diff -u -r -N squid-6.4/ChangeLog squid-6.5/ChangeLog
--- squid-6.4/ChangeLog 2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/ChangeLog 2023-11-06 16:41:43.000000000 +1300
@@ -1,3 +1,11 @@
+Changes in squid-6.5 (5 Nov 2023):
+
+ - Bug 5309: frequent "lowestOffset () <= target_offset" assertion
+ - Bug 4977: Remove mem_hdr::freeDataUpto() assertion
+ - Fix handling of expanding HTTP header values
+ - Fix RFC 1123 date parsing
+ - Gracefully shutdown when helper process startup fails
+
Changes in squid-6.4 (22 Oct 2023):
- Regression: Restore support for legacy cache_object cache manager requests
diff -u -r -N squid-6.4/configure squid-6.5/configure
--- squid-6.4/configure 2023-10-22 01:43:00.000000000 +1300
+++ squid-6.5/configure 2023-11-06 17:32:33.000000000 +1300
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Squid Web Proxy 6.4.
+# Generated by GNU Autoconf 2.71 for Squid Web Proxy 6.5.
#
# Report bugs to
@@ -59,7 +59,7 @@
The Squid Team are pleased to announce the release of Squid-6.4 for testing.
+The Squid Team are pleased to announce the release of Squid-6.5 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v6/ or the mirrors.
diff -u -r -N squid-6.4/include/version.h squid-6.5/include/version.h
--- squid-6.4/include/version.h 2023-10-22 01:43:00.000000000 +1300
+++ squid-6.5/include/version.h 2023-11-06 17:32:33.000000000 +1300
@@ -10,7 +10,7 @@
 #define SQUID_VERSION_H
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1697892169
+#define SQUID_RELEASE_TIME 1699245141
 #endif
 /*
diff -u -r -N squid-6.4/RELEASENOTES.html squid-6.5/RELEASENOTES.html
--- squid-6.4/RELEASENOTES.html 2023-10-22 01:47:10.000000000 +1300
+++ squid-6.5/RELEASENOTES.html 2023-11-06 17:36:30.000000000 +1300
@@ -3,10 +3,10 @@ -@@ -59,7 +59,7 @@
The Squid Team are pleased to announce the release of Squid-6.4 for testing.
+The Squid Team are pleased to announce the release of Squid-6.5 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v6/ or the mirrors.
diff -u -r -N squid-6.4/scripts/update-contributors.pl squid-6.5/scripts/update-contributors.pl
--- squid-6.4/scripts/update-contributors.pl 2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/scripts/update-contributors.pl 2023-11-06 16:41:43.000000000 +1300
@@ -9,6 +9,7 @@
 use strict;
 use warnings;
+use Getopt::Long;
 # Reads (presumed to be previously vetted) CONTRIBUTORS file.
 # Reads untrusted CONTIBUTORS-like new input (without the preamble).
@@ -26,6 +27,16 @@
 my $SkippedEmptyLines = 0;
 my $SkippedBadLines = 0;
+# Brief display by default.
+# Use --quiet for no output
+# Use -v or --verbose for more details, repeating them for even more details.
+my $VerboseOutput = 1;
+
+GetOptions(
+ 'quiet' => sub { $VerboseOutput = 0 },
+ 'verbose+' => \$VerboseOutput, 'v+' => \$VerboseOutput,
+ ) or die("$0: Bad command line arguments\n");
+
 my @VettedContributors = ();
 my @NewContributors = ();
 my %Problems = ();
@@ -269,14 +280,16 @@
 die(ref($c)) unless ref($c) eq 'HASH';
 if (&isManuallyExcluded($c)) {
- ¬eProblem("Skipping banned entry: %s\n", $c->{raw});
+ ¬eProblem("Skipping banned entry: %s\n", $c->{raw}) if ($VerboseOutput > 0);
 ++$SkippedBanned;
 next;
 }
 if (my ($vettedC) = grep { &similarToVetted($c, $_) } @VettedContributors) {
- ¬eProblem("Skipping already vetted:\n %s\n %s\n", $vettedC->{raw}, $c->{raw})
- unless &contributorToString($vettedC) eq &contributorToString($c);
+ if ($VerboseOutput > 1) {
+ ¬eProblem("Skipping already vetted:\n %s\n %s\n", $vettedC->{raw}, $c->{raw})
+ unless &contributorToString($vettedC) eq &contributorToString($c);
+ }
 ++$SkippedAlreadyVetted;
 next;
 }
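Review bot: The two specs `'verbose+' => \$VerboseOutput, 'v+' => \$VerboseOutput` in the new GetOptions call bind one counter twice; Getopt::Long's alias syntax says the same thing once, `'verbose|v+' => \$VerboseOutput`, and keeps the long and short forms from drifting apart if the spec is ever edited. Note also that `quiet` is a callback that resets the counter while the increment specs raise it, so `--quiet -v` ends at 1 (brief) and `-v --quiet` at 0; if that order dependence is intended, the `# Use --quiet for no output` comment should say that quiet only cancels verbosity given before it.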
@@ -292,8 +305,10 @@
 while (@NewContributors) {
 my $c = pop @NewContributors;
 if (my ($otherC) = grep { &worseThan($c, $_) } (@VettedContributors, @NewContributors, @ngContributors)) {
- ¬eProblem("Skipping very similar:\n %s\n %s\n", $otherC->{raw}, $c->{raw})
- unless &contributorToString($otherC) eq &contributorToString($c);
+ if ($VerboseOutput > 0) {
+ ¬eProblem("Skipping very similar:\n %s\n %s\n", $otherC->{raw}, $c->{raw})
+ unless &contributorToString($otherC) eq &contributorToString($c);
+ }
 ++$SkippedNewDuplicates;
 next;
 }
@@ -341,20 +356,27 @@
 &printContributors();
- # TODO: Disable this debugging-like dump (by default). Or just remove?
- printf(STDERR "Vetted lines in: %4d\n", $VettedLinesIn);
- printf(STDERR "Updated lines out: %4d\n", $LinesOut);
- printf(STDERR "\n");
- printf(STDERR "New lines in: %4d\n", $NewLinesIn);
- printf(STDERR "Skipped empty lines: %4d\n", $SkippedEmptyLines);
- printf(STDERR "Skipped banned: %4d\n", $SkippedBanned);
- printf(STDERR "Skipped similar: %4d\n", $SkippedAlreadyVetted);
- printf(STDERR "Skipped duplicates: %4d\n", $SkippedNewDuplicates);
- printf(STDERR "Skipped bad lines: %4d\n", $SkippedBadLines);
- printf(STDERR "\n");
- printf(STDERR "Vetted contributors: %3d\n", scalar @VettedContributors);
- printf(STDERR "New contributors: %3d\n", scalar @NewContributors);
- printf(STDERR "Contributors out: %3d\n", @VettedContributors + @NewContributors);
+ if ($VerboseOutput > 1) {
+ printf(STDERR "Vetted lines in: %4d\n", $VettedLinesIn);
+ printf(STDERR "Updated lines out: %4d\n", $LinesOut);
+ printf(STDERR "\n");
+ }
+ if ($VerboseOutput > 2) {
+ printf(STDERR "New lines in: %4d\n", $NewLinesIn);
+ printf(STDERR "Skipped empty lines: %4d\n", $SkippedEmptyLines) unless ($SkippedEmptyLines == 0);
+ printf(STDERR "Skipped duplicates: %4d\n", $SkippedNewDuplicates) unless ($SkippedNewDuplicates == 0);
+ }
+ if ($VerboseOutput > 1) {
+ printf(STDERR "Skipped banned: %4d\n", $SkippedBanned) unless ($SkippedBanned == 0);
+ printf(STDERR "Skipped similar: %4d\n", $SkippedAlreadyVetted) unless ($SkippedAlreadyVetted == 0);
+ }
+ if ($VerboseOutput > 0) {
+ printf(STDERR "Skipped bad lines: %4d\n", $SkippedBadLines) unless ($SkippedBadLines == 0);
+ printf(STDERR "\n");
+ printf(STDERR "Vetted contributors: %3d\n", scalar @VettedContributors) if ($VerboseOutput > 1);
+ printf(STDERR "New contributors: %3d\n", scalar @NewContributors) unless (scalar @NewContributors == 0);
+ printf(STDERR "Contributors out: %3d\n", @VettedContributors + @NewContributors) if 
($VerboseOutput > 1);
+ }
 return 0;
 }
diff -u -r -N squid-6.4/src/acl/external/delayer/ext_delayer_acl.8 squid-6.5/src/acl/external/delayer/ext_delayer_acl.8
--- squid-6.4/src/acl/external/delayer/ext_delayer_acl.8 2023-10-22 01:47:13.000000000 +1300
+++ squid-6.5/src/acl/external/delayer/ext_delayer_acl.8 2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 squid-6.5/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8
--- squid-6.4/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2023-10-22 01:47:13.000000000 +1300
+++ squid-6.5/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2023-11-06 17:36:35.000000000 +1300
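Review bot: With `--quiet` the rewritten summary prints nothing even when `$SkippedBadLines` is non-zero, and the function still ends with the unchanged `return 0;`, so a caller that silences the script cannot tell that lines of the input the file header calls untrusted were dropped as malformed. If this return value becomes the process exit status (the surrounding code is outside the hunk, so I cannot confirm), consider `return $SkippedBadLines ? 1 : 0;` so scripted runs can still detect bad input, or else state in the `# Use --quiet for no output` comment that quiet mode also suppresses the bad-line count. The enclosing subroutine starts outside the hunk.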
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8"
-.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-6.5/src/acl/external/SQL_session/ext_sql_session_acl.8
--- squid-6.4/src/acl/external/SQL_session/ext_sql_session_acl.8 2023-10-22 01:47:14.000000000 +1300
+++ squid-6.5/src/acl/external/SQL_session/ext_sql_session_acl.8 2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-6.5/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-6.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2023-10-22 01:47:14.000000000 +1300
+++ squid-6.5/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/auth/basic/DB/basic_db_auth.8 squid-6.5/src/auth/basic/DB/basic_db_auth.8
--- squid-6.4/src/auth/basic/DB/basic_db_auth.8 2023-10-22 01:47:15.000000000 +1300
+++ squid-6.5/src/auth/basic/DB/basic_db_auth.8 2023-11-06 17:36:36.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/auth/basic/POP3/basic_pop3_auth.8 squid-6.5/src/auth/basic/POP3/basic_pop3_auth.8
--- squid-6.4/src/auth/basic/POP3/basic_pop3_auth.8 2023-10-22 01:47:15.000000000 +1300
+++ squid-6.5/src/auth/basic/POP3/basic_pop3_auth.8 2023-11-06 17:36:36.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/cache_cf.cc squid-6.5/src/cache_cf.cc
--- squid-6.4/src/cache_cf.cc 2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/cache_cf.cc 2023-11-06 16:41:43.000000000 +1300
@@ -1007,6 +1007,18 @@
 (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
 }
+ // Warn about the dangers of exceeding String limits when manipulating HTTP
+ // headers. Technically, we do not concatenate _requests_, so we could relax
+ // their check, but we keep the two checks the same for simplicity sake.
+ const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
+ // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
+ if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
+ if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
+
 /*
 * Disable client side request pipelining if client_persistent_connections OFF.
 * Waste of resources queueing any pipelined requests when the first will close the connection.
diff -u -r -N squid-6.4/src/cf.data.pre squid-6.5/src/cf.data.pre
--- squid-6.4/src/cf.data.pre 2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/cf.data.pre 2023-11-06 16:41:43.000000000 +1300
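Review bot: The divisor in `const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;` is left unexplained; the comment above it only says why the request and reply checks are kept identical. Presumably the 3 covers two raw header values of this size plus the result of concatenating them (the http.cc hunk in this same diff speaks of a String accommodating two values), but whatever the actual reasoning is, the comment should spell out what the three parts are so the next person tuning the limit does not treat it as arbitrary. The `// TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024);` line suggests the default-settings guarantee is meant to be an invariant; if `String::SizeMaxXXX()` is constexpr it can become a real `static_assert` in this commit, and if it is not, a runtime assertion at this point would still catch a build whose String limit makes the default configuration warn. The enclosing function starts and ends outside the hunk.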
@@ -6753,11 +6753,14 @@
 DEFAULT: 64 KB
 LOC: Config.maxRequestHeaderSize
 DOC_START
- This specifies the maximum size for HTTP headers in a request.
- Request headers are usually relatively small (about 512 bytes).
- Placing a limit on the request header size will catch certain
- bugs (for example with persistent connections) and possibly
- buffer-overflow or denial-of-service attacks.
+ This directives limits the header size of a received HTTP request
+ (including request-line). Increasing this limit beyond its 64 KB default
+ exposes certain old Squid code to various denial-of-service attacks. This
+ limit also applies to received FTP commands.
+
+ This limit has no direct affect on Squid memory consumption.
+
+ Squid does not check this limit when sending requests.
 DOC_END
 NAME: reply_header_max_size
@@ -6766,11 +6769,14 @@
 DEFAULT: 64 KB
 LOC: Config.maxReplyHeaderSize
 DOC_START
- This specifies the maximum size for HTTP headers in a reply.
- Reply headers are usually relatively small (about 512 bytes).
- Placing a limit on the reply header size will catch certain
- bugs (for example with persistent connections) and possibly
- buffer-overflow or denial-of-service attacks.
+ This directives limits the header size of a received HTTP response
+ (including status-line). Increasing this limit beyond its 64 KB default
+ exposes certain old Squid code to various denial-of-service attacks. This
+ limit also applies to FTP command responses.
+
+ Squid also checks this limit when loading hit responses from disk cache.
+
+ Squid does not check this limit when sending responses.
 DOC_END
 NAME: request_body_max_size
diff -u -r -N squid-6.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-6.5/src/http/url_rewriters/LFS/url_lfs_rewrite.8
--- squid-6.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2023-10-22 01:47:16.000000000 +1300
+++ squid-6.5/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2023-11-06 17:36:37.000000000 +1300
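Review bot: Both rewritten DOC_START paragraphs open with `This directives limits`, which should read `This directive limits`; the slip is in the request_header_max_size hunk and repeated in the reply_header_max_size hunk. The request hunk's `This limit has no direct affect on Squid memory consumption.` should also use `effect`. Because cf.data.pre is the source the configuration documentation is generated from, these typos will be reproduced in every default configuration shipped with the release.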
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "URL_LFS_REWRITE 8"
-.TH URL_LFS_REWRITE 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH URL_LFS_REWRITE 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/http.cc squid-6.5/src/http.cc
--- squid-6.4/src/http.cc 2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/http.cc 2023-11-06 16:41:43.000000000 +1300
@@ -1900,8 +1900,9 @@
 String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
- // if we cannot double strFwd size, then it grew past 50% of the limit
- if (!strFwd.canGrowBy(strFwd.size())) {
+ // Detect unreasonably long header values. And paranoidly check String
+ // limits: a String ought to accommodate two reasonable-length values.
+ if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
 // There is probably a forwarding loop with Via detection disabled.
 // If we do nothing, String will assert on overflow soon.
 // TODO: Terminate all transactions with huge XFF?
diff -u -r -N squid-6.4/src/ipc.cc squid-6.5/src/ipc.cc
--- squid-6.4/src/ipc.cc 2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/ipc.cc 2023-11-06 16:41:43.000000000 +1300
@@ -22,6 +22,11 @@
 #include
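Review bot: The `32*1024` in the new condition `if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size()))` is a bare literal with no stated relationship to the limits this same diff introduces elsewhere: cache_cf.cc derives `safeRawHeaderValueSizeMax` from `String::SizeMaxXXX()`, and cf.data.pre documents a 64 KB default for request_header_max_size. A named constant, or at least a comment saying why half of the default header limit is the right cut-off for one X-Forwarded-For value, would keep the three places from drifting apart the next time any of them is tuned; the hunk's new comment only explains the `canGrowBy` half of the test. The enclosing function starts and ends outside the hunk.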