authorJackie Huang <jackie.huang@windriver.com>2016-07-19 04:17:37 -0400
committerJoe MacDonald <joe_macdonald@mentor.com>2016-08-05 09:06:50 -0400
commit03b76ca4b07957793a8c5bb11a2104344ae15910 (patch)
treed944dc331fdcc03d91a043eff1e6c390a9523079
parentfa2c10caebb42b3bcd83668129e65206bc443079 (diff)
squid: upgrade to 3.5.20
* Remove the blacklist since the issue is gone with the new version
* Remove two CVE patches which have been fixed: CVE-2016-3947 and CVE-2016-4553
* Rebase the patch for ptest.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-rw-r--r--meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch48
-rw-r--r--meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch51
-rw-r--r--meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch18
-rw-r--r--meta-networking/recipes-daemons/squid/squid_3.5.20.bb (renamed from meta-networking/recipes-daemons/squid/squid_3.5.7.bb)11
4 files changed, 12 insertions, 116 deletions
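diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
deleted file mode 100644
index c83e6ab51..000000000
--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
-From: Catalin Enache <catalin.enache@windriver.com>
-Date: Wed, 20 Apr 2016 15:17:18 +0300
-Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv
-
-Upstream-Status: Backport
-CVE: CVE-2016-3947
-
-Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
-Committer: Amos Jeffries <squid3@treenet.co.nz
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
- src/icmp/Icmp6.cc | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
-index 794a51a..ee84b80 100644
---- a/src/icmp/Icmp6.cc
-+++ b/src/icmp/Icmp6.cc
-@@ -256,7 +256,7 @@ Icmp6::Recv(void)
- #define ip6_hops // HOPS!!! (can it be true??)
-
- ip = (struct ip6_hdr *) pkt;
-- pkt += sizeof(ip6_hdr);
-+ NP: echo size needs to +sizeof(ip6_hdr);
-
- debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
- ", ip6_plen=" << ip->ip6_plen <<
-@@ -267,7 +267,6 @@ Icmp6::Recv(void)
- */
-
- icmp6header = (struct icmp6_hdr *) pkt;
-- pkt += sizeof(icmp6_hdr);
-
- if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
-
-@@ -292,7 +291,7 @@ Icmp6::Recv(void)
- return;
- }
-
-- echo = (icmpEchoData *) pkt;
-+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
-
- preply.opcode = echo->opcode;
-
---
-2.7.4
-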
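diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
deleted file mode 100644
index 497ace444..000000000
--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
-From: Catalin Enache <catalin.enache@windriver.com>
-Date: Mon, 23 May 2016 12:47:39 +0300
-Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
-
-Upstream-Status: Backport
-CVE: CVE-2016-4553
-
-When absolute-URI is provided Host header should be ignored. However some
-code still uses Host directly so normalize it using the URL authority
-value before doing any further request processing.
-
-For now preserve the case where Host is completely absent. That matters
-to the CVE-2009-0801 protection.
-
-This also has the desirable side effect of removing multiple or duplicate
-Host header entries, and invalid port values.
-
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
- src/client_side.cc | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/src/client_side.cc b/src/client_side.cc
-index 8c41c21..36a27de 100644
---- a/src/client_side.cc
-+++ b/src/client_side.cc
-@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
- clientProcessRequestFinished(conn, request);
- return;
- }
-+
-+ // when absolute-URI is provided Host header should be ignored. However
-+ // some code still uses Host directly so normalize it.
-+ // For now preserve the case where Host is completely absent. That matters.
-+ if (request->header.has(HDR_HOST)) {
-+ const char *host = request->header.getStr(HDR_HOST);
-+ SBuf authority(request->GetHost());
-+ if (request->port != urlDefaultPort(request->url.getScheme()))
-+ authority.appendf(":%d", request->port);
-+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
-+ // URL authority overrides Host header
-+ request->header.delById(HDR_HOST);
-+ request->header.putStr(HDR_HOST, authority.c_str());
-+ }
- }
-
- // Some blobs below are still HTTP-specific, but we would have to rewrite
---
-2.7.4
-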
diff --git a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
index 9e2ceab88..01ec59622 100644
--- a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
+++ b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
@@ -1,6 +1,6 @@
1From 2192fdbc90b0ff2d5408e8763df200620870deea Mon Sep 17 00:00:00 2001 1From bd58d3672bc267824000f34a37561c7ab2bd571f Mon Sep 17 00:00:00 2001
2From: Jackie Huang <jackie.huang@windriver.com> 2From: Jackie Huang <jackie.huang@windriver.com>
3Date: Mon, 13 Oct 2014 01:32:37 -0700 3Date: Tue, 19 Jul 2016 01:56:23 -0400
4Subject: [PATCH] squid: use serial-tests config needed by ptest 4Subject: [PATCH] squid: use serial-tests config needed by ptest
5 5
6ptest needs buildtest-TESTS and runtest-TESTS targets. 6ptest needs buildtest-TESTS and runtest-TESTS targets.
@@ -10,22 +10,22 @@ Upstream-Status: Inappropriate [default automake behavior incompatible with ptes
10 10
11Signed-off-by: Jackie Huang <jackie.huang@windriver.com> 11Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
12--- 12---
13 configure.ac | 2 +- 13 configure.ac | 2 +-
14 1 files changed, 1 insertions(+), 1 deletions(-) 14 1 file changed, 1 insertion(+), 1 deletion(-)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 6f7171f..ab9b93e 100644 17index 05ad027..e324b93 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -3,7 +3,7 @@ AC_PREREQ(2.61) 20@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
21 AC_CONFIG_HEADERS([include/autoconf.h]) 21 AC_CONFIG_HEADERS([include/autoconf.h])
22 AC_CONFIG_AUX_DIR(cfgaux) 22 AC_CONFIG_AUX_DIR(cfgaux)
23 AC_CONFIG_SRCDIR([src/main.cc]) 23 AC_CONFIG_SRCDIR([src/main.cc])
24-AM_INIT_AUTOMAKE([tar-ustar nostdinc]) 24-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
25+AM_INIT_AUTOMAKE([tar-ustar nostdinc serial-tests]) 25+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects serial-tests])
26 AC_REVISION($Revision$)dnl 26 AC_REVISION($Revision$)dnl
27 AC_PREFIX_DEFAULT(/usr/local/squid) 27 AC_PREFIX_DEFAULT(/usr/local/squid)
28 AM_MAINTAINER_MODE 28 AM_MAINTAINER_MODE
29-- 29--
301.7.1 302.8.1
31 31
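diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
index b571e29a3..f26aebe2f 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -19,15 +19,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
  file://squid-use-serial-tests-config-needed-by-ptest.patch \
  file://run-ptest \
  file://volatiles.03_squid \
- file://CVE-2016-3947.patch \
- file://CVE-2016-4553.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
- file://errors/COPYRIGHT;md5=0fed8f1462f6fdbc62bb431bcb618f46 \
+ file://errors/COPYRIGHT;md5=0d98c4448c368d146f31a970bb0ced21 \
  "
-SRC_URI[md5sum] = "06e43abc67aedcc3903a2780de20a3ed"
-SRC_URI[sha256sum] = "b7dcec8c5cb7f5687aff4256a7522f670c310a350cc9e9c0f29f3fd9cf88d017"
+SRC_URI[md5sum] = "6a29d7dfc544205001f7a75c6996dc60"
+SRC_URI[sha256sum] = "5a114f8f7f44b5ae3c9b77d7b81aef13fe69e7f530855213d551f48b157cb5f1"
 
 DEPENDS = "libtool krb5 openldap db cyrus-sasl"
 
@@ -75,6 +73,3 @@ FILES_${PN}-doc += "${datadir}/*.txt"
 
 RDEPENDS_${PN} += "perl"
 RDEPENDS_${PN}-ptest += "make"
-
-# http://errors.yoctoproject.org/Errors/Details/35128/
-PNBLACKLIST[squid] ?= "BROKEN: sysroots/qemuarm/usr/include/linux/in.h:28:16: error: redeclaration of 'IPPROTO_IP'"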
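Review bot: The `errors/COPYRIGHT` md5 in `LIC_FILES_CHKSUM` changes in the first hunk, but the commit message does not say what changed in that file, so a reader cannot tell whether the licence terms moved or only the wording did. I would add a line to the description such as `* Update the errors/COPYRIGHT checksum: <what changed in the file>`, filled in after comparing the file between the two tarballs. The same hunk drops `CVE-2016-3947.patch` and `CVE-2016-4553.patch` from `SRC_URI`. Before merging, it is worth confirming in the unpacked 3.5.20 source that the `Icmp6::Recv` pointer handling and the Host-header normalisation in `clientProcessRequest` are present, because after this change nothing in the recipe records those fixes. The `SRC_URI` assignment starts outside the hunk.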