diff -u -r -N squid-3.3.6/acinclude/lib-checks.m4 squid-3.3.7/acinclude/lib-checks.m4 --- squid-3.3.6/acinclude/lib-checks.m4 2013-07-01 16:02:11.000000000 +1200 +++ squid-3.3.7/acinclude/lib-checks.m4 2013-07-11 18:08:06.000000000 +1200 @@ -159,6 +159,37 @@ SQUID_STATE_ROLLBACK(check_SSL_get_certificate) ]) +dnl Checks whether the SSL_CTX_new and similar functions require +dnl a const 'SSL_METHOD *' argument +AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[ + AH_TEMPLATE(SQUID_USE_CONST_SSL_METHOD, "Define to 1 if the SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'") + SQUID_STATE_SAVE(check_const_SSL_METHOD) + AC_MSG_CHECKING(whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'") + + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [ + #include + #include + ], + [ + const SSL_METHOD *method = NULL; + SSL_CTX *sslContext = SSL_CTX_new(method); + return (sslContext != NULL); + ]) + ], + [ + AC_DEFINE(SQUID_USE_CONST_SSL_METHOD, 1) + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + ], + []) + +SQUID_STATE_ROLLBACK(check_const_SSL_METHOD) +] +) dnl Try to handle TXT_DB related problems: dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version @@ -167,11 +198,13 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[ AH_TEMPLATE(SQUID_SSLTXTDB_PSTRINGDATA, "Define to 1 if the TXT_DB uses OPENSSL_PSTRING data member") + AH_TEMPLATE(SQUID_STACKOF_PSTRINGDATA_HACK, "Define to 1 to use squid workaround for buggy versions of sk_OPENSSL_PSTRING_value") AH_TEMPLATE(SQUID_USE_SSLLHASH_HACK, "Define to 1 to use squid workaround for openssl IMPLEMENT_LHASH_* type conversion errors") SQUID_STATE_SAVE(check_TXTDB) LIBS="$LIBS $SSLLIB" + squid_cv_check_openssl_pstring="no" AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM( 
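Review bot: The AC_MSG_CHECKING argument in the new SQUID_CHECK_OPENSSL_CONST_SSL_METHOD ends with an unmatched double quote after `'const SSL_METHOD *'`; that character is not m4 quoting and is printed verbatim in the progress line (the regenerated configure later in this patch shows `require 'const SSL_METHOD *'\"`). Drop it: `AC_MSG_CHECKING(whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *')`. The probe only discriminates because it is compiled as C++ (the generated configure calls ac_fn_cxx_try_compile), where passing a `const SSL_METHOD *` to a non-const parameter is a hard error, whereas a C compiler typically only warns and the answer would then always be "yes"; a one-line `dnl` stating that this macro must run with AC_LANG set to C++ would keep a later reordering of the checks from silently changing the result.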
@@ -187,12 +220,36 @@ [ AC_DEFINE(SQUID_SSLTXTDB_PSTRINGDATA, 1) AC_MSG_RESULT([yes]) + squid_cv_check_openssl_pstring="yes" ], [ AC_MSG_RESULT([no]) ], []) + if test x"$squid_cv_check_openssl_pstring" = "xyes"; then + AC_MSG_CHECKING(whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [ + #include + ], + [ + TXT_DB *db = NULL; + const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, 0)); + return (current_row != NULL); + ]) + ], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1) + AC_MSG_RESULT([yes]) + ], + []) + fi + AC_MSG_CHECKING(whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM( diff -u -r -N squid-3.3.6/ChangeLog squid-3.3.7/ChangeLog --- squid-3.3.6/ChangeLog 2013-07-01 16:02:11.000000000 +1200 +++ squid-3.3.7/ChangeLog 2013-07-11 18:08:06.000000000 +1200 @@ -1,4 +1,10 @@ +Changes to squid-3.3.7 (11 Jul 2013): + + - Bug 3297: Fix openSSL related build failures + - Fix build on FreeBSD 9.x platform with clang + - Protect against buffer overrun in DNS query generation + Changes to squid-3.3.6 (01 Jul 2013): - Bug 3854: pt1: compile errors on AIX 
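Review bot: The new sk_OPENSSL_PSTRING_value probe defines SQUID_STACKOF_PSTRINGDATA_HACK whenever the test program fails to compile for any reason, so a missing OpenSSL include path or an unrelated header problem enables the workaround instead of surfacing the real failure, and the workaround's own `sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, ...))` form is never checked to compile at all. The failure branch should compile the CHECKED_STACK_OF form first and only then AC_DEFINE, reporting an error when neither form builds, as sketched below. The progress text `... should used` also wants `should be used` (the neighbouring IMPLEMENT_LHASH_ message in the context lines has the same wording, but that one predates this patch).
```m4
  ],[
    dnl … unchanged: AC_MSG_RESULT([no]) branch for the plain accessor …
  ],[
    dnl Plain accessor rejected: confirm the workaround form compiles before enabling it.
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([
        /* … same TXT_DB header include as the probe above … */
      ],[
        TXT_DB *db = NULL;
        const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), 0));
        return (current_row != NULL);
      ])
    ],[
      AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1)
      AC_MSG_RESULT([yes])
    ],[
      AC_MSG_RESULT([no])
      AC_MSG_ERROR([TXT_DB uses OPENSSL_PSTRING but neither accessor form compiles; check the OpenSSL headers and CPPFLAGS])
    ])
  ],[])
```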
@@ -104,6 +110,13 @@ - ... and many compile error fixes - ... and a very large amount of code polish for faster compilation +Changes to squid-3.2.12 (11 Jul 2013): + + - Protect against buffer overrun in DNS query generation + - Avoid !closing assertions when helpers call comm_read during reconfigure. + - Fix several minor memory leaks during reconfigure + - Remove origin_tries limiter on forwarding and permit large max_forward_tries values + Changes to squid-3.2.11 (30 Apr 2013): - Regression Bug 3839: build error: src/tools.h: No such file or directory diff -u -r -N squid-3.3.6/configure squid-3.3.7/configure --- squid-3.3.6/configure 2013-07-01 16:03:25.000000000 +1200 +++ squid-3.3.7/configure 2013-07-11 18:09:14.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.6. +# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.7. # # Report bugs to . # @@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.3.6' -PACKAGE_STRING='Squid Web Proxy 3.3.6' +PACKAGE_VERSION='3.3.7' +PACKAGE_STRING='Squid Web Proxy 3.3.7' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1570,7 +1570,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.3.6 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.3.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1640,7 +1640,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.3.6:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.3.7:";; esac cat <<\_ACEOF 
@@ -2014,7 +2014,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.3.6 +Squid Web Proxy configure 3.3.7 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -3110,7 +3110,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.3.6, which was +It was created by Squid Web Proxy $as_me 3.3.7, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3929,7 +3929,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.3.6' + VERSION='3.3.7' cat >>confdefs.h <<_ACEOF @@ -4337,6 +4337,7 @@ + # ============================================================================ # http://www.gnu.org/software/autoconf-archive/ax_cxx_compile_stdcxx_0x.html # ============================================================================ @@ -18598,7 +18599,8 @@ fi -if test "x$squid_host_os" = "xmingw"; then +case "$squid_host_os" in +mingw) # Extract the first word of "psapi.dll", so it can be a program name with args. set dummy psapi.dll; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 @@ -18655,7 +18657,16 @@ fi MINGW_LIBS="-lmingwex" -fi + ;; +freebsd) + # FreeBSD places local libraries and packages in /usr/local + CFLAGS="$CFLAGS -I/usr/local/include" + CXXFLAGS="$CXXFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib -Wl,-R/usr/local/lib" + ;; +*) + ;; +esac cat >>confdefs.h <<_ACEOF 
@@ -18791,12 +18802,6 @@
 mingw)
 SQUID_CFLAGS="$squid_cv_cc_option_wall -Wpointer-arith -Wwrite-strings -Wcomments"
 ;;
- freebsd)
- # FreeBSD places local libraries and packages in /usr/local
- CFLAGS="$CFLAGS -I/usr/local/include"
- CXXFLAGS="$CXXFLAGS -I/usr/local/include"
- LDFLAGS="$LDFLAGS -L/usr/local/lib -Wl,-R/usr/local/lib"
- ;;
 *)
 SQUID_CFLAGS="$squid_cv_cc_option_wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments"
 ;;
@@ -21177,6 +21182,91 @@ +# save state, key is check_const_SSL_METHOD +check_const_SSL_METHOD_CFLAGS="${CFLAGS}" +check_const_SSL_METHOD_CXXFLAGS="${CXXFLAGS}" +check_const_SSL_METHOD_LDFLAGS="${LDFLAGS}" +check_const_SSL_METHOD_LIBS="${LIBS}" +check_const_SSL_METHOD_CC="${CC}" +check_const_SSL_METHOD_CXX="${CXX}" +check_const_SSL_METHOD_squid_saved_vars="" +for squid_util_var_tosave in $check_const_SSL_METHOD_squid_saved_vars +do + squid_util_var_tosave2="check_const_SSL_METHOD_${squid_util_var_tosave}" + eval "${squid_util_var_tosave2}=\"${squid_util_var_tosave}\"" +done + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'\"" >&5 +$as_echo_n "checking whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'\"... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + + #include + #include + +int +main () +{ + + const SSL_METHOD *method = NULL; + SSL_CTX *sslContext = SSL_CTX_new(method); + return (sslContext != NULL); + + ; + return 0; +} + +_ACEOF +if ac_fn_cxx_try_compile "$LINENO"; then : + + $as_echo "#define SQUID_USE_CONST_SSL_METHOD 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + +# rollback state, key is check_const_SSL_METHOD +CFLAGS="${check_const_SSL_METHOD_CFLAGS}" +CXXFLAGS="${check_const_SSL_METHOD_CXXFLAGS}" +LDFLAGS="${check_const_SSL_METHOD_LDFLAGS}" +LIBS="${check_const_SSL_METHOD_LIBS}" +CC="${check_const_SSL_METHOD_CC}" +CXX="${check_const_SSL_METHOD_CXX}" +for squid_util_var_tosave in $check_const_SSL_METHOD_squid_saved_vars +do + squid_util_var_tosave2="\$check_const_SSL_METHOD_${squid_util_var_tosave}" + eval "$squid_util_var_tosave=\"${squid_util_var_tosave2}\"" +done + +# commit state, key 
is check_const_SSL_METHOD +unset check_const_SSL_METHOD_CFLAGS +unset check_const_SSL_METHOD_CXXFLAGS +unset check_const_SSL_METHOD_LDFLAGS +unset check_const_SSL_METHOD_LIBS +unset check_const_SSL_METHOD_CC +unset check_const_SSL_METHOD_CXX +for squid_util_var_tosave in $check_const_SSL_METHOD_squid_saved_vars +do + unset ${squid_util_var_tosave} +done + + + + + + + + # save state, key is check_TXTDB @@ -21195,6 +21285,7 @@ LIBS="$LIBS $SSLLIB" + squid_cv_check_openssl_pstring="no" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the TXT_DB use OPENSSL_PSTRING data member" >&5 $as_echo_n "checking whether the TXT_DB use OPENSSL_PSTRING data member... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -21222,6 +21313,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } + squid_cv_check_openssl_pstring="yes" else 
@@ -21231,6 +21323,44 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test x"$squid_cv_check_openssl_pstring" = "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used" >&5 +$as_echo_n "checking whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + + #include + +int +main () +{ + + TXT_DB *db = NULL; + const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, 0)); + return (current_row != NULL); + + ; + return 0; +} + +_ACEOF +if ac_fn_cxx_try_compile "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +else + + $as_echo "#define SQUID_STACKOF_PSTRINGDATA_HACK 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used" >&5 $as_echo_n "checking whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -31680,7 +31810,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.3.6, which was +This file was extended by Squid Web Proxy $as_me 3.3.7, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -31746,7 +31876,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.3.6 +Squid Web Proxy config.status 3.3.7 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.3.6/configure.ac squid-3.3.7/configure.ac --- squid-3.3.6/configure.ac 2013-07-01 16:03:25.000000000 +1200 +++ squid-3.3.7/configure.ac 2013-07-11 18:09:14.000000000 +1200 @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.3.6],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.3.7],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -185,7 +185,8 @@ [test "x$squid_host_os" = "xmingw" -o "x$squid_host_os" = "xcygwin"]) AM_CONDITIONAL(USE_IPC_WIN32,[test "x$squid_host_os" = "xmingw"]) -if test "x$squid_host_os" = "xmingw"; then +case "$squid_host_os" in +mingw) AC_PATH_PROG(WIN32_PSAPI, psapi.dll, none) CFLAGS="$CFLAGS -mthreads" CXXFLAGS="$CXXFLAGS -mthreads" @@ -198,7 +199,16 @@ fi MINGW_LIBS="-lmingwex" AC_SUBST(MINGW_LIBS) -fi + ;; +freebsd) + # FreeBSD places local libraries and packages in /usr/local + CFLAGS="$CFLAGS -I/usr/local/include" + CXXFLAGS="$CXXFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib -Wl,-R/usr/local/lib" + ;; +*) + ;; +esac dnl Substitutions AC_DEFINE_UNQUOTED(CONFIG_HOST_TYPE, "$host",[Host type from configure]) 
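Review bot: The relocated `freebsd)` arm in configure.ac carries no comment saying why it now runs here, ahead of the compiler and library probes, rather than beside the per-OS SQUID_CFLAGS selection it is removed from in the next hunk; presumably the OpenSSL checks need `-I/usr/local/include` and `-L/usr/local/lib` already in place, but that is inferred, not stated. A one-line comment such as `# must precede the compiler and library checks below so they see /usr/local` would record the ordering constraint for the next person who tidies this block. The empty `*) ;;` arm can be dropped, since `case` needs no default.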
@@ -319,12 +329,6 @@ dnl TODO: check if the problem will be present in any other newer MinGW release. SQUID_CFLAGS="$squid_cv_cc_option_wall -Wpointer-arith -Wwrite-strings -Wcomments" ;; - freebsd) - # FreeBSD places local libraries and packages in /usr/local - CFLAGS="$CFLAGS -I/usr/local/include" - CXXFLAGS="$CXXFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib -Wl,-R/usr/local/lib" - ;; *) SQUID_CFLAGS="$squid_cv_cc_option_wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments" ;; @@ -1262,6 +1266,7 @@ if test "x$with_openssl" = "xyes"; then SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS +SQUID_CHECK_OPENSSL_CONST_SSL_METHOD SQUID_CHECK_OPENSSL_TXTDB fi diff -u -r -N squid-3.3.6/helpers/basic_auth/DB/basic_db_auth.8 squid-3.3.7/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.3.6/helpers/basic_auth/DB/basic_db_auth.8 2013-07-01 16:28:41.000000000 +1200 +++ squid-3.3.7/helpers/basic_auth/DB/basic_db_auth.8 2013-07-11 18:34:17.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2013-06-30" "perl v5.10.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2013-07-11" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.3.6/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.3.7/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.3.6/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2013-07-01 16:28:43.000000000 +1200 +++ squid-3.3.7/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2013-07-11 18:34:19.000000000 +1200 
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2013-06-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2013-07-11" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.6/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.3.7/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.3.6/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-07-01 16:28:43.000000000 +1200
+++ squid-3.3.7/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-07-11 18:34:20.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-06-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-07-11" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.6/helpers/log_daemon/DB/log_db_daemon.8 squid-3.3.7/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.3.6/helpers/log_daemon/DB/log_db_daemon.8 2013-07-01 16:28:43.000000000 +1200
+++ squid-3.3.7/helpers/log_daemon/DB/log_db_daemon.8 2013-07-11 18:34:20.000000000 +1200
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 1" -.TH LOG_DB_DAEMON 1 "2013-06-30" "perl v5.10.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 1 "2013-07-11" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.3.6/include/autoconf.h.in squid-3.3.7/include/autoconf.h.in --- squid-3.3.6/include/autoconf.h.in 2013-07-01 16:02:37.000000000 +1200 +++ squid-3.3.7/include/autoconf.h.in 2013-07-11 18:08:28.000000000 +1200 @@ -1214,12 +1214,20 @@ /* "Define to 1 if the TXT_DB uses OPENSSL_PSTRING data member" */ #undef SQUID_SSLTXTDB_PSTRINGDATA +/* "Define to 1 to use squid workaround for buggy versions of + sk_OPENSSL_PSTRING_value" */ +#undef SQUID_STACKOF_PSTRINGDATA_HACK + /* TCP receive buffer size */ #undef SQUID_TCP_SO_RCVBUF /* TCP send buffer size */ #undef SQUID_TCP_SO_SNDBUF +/* "Define to 1 if the SSL_CTX_new and similar openSSL API functions require + 'const SSL_METHOD *'" */ +#undef SQUID_USE_CONST_SSL_METHOD + /* "Define to 1 to use squid workaround for SSL_get_certificate" */ #undef SQUID_USE_SSLGETCERTIFICATE_HACK diff -u -r -N squid-3.3.6/include/version.h squid-3.3.7/include/version.h --- squid-3.3.6/include/version.h 2013-07-01 16:03:25.000000000 +1200 +++ squid-3.3.7/include/version.h 2013-07-11 18:09:14.000000000 +1200 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1372651329 +#define SQUID_RELEASE_TIME 1373522872 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.3.6/RELEASENOTES.html squid-3.3.7/RELEASENOTES.html --- squid-3.3.6/RELEASENOTES.html 2013-07-01 16:28:50.000000000 +1200 +++ squid-3.3.7/RELEASENOTES.html 2013-07-11 18:34:27.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 3.3.6 release notes + Squid 3.3.7 release notes -

Squid 3.3.6 release notes

+

Squid 3.3.7 release notes

Squid Developers


@@ -56,7 +56,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.3.6.

+

The Squid Team are pleased to announce the release of Squid-3.3.7.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.3/ or the mirrors.

diff -u -r -N squid-3.3.6/src/dns_internal.cc squid-3.3.7/src/dns_internal.cc --- squid-3.3.6/src/dns_internal.cc 2013-07-01 16:02:11.000000000 +1200 +++ squid-3.3.7/src/dns_internal.cc 2013-07-11 18:08:06.000000000 +1200 @@ -1667,23 +1667,29 @@ void idnsALookup(const char *name, IDNSCB * callback, void *data) { - unsigned int i; - int nd = 0; - idns_query *q; + size_t nameLength = strlen(name); + + // Prevent buffer overflow on q->name + if (nameLength > NS_MAXDNAME) { + debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details."); + callback(data, NULL, 0, "Internal error"); + return; + } if (idnsCachedLookup(name, callback, data)) return; - q = cbdataAlloc(idns_query); + idns_query *q = cbdataAlloc(idns_query); // idns_query is POD so no constructors are called after allocation q->xact_id.change(); q->query_id = idnsQueryID(); - for (i = 0; i < strlen(name); ++i) + int nd = 0; + for (unsigned int i = 0; i < nameLength; ++i) if (name[i] == '.') ++nd; - if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') { + if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') { q->do_searchpath = 1; } else { q->do_searchpath = 0; diff -u -r -N squid-3.3.6/src/ssl/certificate_db.cc squid-3.3.7/src/ssl/certificate_db.cc --- squid-3.3.6/src/ssl/certificate_db.cc 2013-07-01 16:02:11.000000000 +1200 +++ squid-3.3.7/src/ssl/certificate_db.cc 2013-07-11 18:08:06.000000000 +1200 @@ -167,7 +167,11 @@ #if SQUID_SSLTXTDB_PSTRINGDATA for (int i = 0; i < sk_OPENSSL_PSTRING_num(db->data); ++i) { +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i)); +#else const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, i)); +#endif #else for (int i = 0; i < sk_num(db->data); ++i) { const char ** current_row = ((const char **)sk_value(db->data, i)); 
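Review bot: The new length guard in idnsALookup rejects only over-long names, so a zero-length `name` still reaches `name[nameLength-1]` later in the hunk, where `nameLength-1` wraps and indexes outside the string (a pre-existing read that this guard is the natural place to close); `if (nameLength == 0 || nameLength > NS_MAXDNAME) {` covers both cases. Whether `>` is the right comparison depends on whether `q->name` is sized NS_MAXDNAME or NS_MAXDNAME+1 — that declaration is outside this hunk, so confirm a name of exactly NS_MAXDNAME characters still leaves room for the terminating NUL. The caller is told only `"Internal error"`, which hides the cause from whatever records that string; a specific text such as `"DNS name too long"` would make the access.log entry the debugs() message points at self-explanatory. `i` is still `unsigned int` against the new `size_t nameLength` bound; `for (size_t i = 0; i < nameLength; ++i)` keeps the loop's types consistent. idnsALookup continues past the end of this hunk.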
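Review bot: The three-way `#if SQUID_SSLTXTDB_PSTRINGDATA` / `#if SQUID_STACKOF_PSTRINGDATA_HACK` selection of the row accessor is now pasted into four loops of certificate_db.cc — here, and in deleteInvalidCertificate, deleteOldestCertificate and deleteByHostname in the later hunks — so the next OpenSSL stack-API change has to be applied in four places. A file-local helper taking the `TXT_DB *` hides the choice, and each loop body becomes `const char ** current_row = sq_txt_db_row(db, i);` (or `db.get()` in the std::auto_ptr-style callers); the `sk_OPENSSL_PSTRING_num`/`sk_num` loop bound would still need its own `#if` or a sibling helper. The function enclosing this hunk starts and ends outside it.
```cpp
// Row i of a TXT_DB as a const char **, hiding which OpenSSL stack accessor
// this build has (see SQUID_SSLTXTDB_PSTRINGDATA / SQUID_STACKOF_PSTRINGDATA_HACK).
static const char **
sq_txt_db_row(TXT_DB *db, int i)
{
#if SQUID_SSLTXTDB_PSTRINGDATA
#if SQUID_STACKOF_PSTRINGDATA_HACK
    return (const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i);
#else
    return (const char **)sk_OPENSSL_PSTRING_value(db->data, i);
#endif
#else
    return (const char **)sk_value(db->data, i);
#endif
}

// … unchanged: the loop header with its own SQUID_SSLTXTDB_PSTRINGDATA #if …
        const char ** current_row = sq_txt_db_row(db, i);
```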
@@ -180,8 +184,7 @@ } #define countof(arr) (sizeof(arr)/sizeof(*arr)) -void Ssl::CertificateDb::sq_TXT_DB_delete_row(TXT_DB *db, int idx) -{ +void Ssl::CertificateDb::sq_TXT_DB_delete_row(TXT_DB *db, int idx) { char **rrow; #if SQUID_SSLTXTDB_PSTRINGDATA rrow = (char **)sk_OPENSSL_PSTRING_delete(db->data, idx); @@ -209,29 +212,25 @@ } } -unsigned long Ssl::CertificateDb::index_serial_hash(const char **a) -{ +unsigned long Ssl::CertificateDb::index_serial_hash(const char **a) { const char *n = a[Ssl::CertificateDb::cnlSerial]; while (*n == '0') ++n; return lh_strhash(n); } -int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) -{ +int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) { const char *aa, *bb; for (aa = a[Ssl::CertificateDb::cnlSerial]; *aa == '0'; ++aa); for (bb = b[Ssl::CertificateDb::cnlSerial]; *bb == '0'; ++bb); return strcmp(aa, bb); } -unsigned long Ssl::CertificateDb::index_name_hash(const char **a) -{ +unsigned long Ssl::CertificateDb::index_name_hash(const char **a) { return(lh_strhash(a[Ssl::CertificateDb::cnlName])); } -int Ssl::CertificateDb::index_name_cmp(const char **a, const char **b) -{ +int Ssl::CertificateDb::index_name_cmp(const char **a, const char **b) { return(strcmp(a[Ssl::CertificateDb::cnlName], b[CertificateDb::cnlName])); } 
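Review bot: This hunk and the remaining certificate_db.cc hunks through IsEnabledDiskStore change nothing but the placement of each function's opening `{`, moving it from its own line onto the signature line, which is unrelated to the accessor fix this release is about and departs from the style the file used before the patch. Whitespace-only churn of this size makes the one real change in the file (the CHECKED_STACK_OF fallback) hard to spot and to backport; if the new placement is wanted it should arrive through the project's formatter as its own commit.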
@@ -248,23 +247,20 @@ max_db_size(aMax_db_size), fs_block_size(aFs_block_size), dbLock(db_full), - enabled_disk_store(true) -{ + enabled_disk_store(true) { if (db_path.empty() && !max_db_size) enabled_disk_store = false; else if ((db_path.empty() && max_db_size) || (!db_path.empty() && !max_db_size)) throw std::runtime_error("ssl_crtd is missing the required parameter. There should be -s and -M parameters together."); } -bool Ssl::CertificateDb::find(std::string const & host_name, Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey) -{ +bool Ssl::CertificateDb::find(std::string const & host_name, Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey) { const Locker locker(dbLock, Here); load(); return pure_find(host_name, cert, pkey); } -bool Ssl::CertificateDb::purgeCert(std::string const & key) -{ +bool Ssl::CertificateDb::purgeCert(std::string const & key) { const Locker locker(dbLock, Here); load(); if (!db) @@ -277,8 +273,7 @@ return true; } -bool Ssl::CertificateDb::addCertAndPrivateKey(Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey, std::string const & useName) -{ +bool Ssl::CertificateDb::addCertAndPrivateKey(Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey, std::string const & useName) { const Locker locker(dbLock, Here); load(); if (!db || !cert || !pkey) @@ -363,8 +358,7 @@ return true; } -void Ssl::CertificateDb::create(std::string const & db_path) -{ +void Ssl::CertificateDb::create(std::string const & db_path) { if (db_path == "") throw std::runtime_error("Path to db is empty"); std::string db_full(db_path + "/" + db_file); 
@@ -387,14 +381,12 @@ throw std::runtime_error("Cannot open " + db_full + " to open"); } -void Ssl::CertificateDb::check(std::string const & db_path, size_t max_db_size) -{ +void Ssl::CertificateDb::check(std::string const & db_path, size_t max_db_size) { CertificateDb db(db_path, max_db_size, 0); db.load(); } -bool Ssl::CertificateDb::pure_find(std::string const & host_name, Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey) -{ +bool Ssl::CertificateDb::pure_find(std::string const & host_name, Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey) { if (!db) return false; @@ -416,23 +408,19 @@ return true; } -size_t Ssl::CertificateDb::size() const -{ +size_t Ssl::CertificateDb::size() const { return readSize(); } -void Ssl::CertificateDb::addSize(std::string const & filename) -{ +void Ssl::CertificateDb::addSize(std::string const & filename) { writeSize(readSize() + getFileSize(filename)); } -void Ssl::CertificateDb::subSize(std::string const & filename) -{ +void Ssl::CertificateDb::subSize(std::string const & filename) { writeSize(readSize() - getFileSize(filename)); } -size_t Ssl::CertificateDb::readSize() const -{ +size_t Ssl::CertificateDb::readSize() const { std::ifstream size_file(size_full.c_str()); if (!size_file && enabled_disk_store) throw std::runtime_error("cannot open for reading: " + size_full); 
@@ -442,24 +430,21 @@ return db_size; } -void Ssl::CertificateDb::writeSize(size_t db_size) -{ +void Ssl::CertificateDb::writeSize(size_t db_size) { std::ofstream size_file(size_full.c_str()); if (!size_file && enabled_disk_store) throw std::runtime_error("cannot write \"" + size_full + "\" file"); size_file << db_size; } -size_t Ssl::CertificateDb::getFileSize(std::string const & filename) -{ +size_t Ssl::CertificateDb::getFileSize(std::string const & filename) { std::ifstream file(filename.c_str(), std::ios::binary); file.seekg(0, std::ios_base::end); size_t file_size = file.tellg(); return ((file_size + fs_block_size - 1) / fs_block_size) * fs_block_size; } -void Ssl::CertificateDb::load() -{ +void Ssl::CertificateDb::load() { // Load db from file. Ssl::BIO_Pointer in(BIO_new(BIO_s_file())); if (!in || BIO_read_filename(in.get(), db_full.c_str()) <= 0) @@ -483,8 +468,7 @@ db.reset(temp_db.release()); } -void Ssl::CertificateDb::save() -{ +void Ssl::CertificateDb::save() { if (!db) throw std::runtime_error("The certificates database is not loaded");; @@ -498,8 +482,7 @@ } // Normally defined in defines.h file -void Ssl::CertificateDb::deleteRow(const char **row, int rowIndex) -{ +void Ssl::CertificateDb::deleteRow(const char **row, int rowIndex) { const std::string filename(cert_full + "/" + row[cnlSerial] + ".pem"); sq_TXT_DB_delete_row(db.get(), rowIndex); 
@@ -509,15 +492,18 @@ throw std::runtime_error("Failed to remove certficate file " + filename + " from db"); } -bool Ssl::CertificateDb::deleteInvalidCertificate() -{ +bool Ssl::CertificateDb::deleteInvalidCertificate() { if (!db) return false; bool removed_one = false; #if SQUID_SSLTXTDB_PSTRINGDATA for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) { +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i)); +#else const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i)); +#endif #else for (int i = 0; i < sk_num(db.get()->data); ++i) { const char ** current_row = ((const char **)sk_value(db.get()->data, i)); @@ -535,8 +521,7 @@ return true; } -bool Ssl::CertificateDb::deleteOldestCertificate() -{ +bool Ssl::CertificateDb::deleteOldestCertificate() { if (!db) return false; @@ -548,7 +533,11 @@ return false; #if SQUID_SSLTXTDB_PSTRINGDATA +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char **row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), 0)); +#else const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0); +#endif #else const char **row = (const char **)sk_value(db.get()->data, 0); #endif @@ -558,14 +547,17 @@ return true; } -bool Ssl::CertificateDb::deleteByHostname(std::string const & host) -{ +bool Ssl::CertificateDb::deleteByHostname(std::string const & host) { if (!db) return false; #if SQUID_SSLTXTDB_PSTRINGDATA for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) { +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i)); +#else const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i)); +#endif #else for (int i = 0; i < sk_num(db.get()->data); ++i) { const char ** current_row = ((const char **)sk_value(db.get()->data, i)); 
@@ -578,7 +570,6 @@ return false; } -bool Ssl::CertificateDb::IsEnabledDiskStore() const -{ +bool Ssl::CertificateDb::IsEnabledDiskStore() const { return enabled_disk_store; } diff -u -r -N squid-3.3.6/src/ssl/gadgets.h squid-3.3.7/src/ssl/gadgets.h --- squid-3.3.6/src/ssl/gadgets.h 2013-07-01 16:02:11.000000000 +1200 +++ squid-3.3.7/src/ssl/gadgets.h 2013-07-11 18:08:06.000000000 +1200 @@ -26,10 +26,10 @@ because they are used by ssl_crtd. */ -#if OPENSSL_VERSION_NUMBER < 0x00909000L -typedef SSL_METHOD * ContextMethod; -#else +#if SQUID_USE_CONST_SSL_METHOD typedef const SSL_METHOD * ContextMethod; +#else +typedef SSL_METHOD * ContextMethod; #endif /** diff -u -r -N squid-3.3.6/src/ssl/support.cc squid-3.3.7/src/ssl/support.cc --- squid-3.3.6/src/ssl/support.cc 2013-07-01 16:02:11.000000000 +1200 +++ squid-3.3.7/src/ssl/support.cc 2013-07-11 18:08:06.000000000 +1200 @@ -940,12 +940,8 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) { int ssl_error; -#if OPENSSL_VERSION_NUMBER < 0x00909000L - SSL_METHOD *method; -#else - const SSL_METHOD *method; -#endif - SSL_CTX *sslContext; + Ssl::ContextMethod method; + SSL_CTX * sslContext; long fl = Ssl::parse_flags(flags); ssl_initialize();
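Review bot: `Ssl::ContextMethod method;` and `SSL_CTX * sslContext;` in sslCreateClientContext are left uninitialised; the code that assigns them is outside this hunk, so if any path through the version selection leaves `method` unset, the pointer presumably handed to SSL_CTX_new is indeterminate — confirm against the rest of the function, or write `Ssl::ContextMethod method = NULL;` and `SSL_CTX * sslContext = NULL;` so a missed assignment fails as a deterministic NULL rather than undefined behaviour. Routing the const-ness through the `Ssl::ContextMethod` typedef rather than a second OPENSSL_VERSION_NUMBER test keeps that decision in one place (gadgets.h), which is the right direction. sslCreateClientContext continues past the end of this hunk.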