2 files changed, 52 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
new file mode 100644
index 000000000..497ace444
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
+From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Mon, 23 May 2016 12:47:39 +0300
+Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
+Upstream-Status: Backport
+CVE: CVE-2016-4553
+When absolute-URI is provided Host header should be ignored. However some
+code still uses Host directly so normalize it using the URL authority
+value before doing any further request processing.
+For now preserve the case where Host is completely absent. That matters
+to the CVE-2009-0801 protection.
+This also has the desirable side effect of removing multiple or duplicate
+Host header entries, and invalid port values.
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/client_side.cc | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/src/client_side.cc b/src/client_side.cc
+index 8c41c21..36a27de 100644
+--- a/src/client_side.cc
+++ b/src/client_side.cc
+@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
+             clientProcessRequestFinished(conn, request);
+             return;
+         }
+
+        // when absolute-URI is provided Host header should be ignored. However
+        // some code still uses Host directly so normalize it.
+        // For now preserve the case where Host is completely absent. That matters.
+        if (request->header.has(HDR_HOST)) {
+            const char *host = request->header.getStr(HDR_HOST);
+            SBuf authority(request->GetHost());
+            if (request->port != urlDefaultPort(request->url.getScheme()))
+                authority.appendf(":%d", request->port);
+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
+            // URL authority overrides Host header
+            request->header.delById(HDR_HOST);
+            request->header.putStr(HDR_HOST, authority.c_str());
+        }
+     }
+ 
+     // Some blobs below are still HTTP-specific, but we would have to rewrite
+-- 
+2.7.4
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index e35aad7cf..93f69c1a1 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
           file://run-ptest \
           file://volatiles.03_squid \
           file://CVE-2016-3947.patch \
+           file://CVE-2016-4553.patch \
 "
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch new file mode 100644 index 000000000..497ace444 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
		1	From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
		2	From: Catalin Enache <catalin.enache@windriver.com>
		3	Date: Mon, 23 May 2016 12:47:39 +0300
		4	Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2016-4553
		8
		9	When absolute-URI is provided Host header should be ignored. However some
		10	code still uses Host directly so normalize it using the URL authority
		11	value before doing any further request processing.
		12
		13	For now preserve the case where Host is completely absent. That matters
		14	to the CVE-2009-0801 protection.
		15
		16	This also has the desirable side effect of removing multiple or duplicate
		17	Host header entries, and invalid port values.
		18
		19	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		20	---
		21	src/client_side.cc \| 14 ++++++++++++++
		22	1 file changed, 14 insertions(+)
		23
		24	diff --git a/src/client_side.cc b/src/client_side.cc
		25	index 8c41c21..36a27de 100644
		26	--- a/src/client_side.cc
		27	+++ b/src/client_side.cc
		28	@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData conn, HttpParser hp, ClientSocketContext *c
		29	clientProcessRequestFinished(conn, request);
		30	return;
		31	}
		32	+
		33	+ // when absolute-URI is provided Host header should be ignored. However
		34	+ // some code still uses Host directly so normalize it.
		35	+ // For now preserve the case where Host is completely absent. That matters.
		36	+ if (request->header.has(HDR_HOST)) {
		37	+ const char *host = request->header.getStr(HDR_HOST);
		38	+ SBuf authority(request->GetHost());
		39	+ if (request->port != urlDefaultPort(request->url.getScheme()))
		40	+ authority.appendf(":%d", request->port);
		41	+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
		42	+ // URL authority overrides Host header
		43	+ request->header.delById(HDR_HOST);
		44	+ request->header.putStr(HDR_HOST, authority.c_str());
		45	+ }
		46	}
		47
		48	// Some blobs below are still HTTP-specific, but we would have to rewrite
		49	--
		50	2.7.4
		51


diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb index e35aad7cf..93f69c1a1 100644 --- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb +++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
20	file://run-ptest \	20	file://run-ptest \
21	file://volatiles.03_squid \	21	file://volatiles.03_squid \
22	file://CVE-2016-3947.patch \	22	file://CVE-2016-3947.patch \
		23	file://CVE-2016-4553.patch \
23	"	24	"
24		25
25	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \	26	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \