* [Buildroot] [PATCH 1/2] squid: bump version to 3.5.27
@ 2018-01-22 15:13 Peter Korsgaard
  2018-01-22 15:13 ` [Buildroot] [PATCH 2/2] squid: add upstream post-3.5.27 security patches Peter Korsgaard
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2018-01-22 15:13 UTC (permalink / raw)
  To: buildroot

And add a hash for the license files.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/squid/squid.hash | 8 +++++---
 package/squid/squid.mk   | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/package/squid/squid.hash b/package/squid/squid.hash
index 91ba9e6fc4..8787cb25ef 100644
--- a/package/squid/squid.hash
+++ b/package/squid/squid.hash
@@ -1,3 +1,5 @@
-# From http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.26.tar.xz.asc
-md5 510e2c84773879c00d0e7ced997864d9  squid-3.5.26.tar.xz
-sha1 51a664217957b35de8b7fae180b9f93a759a4204  squid-3.5.26.tar.xz
+# From http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.xz.asc
+md5 39ef8199675d48a314b540f92c00c545 squid-3.5.27.tar.xz
+sha1 1e69c96d13cd49844da3bcf33a0b428fbe7b6f77 squid-3.5.27.tar.xz
+# Locally calculated
+sha256 58f5d05257af1fb964fde20e134d660fac9afa86b6fd8c70d63ead63068378fa COPYING
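
Review bot: The new squid-3.5.27.tar.xz entries are md5 and sha1 only, while the single sha256 line in this hunk covers COPYING, so the tarball itself has no strong hash. A `# Locally calculated` section is being added anyway, so add a sha256 line for squid-3.5.27.tar.xz there as well. The added md5 and sha1 lines also use one space between hash and filename where the removed lines used two; keep the separator consistent.
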
diff --git a/package/squid/squid.mk b/package/squid/squid.mk
index d334d14c88..8ade55ee37 100644
--- a/package/squid/squid.mk
+++ b/package/squid/squid.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 SQUID_VERSION_MAJOR = 3.5
-SQUID_VERSION = $(SQUID_VERSION_MAJOR).26
+SQUID_VERSION = $(SQUID_VERSION_MAJOR).27
 SQUID_SOURCE = squid-$(SQUID_VERSION).tar.xz
 SQUID_SITE = http://www.squid-cache.org/Versions/v3/$(SQUID_VERSION_MAJOR)
 SQUID_LICENSE = GPL-2.0+
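
Review bot: The SQUID_SITE context line just below the bumped SQUID_VERSION still fetches over plain http://, so the download of squid-$(SQUID_VERSION).tar.xz is protected only by what squid.hash lists for it. If upstream serves the same path over HTTPS, switch SQUID_SITE as part of this bump; otherwise note in the commit message that integrity rests on the hash file alone.
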
-- 
2.11.0

* [Buildroot] [PATCH 2/2] squid: add upstream post-3.5.27 security patches
  2018-01-22 15:13 [Buildroot] [PATCH 1/2] squid: bump version to 3.5.27 Peter Korsgaard
@ 2018-01-22 15:13 ` Peter Korsgaard
  2018-01-22 16:08   ` Baruch Siach
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2018-01-22 15:13 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

SQUID-2018:1 Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.

http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

SQUID-2018:2 Due to incorrect pointer handling Squid is vulnerable to
denial of service attack when processing ESI responses or downloading
intermediate CA certificates.

http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/squid/squid.hash | 2 ++
 package/squid/squid.mk   | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/package/squid/squid.hash b/package/squid/squid.hash
index 8787cb25ef..89955eb4ad 100644
--- a/package/squid/squid.hash
+++ b/package/squid/squid.hash
@@ -3,3 +3,5 @@ md5 39ef8199675d48a314b540f92c00c545 squid-3.5.27.tar.xz
 sha1 1e69c96d13cd49844da3bcf33a0b428fbe7b6f77 squid-3.5.27.tar.xz
 # Locally calculated
 sha256 58f5d05257af1fb964fde20e134d660fac9afa86b6fd8c70d63ead63068378fa COPYING
+sha256 a85bac80f9bf0b389a0b0fe24630eda59a4fbaf6a1b398ba2f57d5799662fb6e eb2db98a676321b814fc4a51c4fb7928a8bb45d9.patch
+sha256 78a44073ebd68c9c8c05bb590690ba57b5eaf6ee0465a06fcad82dba65612f60 8232b83d3fa47a1399f155cb829db829369fbae9.patch
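
Review bot: The two added sha256 lines identify the patches only by commit id, so nothing in squid.hash says which of SQUID-2018:1 and SQUID-2018:2 each one fixes or where the file came from. Add a comment line above them naming the advisory and the source URL, so they are easy to drop when a release containing the fixes is packaged; as written they sit under `# Locally calculated` with no origin noted.
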
diff --git a/package/squid/squid.mk b/package/squid/squid.mk
index 8ade55ee37..b088766470 100644
--- a/package/squid/squid.mk
+++ b/package/squid/squid.mk
@@ -12,6 +12,9 @@ SQUID_LICENSE = GPL-2.0+
 SQUID_LICENSE_FILES = COPYING
 # For 0001-assume-get-certificate-ok.patch
 SQUID_AUTORECONF = YES
+SQUID_PATCH = \
+	https://github.com/squid-cache/squid/commit/eb2db98a676321b814fc4a51c4fb7928a8bb45d9.patch \
+	https://github.com/squid-cache/squid/commit/8232b83d3fa47a1399f155cb829db829369fbae9.patch
 SQUID_DEPENDENCIES = libcap host-libcap host-pkgconf \
 	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
 SQUID_CONF_ENV = \
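
Review bot: SQUID_PATCH points at GitHub commit .patch URLs, which are generated on request rather than stored as release files, so their bytes can change later and the sha256 entries added to squid.hash would then fail the download. Ship the two fixes as patch files inside package/squid instead, which also removes the build's dependency on GitHub being reachable.
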
-- 
2.11.0

* [Buildroot] [PATCH 2/2] squid: add upstream post-3.5.27 security patches
  2018-01-22 15:13 ` [Buildroot] [PATCH 2/2] squid: add upstream post-3.5.27 security patches Peter Korsgaard
@ 2018-01-22 16:08   ` Baruch Siach
  2018-01-22 16:57     ` Peter Korsgaard
  0 siblings, 1 reply; 4+ messages in thread
From: Baruch Siach @ 2018-01-22 16:08 UTC (permalink / raw)
  To: buildroot

Hi Peter,

On Mon, Jan 22, 2018 at 04:13:39PM +0100, Peter Korsgaard wrote:
> --- a/package/squid/squid.mk
> +++ b/package/squid/squid.mk
> @@ -12,6 +12,9 @@ SQUID_LICENSE = GPL-2.0+
>  SQUID_LICENSE_FILES = COPYING
>  # For 0001-assume-get-certificate-ok.patch
>  SQUID_AUTORECONF = YES
> +SQUID_PATCH = \
> +	https://github.com/squid-cache/squid/commit/eb2db98a676321b814fc4a51c4fb7928a8bb45d9.patch \
> +	https://github.com/squid-cache/squid/commit/8232b83d3fa47a1399f155cb829db829369fbae9.patch

Didn't we stop fetching patches from github because they might break the hash 
in the future? See for example commit bbbe00ea35dd2133 (trinity: don't 
download patches from Github).

>  SQUID_DEPENDENCIES = libcap host-libcap host-pkgconf \
>  	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
>  SQUID_CONF_ENV = \
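
Review bot: The context comment `# For 0001-assume-get-certificate-ok.patch` in this hunk shows the package already carries a local numbered patch, so the two upstream commits can be added the same way, numbered after it, rather than through SQUID_PATCH. With that change the two .patch sha256 lines in squid.hash would have nothing left to check and should be dropped in the same resend.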

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -

* [Buildroot] [PATCH 2/2] squid: add upstream post-3.5.27 security patches
  2018-01-22 16:08   ` Baruch Siach
@ 2018-01-22 16:57     ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-01-22 16:57 UTC (permalink / raw)
  To: buildroot

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Hi Peter,
 > On Mon, Jan 22, 2018 at 04:13:39PM +0100, Peter Korsgaard wrote:
 >> --- a/package/squid/squid.mk
 >> +++ b/package/squid/squid.mk
 >> @@ -12,6 +12,9 @@ SQUID_LICENSE = GPL-2.0+
 >> SQUID_LICENSE_FILES = COPYING
 >> # For 0001-assume-get-certificate-ok.patch
 >> SQUID_AUTORECONF = YES
 >> +SQUID_PATCH = \
 >> +	https://github.com/squid-cache/squid/commit/eb2db98a676321b814fc4a51c4fb7928a8bb45d9.patch \
 >> +	https://github.com/squid-cache/squid/commit/8232b83d3fa47a1399f155cb829db829369fbae9.patch

 > Didn't we stop fetching patches from github because they might break the hash 
 > in the future? See for example commit bbbe00ea35dd2133 (trinity: don't 
 > download patches from Github).

Hmm, correct - I'll include them in package/squid and resend, thanks!

-- 
Bye, Peter Korsgaard
