diff -u -r -N squid-6.5/ChangeLog squid-6.6/ChangeLog
--- squid-6.5/ChangeLog 2023-11-06 16:41:43.000000000 +1300
+++ squid-6.6/ChangeLog 2023-12-07 14:36:15.000000000 +1300
@@ -1,3 +1,16 @@
+Changes in squid-6.6 (5 Dec 2023):
+
+ - Bug 5328: Fix ESI build with libxml2 v2.12.0
+ - Bug 5319: QOS Netfilter MARK preservation is always disabled
+ - Bug 5318: peer_digest.cc:399: "fetch->pd && receivedData.data"
+ - Bug 5317: FATAL attempt to read data from memory
+ - Bug 5154: Do not open IPv6 sockets when IPv6 is disabled
+ - FTP: Ignore credentials with a NUL-prefixed username
+ - log_db_daemon: Fix DSN construction
+ - Limit the number of allowed X-Forwarded-For hops
+ - Do not update StoreEntry expiration after errorAppendEntry()
+ - improve handling of response sending errors
+
Changes in squid-6.5 (5 Nov 2023):
- Bug 5309: frequent "lowestOffset () <= target_offset" assertion
diff -u -r -N squid-6.5/configure squid-6.6/configure
--- squid-6.5/configure 2023-11-06 17:32:33.000000000 +1300
+++ squid-6.6/configure 2023-12-07 16:28:45.000000000 +1300
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Squid Web Proxy 6.5.
+# Generated by GNU Autoconf 2.71 for Squid Web Proxy 6.6.
#
# Report bugs to
@@ -59,7 +59,7 @@
The Squid Team are pleased to announce the release of Squid-6.5 for testing.
+The Squid Team are pleased to announce the release of Squid-6.6 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v6/ or the mirrors.
diff -u -r -N squid-6.5/include/version.h squid-6.6/include/version.h --- squid-6.5/include/version.h 2023-11-06 17:32:33.000000000 +1300 +++ squid-6.6/include/version.h 2023-12-07 16:28:45.000000000 +1300 @@ -10,7 +10,7 @@ #define SQUID_VERSION_H #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1699245141 +#define SQUID_RELEASE_TIME 1701919714 #endif /* diff -u -r -N squid-6.5/RELEASENOTES.html squid-6.6/RELEASENOTES.html --- squid-6.5/RELEASENOTES.html 2023-11-06 17:36:30.000000000 +1300 +++ squid-6.6/RELEASENOTES.html 2023-12-07 16:33:16.000000000 +1300 @@ -3,10 +3,10 @@ -@@ -59,7 +59,7 @@
The Squid Team are pleased to announce the release of Squid-6.5 for testing.
+The Squid Team are pleased to announce the release of Squid-6.6 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v6/ or the mirrors.
diff -u -r -N squid-6.5/src/acl/external/delayer/ext_delayer_acl.8 squid-6.6/src/acl/external/delayer/ext_delayer_acl.8 --- squid-6.5/src/acl/external/delayer/ext_delayer_acl.8 2023-11-06 17:36:35.000000000 +1300 +++ squid-6.6/src/acl/external/delayer/ext_delayer_acl.8 2023-12-07 16:33:19.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 squid-6.6/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 --- squid-6.5/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2023-11-06 17:36:35.000000000 +1300 +++ squid-6.6/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2023-12-07 16:33:19.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8" -.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-6.6/src/acl/external/SQL_session/ext_sql_session_acl.8 --- squid-6.5/src/acl/external/SQL_session/ext_sql_session_acl.8 2023-11-06 17:36:35.000000000 +1300 +++ squid-6.6/src/acl/external/SQL_session/ext_sql_session_acl.8 2023-12-07 16:33:19.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-6.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-6.5/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2023-11-06 17:36:35.000000000 +1300 +++ squid-6.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2023-12-07 16:33:20.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/auth/basic/DB/basic_db_auth.8 squid-6.6/src/auth/basic/DB/basic_db_auth.8 --- squid-6.5/src/auth/basic/DB/basic_db_auth.8 2023-11-06 17:36:36.000000000 +1300 +++ squid-6.6/src/auth/basic/DB/basic_db_auth.8 2023-12-07 16:33:21.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/auth/basic/POP3/basic_pop3_auth.8 squid-6.6/src/auth/basic/POP3/basic_pop3_auth.8 --- squid-6.5/src/auth/basic/POP3/basic_pop3_auth.8 2023-11-06 17:36:36.000000000 +1300 +++ squid-6.6/src/auth/basic/POP3/basic_pop3_auth.8 2023-12-07 16:33:21.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/cache_manager.cc squid-6.6/src/cache_manager.cc --- squid-6.5/src/cache_manager.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/cache_manager.cc 2023-12-07 14:36:15.000000000 +1300 @@ -332,7 +332,6 @@ err->url = xstrdup(entry->url()); err->detailError(new ExceptionErrorDetail(Here().id())); errorAppendEntry(entry, err); - entry->expires = squid_curtime; return; } diff -u -r -N squid-6.5/src/ClientRequestContext.h squid-6.6/src/ClientRequestContext.h --- squid-6.5/src/ClientRequestContext.h 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/ClientRequestContext.h 2023-12-07 14:36:15.000000000 +1300 @@ -78,8 +78,13 @@ #if USE_OPENSSL bool sslBumpCheckDone = false; #endif - ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing + bool readNextRequest = false; ///< whether Squid should read after error handling + ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing + +#if FOLLOW_X_FORWARDED_FOR + size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far +#endif }; #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ diff -u -r -N squid-6.5/src/clients/FtpGateway.cc squid-6.6/src/clients/FtpGateway.cc --- squid-6.5/src/clients/FtpGateway.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/clients/FtpGateway.cc 2023-12-07 14:36:15.000000000 +1300 @@ -402,6 +402,12 @@ if (login.isEmpty()) return; + if (!login[0]) { + debugs(9, 2, "WARNING: Ignoring FTP credentials that start with a NUL character"); + // TODO: Either support credentials with NUL characters (in any position) or ban all of them. + return; + } + const SBuf::size_type colonPos = login.find(':'); /* If there was a username part with at least one character use it. @@ -1042,9 +1048,8 @@ /* Test URL login syntax. Overrides any headers received. */ loginParser(request->url.userInfo(), true); - /* name is missing. that's fatal. */ - if (!user[0]) - fatal("FTP login parsing destroyed username info"); + // XXX: We we keep default "anonymous" instead of properly supporting empty usernames. + Assure(user[0]); /* name + password == success */ if (password[0]) diff -u -r -N squid-6.5/src/client_side_request.cc squid-6.6/src/client_side_request.cc --- squid-6.5/src/client_side_request.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/client_side_request.cc 2023-12-07 14:36:15.000000000 +1300 @@ -74,6 +74,11 @@ #endif #if FOLLOW_X_FORWARDED_FOR + +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 +#endif + static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data); #endif /* FOLLOW_X_FORWARDED_FOR */ @@ -438,8 +443,16 @@ /* override the default src_addr tested if we have to go deeper than one level into XFF */ Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; } - calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); - return; + if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { + calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); + return; + } + const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; + debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" << + Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber << + Debug::Extra << "last/accepted address: " << request->indirect_client_addr << + Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator); + // fall through to resume clientAccessCheck() processing } } diff -u -r -N squid-6.5/src/comm.cc squid-6.6/src/comm.cc --- squid-6.5/src/comm.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/comm.cc 2023-12-07 14:36:15.000000000 +1300 @@ -364,6 +364,12 @@ /* Create socket for accepting new connections. */ ++ statCounter.syscalls.sock.sockets; + if (!Ip::EnableIpv6 && addr.isIPv6()) { + debugs(50, 2, "refusing to open an IPv6 socket when IPv6 support is disabled: " << addr); + errno = ENOTSUP; + return -1; + } + /* Setup the socket addrinfo details for use */ addr.getAddrInfo(AI); AI->ai_socktype = sock_type; diff -u -r -N squid-6.5/src/esi/Libxml2Parser.cc squid-6.6/src/esi/Libxml2Parser.cc --- squid-6.5/src/esi/Libxml2Parser.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/esi/Libxml2Parser.cc 2023-12-07 14:36:15.000000000 +1300 @@ -144,7 +144,7 @@ char const * ESILibxml2Parser::errorString() const { - xmlErrorPtr error = xmlGetLastError(); + const auto error = xmlGetLastError(); if (error == nullptr) return nullptr; diff -u -r -N squid-6.5/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-6.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- squid-6.5/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2023-11-06 17:36:37.000000000 +1300 +++ squid-6.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2023-12-07 16:33:22.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 "2023-12-07" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-6.5/src/ip/Address.cc squid-6.6/src/ip/Address.cc --- squid-6.5/src/ip/Address.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/ip/Address.cc 2023-12-07 14:36:15.000000000 +1300 @@ -623,7 +623,7 @@ && dst->ai_protocol == 0) dst->ai_protocol = IPPROTO_UDP; - if (force == AF_INET6 || (force == AF_UNSPEC && Ip::EnableIpv6 && isIPv6()) ) { + if (force == AF_INET6 || (force == AF_UNSPEC && isIPv6()) ) { dst->ai_addr = (struct sockaddr*)new sockaddr_in6; memset(dst->ai_addr,0,sizeof(struct sockaddr_in6)); diff -u -r -N squid-6.5/src/ip/Intercept.cc squid-6.6/src/ip/Intercept.cc --- squid-6.5/src/ip/Intercept.cc 2023-11-06 16:41:43.000000000 +1300 +++ squid-6.6/src/ip/Intercept.cc 2023-12-07 14:36:15.000000000 +1300 @@ -15,6 +15,7 @@ #include "comm/Connection.h" #include "fde.h" #include "ip/Intercept.h" +#include "ip/tools.h" #include "src/tools.h" #include