diff -Nru squid-4.8/debian/changelog squid-4.8/debian/changelog --- squid-4.8/debian/changelog 2020-02-19 17:47:31.000000000 +0000 +++ squid-4.8/debian/changelog 2020-05-07 13:25:08.000000000 +0000 @@ -1,3 +1,23 @@ +squid (4.8-1ubuntu2.3) eoan-security; urgency=medium + + * SECURITY UPDATE: multiple ESI issues + - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, + src/esi/Esi.h, src/esi/Expression.cc. + - CVE-2019-12519 + - CVE-2019-12521 + * SECURITY UPDATE: hostname parameter mishandling in cachemgr.cgi + - debian/patches/CVE-2019-18860.patch: add validation for hostname + parameter in src/base/CharacterSet.cc, tools/Makefile.am, + tools/cachemgr.cc. + - CVE-2019-18860 + * SECURITY UPDATE: Digest Authentication nonce replay issue + - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer + overflow in src/auth/digest/Config.cc. + - CVE-2020-11945 + + -- Marc Deslauriers Thu, 07 May 2020 09:25:08 -0400 + squid (4.8-1ubuntu2.2) eoan-security; urgency=medium * SECURITY UPDATE: info disclosure via FTP server diff -Nru squid-4.8/debian/patches/CVE-2019-12519_12521.patch squid-4.8/debian/patches/CVE-2019-12519_12521.patch --- squid-4.8/debian/patches/CVE-2019-12519_12521.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.8/debian/patches/CVE-2019-12519_12521.patch 2020-05-07 13:24:52.000000000 +0000 @@ -0,0 +1,296 @@ +commit fdd4123629320aa1ee4c3481bb392437c90d188d +Author: Amos Jeffries +Date: 2019-05-20 11:23:13 +0000 + + ESI: convert parse exceptions into 500 status response (#411) + + Produce a valid HTTP 500 status reply and continue operations when + ESI parser throws an exception. This will prevent incomplete ESI + responses reaching clients on server errors. Such responses might + have been cacheable and thus corrupted, albeit corrupted consistently + and at source by the reverse-proxy delivering them. + + ESI: throw on large stack recursions (#408) + + This reduces the impact on concurrent clients to only those + accessing the malformed resource. + + Depending on what type of recursion is being performed the + resource may appear to the client with missing segments, or + not at all. + +diff --git a/src/esi/Context.h b/src/esi/Context.h +index f3281a1..1b08cfb 100644 +--- a/src/esi/Context.h ++++ b/src/esi/Context.h +@@ -12,6 +12,7 @@ + #include "clientStream.h" + #include "err_type.h" + #include "esi/Element.h" ++#include "esi/Esi.h" + #include "esi/Parser.h" + #include "http/forward.h" + #include "http/StatusCode.h" +@@ -113,7 +114,7 @@ public: + { + + public: +- ESIElement::Pointer stack[10]; /* a stack of esi elements that are open */ ++ ESIElement::Pointer stack[ESI_STACK_DEPTH_LIMIT]; /* a stack of esi elements that are open */ + int stackdepth; /* self explanatory */ + ESIParser::Pointer theParser; + ESIElement::Pointer top(); +diff --git a/src/esi/Esi.cc b/src/esi/Esi.cc +index cc662c4..e41d593 100644 +--- a/src/esi/Esi.cc ++++ b/src/esi/Esi.cc +@@ -29,6 +29,7 @@ + #include "esi/Expression.h" + #include "esi/Segment.h" + #include "esi/VarState.h" ++#include "FadingCounter.h" + #include "fatal.h" + #include "http/Stream.h" + #include "HttpHdrSc.h" +@@ -930,13 +931,18 @@ void + ESIContext::addStackElement (ESIElement::Pointer element) + { + /* Put on the stack to allow skipping of 'invalid' markup */ +- assert (parserState.stackdepth <11); ++ ++ // throw an error if the stack location would be invalid ++ if (parserState.stackdepth >= ESI_STACK_DEPTH_LIMIT) ++ throw Esi::Error("ESI Too many nested elements"); ++ if (parserState.stackdepth < 0) ++ throw Esi::Error("ESI elements stack error, probable error in ESI template"); ++ + assert (!failed()); + debugs(86, 5, "ESIContext::addStackElement: About to add ESI Node " << element.getRaw()); + + if (!parserState.top()->addElement(element)) { +- debugs(86, DBG_IMPORTANT, "ESIContext::addStackElement: failed to add esi node, probable error in ESI template"); +- flags.error = 1; ++ throw Esi::Error("ESIContext::addStackElement failed, probable error in ESI template"); + } else { + /* added ok, push onto the stack */ + parserState.stack[parserState.stackdepth] = element; +@@ -1188,13 +1194,10 @@ ESIContext::addLiteral (const char *s, int len) + assert (len); + debugs(86, 5, "literal length is " << len); + /* give a literal to the current element */ +- assert (parserState.stackdepth <11); + ESIElement::Pointer element (new esiLiteral (this, s, len)); + +- if (!parserState.top()->addElement(element)) { +- debugs(86, DBG_IMPORTANT, "ESIContext::addLiteral: failed to add esi node, probable error in ESI template"); +- flags.error = 1; +- } ++ if (!parserState.top()->addElement(element)) ++ throw Esi::Error("ESIContext::addLiteral failed, probable error in ESI template"); + } + + void +@@ -1256,8 +1259,24 @@ ESIContext::parse() + + PROF_start(esiParsing); + +- while (buffered.getRaw() && !flags.error) +- parseOneBuffer(); ++ try { ++ while (buffered.getRaw() && !flags.error) ++ parseOneBuffer(); ++ ++ } catch (Esi::ErrorDetail &errMsg) { // FIXME: non-const for c_str() ++ // level-2: these are protocol/syntax errors from upstream ++ debugs(86, 2, "WARNING: ESI syntax error: " << errMsg); ++ setError(); ++ setErrorMessage(errMsg.c_str()); ++ ++ } catch (...) { ++ // DBG_IMPORTANT because these are local issues the admin needs to fix ++ static FadingCounter logEntries; // TODO: set horizon less than infinity ++ if (logEntries.count(1) < 100) ++ debugs(86, DBG_IMPORTANT, "ERROR: ESI parser: " << CurrentException); ++ setError(); ++ setErrorMessage("ESI parser error"); ++ } + + PROF_stop(esiParsing); + +diff --git a/src/esi/Esi.h b/src/esi/Esi.h +index 180b2c4..6fd5aac 100644 +--- a/src/esi/Esi.h ++++ b/src/esi/Esi.h +@@ -10,6 +10,11 @@ + #define SQUID_ESI_H + + #include "clientStream.h" ++#include "sbuf/SBuf.h" ++ ++#if !defined(ESI_STACK_DEPTH_LIMIT) ++#define ESI_STACK_DEPTH_LIMIT 20 ++#endif + + /* ESI.c */ + extern CSR esiStreamRead; +@@ -18,5 +23,14 @@ extern CSD esiStreamDetach; + extern CSS esiStreamStatus; + int esiEnableProcessing (HttpReply *); + ++namespace Esi ++{ ++ ++typedef SBuf ErrorDetail; ++/// prepare an Esi::ErrorDetail for throw on ESI parser internal errors ++inline Esi::ErrorDetail Error(const char *msg) { return ErrorDetail(msg); } ++ ++} // namespace Esi ++ + #endif /* SQUID_ESI_H */ + +diff --git a/src/esi/Expression.cc b/src/esi/Expression.cc +index 2b5b762..8519b03 100644 +--- a/src/esi/Expression.cc ++++ b/src/esi/Expression.cc +@@ -10,6 +10,7 @@ + + #include "squid.h" + #include "Debug.h" ++#include "esi/Esi.h" + #include "esi/Expression.h" + #include "profiler/Profiler.h" + +@@ -97,6 +98,17 @@ stackpop(stackmember * s, int *depth) + cleanmember(&s[*depth]); + } + ++static void ++stackpush(stackmember *stack, stackmember &item, int *depth) ++{ ++ if (*depth < 0) ++ throw Esi::Error("ESIExpression stack has negative size"); ++ if (*depth >= ESI_STACK_DEPTH_LIMIT) ++ throw Esi::Error("ESIExpression stack is full, cannot push"); ++ ++ stack[(*depth)++] = item; ++} ++ + static evaluate evalnegate; + static evaluate evalliteral; + static evaluate evalor; +@@ -208,6 +220,11 @@ evalnegate(stackmember * stack, int *depth, int whereAmI, stackmember * candidat + /* invalid stack */ + return 1; + ++ if (whereAmI < 0) ++ throw Esi::Error("negate expression location too small"); ++ if (*depth >= ESI_STACK_DEPTH_LIMIT) ++ throw Esi::Error("negate expression too complex"); ++ + if (stack[whereAmI + 1].valuetype != ESI_EXPR_EXPR) + /* invalid operand */ + return 1; +@@ -280,7 +297,7 @@ evalor(stackmember * stack, int *depth, int whereAmI, stackmember * candidate) + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -327,7 +344,7 @@ evaland(stackmember * stack, int *depth, int whereAmI, stackmember * candidate) + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -373,7 +390,7 @@ evallesseq(stackmember * stack, int *depth, int whereAmI, stackmember * candidat + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -421,7 +438,7 @@ evallessthan(stackmember * stack, int *depth, int whereAmI, stackmember * candid + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -469,7 +486,7 @@ evalmoreeq(stackmember * stack, int *depth, int whereAmI, stackmember * candidat + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -517,7 +534,7 @@ evalmorethan(stackmember * stack, int *depth, int whereAmI, stackmember * candid + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -566,7 +583,7 @@ evalequals(stackmember * stack, int *depth, int whereAmI, + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -613,7 +630,7 @@ evalnotequals(stackmember * stack, int *depth, int whereAmI, stackmember * candi + + srv.precedence = 1; + +- stack[(*depth)++] = srv; ++ stackpush(stack, srv, depth); + + /* we're out of way, try adding now */ + if (!addmember(stack, depth, candidate)) +@@ -953,6 +970,9 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate) + /* !(!(a==b))) is why thats safe */ + /* strictly less than until we unwind */ + ++ if (*stackdepth >= ESI_STACK_DEPTH_LIMIT) ++ throw Esi::Error("ESI expression too complex to add member"); ++ + if (candidate->precedence < stack[*stackdepth - 1].precedence || + candidate->precedence < stack[*stackdepth - 2].precedence) { + /* must be an operator */ +@@ -968,10 +988,10 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate) + return 0; + } + } else { +- stack[(*stackdepth)++] = *candidate; ++ stackpush(stack, *candidate, stackdepth); + } + } else if (candidate->valuetype != ESI_EXPR_INVALID) +- stack[(*stackdepth)++] = *candidate; ++ stackpush(stack, *candidate, stackdepth); + + return 1; + } +@@ -979,7 +999,7 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate) + int + ESIExpression::Evaluate(char const *s) + { +- stackmember stack[20]; ++ stackmember stack[ESI_STACK_DEPTH_LIMIT]; + int stackdepth = 0; + char const *end; + PROF_start(esiExpressionEval); diff -Nru squid-4.8/debian/patches/CVE-2019-18860.patch squid-4.8/debian/patches/CVE-2019-18860.patch --- squid-4.8/debian/patches/CVE-2019-18860.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.8/debian/patches/CVE-2019-18860.patch 2020-05-07 13:25:08.000000000 +0000 @@ -0,0 +1,213 @@ +Backport of: + +From 5a90b4ce64c346ba7f317a278ba601091d9de076 Mon Sep 17 00:00:00 2001 +From: aaron-costello <56684862+aaron-costello@users.noreply.github.com> +Date: Sun, 3 Nov 2019 16:22:22 +0000 +Subject: [PATCH] cachemgr.cgi: Add validation for hostname parameter (#504) + +Prevention of HTML/invalid chars in host param +--- + src/base/CharacterSet.cc | 2 +- + tools/Makefile.am | 8 ++++++-- + tools/cachemgr.cc | 28 +++++++++++++++++++++++++--- + 3 files changed, 32 insertions(+), 6 deletions(-) + +--- a/src/base/CharacterSet.cc ++++ b/src/base/CharacterSet.cc +@@ -7,7 +7,7 @@ + */ + + #include "squid.h" +-#include "CharacterSet.h" ++#include "base/CharacterSet.h" + + #include + #include +--- a/tools/Makefile.am ++++ b/tools/Makefile.am +@@ -37,6 +37,9 @@ stub_debug.cc: $(top_srcdir)/src/tests/s + Here.cc: $(top_srcdir)/src/base/Here.cc + cp $(top_srcdir)/src/base/Here.cc $@ + ++CharacterSet.cc: $(top_srcdir)/src/base/CharacterSet.cc ++ cp $(top_srcdir)/src/base/CharacterSet.cc $@ ++ + MemBuf.cc: $(top_srcdir)/src/MemBuf.cc + cp $(top_srcdir)/src/MemBuf.cc $@ + +@@ -48,7 +51,7 @@ stub_cbdata.cc: $(top_srcdir)/src/tests/ + + stub_libmem.cc: $(top_srcdir)/src/tests/stub_libmem.cc STUB.h + cp $(top_srcdir)/src/tests/stub_libmem.cc $@ +- ++ + STUB.h: $(top_srcdir)/src/tests/STUB.h + cp $(top_srcdir)/src/tests/STUB.h $@ + +@@ -57,7 +60,7 @@ STUB.h: $(top_srcdir)/src/tests/STUB.h + # globals.cc is needed by test_tools.cc. + # Neither of these should be disted from here. + TESTSOURCES= test_tools.cc +-CLEANFILES += test_tools.cc Here.cc MemBuf.cc stub_debug.cc time.cc stub_cbdata.cc stub_libmem.cc STUB.h ++CLEANFILES += test_tools.cc Here.cc CharacterSet.cc MemBuf.cc stub_debug.cc time.cc stub_cbdata.cc stub_libmem.cc STUB.h + + ## Test Scripts + EXTRA_DIST += helper-ok-dying.pl helper-ok.pl +@@ -69,6 +72,7 @@ DEFAULT_CACHEMGR_CONFIG = $(sysconfdir)/ + libexec_PROGRAMS = cachemgr$(CGIEXT) + + cachemgr__CGIEXT__SOURCES = cachemgr.cc \ ++ CharacterSet.cc \ + Here.cc \ + MemBuf.cc \ + stub_cbdata.cc \ +--- a/tools/cachemgr.cc ++++ b/tools/cachemgr.cc +@@ -8,6 +8,7 @@ + + #include "squid.h" + #include "base64.h" ++#include "base/CharacterSet.h" + #include "getfullhostname.h" + #include "html_quote.h" + #include "ip/Address.h" +@@ -215,6 +216,21 @@ xstrtok(char **str, char del) + return ""; + } + ++bool ++hostname_check(const char *uri) ++{ ++ static CharacterSet hostChars = CharacterSet("host",".:[]_") + ++ CharacterSet::ALPHA + CharacterSet::DIGIT; ++ ++ const auto limit = strlen(uri); ++ for (size_t i = 0; i < limit; i++) { ++ if (!hostChars[uri[i]]) { ++ return false; ++ } ++ } ++ return true; ++} ++ + static void + print_trailer(void) + { +@@ -807,9 +823,15 @@ process_request(cachemgr_request * req) + } else if ((S = req->hostname)) + (void) 0; + else { +- snprintf(buf, sizeof(buf), "Unknown host: %s\n", req->hostname); +- error_html(buf); +- return 1; ++ if (hostname_check(req->hostname)) { ++ snprintf(buf, sizeof(buf), "Unknown Host: %s\n", req->hostname); ++ error_html(buf); ++ return 1; ++ } else { ++ snprintf(buf, sizeof(buf), "%s\n", "Invalid Hostname"); ++ error_html(buf); ++ return 1; ++ } + } + + S.port(req->port); +--- a/tools/Makefile.in ++++ b/tools/Makefile.in +@@ -166,6 +166,7 @@ CONFIG_CLEAN_VPATH_FILES = + am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)" + PROGRAMS = $(libexec_PROGRAMS) + am_cachemgr__CGIEXT__OBJECTS = cachemgr__CGIEXT_-cachemgr.$(OBJEXT) \ ++ cachemgr__CGIEXT_-CharacterSet.$(OBJEXT) \ + cachemgr__CGIEXT_-Here.$(OBJEXT) \ + cachemgr__CGIEXT_-MemBuf.$(OBJEXT) \ + cachemgr__CGIEXT_-stub_cbdata.$(OBJEXT) \ +@@ -207,7 +208,8 @@ am__v_at_1 = + DEFAULT_INCLUDES = + depcomp = $(SHELL) $(top_srcdir)/cfgaux/depcomp + am__maybe_remake_depfiles = depfiles +-am__depfiles_remade = ./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po \ ++am__depfiles_remade = ./$(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Po \ ++ ./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po \ + ./$(DEPDIR)/cachemgr__CGIEXT_-MemBuf.Po \ + ./$(DEPDIR)/cachemgr__CGIEXT_-cachemgr.Po \ + ./$(DEPDIR)/cachemgr__CGIEXT_-stub_cbdata.Po \ +@@ -781,8 +783,9 @@ DEFAULT_ICON_DIR = $(datadir)/icons + DEFAULT_ERROR_DIR = $(datadir)/errors + AM_CFLAGS = $(SQUID_CFLAGS) + AM_CXXFLAGS = $(SQUID_CXXFLAGS) +-CLEANFILES = test_tools.cc Here.cc MemBuf.cc stub_debug.cc time.cc \ +- stub_cbdata.cc stub_libmem.cc STUB.h cachemgr.cgi.8 ++CLEANFILES = test_tools.cc Here.cc CharacterSet.cc MemBuf.cc \ ++ stub_debug.cc time.cc stub_cbdata.cc stub_libmem.cc STUB.h \ ++ cachemgr.cgi.8 + AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/include \ + -I$(top_srcdir)/lib -I$(top_srcdir)/src \ + -I$(top_builddir)/include $(LIBCPPUNIT_CFLAGS) $(KRB5INCS) \ +@@ -822,6 +825,7 @@ SUBSTITUTE = sed "\ + TESTSOURCES = test_tools.cc + DEFAULT_CACHEMGR_CONFIG = $(sysconfdir)/cachemgr.conf + cachemgr__CGIEXT__SOURCES = cachemgr.cc \ ++ CharacterSet.cc \ + Here.cc \ + MemBuf.cc \ + stub_cbdata.cc \ +@@ -935,6 +939,7 @@ mostlyclean-compile: + distclean-compile: + -rm -f *.tab.c + ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cachemgr__CGIEXT_-MemBuf.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cachemgr__CGIEXT_-cachemgr.Po@am__quote@ # am--include-marker +@@ -988,6 +993,20 @@ cachemgr__CGIEXT_-cachemgr.obj: cachemgr + @AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cachemgr__CGIEXT__CXXFLAGS) $(CXXFLAGS) -c -o cachemgr__CGIEXT_-cachemgr.obj `if test -f 'cachemgr.cc'; then $(CYGPATH_W) 'cachemgr.cc'; else $(CYGPATH_W) '$(srcdir)/cachemgr.cc'; fi` + ++cachemgr__CGIEXT_-CharacterSet.o: CharacterSet.cc ++@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cachemgr__CGIEXT__CXXFLAGS) $(CXXFLAGS) -MT cachemgr__CGIEXT_-CharacterSet.o -MD -MP -MF $(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Tpo -c -o cachemgr__CGIEXT_-CharacterSet.o `test -f 'CharacterSet.cc' || echo '$(srcdir)/'`CharacterSet.cc ++@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Tpo $(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Po ++@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='CharacterSet.cc' object='cachemgr__CGIEXT_-CharacterSet.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cachemgr__CGIEXT__CXXFLAGS) $(CXXFLAGS) -c -o cachemgr__CGIEXT_-CharacterSet.o `test -f 'CharacterSet.cc' || echo '$(srcdir)/'`CharacterSet.cc ++ ++cachemgr__CGIEXT_-CharacterSet.obj: CharacterSet.cc ++@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cachemgr__CGIEXT__CXXFLAGS) $(CXXFLAGS) -MT cachemgr__CGIEXT_-CharacterSet.obj -MD -MP -MF $(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Tpo -c -o cachemgr__CGIEXT_-CharacterSet.obj `if test -f 'CharacterSet.cc'; then $(CYGPATH_W) 'CharacterSet.cc'; else $(CYGPATH_W) '$(srcdir)/CharacterSet.cc'; fi` ++@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Tpo $(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Po ++@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='CharacterSet.cc' object='cachemgr__CGIEXT_-CharacterSet.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cachemgr__CGIEXT__CXXFLAGS) $(CXXFLAGS) -c -o cachemgr__CGIEXT_-CharacterSet.obj `if test -f 'CharacterSet.cc'; then $(CYGPATH_W) 'CharacterSet.cc'; else $(CYGPATH_W) '$(srcdir)/CharacterSet.cc'; fi` ++ + cachemgr__CGIEXT_-Here.o: Here.cc + @am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cachemgr__CGIEXT__CXXFLAGS) $(CXXFLAGS) -MT cachemgr__CGIEXT_-Here.o -MD -MP -MF $(DEPDIR)/cachemgr__CGIEXT_-Here.Tpo -c -o cachemgr__CGIEXT_-Here.o `test -f 'Here.cc' || echo '$(srcdir)/'`Here.cc + @am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/cachemgr__CGIEXT_-Here.Tpo $(DEPDIR)/cachemgr__CGIEXT_-Here.Po +@@ -1499,7 +1518,8 @@ clean-am: clean-checkPROGRAMS clean-gene + clean-libtool mostlyclean-am + + distclean: distclean-recursive +- -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po ++ -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Po ++ -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po + -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-MemBuf.Po + -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-cachemgr.Po + -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-stub_cbdata.Po +@@ -1552,7 +1572,8 @@ install-ps-am: + installcheck-am: + + maintainer-clean: maintainer-clean-recursive +- -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po ++ -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-CharacterSet.Po ++ -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-Here.Po + -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-MemBuf.Po + -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-cachemgr.Po + -rm -f ./$(DEPDIR)/cachemgr__CGIEXT_-stub_cbdata.Po +@@ -1615,6 +1636,9 @@ stub_debug.cc: $(top_srcdir)/src/tests/s + Here.cc: $(top_srcdir)/src/base/Here.cc + cp $(top_srcdir)/src/base/Here.cc $@ + ++CharacterSet.cc: $(top_srcdir)/src/base/CharacterSet.cc ++ cp $(top_srcdir)/src/base/CharacterSet.cc $@ ++ + MemBuf.cc: $(top_srcdir)/src/MemBuf.cc + cp $(top_srcdir)/src/MemBuf.cc $@ + diff -Nru squid-4.8/debian/patches/CVE-2020-11945.patch squid-4.8/debian/patches/CVE-2020-11945.patch --- squid-4.8/debian/patches/CVE-2020-11945.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.8/debian/patches/CVE-2020-11945.patch 2020-05-07 13:25:06.000000000 +0000 @@ -0,0 +1,59 @@ +commit eeebf0f37a72a2de08348e85ae34b02c34e9a811 +Author: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com> +Date: 2020-04-02 11:16:45 +0000 + + Fix auth digest refcount integer overflow (#585) + + This fixes a possible overflow of the nonce reference counter in the + digest authentication scheme, found by security researchers + @synacktiv. + + It changes `references` to be an 64 bits unsigned integer. This makes + overflowing the counter impossible in practice. + +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelet + static void authenticateDigestNonceSetup(void); + static void authDigestNonceEncode(digest_nonce_h * nonce); + static void authDigestNonceLink(digest_nonce_h * nonce); +-#if NOT_USED +-static int authDigestNonceLinks(digest_nonce_h * nonce); +-#endif + static void authDigestNonceUserUnlink(digest_nonce_h * nonce); + + static void +@@ -287,21 +284,10 @@ authDigestNonceLink(digest_nonce_h * non + { + assert(nonce != NULL); + ++nonce->references; ++ assert(nonce->references != 0); // no overflows + debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'."); + } + +-#if NOT_USED +-static int +-authDigestNonceLinks(digest_nonce_h * nonce) +-{ +- if (!nonce) +- return -1; +- +- return nonce->references; +-} +- +-#endif +- + void + authDigestNonceUnlink(digest_nonce_h * nonce) + { +--- a/src/auth/digest/Config.h ++++ b/src/auth/digest/Config.h +@@ -44,7 +44,7 @@ struct _digest_nonce_h : public hash_lin + /* number of uses we've seen of this nonce */ + unsigned long nc; + /* reference count */ +- short references; ++ uint64_t references; + /* the auth_user this nonce has been tied to */ + Auth::Digest::User *user; + /* has this nonce been invalidated ? */ diff -Nru squid-4.8/debian/patches/series squid-4.8/debian/patches/series --- squid-4.8/debian/patches/series 2020-02-19 17:47:25.000000000 +0000 +++ squid-4.8/debian/patches/series 2020-05-07 13:25:02.000000000 +0000 @@ -13,3 +13,6 @@ CVE-2020-84xx-1.patch CVE-2020-84xx-2.patch CVE-2020-8517.patch +CVE-2019-12519_12521.patch +CVE-2019-18860.patch +CVE-2020-11945.patch