is a dummy NTLM authentication module for Squid. diff -u -r -N squid-3.5.9/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc squid-3.5.10/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc --- squid-3.5.9/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc 2015-10-01 07:52:11.000000000 -0700 @@ -9,7 +9,7 @@ /* * (C) 2000 Francesco Chemolli * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details + * version 2 or later. See the file COPYING for licensing details * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of diff -u -r -N squid-3.5.9/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.5.10/helpers/storeid_rewrite/file/storeid_file_rewrite.8 --- squid-3.5.9/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-09-17 07:00:12.000000000 -0700 +++ squid-3.5.10/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-10-01 08:36:21.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 "2015-09-17" "perl v5.20.2" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 "2015-10-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.9/include/hash.h squid-3.5.10/include/hash.h --- squid-3.5.9/include/hash.h 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/include/hash.h 2015-10-01 07:52:11.000000000 -0700 @@ -12,15 +12,16 @@ typedef void HASHFREE(void *); typedef int HASHCMP(const void *, const void *); typedef unsigned int HASHHASH(const void *, unsigned int); -typedef struct _hash_link hash_link; -typedef struct _hash_table hash_table; -struct _hash_link { +class hash_link { +public: + hash_link() : key(NULL), next(NULL) {} void *key; hash_link *next; }; -struct _hash_table { +class hash_table { +public: hash_link **buckets; HASHCMP *cmp; HASHHASH *hash; diff -u -r -N squid-3.5.9/include/MemPool.h squid-3.5.10/include/MemPool.h --- squid-3.5.9/include/MemPool.h 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/include/MemPool.h 2015-10-01 07:52:11.000000000 -0700 @@ -319,7 +319,8 @@ void \ CLASS::operator delete (void *address) \ { \ - Pool().freeOne(address); \ + if (address) \ + Pool().freeOne(address); \ } /// \ingroup MemPoolsAPI diff -u -r -N squid-3.5.9/include/version.h squid-3.5.10/include/version.h --- squid-3.5.9/include/version.h 2015-09-17 06:08:36.000000000 -0700 +++ squid-3.5.10/include/version.h 2015-10-01 07:54:27.000000000 -0700 
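Review bot: `hash_table` is converted to a class alongside `hash_link` but gets no constructor, so its `buckets`, `cmp` and `hash` members stay uninitialized unless every construction site sets them, which this hunk cannot show. For consistency with the new `hash_link()` initializer, consider `hash_table() : buckets(NULL), cmp(NULL), hash(NULL) {}`, extended to whichever members follow beyond the hunk. The rest of `hash_table`'s body continues outside the hunk.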
@@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1442495171 +#define SQUID_RELEASE_TIME 1443711114 #endif /* diff -u -r -N squid-3.5.9/lib/base64.c squid-3.5.10/lib/base64.c --- squid-3.5.9/lib/base64.c 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/lib/base64.c 2015-10-01 07:52:11.000000000 -0700 @@ -149,7 +149,7 @@ int char_count = 0; int out_cnt = 0; - if (!data || !*data || !result || result_size < 1 || data_size < 1) + if (!data || !result || result_size < 1 || data_size < 1) return 0; if (!base64_initialized) diff -u -r -N squid-3.5.9/RELEASENOTES.html squid-3.5.10/RELEASENOTES.html --- squid-3.5.9/RELEASENOTES.html 2015-09-17 06:59:10.000000000 -0700 +++ squid-3.5.10/RELEASENOTES.html 2015-10-01 08:35:35.000000000 -0700 @@ -2,10 +2,10 @@ - Squid 3.5.9 release notes + Squid 3.5.10 release notes -
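Review bot: The relaxed guard in base64.c deserves a short comment, since a later reader may take the missing `!*data` test for an oversight rather than the Bug 4326 fix: `// data is binary and may begin with a NUL byte; only data_size bounds it`. With that test gone the function relies entirely on the caller's `data_size`, which is the right contract for a binary encoder. The encoder's loop body continues beyond the hunk.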

Squid 3.5.9 release notes

+

Squid 3.5.10 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.5.9.

+

The Squid Team are pleased to announce the release of Squid-3.5.10.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.5/ or the mirrors.

diff -u -r -N squid-3.5.9/src/external_acl.cc squid-3.5.10/src/external_acl.cc --- squid-3.5.9/src/external_acl.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/external_acl.cc 2015-10-01 07:52:11.000000000 -0700 @@ -1104,8 +1104,14 @@ case Format::LFT_USER_NAME: /* find the first available name from various sources */ #if USE_AUTH + // if this ACL line was the cause of credentials fetch + // they may not already be in the checklist + if (!ch->auth_user_request && ch->request) + ch->auth_user_request = ch->request->auth_user_request; + if (ch->auth_user_request != NULL) str = ch->auth_user_request->username(); + if ((!str || !*str) && (request->extacl_user.size() > 0 && request->extacl_user[0] != '-')) str = request->extacl_user.termedBuf(); diff -u -r -N squid-3.5.9/src/ipc/SharedListen.cc squid-3.5.10/src/ipc/SharedListen.cc --- squid-3.5.9/src/ipc/SharedListen.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/ipc/SharedListen.cc 2015-10-01 07:52:11.000000000 -0700 @@ -21,6 +21,7 @@ #include "ipc/TypedMsgHdr.h" #include "tools.h" +#include #include /// holds information necessary to handle JoinListen response @@ -35,6 +36,10 @@ typedef std::map SharedListenRequestMap; static SharedListenRequestMap TheSharedListenRequestMap; +/// accumulates delayed requests until they are ready to be sent, in FIFO order +typedef std::list DelayedSharedListenRequests; +static DelayedSharedListenRequests TheDelayedRequests; + static int AddToMap(const PendingOpenRequest &por) { 
@@ -106,31 +111,59 @@ hdrMsg.putFd(fd); } -void Ipc::JoinSharedListen(const OpenListenerParams ¶ms, - AsyncCall::Pointer &callback) +static void +SendSharedListenRequest(const PendingOpenRequest &por) { - PendingOpenRequest por; - por.params = params; - por.callback = callback; - - SharedListenRequest request; + Ipc::SharedListenRequest request; request.requestorId = KidIdentifier; request.params = por.params; request.mapId = AddToMap(por); - debugs(54, 3, HERE << "getting listening FD for " << request.params.addr << + debugs(54, 3, "getting listening FD for " << request.params.addr << " mapId=" << request.mapId); - TypedMsgHdr message; + Ipc::TypedMsgHdr message; request.pack(message); SendMessage(Ipc::Port::CoordinatorAddr(), message); } +static void +kickDelayedRequest() +{ + if (TheDelayedRequests.empty()) + return; // no pending requests to resume + + debugs(54, 3, "resuming with " << TheSharedListenRequestMap.size() << + " active + " << TheDelayedRequests.size() << " delayed requests"); + + SendSharedListenRequest(*TheDelayedRequests.begin()); + TheDelayedRequests.pop_front(); +} + +void +Ipc::JoinSharedListen(const OpenListenerParams ¶ms, AsyncCall::Pointer &cb) +{ + PendingOpenRequest por; + por.params = params; + por.callback = cb; + + const DelayedSharedListenRequests::size_type concurrencyLimit = 1; + if (TheSharedListenRequestMap.size() >= concurrencyLimit) { + debugs(54, 3, "waiting for " << TheSharedListenRequestMap.size() << + " active + " << TheDelayedRequests.size() << " delayed requests"); + TheDelayedRequests.push_back(por); + } else { + SendSharedListenRequest(por); + } +} + void Ipc::SharedListenJoined(const SharedListenResponse &response) { // Dont debugs c fully since only FD is filled right now. 
- debugs(54, 3, HERE << "got listening FD " << response.fd << " errNo=" << - response.errNo << " mapId=" << response.mapId); + debugs(54, 3, "got listening FD " << response.fd << " errNo=" << + response.errNo << " mapId=" << response.mapId << " with " << + TheSharedListenRequestMap.size() << " active + " << + TheDelayedRequests.size() << " delayed requests"); Must(TheSharedListenRequestMap.find(response.mapId) != TheSharedListenRequestMap.end()); PendingOpenRequest por = TheSharedListenRequestMap[response.mapId]; @@ -158,5 +191,7 @@ cbd->errNo = response.errNo; cbd->handlerSubscription = por.params.handlerSubscription; ScheduleCallHere(por.callback); + + kickDelayedRequest(); } diff -u -r -N squid-3.5.9/src/ssl/bio.cc squid-3.5.10/src/ssl/bio.cc --- squid-3.5.9/src/ssl/bio.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/ssl/bio.cc 2015-10-01 07:52:11.000000000 -0700 @@ -1010,9 +1010,8 @@ ciphers += 2; if (ciphersLen) { const SSL_METHOD *method = SSLv3_method(); - const int cs = method->put_cipher_by_char(NULL, NULL); - assert(cs > 0); - for (size_t i = 0; i < ciphersLen; i += cs) { + for (size_t i = 0; i < ciphersLen; i += 2) { + // each cipher in v3/tls HELLO message is of size 2 const SSL_CIPHER *c = method->get_cipher_by_char((ciphers + i)); if (c != NULL) { if (!clientRequestedCiphers.empty()) @@ -1108,9 +1107,7 @@ if (ciphersLen) { const SSL_METHOD *method = SSLv23_method(); - int cs = method->put_cipher_by_char(NULL, NULL); - assert(cs > 0); - for (unsigned int i = 0; i < ciphersLen; i += cs) { + for (unsigned int i = 0; i < ciphersLen; i += 3) { // The v2 hello messages cipher has 3 bytes. // The v2 cipher has the first byte not null // Because we are going to sent only v3 message we diff -u -r -N squid-3.5.9/src/ssl/PeerConnector.cc squid-3.5.10/src/ssl/PeerConnector.cc --- squid-3.5.9/src/ssl/PeerConnector.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/ssl/PeerConnector.cc 2015-10-01 07:52:11.000000000 -0700 
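Review bot: `kickDelayedRequest()` sends from `*TheDelayedRequests.begin()` and only then pops, so if `SendSharedListenRequest()` throws after `AddToMap()` (it also calls `SendMessage()`), the request could remain in the delayed list as well as in `TheSharedListenRequestMap` and be sent again on the next kick; popping into a local first, `const PendingOpenRequest por = TheDelayedRequests.front(); TheDelayedRequests.pop_front(); SendSharedListenRequest(por);`, avoids that, and `front()` reads better than `*begin()` regardless. Whether those calls can throw is not visible here. The `concurrencyLimit` of 1 in `JoinSharedListen()` is a behavioural constant worth a one-line comment saying why a kid keeps at most one request outstanding with the Coordinator.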
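Review bot: The new stride loop `for (size_t i = 0; i < ciphersLen; i += 2)` in bio.cc (and `i += 3` in the second hunk at @@ -1108) still lets `get_cipher_by_char(ciphers + i)` read past the cipher list when `ciphersLen` is not a multiple of the stride, because the last iteration can start at `ciphersLen - 1`; unless the length is validated earlier outside the hunk, the bound should be `i + 2 <= ciphersLen` (and `i + 3 <= ciphersLen`). These bytes come from the client HELLO, so the over-read is reachable from untrusted input even if it only lands inside the enclosing buffer. Dropping `put_cipher_by_char` in favour of the fixed 2/3 byte sizes is fine, but the comment `// each cipher in v3/tls HELLO message is of size 2` would sit better above the loop than inside it. Both enclosing functions start and end outside the hunks.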
@@ -370,7 +370,17 @@ Ssl::PeerConnector::cbCheckForPeekAndSpliceDone(allow_t answer, void *data) { Ssl::PeerConnector *peerConnect = (Ssl::PeerConnector *) data; - peerConnect->checkForPeekAndSpliceDone((Ssl::BumpMode)answer.kind); + // Use job calls to add done() checks and other job logic/protections. + CallJobHere1(83, 7, CbcPointer(peerConnect), Ssl::PeerConnector, checkForPeekAndSpliceDone, answer); +} + +void +Ssl::PeerConnector::checkForPeekAndSpliceDone(allow_t answer) +{ + const Ssl::BumpMode finalAction = (answer.code == ACCESS_ALLOWED) ? + static_cast(answer.kind): + checkForPeekAndSpliceGuess(); + checkForPeekAndSpliceMatched(finalAction); } void @@ -404,7 +414,7 @@ } void -Ssl::PeerConnector::checkForPeekAndSpliceDone(Ssl::BumpMode const action) +Ssl::PeerConnector::checkForPeekAndSpliceMatched(const Ssl::BumpMode action) { SSL *ssl = fd_table[serverConn->fd].ssl; BIO *b = SSL_get_rbio(ssl); @@ -437,6 +447,23 @@ } } +Ssl::BumpMode +Ssl::PeerConnector::checkForPeekAndSpliceGuess() const +{ + if (const ConnStateData *csd = request->clientConnectionManager.valid()) { + const Ssl::BumpMode currentMode = csd->sslBumpMode; + if (currentMode == Ssl::bumpStare) { + debugs(83,5, "default to bumping after staring"); + return Ssl::bumpBump; + } + debugs(83,5, "default to splicing after " << currentMode); + } else { + debugs(83,3, "default to splicing due to missing info"); + } + + return Ssl::bumpSplice; +} + void Ssl::PeerConnector::sslCrtvdHandleReplyWrapper(void *data, Ssl::CertValidationResponse const &validationResponse) { @@ -609,7 +636,7 @@ if (srvBio->bumpMode() == Ssl::bumpPeek && (resumingSession = srvBio->resumingSession())) { // we currently splice all resumed sessions unconditionally if (const bool spliceResumed = true) { - checkForPeekAndSpliceDone(Ssl::bumpSplice); + checkForPeekAndSpliceMatched(Ssl::bumpSplice); return; } // else fall through to find a matching ssl_bump action (with limited info) } 
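Review bot: The fallback in the new `checkForPeekAndSpliceDone(allow_t answer)` deserves a comment, because the ternary hides that any non-`ACCESS_ALLOWED` answer (a denied or indeterminate ssl_bump check) silently becomes a guess rather than an error: `// no ssl_bump rule matched: fall back to a mode guessed from the client side`. The ternary's formatting is also off, `static_cast<...>(answer.kind):` lacks a space before the colon, and the cast's target type is not visible in this rendering (presumably `Ssl::BumpMode`). `checkForPeekAndSpliceGuess()` in the @@ -437 hunk defaults to splicing, the non-intercepting choice, whenever the client connection state is unavailable, which is the safer direction for a default.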
@@ -744,7 +771,13 @@ { // XXX: unregister fd-closure monitoring and CommSetSelect interest, if any AsyncJob::swanSong(); - assert(!callback); // paranoid: we have not left the caller waiting + if (callback != NULL) { // paranoid: we have left the caller waiting + debugs(83, DBG_IMPORTANT, "BUG: Unexpected state while connecting to a cache_peer or origin server"); + ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw()); + bail(anErr); + assert(!callback); + return; + } } const char * diff -u -r -N squid-3.5.9/src/ssl/PeerConnector.h squid-3.5.10/src/ssl/PeerConnector.h --- squid-3.5.9/src/ssl/PeerConnector.h 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/ssl/PeerConnector.h 2015-10-01 07:52:11.000000000 -0700 @@ -126,8 +126,13 @@ void checkForPeekAndSplice(); /// Callback function for ssl_bump acl check in step3 SSL bump step. + void checkForPeekAndSpliceDone(allow_t answer); + /// Handles the final bumping decision. - void checkForPeekAndSpliceDone(Ssl::BumpMode const); + void checkForPeekAndSpliceMatched(const Ssl::BumpMode finalMode); + + /// Guesses the final bumping decision when no ssl_bump rules match. + Ssl::BumpMode checkForPeekAndSpliceGuess() const; /// Called when the SSL negotiation step aborted because data needs to /// be transferred to/from SSL server or on error. In the first case diff -u -r -N squid-3.5.9/src/store.cc squid-3.5.10/src/store.cc --- squid-3.5.9/src/store.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/store.cc 2015-10-01 07:52:11.000000000 -0700 
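Review bot: The trailing `return;` inside the new `if (callback != NULL)` block in `swanSong()` is redundant, as the block is the last statement of the function, and the `assert(!callback)` after `bail(anErr)` now depends on `bail()` clearing `callback`, which this hunk does not show; a comment such as `// bail() must have consumed callback` would make that dependency explicit. Raising an error through `bail()` during job teardown is a reasonable replacement for the bare assertion from Bug 4304, but it should be confirmed not to re-enter job logic after `AsyncJob::swanSong()` has already run. The function's signature is outside the hunk.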
@@ -144,25 +144,6 @@ fatal("Store::unlink on invalid Store\n"); } -void * -StoreEntry::operator new (size_t bytecount) -{ - assert (bytecount == sizeof (StoreEntry)); - - if (!pool) { - pool = memPoolCreate ("StoreEntry", bytecount); - pool->setChunkSize(2048 * 1024); - } - - return pool->alloc(); -} - -void -StoreEntry::operator delete (void *address) -{ - pool->freeOne(address); -} - void StoreEntry::makePublic() { diff -u -r -N squid-3.5.9/src/Store.h squid-3.5.10/src/Store.h --- squid-3.5.9/src/Store.h 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/Store.h 2015-10-01 07:52:11.000000000 -0700 @@ -50,6 +50,8 @@ */ class StoreEntry : public hash_link { +public: + MEMPROXY_CLASS(StoreEntry); public: static DeferredRead::DeferrableRead DeferReader; @@ -184,8 +186,6 @@ return false; }; - void *operator new(size_t byteCount); - void operator delete(void *address); void setReleaseFlag(); #if USE_SQUID_ESI @@ -242,6 +242,8 @@ bool hasOneOfEtags(const String &reqETags, const bool allowWeakMatch) const; }; +MEMPROXY_CLASS_INLINE(StoreEntry); + std::ostream &operator <<(std::ostream &os, const StoreEntry &e); /// \ingroup StoreAPI diff -u -r -N squid-3.5.9/src/tests/stub_store.cc squid-3.5.10/src/tests/stub_store.cc --- squid-3.5.9/src/tests/stub_store.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/tests/stub_store.cc 2015-10-01 07:52:11.000000000 -0700 
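Review bot: The Store.h hunk introduces two consecutive `public:` labels around `MEMPROXY_CLASS(StoreEntry);`; the second is redundant and can be dropped. The removed `StoreEntry::operator new` in store.cc set `pool->setChunkSize(2048 * 1024)`; if `MEMPROXY_CLASS` uses the pool's default chunk size, this is a quiet change in allocation granularity for a hot type and is worth a line next to the macro saying so, or confirming the default is acceptable. The `StoreEntry` class body continues outside the hunks.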
@@ -81,12 +81,6 @@ void StoreEntry::getPublicByRequestMethod(StoreClient * aClient, HttpRequest * request, const HttpRequestMethod& method) STUB void StoreEntry::getPublicByRequest(StoreClient * aClient, HttpRequest * request) STUB void StoreEntry::getPublic(StoreClient * aClient, const char *uri, const HttpRequestMethod& method) STUB -void *StoreEntry::operator new(size_t byteCount) -{ - STUB - return new StoreEntry(); -} -void StoreEntry::operator delete(void *address) STUB void StoreEntry::setReleaseFlag() STUB //#if USE_SQUID_ESI //ESIElement::Pointer StoreEntry::cachedESITree STUB_RETVAL(NULL) diff -u -r -N squid-3.5.9/src/tunnel.cc squid-3.5.10/src/tunnel.cc --- squid-3.5.9/src/tunnel.cc 2015-09-17 06:06:28.000000000 -0700 +++ squid-3.5.10/src/tunnel.cc 2015-10-01 07:52:11.000000000 -0700 @@ -112,7 +112,7 @@ /// Sends "502 Bad Gateway" error response to the client, /// if it is waiting for Squid CONNECT response, closing connections. - void informUserOfPeerError(const char *errMsg); + void informUserOfPeerError(const char *errMsg, size_t); class Connection { 
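Review bot: The new parameter in `void informUserOfPeerError(const char *errMsg, size_t);` in tunnel.cc is unnamed and the doc comment above it still says the method only sends `502 Bad Gateway`, while the definition now relays the peer's own response headers when given a non-zero size; name it `size_t sz` and extend the comment, e.g. `/// When sz is non-zero, relays the first sz bytes of the peer response to the client instead and closes the server connection`. Keeping the declaration's comment in step with the new behaviour matters here because the definition's own comment ties the server close to CVE-2015-5400.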
@@ -390,20 +390,36 @@ } void
-TunnelStateData::informUserOfPeerError(const char *errMsg)
+TunnelStateData::informUserOfPeerError(const char *errMsg, const size_t sz)
{ server.len = 0;
+
+ if (logTag_ptr)
+ *logTag_ptr = LOG_TCP_TUNNEL;
+
if (!clientExpectsConnectResponse()) { // closing the connection is the best we can do here debugs(50, 3, server.conn << " closing on error: " << errMsg); server.conn->close(); return; }
- ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw());
- err->callback = tunnelErrorComplete;
- err->callback_data = this;
- *status_ptr = Http::scBadGateway;
- errorSend(http->getConn()->clientConnection, err);
+
+ // if we have no reply suitable to relay, use 502 Bad Gateway
+ if (!sz || sz > static_cast(connectRespBuf->contentSize())) {
+ ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw());
+ *status_ptr = Http::scBadGateway;
+ err->callback = tunnelErrorComplete;
+ err->callback_data = this;
+ errorSend(http->getConn()->clientConnection, err);
+ return;
+ }
+
+ // if we need to send back the server response. write its headers to the client
+ server.len = sz;
+ memcpy(server.buf, connectRespBuf->content(), server.len);
+ copy(server.len, server, client, TunnelStateData::WriteClientDone);
+ // then close the server FD to prevent any relayed keep-alive causing CVE-2015-5400
+ server.closeIfOpen();
} /* Read from client side and queue it for writing to the server */
@@ -437,7 +453,7 @@ const bool parsed = rep.parse(connectRespBuf, eof, &parseErr); if (!parsed) { if (parseErr > 0) { // unrecoverable parsing error
- informUserOfPeerError("malformed CONNECT response from peer");
+ informUserOfPeerError("malformed CONNECT response from peer", 0);
return; }
@@ -446,7 +462,7 @@ assert(!parseErr); if (!connectRespBuf->hasSpace()) {
- informUserOfPeerError("huge CONNECT response from peer");
+ informUserOfPeerError("huge CONNECT response from peer", 0);
return; }
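Review bot: `memcpy(server.buf, connectRespBuf->content(), server.len)` in the new relay path bounds `sz` only against the source, `connectRespBuf->contentSize()`, and not against the capacity of the destination `server.buf`; from this hunk alone it is not visible that the maximum connectRespBuf size (enforced by the `hasSpace()` check in the following hunk) can never exceed the size of server.buf. Extending the existing guard to `if (!sz || sz > contentSize || sz > <server.buf capacity>)`, with the real capacity member in place of the placeholder, or an assert immediately before the copy, would state the invariant in the one place it matters instead of relying on two buffers being sized in step elsewhere. The function is entirely inside the hunk.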
@@ -458,10 +474,16 @@ // CONNECT response was successfully parsed *status_ptr = rep.sline.status();
+ // we need to relay the 401/407 responses when login=PASS(THRU)
+ const char *pwd = server.conn->getPeer()->login;
+ const bool relay = pwd && (strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0) &&
+ (*status_ptr == Http::scProxyAuthenticationRequired ||
+ *status_ptr == Http::scUnauthorized);
+
// bail if we did not get an HTTP 200 (Connection Established) response if (rep.sline.status() != Http::scOkay) { // if we ever decide to reuse the peer connection, we must extract the error response first
- informUserOfPeerError("unsupported CONNECT response status code");
+ informUserOfPeerError("unsupported CONNECT response status code", (relay ? rep.hdr_sz : 0));
return; }
diff -u -r -N squid-3.5.9/src/wccp2.cc squid-3.5.10/src/wccp2.cc
--- squid-3.5.9/src/wccp2.cc 2015-09-17 06:06:28.000000000 -0700
+++ squid-3.5.10/src/wccp2.cc 2015-10-01 07:52:11.000000000 -0700
@@ -2238,12 +2238,19 @@ int i = 0; char *tmp = options;
+ static char copy[10];
while (size_t len = strcspn(tmp, ",")) { if (i >= WCCP2_NUMPORTS) { fatalf("parse_wccp2_service_ports: too many ports (maximum: 8) in list '%s'\n", options); }
- int p = xatoi(tmp);
+ if (len > 6) { // 6 because "65535,"
+ fatalf("parse_wccp2_service_ports: port value '%s' isn't valid (1..65535)\n", tmp);
+ }
+
+ memcpy(copy, tmp, len);
+ copy[len] = '\0';
+ int p = xatoi(copy);
if (p < 1 || p > 65535) { fatalf("parse_wccp2_service_ports: port value '%s' isn't valid (1..65535)\n", tmp);
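Review bot: The `relay` condition is a tautology for any non-null `pwd`: `strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0` holds for every string, since no string equals both, so any configured `login=` value (fixed credentials included) causes the peer's 401/407 headers to be relayed to the client, which contradicts the comment that this is meant for login=PASS(THRU) only. The intended test is presumably equality: `const bool relay = pwd && (strcmp(pwd, "PASS") == 0 || strcmp(pwd, "PASSTHRU") == 0) &&`. Separately, `server.conn->getPeer()` is dereferenced without a null check on the new line; if this path can be reached without a peer, that needs a guard as well. The enclosing function continues outside the hunk.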
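Review bot: `static char copy[10];` gives a function-local scratch buffer static storage for no visible reason; the `if (len > 6)` guard already bounds the copy to at most seven bytes, so an automatic `char copy[10];` does the same job. The comment `// 6 because "65535,"` is slightly misleading because `len` from `strcspn(tmp, ",")` excludes the comma, so a six-character token passes this guard and is only rejected by the `p < 1 || p > 65535` range check below; `// 6: longest valid port "65535" plus one, the range check below rejects the rest` would be accurate. Both fatalf calls print `tmp`, the remainder of the whole list, rather than the single offending token, which makes the error harder to act on. parse_wccp2_service_ports continues outside the hunk.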
