- Add a patch to fix cross-compilation
- Fix the following CVEs:
- SQUID-2019:6 (CVE-2019-13345), Jul 12, 2019
Fixed from 4.8
Multiple Cross-Site Scripting issues in cachemgr.cgi
- SQUID-2019:5 (CVE-2019-12527), Jul 12, 2019
Fixed from 4.8
Heap Overflow issue in HTTP Basic Authentication processing
- SQUID-2019:3 (CVE-2019-12525), Jul 12, 2019
Fixed from 4.8
Denial of Service in HTTP Digest Authentication processing
- SQUID-2019:2 (CVE-2019-12529), Jul 12, 2019
Fixed from 4.8
Denial of Service in HTTP Basic Authentication processing
- SQUID-2019:1 (CVE-2019-12824), Jul 12, 2019
Fixed from 4.8
Denial of Service issue in cachemgr.cgi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since 4b0f891211
squid tries to find if latomic is needed through:
AC_SEARCH_LIBS([__atomic_load_8],[atomic],[ATOMICLIB="-latomic"],[])
However, this can fails on:
configure:21147: /home/fabrice/buildroot/output/host/bin/arc-buildroot-linux-gnu-g++ -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -matomic -Os -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g conftest.cpp -latomic >&5
conftest.cpp:55:6: error: new declaration 'char __atomic_load_8()' ambiguates built-in declaration 'long long unsigned int __atomic_load_8(const volatile void*, int)' [-fpermissive]
char __atomic_load_8 ();
^~~~~~~~~~~~~~~
conftest.cpp: In function 'int main()':
conftest.cpp:59:25: error: too few arguments to function 'long long unsigned int __atomic_load_8(const volatile void*, int)'
return __atomic_load_8 ();
So add -latomic to LIBS if BR2_TOOLCHAIN_HAS_LIBATOMIC is set
Fixes:
- http://autobuild.buildroot.org/results/13082cea836a12ac8bf85cbdb53a56a5d30c70b1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gnu atomics has been removed since version 3.5.27:
ddd4edb743
So remove squid_cv_gnu_atomics handling
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes SQUID-2018_4:
Due to incorrect input handling, Squid is vulnerable to a Cross-Site
Scripting vulnerability when generating HTTPS response messages about TLS
errors.
For more details, see the advisory:
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop get_certificate test avoidance patch; upstream made the test cross
compile friendly in commit 958ae827cabf (Fix cross-compile issues with
SSL_get_certificate())
Drop the patch adding <time.h>; the code does not call time() anymore.
Restore netfilter support under musl libc. Squid build fine with current
musl version.
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes build error
TextException.cc: In function 'std::ostream& CurrentException(std::ostream&)':
TextException.cc:64:9: error: 'current_exception' is not a member of 'std'
if (std::current_exception()) {
using this defconfig
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/armv5-ctng-linux-gnueabi.tar.xz"
BR2_TOOLCHAIN_EXTERNAL_CUSTOM_PREFIX="armv5-ctng-linux-gnueabi"
BR2_TOOLCHAIN_EXTERNAL_GCC_4_8=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_3_12=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_PACKAGE_GNUTLS=y
BR2_PACKAGE_OPENSSL=y
BR2_PACKAGE_LIBKRB5=y
According to http://www.squid-cache.org/Versions/v4/RELEASENOTES.html#ss1.1
squid-4.2 depends on C++11, but adding -std=c++11 did not fix the build
error.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The test doesn't make sense. It just exits without any error if the
binary doesn't exist, which is silly.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
SQUID-2018:1 Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
SQUID-2018:2 Due to incorrect pointer handling Squid is vulnerable to
denial of service attack when processing ESI responses or downloading
intermediate CA certificates.
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.
The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As all librt and libpthread functions are integrated into
libc for a while, workaround no longer required.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license strings as much as possible.
SPDX short identifier for GPLv2/GPLv2+ is GPL-2.0/GPL-2.0+.
This change is done by using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv2\>/GPL-2.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-4553 - Cache Poisoning issue in HTTP Request handling
CVE-2016-4554 - Header Smuggling issue in HTTP Request processing
CVE-2016-4555 - Multiple Denial of Service issues in ESI Response
processing (client_side_request.cc)
CVE-2016-4556 - Multiple Denial of Service issues in ESI Response
processing (Esi.cc)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
SQUID-2016:5 (CVE-2016-4051) - Buffer overflow in cachemgr.cgi
SQUID-2016:6 (CVE-2016-4052) - Multiple issues in ESI processing.
CVE-2016-4053 & CVE-2016-4054 which are part of SQUID-2016:6.
Switch to xz-compressed tarball as well.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that the libcap package has a patch that makes it build with
kernel headers < 3.0 (which was needed for the host variant of
libcap), there is no longer a need to have a dependency on headers >=
3.0 for the target variant of libcap.
All reverse dependencies of libcap are handled in this commit, except
lxc, which will be handled in a separate commit since it needs some
special solution.
The build of all those packages has been tested with a toolchain that
uses kernel headers 2.6.32, which is the oldest that our default glibc
version accepts to use.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
processing.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
squid can use the __sync built-ins when available, but uses an
AC_TRY_RUN autoconf tests to check their availability, which isn't
compatible with cross-compilation. Due to this, squid.mk is already
hinting the configure script about this by passing
squid_cv_gnu_atomics=yes/no depending on the availability of atomic
operations.
So far, squid.mk was assuming that BR2_ARCH_HAS_ATOMICS &&
BR2_ARCH_IS_64 was needed, since 8 bytes __sync built-ins are
used. However, this was a bit too restrictive, since certain 32 bits
architectures (ARM, x86) do provide 8 bytes __sync built-ins.
So, instead of using BR2_ARCH_HAS_ATOMICS, we now rely on
BR2_TOOLCHAIN_HAS_SYNC_4 and BR2_TOOLCHAIN_HAS_SYNC_8, since both 4
bytes and 8 bytes __sync built-ins are tested by the autoconf test.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Switch to bz2 tarball since there doesn't seem to be an xz release this
time around.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A new --without-gnutls option has been added to configure, so let's use
it in order to enable or disable gnutls support in squid.
Related:
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.6-RELEASENOTES.html#ss4.1
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
