author | Jackie Huang <jackie.huang@windriver.com> | 2016-07-19 04:17:37 -0400 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2016-08-05 09:06:50 -0400 |
commit | 03b76ca4b07957793a8c5bb11a2104344ae15910 (patch) | |
tree | d944dc331fdcc03d91a043eff1e6c390a9523079 /meta-networking | |
parent | fa2c10caebb42b3bcd83668129e65206bc443079 (diff) | |
squid: upgrade to 3.5.20
* Remove the blacklist since the issue is gone with new version
* Remove two CVE patches which have been fixed:
- CVE-2016-3947 and CVE-2016-4553
* Rebased the patch for ptest.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'meta-networking')
-rw-r--r-- | meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch | 48 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch | 51 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch | 18 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/squid/squid_3.5.20.bb (renamed from meta-networking/recipes-daemons/squid/squid_3.5.7.bb) | 11 |
4 files changed, 12 insertions, 116 deletions
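--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
-From: Catalin Enache <catalin.enache@windriver.com>
-Date: Wed, 20 Apr 2016 15:17:18 +0300
-Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv
-
-Upstream-Status: Backport
-CVE: CVE-2016-3947
-
-Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
-Committer: Amos Jeffries <squid3@treenet.co.nz
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
-src/icmp/Icmp6.cc | 5 ++---
-1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
-index 794a51a..ee84b80 100644
---- a/src/icmp/Icmp6.cc
-+++ b/src/icmp/Icmp6.cc
-@@ -256,7 +256,7 @@ Icmp6::Recv(void)
-#define ip6_hops // HOPS!!! (can it be true??)
-
-ip = (struct ip6_hdr *) pkt;
-- pkt += sizeof(ip6_hdr);
-+ NP: echo size needs to +sizeof(ip6_hdr);
-
-debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
-", ip6_plen=" << ip->ip6_plen <<
-@@ -267,7 +267,6 @@ Icmp6::Recv(void)
-*/
-
-icmp6header = (struct icmp6_hdr *) pkt;
-- pkt += sizeof(icmp6_hdr);
-
-if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
-
-@@ -292,7 +291,7 @@ Icmp6::Recv(void)
-return;
-}
-
-- echo = (icmpEchoData *) pkt;
-+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
-
-preply.opcode = echo->opcode;
-
---
-2.7.4
-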
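--- a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
-From: Catalin Enache <catalin.enache@windriver.com>
-Date: Mon, 23 May 2016 12:47:39 +0300
-Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
-
-Upstream-Status: Backport
-CVE: CVE-2016-4553
-
-When absolute-URI is provided Host header should be ignored. However some
-code still uses Host directly so normalize it using the URL authority
-value before doing any further request processing.
-
-For now preserve the case where Host is completely absent. That matters
-to the CVE-2009-0801 protection.
-
-This also has the desirable side effect of removing multiple or duplicate
-Host header entries, and invalid port values.
-
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
-src/client_side.cc | 14 ++++++++++++++
-1 file changed, 14 insertions(+)
-
-diff --git a/src/client_side.cc b/src/client_side.cc
-index 8c41c21..36a27de 100644
---- a/src/client_side.cc
-+++ b/src/client_side.cc
-@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
-clientProcessRequestFinished(conn, request);
-return;
-}
-+
-+ // when absolute-URI is provided Host header should be ignored. However
-+ // some code still uses Host directly so normalize it.
-+ // For now preserve the case where Host is completely absent. That matters.
-+ if (request->header.has(HDR_HOST)) {
-+ const char *host = request->header.getStr(HDR_HOST);
-+ SBuf authority(request->GetHost());
-+ if (request->port != urlDefaultPort(request->url.getScheme()))
-+ authority.appendf(":%d", request->port);
-+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
-+ // URL authority overrides Host header
-+ request->header.delById(HDR_HOST);
-+ request->header.putStr(HDR_HOST, authority.c_str());
-+ }
-}
-
-// Some blobs below are still HTTP-specific, but we would have to rewrite
---
-2.7.4
-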
diff --git a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch index 9e2ceab88..01ec59622 100644 --- a/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch +++ b/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch | |||
@@ -1,6 +1,6 @@ | |||
1 | From 2192fdbc90b0ff2d5408e8763df200620870deea Mon Sep 17 00:00:00 2001 | 1 | From bd58d3672bc267824000f34a37561c7ab2bd571f Mon Sep 17 00:00:00 2001 |
2 | From: Jackie Huang <jackie.huang@windriver.com> | 2 | From: Jackie Huang <jackie.huang@windriver.com> |
3 | Date: Mon, 13 Oct 2014 01:32:37 -0700 | 3 | Date: Tue, 19 Jul 2016 01:56:23 -0400 |
4 | Subject: [PATCH] squid: use serial-tests config needed by ptest | 4 | Subject: [PATCH] squid: use serial-tests config needed by ptest |
5 | 5 | ||
6 | ptest needs buildtest-TESTS and runtest-TESTS targets. | 6 | ptest needs buildtest-TESTS and runtest-TESTS targets. |
@@ -10,22 +10,22 @@ Upstream-Status: Inappropriate [default automake behavior incompatible with ptes | |||
10 | 10 | ||
11 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | 11 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> |
12 | --- | 12 | --- |
13 | configure.ac | 2 +- | 13 | configure.ac | 2 +- |
14 | 1 files changed, 1 insertions(+), 1 deletions(-) | 14 | 1 file changed, 1 insertion(+), 1 deletion(-) |
15 | 15 | ||
16 | diff --git a/configure.ac b/configure.ac | 16 | diff --git a/configure.ac b/configure.ac |
17 | index 6f7171f..ab9b93e 100644 | 17 | index 05ad027..e324b93 100644 |
18 | --- a/configure.ac | 18 | --- a/configure.ac |
19 | +++ b/configure.ac | 19 | +++ b/configure.ac |
20 | @@ -3,7 +3,7 @@ AC_PREREQ(2.61) | 20 | @@ -10,7 +10,7 @@ AC_PREREQ(2.61) |
21 | AC_CONFIG_HEADERS([include/autoconf.h]) | 21 | AC_CONFIG_HEADERS([include/autoconf.h]) |
22 | AC_CONFIG_AUX_DIR(cfgaux) | 22 | AC_CONFIG_AUX_DIR(cfgaux) |
23 | AC_CONFIG_SRCDIR([src/main.cc]) | 23 | AC_CONFIG_SRCDIR([src/main.cc]) |
24 | -AM_INIT_AUTOMAKE([tar-ustar nostdinc]) | 24 | -AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects]) |
25 | +AM_INIT_AUTOMAKE([tar-ustar nostdinc serial-tests]) | 25 | +AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects serial-tests]) |
26 | AC_REVISION($Revision$)dnl | 26 | AC_REVISION($Revision$)dnl |
27 | AC_PREFIX_DEFAULT(/usr/local/squid) | 27 | AC_PREFIX_DEFAULT(/usr/local/squid) |
28 | AM_MAINTAINER_MODE | 28 | AM_MAINTAINER_MODE |
29 | -- | 29 | -- |
30 | 1.7.1 | 30 | 2.8.1 |
31 | 31 | ||
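--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -19,15 +19,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
 file://squid-use-serial-tests-config-needed-by-ptest.patch \
 file://run-ptest \
 file://volatiles.03_squid \
-file://CVE-2016-3947.patch \
-file://CVE-2016-4553.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
-file://errors/COPYRIGHT;md5=0fed8f1462f6fdbc62bb431bcb618f46 \
+file://errors/COPYRIGHT;md5=0d98c4448c368d146f31a970bb0ced21 \
 "
-SRC_URI[md5sum] = "06e43abc67aedcc3903a2780de20a3ed"
-SRC_URI[sha256sum] = "b7dcec8c5cb7f5687aff4256a7522f670c310a350cc9e9c0f29f3fd9cf88d017"
+SRC_URI[md5sum] = "6a29d7dfc544205001f7a75c6996dc60"
+SRC_URI[sha256sum] = "5a114f8f7f44b5ae3c9b77d7b81aef13fe69e7f530855213d551f48b157cb5f1"
 
 DEPENDS = "libtool krb5 openldap db cyrus-sasl"
 
@@ -75,6 +73,3 @@ FILES_${PN}-doc += "${datadir}/*.txt"
 
 RDEPENDS_${PN} += "perl"
 RDEPENDS_${PN}-ptest += "make"
-
-# http://errors.yoctoproject.org/Errors/Details/35128/
-PNBLACKLIST[squid] ?= "BROKEN: sysroots/qemuarm/usr/include/linux/in.h:28:16: error: redeclaration of 'IPPROTO_IP'"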
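Review bot: The `file://errors/COPYRIGHT` entry in `LIC_FILES_CHKSUM` gets a new md5 with no explanation of what changed in that file; the commit message covers only the blacklist, the CVE patches and the ptest rebase. A changed licence checksum means the upstream text was edited, so the reason should be recorded where reviewers can see it, for instance a commit-message line such as `License-Update: <what changed in errors/COPYRIGHT>`. The same section drops `CVE-2016-3947.patch` and `CVE-2016-4553.patch` from `SRC_URI`, which is only safe if the 3.5.20 tarball carries both fixes; the commit message states this, but it cannot be confirmed from this page, so naming the upstream release that fixed each CVE would make the removal auditable. The `SRC_URI` assignment begins outside the hunk and is truncated in the hunk header.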