squid: upgrade to 3.5.20

* Remove the blacklist since the issue is gone with new version * Remove two CVE patches which have been fixed: - CVE-2016-3947 and CVE-2016-4553 * Rebased the patch for ptest. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Jackie Huang <jackie.huang@windriver.com> 2016-07-19 04:17:37 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2016-08-05 09:06:50 -0400
commit: 03b76ca4b07957793a8c5bb11a2104344ae15910 (patch)
tree: d944dc331fdcc03d91a043eff1e6c390a9523079
parent: fa2c10caebb42b3bcd83668129e65206bc443079 (diff)
download: meta-openembedded-03b76ca4b07957793a8c5bb11a2104344ae15910.tar.gz
4 files changed, 12 insertions, 116 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
deleted file mode 100644
index c83e6ab51..000000000
--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
-From: Catalin Enache <catalin.enache@windriver.com>
-Date: Wed, 20 Apr 2016 15:17:18 +0300
-Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv
-Upstream-Status: Backport
-CVE: CVE-2016-3947
-Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
-Committer: Amos Jeffries <squid3@treenet.co.nz
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
- src/icmp/Icmp6.cc | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
-index 794a51a..ee84b80 100644
--- a/src/icmp/Icmp6.cc
-+++ b/src/icmp/Icmp6.cc
-@@ -256,7 +256,7 @@ Icmp6::Recv(void)
-     #define ip6_hops    // HOPS!!!  (can it be true??)
- 
-         ip = (struct ip6_hdr *) pkt;
-        pkt += sizeof(ip6_hdr);
-+        NP: echo size needs to +sizeof(ip6_hdr);
- 
-     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
-             ", ip6_plen=" << ip->ip6_plen <<
-@@ -267,7 +267,6 @@ Icmp6::Recv(void)
-     */
- 
-     icmp6header = (struct icmp6_hdr *) pkt;
-    pkt += sizeof(icmp6_hdr);
- 
-     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
- 
-@@ -292,7 +291,7 @@ Icmp6::Recv(void)
-         return;
-     }
- 
-    echo = (icmpEchoData *) pkt;
-+    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
- 
-     preply.opcode = echo->opcode;
- 
-- 
-2.7.4
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
deleted file mode 100644
index 497ace444..000000000
--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
-From: Catalin Enache <catalin.enache@windriver.com>
-Date: Mon, 23 May 2016 12:47:39 +0300
-Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
-Upstream-Status: Backport
-CVE: CVE-2016-4553
-When absolute-URI is provided Host header should be ignored. However some
-code still uses Host directly so normalize it using the URL authority
-value before doing any further request processing.
-For now preserve the case where Host is completely absent. That matters
-to the CVE-2009-0801 protection.
-This also has the desirable side effect of removing multiple or duplicate
-Host header entries, and invalid port values.
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
- src/client_side.cc | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-diff --git a/src/client_side.cc b/src/client_side.cc
-index 8c41c21..36a27de 100644
--- a/src/client_side.cc
-+++ b/src/client_side.cc
-@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
-             clientProcessRequestFinished(conn, request);
-             return;
-         }
-+
-+        // when absolute-URI is provided Host header should be ignored. However
-+        // some code still uses Host directly so normalize it.
-+        // For now preserve the case where Host is completely absent. That matters.
-+        if (request->header.has(HDR_HOST)) {
-+            const char *host = request->header.getStr(HDR_HOST);
-+            SBuf authority(request->GetHost());
-+            if (request->port != urlDefaultPort(request->url.getScheme()))
-+                authority.appendf(":%d", request->port);
-+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
-+            // URL authority overrides Host header
-+            request->header.delById(HDR_HOST);
-+            request->header.putStr(HDR_HOST, authority.c_str());
-+        }
-     }
- 
-     // Some blobs below are still HTTP-specific, but we would have to rewrite
-- 
-2.7.4
diff --git a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
index 9e2ceab88..01ec59622 100644
--- a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
+++ b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
@@ -1,6 +1,6 @@
-From 2192fdbc90b0ff2d5408e8763df200620870deea Mon Sep 17 00:00:00 2001
+From bd58d3672bc267824000f34a37561c7ab2bd571f Mon Sep 17 00:00:00 2001
 From: Jackie Huang <jackie.huang@windriver.com>
-Date: Mon, 13 Oct 2014 01:32:37 -0700
+Date: Tue, 19 Jul 2016 01:56:23 -0400
 Subject: [PATCH] squid: use serial-tests config needed by ptest
 ptest needs buildtest-TESTS and runtest-TESTS targets.
@@ -10,22 +10,22 @@ Upstream-Status: Inappropriate [default automake behavior incompatible with ptes
 Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
 ---
- configure.ac |    2 +-
+ configure.ac | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
-index 6f7171f..ab9b93e 100644
+index 05ad027..e324b93 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3,7 +3,7 @@ AC_PREREQ(2.61)
+@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
 AC_CONFIG_SRCDIR([src/main.cc])
-AM_INIT_AUTOMAKE([tar-ustar nostdinc])
+-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
-+AM_INIT_AUTOMAKE([tar-ustar nostdinc serial-tests])
+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects serial-tests])
 AC_REVISION($Revision$)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
 -- 
-1.7.1
+2.8.1
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
index b571e29a3..f26aebe2f 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -19,15 +19,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
           file://squid-use-serial-tests-config-needed-by-ptest.patch \
           file://run-ptest \
           file://volatiles.03_squid \
-           file://CVE-2016-3947.patch \
-           file://CVE-2016-4553.patch \
 "
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
-                    file://errors/COPYRIGHT;md5=0fed8f1462f6fdbc62bb431bcb618f46 \
+                    file://errors/COPYRIGHT;md5=0d98c4448c368d146f31a970bb0ced21 \
                   "
-SRC_URI[md5sum] = "06e43abc67aedcc3903a2780de20a3ed"
+SRC_URI[md5sum] = "6a29d7dfc544205001f7a75c6996dc60"
-SRC_URI[sha256sum] = "b7dcec8c5cb7f5687aff4256a7522f670c310a350cc9e9c0f29f3fd9cf88d017"
+SRC_URI[sha256sum] = "5a114f8f7f44b5ae3c9b77d7b81aef13fe69e7f530855213d551f48b157cb5f1"
 DEPENDS = "libtool krb5 openldap db cyrus-sasl"
@@ -75,6 +73,3 @@ FILES_${PN}-doc += "${datadir}/*.txt"
 RDEPENDS_${PN} += "perl"
 RDEPENDS_${PN}-ptest += "make"
-# http://errors.yoctoproject.org/Errors/Details/35128/
-PNBLACKLIST[squid] ?= "BROKEN: sysroots/qemuarm/usr/include/linux/in.h:28:16: error: redeclaration of 'IPPROTO_IP'"
author	Jackie Huang <jackie.huang@windriver.com>	2016-07-19 04:17:37 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2016-08-05 09:06:50 -0400
commit	03b76ca4b07957793a8c5bb11a2104344ae15910 (patch)
tree	d944dc331fdcc03d91a043eff1e6c390a9523079
parent	fa2c10caebb42b3bcd83668129e65206bc443079 (diff)
download	meta-openembedded-03b76ca4b07957793a8c5bb11a2104344ae15910.tar.gz

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch deleted file mode 100644 index c83e6ab51..000000000 --- a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch +++ /dev/null
@@ -1,48 +0,0 @@
1	From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
2	From: Catalin Enache <catalin.enache@windriver.com>
3	Date: Wed, 20 Apr 2016 15:17:18 +0300
4	Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv
5
6	Upstream-Status: Backport
7	CVE: CVE-2016-3947
8
9	Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
10	Committer: Amos Jeffries <squid3@treenet.co.nz
11	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
12	---
13	src/icmp/Icmp6.cc \| 5 ++---
14	1 file changed, 2 insertions(+), 3 deletions(-)
15
16	diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
17	index 794a51a..ee84b80 100644
18	--- a/src/icmp/Icmp6.cc
19	+++ b/src/icmp/Icmp6.cc
20	@@ -256,7 +256,7 @@ Icmp6::Recv(void)
21	#define ip6_hops // HOPS!!! (can it be true??)
22
23	ip = (struct ip6_hdr *) pkt;
24	- pkt += sizeof(ip6_hdr);
25	+ NP: echo size needs to +sizeof(ip6_hdr);
26
27	debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
28	", ip6_plen=" << ip->ip6_plen <<
29	@@ -267,7 +267,6 @@ Icmp6::Recv(void)
30	*/
31
32	icmp6header = (struct icmp6_hdr *) pkt;
33	- pkt += sizeof(icmp6_hdr);
34
35	if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
36
37	@@ -292,7 +291,7 @@ Icmp6::Recv(void)
38	return;
39	}
40
41	- echo = (icmpEchoData *) pkt;
42	+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
43
44	preply.opcode = echo->opcode;
45
46	--
47	2.7.4
48


diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch deleted file mode 100644 index 497ace444..000000000 --- a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch +++ /dev/null
@@ -1,51 +0,0 @@
1	From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
2	From: Catalin Enache <catalin.enache@windriver.com>
3	Date: Mon, 23 May 2016 12:47:39 +0300
4	Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
5
6	Upstream-Status: Backport
7	CVE: CVE-2016-4553
8
9	When absolute-URI is provided Host header should be ignored. However some
10	code still uses Host directly so normalize it using the URL authority
11	value before doing any further request processing.
12
13	For now preserve the case where Host is completely absent. That matters
14	to the CVE-2009-0801 protection.
15
16	This also has the desirable side effect of removing multiple or duplicate
17	Host header entries, and invalid port values.
18
19	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
20	---
21	src/client_side.cc \| 14 ++++++++++++++
22	1 file changed, 14 insertions(+)
23
24	diff --git a/src/client_side.cc b/src/client_side.cc
25	index 8c41c21..36a27de 100644
26	--- a/src/client_side.cc
27	+++ b/src/client_side.cc
28	@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData conn, HttpParser hp, ClientSocketContext *c
29	clientProcessRequestFinished(conn, request);
30	return;
31	}
32	+
33	+ // when absolute-URI is provided Host header should be ignored. However
34	+ // some code still uses Host directly so normalize it.
35	+ // For now preserve the case where Host is completely absent. That matters.
36	+ if (request->header.has(HDR_HOST)) {
37	+ const char *host = request->header.getStr(HDR_HOST);
38	+ SBuf authority(request->GetHost());
39	+ if (request->port != urlDefaultPort(request->url.getScheme()))
40	+ authority.appendf(":%d", request->port);
41	+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
42	+ // URL authority overrides Host header
43	+ request->header.delById(HDR_HOST);
44	+ request->header.putStr(HDR_HOST, authority.c_str());
45	+ }
46	}
47
48	// Some blobs below are still HTTP-specific, but we would have to rewrite
49	--
50	2.7.4
51


diff --git a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch index 9e2ceab88..01ec59622 100644 --- a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch +++ b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
@@ -1,6 +1,6 @@
1	From 2192fdbc90b0ff2d5408e8763df200620870deea Mon Sep 17 00:00:00 2001	1	From bd58d3672bc267824000f34a37561c7ab2bd571f Mon Sep 17 00:00:00 2001
2	From: Jackie Huang <jackie.huang@windriver.com>	2	From: Jackie Huang <jackie.huang@windriver.com>
3	Date: Mon, 13 Oct 2014 01:32:37 -0700	3	Date: Tue, 19 Jul 2016 01:56:23 -0400
4	Subject: [PATCH] squid: use serial-tests config needed by ptest	4	Subject: [PATCH] squid: use serial-tests config needed by ptest
5		5
6	ptest needs buildtest-TESTS and runtest-TESTS targets.	6	ptest needs buildtest-TESTS and runtest-TESTS targets.
@@ -10,22 +10,22 @@ Upstream-Status: Inappropriate [default automake behavior incompatible with ptes
10		10
11	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>	11	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
12	---	12	---
13	configure.ac \| 2 +-	13	configure.ac \| 2 +-
14	1 files changed, 1 insertions(+), 1 deletions(-)	14	1 file changed, 1 insertion(+), 1 deletion(-)
15		15
16	diff --git a/configure.ac b/configure.ac	16	diff --git a/configure.ac b/configure.ac
17	index 6f7171f..ab9b93e 100644	17	index 05ad027..e324b93 100644
18	--- a/configure.ac	18	--- a/configure.ac
19	+++ b/configure.ac	19	+++ b/configure.ac
20	@@ -3,7 +3,7 @@ AC_PREREQ(2.61)	20	@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
21	AC_CONFIG_HEADERS([include/autoconf.h])	21	AC_CONFIG_HEADERS([include/autoconf.h])
22	AC_CONFIG_AUX_DIR(cfgaux)	22	AC_CONFIG_AUX_DIR(cfgaux)
23	AC_CONFIG_SRCDIR([src/main.cc])	23	AC_CONFIG_SRCDIR([src/main.cc])
24	-AM_INIT_AUTOMAKE([tar-ustar nostdinc])	24	-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
25	+AM_INIT_AUTOMAKE([tar-ustar nostdinc serial-tests])	25	+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects serial-tests])
26	AC_REVISION($Revision$)dnl	26	AC_REVISION($Revision$)dnl
27	AC_PREFIX_DEFAULT(/usr/local/squid)	27	AC_PREFIX_DEFAULT(/usr/local/squid)
28	AM_MAINTAINER_MODE	28	AM_MAINTAINER_MODE
29	--	29	--
30	1.7.1	30	2.8.1
31		31


diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb index b571e29a3..f26aebe2f 100644 --- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb +++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -19,15 +19,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
19	file://squid-use-serial-tests-config-needed-by-ptest.patch \	19	file://squid-use-serial-tests-config-needed-by-ptest.patch \
20	file://run-ptest \	20	file://run-ptest \
21	file://volatiles.03_squid \	21	file://volatiles.03_squid \
22	file://CVE-2016-3947.patch \
23	file://CVE-2016-4553.patch \
24	"	22	"
25		23
26	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \	24	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
27	file://errors/COPYRIGHT;md5=0fed8f1462f6fdbc62bb431bcb618f46 \	25	file://errors/COPYRIGHT;md5=0d98c4448c368d146f31a970bb0ced21 \
28	"	26	"
29	SRC_URI[md5sum] = "06e43abc67aedcc3903a2780de20a3ed"	27	SRC_URI[md5sum] = "6a29d7dfc544205001f7a75c6996dc60"
30	SRC_URI[sha256sum] = "b7dcec8c5cb7f5687aff4256a7522f670c310a350cc9e9c0f29f3fd9cf88d017"	28	SRC_URI[sha256sum] = "5a114f8f7f44b5ae3c9b77d7b81aef13fe69e7f530855213d551f48b157cb5f1"
31		29
32	DEPENDS = "libtool krb5 openldap db cyrus-sasl"	30	DEPENDS = "libtool krb5 openldap db cyrus-sasl"
33		31
@@ -75,6 +73,3 @@ FILES_${PN}-doc += "${datadir}/*.txt"
75		73
76	RDEPENDS_${PN} += "perl"	74	RDEPENDS_${PN} += "perl"
77	RDEPENDS_${PN}-ptest += "make"	75	RDEPENDS_${PN}-ptest += "make"
78
79	# http://errors.yoctoproject.org/Errors/Details/35128/
80	PNBLACKLIST[squid] ?= "BROKEN: sysroots/qemuarm/usr/include/linux/in.h:28:16: error: redeclaration of 'IPPROTO_IP'"