-rw-r--r-- | lang/golang/golang-package.mk | 14 | ||||
-rw-r--r-- | lang/golang/golang/Makefile | 4 | ||||
-rw-r--r-- | lang/python/python3/Makefile | 2 | ||||
-rw-r--r-- | lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch | 223 | ||||
-rw-r--r-- | lang/python/python3/patches/021-openssl-deprecated.patch | 63 | ||||
-rw-r--r-- | net/tinyproxy/Makefile | 26 | ||||
-rw-r--r-- | net/tinyproxy/files/tinyproxy.init | 94 | ||||
-rw-r--r-- | net/tinyproxy/patches/010-no-docs-and-tests.patch | 86 | ||||
-rw-r--r-- | net/tinyproxy/patches/020-config_and_pid-path.patch | 31 | ||||
-rw-r--r-- | net/tinyproxy/patches/030-allow_bind_in_transparent_mode.patch | 22 | ||||
-rw-r--r-- | net/tinyproxy/patches/120-fix_INET6.patch | 4 | ||||
-rw-r--r-- | net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch | 101 | ||||
-rw-r--r-- | net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch | 44 |
13 files changed, 386 insertions, 328 deletions
diff --git a/lang/golang/golang-package.mk b/lang/golang/golang-package.mk index 235585b20..2d558565c 100644 --- a/lang/golang/golang-package.mk +++ b/lang/golang/golang-package.mk @@ -120,10 +120,22 @@ GO_PKG_BUILD_BIN_DIR:=$(GO_PKG_BUILD_DIR)/bin$(if $(GO_HOST_TARGET_DIFFERENT),/$ GO_PKG_BUILD_DEPENDS_SRC:=$(STAGING_DIR)$(GO_PKG_PATH)/src -ifeq ($(CONFIG_PKG_ASLR_PIE),y) +ifdef CONFIG_PKG_ASLR_PIE_ALL ifeq ($(strip $(PKG_ASLR_PIE)),1) ifeq ($(GO_TARGET_PIE_SUPPORTED),1) GO_PKG_ENABLE_PIE:=1 + else + $(warning PIE buildmode is not supported for $(GO_OS)/$(GO_ARCH)) + endif + endif +endif + +ifdef CONFIG_PKG_ASLR_PIE_REGULAR + ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1) + ifeq ($(GO_TARGET_PIE_SUPPORTED),1) + GO_PKG_ENABLE_PIE:=1 + else + $(warning PIE buildmode is not supported for $(GO_OS)/$(GO_ARCH)) endif endif endif diff --git a/lang/golang/golang/Makefile b/lang/golang/golang/Makefile index 8bfb8260f..ca27eae94 100644 --- a/lang/golang/golang/Makefile +++ b/lang/golang/golang/Makefile @@ -92,10 +92,12 @@ BOOTSTRAP_UNPACK:=$(HOST_TAR) -C $(BOOTSTRAP_BUILD_DIR) --strip-components=1 -xz RSTRIP:=: STRIP:=: -ifeq ($(CONFIG_PKG_ASLR_PIE),y) +ifdef CONFIG_PKG_ASLR_PIE_ALL ifeq ($(GO_TARGET_PIE_SUPPORTED),1) PKG_GO_ENABLE_PIE:=1 PKG_GO_INSTALL_SUFFIX:=$(GO_TARGET_PIE_INSTALL_SUFFIX) + else + $(warning PIE buildmode is not supported for $(GO_OS)/$(GO_ARCH)) endif endif diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile index 8f9e4a182..e91771ce4 100644 --- a/lang/python/python3/Makefile +++ b/lang/python/python3/Makefile @@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION) PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO) PKG_NAME:=python3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO) PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz 
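Review bot: The new `else` branches in the `CONFIG_PKG_ASLR_PIE_ALL` and `CONFIG_PKG_ASLR_PIE_REGULAR` blocks of golang-package.mk only print a `$(warning ...)` and leave `GO_PKG_ENABLE_PIE` unset. A hardening option the user selected is therefore dropped with nothing more than a line in the build log. The two blocks are identical apart from the variable they test, so a short comment above them would make the intent explicit, e.g. `# PIE is best-effort for Go: unsupported GOOS/GOARCH pairs fall back to a non-PIE build`. The same warning-only fallback is added in lang/golang/golang/Makefile.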
diff --git a/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch b/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch
new file mode 100644
index 000000000..1edd215d1
--- /dev/null
+++ b/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch
@@ -0,0 +1,223 @@ +From 991f0176e188227647bf4c993d8da81cf794b3ae Mon Sep 17 00:00:00 2001 +From: Christian Heimes <christian@python.org> +Date: Sun, 25 Feb 2018 20:03:07 +0100 +Subject: [PATCH] bpo-30008: SSL module: emulate tls methods + +OpenSSL 1.1 compatility: emulate version specific TLS methods with +SSL_CTX_set_min/max_proto_version(). +--- + .../2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst | 4 + + Modules/_ssl.c | 134 ++++++++++++++---- + 2 files changed, 108 insertions(+), 30 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst + +diff --git a/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst +new file mode 100644 +index 000000000000..e0a08464a1e1 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst +@@ -0,0 +1,4 @@ ++The ssl module no longer uses function that are deprecated since OpenSSL ++1.1.0. The version specific TLS methods are emulated with TLS_method() plus ++SSL_CTX_set_min/max_proto_version(). Pseudo random numbers are generated ++with RAND_bytes(). 
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index f50823e6947a..827026e3bf5c 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -45,14 +45,6 @@ static PySocketModule_APIObject PySocketModule; + #include <sys/poll.h> + #endif + +-/* Don't warn about deprecated functions */ +-#ifdef __GNUC__ +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +-#endif +-#ifdef __clang__ +-#pragma clang diagnostic ignored "-Wdeprecated-declarations" +-#endif +- + /* Include OpenSSL header files */ + #include "openssl/rsa.h" + #include "openssl/crypto.h" +@@ -205,6 +197,7 @@ static void _PySSLFixErrno(void) { + #ifndef PY_OPENSSL_1_1_API + /* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */ + ++#define ASN1_STRING_get0_data ASN1_STRING_data + #define TLS_method SSLv23_method + #define TLS_client_method SSLv23_client_method + #define TLS_server_method SSLv23_server_method +@@ -896,7 +889,7 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname) + goto error; + } + } else { +- if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_data(ip), ++ if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip), + ASN1_STRING_length(ip))) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + goto error; +@@ -1372,8 +1365,9 @@ _get_peer_alt_names (X509 *certificate) { + goto fail; + } + PyTuple_SET_ITEM(t, 0, v); +- v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as), +- ASN1_STRING_length(as)); ++ v = PyUnicode_FromStringAndSize( ++ (char *)ASN1_STRING_get0_data(as), ++ ASN1_STRING_length(as)); + if (v == NULL) { + Py_DECREF(t); + goto fail; +@@ -3031,44 +3025,124 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) + long options; + SSL_CTX *ctx = NULL; + X509_VERIFY_PARAM *params; +- int result; ++ int result = 0; + #if defined(SSL_MODE_RELEASE_BUFFERS) + unsigned long libver; + #endif + + PySSL_BEGIN_ALLOW_THREADS +- if (proto_version == PY_SSL_VERSION_TLS1) ++ switch (proto_version) { ++#if OPENSSL_VERSION_NUMBER <= 0x10100000L 
++ /* OpenSSL < 1.1.0 or not LibreSSL ++ * Use old-style methods for OpenSSL 1.0.2 ++ */ ++#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2) ++ case PY_SSL_VERSION_SSL2: ++ ctx = SSL_CTX_new(SSLv2_method()); ++ break; ++#endif ++#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3) ++ case PY_SSL_VERSION_SSL3: ++ ctx = SSL_CTX_new(SSLv3_method()); ++ break; ++#endif ++#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1) ++ case PY_SSL_VERSION_TLS1: + ctx = SSL_CTX_new(TLSv1_method()); +-#if HAVE_TLSv1_2 +- else if (proto_version == PY_SSL_VERSION_TLS1_1) ++ break; ++#endif ++#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1) ++ case PY_SSL_VERSION_TLS1_1: + ctx = SSL_CTX_new(TLSv1_1_method()); +- else if (proto_version == PY_SSL_VERSION_TLS1_2) ++ break; ++#endif ++#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2) ++ case PY_SSL_VERSION_TLS1_2: + ctx = SSL_CTX_new(TLSv1_2_method()); ++ break; + #endif +-#ifndef OPENSSL_NO_SSL3 +- else if (proto_version == PY_SSL_VERSION_SSL3) +- ctx = SSL_CTX_new(SSLv3_method()); ++#else ++ /* OpenSSL >= 1.1 or LibreSSL ++ * create context with TLS_method for all protocols ++ * no SSLv2_method in OpenSSL 1.1. 
++ */ ++#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3) ++ case PY_SSL_VERSION_SSL3: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */ ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); ++ if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)) ++ result = -2; ++ } ++ break; + #endif +-#ifndef OPENSSL_NO_SSL2 +- else if (proto_version == PY_SSL_VERSION_SSL2) +- ctx = SSL_CTX_new(SSLv2_method()); ++#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1) ++ case PY_SSL_VERSION_TLS1: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1); ++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION)) ++ result = -2; ++ } ++ break; ++#endif ++#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1) ++ case PY_SSL_VERSION_TLS1_1: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); ++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)) ++ result = -2; ++ } ++ break; ++#endif ++#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2) ++ case PY_SSL_VERSION_TLS1_2: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); ++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)) ++ result = -2; ++ } ++ break; + #endif +- else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */ ++#endif /* OpenSSL >= 1.1 */ ++ case PY_SSL_VERSION_TLS: ++ /* SSLv23 */ + ctx = SSL_CTX_new(TLS_method()); +- else if (proto_version == PY_SSL_VERSION_TLS_CLIENT) ++ break; ++ case PY_SSL_VERSION_TLS_CLIENT: + ctx = SSL_CTX_new(TLS_client_method()); +- else if 
(proto_version == PY_SSL_VERSION_TLS_SERVER) ++ break; ++ case PY_SSL_VERSION_TLS_SERVER: + ctx = SSL_CTX_new(TLS_server_method()); +- else +- proto_version = -1; ++ break; ++ default: ++ result = -1; ++ break; ++ } + PySSL_END_ALLOW_THREADS + +- if (proto_version == -1) { ++ if (result == -1) { + PyErr_SetString(PyExc_ValueError, + "invalid protocol version"); + return NULL; + } +- if (ctx == NULL) { ++ else if (result == -2) { ++ PyErr_SetString(PyExc_ValueError, ++ "protocol configuration error"); ++ return NULL; ++ } ++ else if (ctx == NULL) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + return NULL; + } +@@ -5241,7 +5315,7 @@ PySSL_RAND(int len, int pseudo) + if (bytes == NULL) + return NULL; + if (pseudo) { +- ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len); ++ ok = (_PyOS_URandom((unsigned char*)PyBytes_AS_STRING(bytes), len) == 0 ? 1 : 0); + if (ok == 0 || ok == 1) + return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False); + } diff --git a/lang/python/python3/patches/021-openssl-deprecated.patch b/lang/python/python3/patches/021-openssl-deprecated.patch new file mode 100644 index 000000000..f73ce80c3 --- /dev/null +++ b/lang/python/python3/patches/021-openssl-deprecated.patch 
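Review bot: The new `result == -2` branch in `_ssl__SSLContext_impl` returns NULL while `ctx` is still a live `SSL_CTX`, so each failed `SSL_CTX_set_min_proto_version()` or `SSL_CTX_set_max_proto_version()` call leaks the context. Adding `SSL_CTX_free(ctx);` before the `PyErr_SetString(PyExc_ValueError, "protocol configuration error");` line closes that path. In the `PySSL_RAND` hunk `ok` can now only be 0 or 1, so a failing `_PyOS_URandom()` is reported as `(bytes, False)`, presumably with its exception still pending, instead of as an error. Releasing `bytes` and returning NULL on failure would be clearer. The NEWS entry says pseudo random numbers come from `RAND_bytes()`, which does not match that hunk, and both functions continue outside the quoted hunks.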
@@ -0,0 +1,63 @@ +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -201,6 +202,11 @@ static void _PySSLFixErrno(void) { + #define TLS_method SSLv23_method + #define TLS_client_method SSLv23_client_method + #define TLS_server_method SSLv23_server_method ++#define X509_getm_notBefore X509_get_notBefore ++#define X509_getm_notAfter X509_get_notAfter ++#define OpenSSL_version_num SSLeay ++#define OpenSSL_version SSLeay_version ++#define OPENSSL_VERSION SSLEAY_VERSION + + static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) + { +@@ -1677,7 +1683,7 @@ _decode_certificate(X509 *certificate) { + Py_DECREF(sn_obj); + + (void) BIO_reset(biobuf); +- notBefore = X509_get_notBefore(certificate); ++ notBefore = X509_getm_notBefore(certificate); + ASN1_TIME_print(biobuf, notBefore); + len = BIO_gets(biobuf, buf, sizeof(buf)-1); + if (len < 0) { +@@ -1694,7 +1700,7 @@ _decode_certificate(X509 *certificate) { + Py_DECREF(pnotBefore); + + (void) BIO_reset(biobuf); +- notAfter = X509_get_notAfter(certificate); ++ notAfter = X509_getm_notAfter(certificate); + ASN1_TIME_print(biobuf, notAfter); + len = BIO_gets(biobuf, buf, sizeof(buf)-1); + if (len < 0) { +@@ -3235,7 +3241,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) + conservative and assume it wasn't fixed until release. We do this check + at runtime to avoid problems from the dynamic linker. + See #25672 for more on this. */ +- libver = SSLeay(); ++ libver = OpenSSL_version_num(); + if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) && + !(libver >= 0x10000000UL && libver < 0x100000dfUL)) { + SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS); +@@ -6403,10 +6409,10 @@ PyInit__ssl(void) + return NULL; + + /* OpenSSL version */ +- /* SSLeay() gives us the version of the library linked against, ++ /* OpenSSL_version_num() gives us the version of the library linked against, + which could be different from the headers version. 
+ */ +- libver = SSLeay(); ++ libver = OpenSSL_version_num(); + r = PyLong_FromUnsignedLong(libver); + if (r == NULL) + return NULL; +@@ -6416,7 +6422,7 @@ PyInit__ssl(void) + r = Py_BuildValue("IIIII", major, minor, fix, patch, status); + if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r)) + return NULL; +- r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION)); ++ r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION)); + if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r)) + return NULL; + diff --git a/net/tinyproxy/Makefile b/net/tinyproxy/Makefile index 7400ac9de..1b5f83ef2 100644 --- a/net/tinyproxy/Makefile +++ b/net/tinyproxy/Makefile @@ -8,17 +8,20 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tinyproxy -PKG_VERSION:=1.8.3 -PKG_RELEASE:=3 +PKG_VERSION:=1.10.0 +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=http://www.banu.com/pub/tinyproxy/1.8/ -PKG_HASH:=be559b54eb4772a703ad35239d1cb59d32f7cf8a739966742622d57df88b896e -PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io> +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE_URL:=https://github.com/tinyproxy/tinyproxy/releases/download/$(PKG_VERSION) +PKG_HASH:=59be87689c415ba0d9c9bc6babbdd3df3b372d60b21e526b118d722dbc995682 +PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io> +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:banu:tinyproxy PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk 
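Review bot: 021-openssl-deprecated.patch starts directly at `--- a/Modules/_ssl.c` with no From/Subject header or upstream reference, unlike 020-ssl-module-emulate-tls-methods.patch. For a change to the TLS module, a short header naming the origin (upstream commit or "OpenWrt-local") and the condition under which it can be dropped would make later audits easier. In `_decode_certificate` the values are only passed to `ASN1_TIME_print`, so the read-only accessors `X509_get0_notBefore`/`X509_get0_notAfter` would state the intent better than the `getm` variants. That would require `const` locals, which are declared outside the visible hunks.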
@@ -27,21 +30,18 @@ define Package/tinyproxy SECTION:=net CATEGORY:=Network TITLE:=Tinyproxy is a lightweight HTTP and HTTPS proxy - URL:=http://tinyproxy.sourceforge.net/ + URL:=https://tinyproxy.github.io/ endef define Package/tinyproxy/conffiles /etc/config/tinyproxy endef -CONFIGURE_ARGS+= \ - --enable-filter \ - --enable-transparent \ - --disable-regexcheck \ +CONFIGURE_VARS += ac_cv_path_A2X=no define Package/tinyproxy/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/tinyproxy $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/tinyproxy $(1)/usr/bin/ $(INSTALL_DIR) $(1)/usr/share/tinyproxy $(CP) $(PKG_INSTALL_DIR)/usr/share/tinyproxy/*.html $(1)/usr/share/tinyproxy/ $(INSTALL_DIR) $(1)/etc/config diff --git a/net/tinyproxy/files/tinyproxy.init b/net/tinyproxy/files/tinyproxy.init index 046783073..3c1a48fc5 100644 --- a/net/tinyproxy/files/tinyproxy.init +++ b/net/tinyproxy/files/tinyproxy.init @@ -6,8 +6,9 @@ START=50 CFGFILE=/var/etc/tinyproxy.conf section_enabled() { + local enabled config_get_bool enabled "$1" 'enabled' 0 - [ $enabled -gt 0 ] + [ "$enabled" -gt 0 ] } start() { 
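Review bot: The install step now copies the binary to `$(1)/usr/bin/tinyproxy`, but net/tinyproxy/files/tinyproxy.init in this same commit still runs `service_start /usr/sbin/tinyproxy -c "$CFGFILE"`. The service would therefore be started from a path the package no longer ships. Either keep installing into `/usr/sbin` or change the init script to `/usr/bin/tinyproxy`; its `stop()` body is outside the visible hunks and probably needs the same change. This hunk also drops `--enable-filter` and `--enable-transparent` while the init script still writes the `Filter*` options, so it is worth confirming that 1.10.0 enables those features by default.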
@@ -22,55 +23,58 @@ stop() { start_proxy() { section_enabled "$1" || return 1 - mkdir -m0755 -p /var/etc - echo '### AUTOGENERATED CONFIGURATION' > $CFGFILE - echo '### DO NOT EDIT' >> $CFGFILE - echo '### SEE /etc/config/tinyproxy INSTEAD' >> $CFGFILE - echo '' >> $CFGFILE + mkdir -p /var/etc + chmod 0755 /var/etc + { + echo '### AUTOGENERATED CONFIGURATION' + echo '### DO NOT EDIT' + echo '### SEE /etc/config/tinyproxy INSTEAD' + echo '' - proxy_atom "$1" User >> $CFGFILE - proxy_atom "$1" Group >> $CFGFILE - proxy_atom "$1" Port 8888 >> $CFGFILE - proxy_atom "$1" Listen >> $CFGFILE - proxy_atom "$1" Bind >> $CFGFILE - proxy_atom "$1" Timeout >> $CFGFILE + proxy_atom "$1" User + proxy_atom "$1" Group + proxy_atom "$1" Port 8888 + proxy_atom "$1" Listen + proxy_atom "$1" Bind + proxy_atom "$1" Timeout - proxy_string "$1" ErrorFile_400 "ErrorFile 400" >> $CFGFILE - proxy_string "$1" ErrorFile_403 "ErrorFile 403" >> $CFGFILE - proxy_string "$1" ErrorFile_404 "ErrorFile 404" >> $CFGFILE - proxy_string "$1" ErrorFile_408 "ErrorFile 408" >> $CFGFILE - proxy_string "$1" ErrorFile_503 "ErrorFile 503" >> $CFGFILE + proxy_string "$1" ErrorFile_400 "ErrorFile 400" + proxy_string "$1" ErrorFile_403 "ErrorFile 403" + proxy_string "$1" ErrorFile_404 "ErrorFile 404" + proxy_string "$1" ErrorFile_408 "ErrorFile 408" + proxy_string "$1" ErrorFile_503 "ErrorFile 503" - proxy_string "$1" DefaultErrorFile >> $CFGFILE - proxy_string "$1" StatHost StatHost 127.0.0.1 >> $CFGFILE - proxy_string "$1" StatFile >> $CFGFILE - proxy_string "$1" LogFile >> $CFGFILE + proxy_string "$1" DefaultErrorFile + proxy_string "$1" StatHost StatHost 127.0.0.1 + proxy_string "$1" StatFile + proxy_string "$1" LogFile - proxy_flag "$1" Syslog >> $CFGFILE + proxy_flag "$1" Syslog - proxy_atom "$1" LogLevel >> $CFGFILE + proxy_atom "$1" LogLevel - proxy_flag "$1" XTinyproxy >> $CFGFILE + proxy_flag "$1" XTinyproxy - proxy_atom "$1" MaxClients >> $CFGFILE - proxy_atom "$1" MinSpareServers >> $CFGFILE - 
proxy_atom "$1" MaxSpareServers >> $CFGFILE - proxy_atom "$1" StartServers >> $CFGFILE - proxy_atom "$1" MaxRequestsPerChild >> $CFGFILE - proxy_list "$1" Allow >> $CFGFILE + proxy_atom "$1" MaxClients + proxy_atom "$1" MinSpareServers + proxy_atom "$1" MaxSpareServers + proxy_atom "$1" StartServers + proxy_atom "$1" MaxRequestsPerChild + proxy_list "$1" Allow - proxy_string "$1" ViaProxyName >> $CFGFILE - proxy_string "$1" Filter >> $CFGFILE + proxy_string "$1" ViaProxyName + proxy_string "$1" Filter - proxy_flag "$1" FilterURLs >> $CFGFILE - proxy_flag "$1" FilterExtended >> $CFGFILE - proxy_flag "$1" FilterCaseSensitive >> $CFGFILE - proxy_flag "$1" FilterDefaultDeny Yes No >> $CFGFILE + proxy_flag "$1" FilterURLs + proxy_flag "$1" FilterExtended + proxy_flag "$1" FilterCaseSensitive + proxy_flag "$1" FilterDefaultDeny Yes No - proxy_list "$1" Anonymous '"' >> $CFGFILE - proxy_list "$1" ConnectPort >> $CFGFILE + proxy_list "$1" Anonymous '"' + proxy_list "$1" ConnectPort config_foreach write_upstream upstream + } > "$CFGFILE" service_start /usr/sbin/tinyproxy -c "$CFGFILE" } @@ -85,11 +89,11 @@ write_upstream() { config_get target "$1" target [ -n "$target" ] && target=' "'"$target"'"' - [ "$type" == "proxy" -a -n "$via" ] && \ - echo "upstream $via$target" >> $CFGFILE + [ "$type" = "proxy" ] && [ -n "$via" ] && \ + echo "upstream $via$target" - [ "$type" == "reject" -a -n "$target" ] && \ - echo "no upstream$target" >> $CFGFILE + [ "$type" = "reject" ] && [ -n "$target" ] && \ + echo "no upstream$target" } proxy_atom() { @@ -111,9 +115,9 @@ proxy_string() { config_get _value "$SECTION" "$OPTION" [ -z "$_value" ] && _value="$DEFAULT" [ -n "$_value" ] && echo "${ALIAS:-${OPTION}} "'"'"$_value"'"' - [ -n "$_value" -a "$OPTION" = "LogFile" ] && { - touch $_value - chmod 666 $_value + [ -n "$_value" ] && [ "$OPTION" = "LogFile" ] && { + touch "$_value" + chmod 666 "$_value" } } 
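Review bot: The `LogFile` branch of `proxy_string` still ends in `chmod 666 "$_value"`, which leaves a log file created by the init script writable by every local user, at a path taken from UCI configuration. The commit only adds quoting. Handing the file to the account tinyproxy runs as and tightening the mode would remove the world-writable bit, e.g. `chown "$proxy_user" "$_value"` then `chmod 640 "$_value"`. Here `proxy_user` is a placeholder for the configured `User` value, which this function does not currently read.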
diff --git a/net/tinyproxy/patches/010-no-docs-and-tests.patch b/net/tinyproxy/patches/010-no-docs-and-tests.patch
deleted file mode 100644
index cbb0dd196..000000000
--- a/net/tinyproxy/patches/010-no-docs-and-tests.patch
+++ /dev/null
@@ -1,86 +0,0 @@ ---- a/configure -+++ b/configure -@@ -6815,59 +6815,8 @@ fi - - - --# Check for asciidoc --# Extract the first word of "a2x", so it can be a program name with args. --set dummy a2x; ac_word=$2 --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 --$as_echo_n "checking for $ac_word... " >&6; } --if test "${ac_cv_path_A2X+set}" = set; then : -- $as_echo_n "(cached) " >&6 --else -- case $A2X in -- [\\/]* | ?:[\\/]*) -- ac_cv_path_A2X="$A2X" # Let the user override the test with a path. -- ;; -- *) -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR --for as_dir in $PATH --do -- IFS=$as_save_IFS -- test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -- ac_cv_path_A2X="$as_dir/$ac_word$ac_exec_ext" -- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -- break 2 -- fi --done -- done --IFS=$as_save_IFS -- -- test -z "$ac_cv_path_A2X" && ac_cv_path_A2X="no" -- ;; --esac --fi --A2X=$ac_cv_path_A2X --if test -n "$A2X"; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $A2X" >&5 --$as_echo "$A2X" >&6; } --else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } --fi -- -- -- if test "x$A2X" != "xno"; then -- HAVE_A2X_TRUE= -- HAVE_A2X_FALSE='#' --else - HAVE_A2X_TRUE='#' - HAVE_A2X_FALSE= --fi -- --if test x"$A2X" = x"no"; then -- as_fn_error $? "Test for asciidoc failed. See the file 'INSTALL' for help." 
"$LINENO" 5 --fi - - ac_config_files="$ac_config_files Makefile src/Makefile data/Makefile data/templates/Makefile etc/Makefile docs/Makefile docs/man5/Makefile docs/man5/tinyproxy.conf.txt docs/man8/Makefile docs/man8/tinyproxy.txt m4macros/Makefile tests/Makefile tests/scripts/Makefile" - ---- a/Makefile.am -+++ b/Makefile.am -@@ -2,9 +2,7 @@ SUBDIRS = \ - src \ - data \ - etc \ -- docs \ - m4macros \ -- tests - - # tools want this on a single line - ACLOCAL_AMFLAGS = -I m4macros ---- a/Makefile.in -+++ b/Makefile.in -@@ -222,9 +222,7 @@ SUBDIRS = \ - src \ - data \ - etc \ -- docs \ - m4macros \ -- tests - - - # tools want this on a single line diff --git a/net/tinyproxy/patches/020-config_and_pid-path.patch b/net/tinyproxy/patches/020-config_and_pid-path.patch index 3ab7482a4..839f5fb89 100644 --- a/net/tinyproxy/patches/020-config_and_pid-path.patch +++ b/net/tinyproxy/patches/020-config_and_pid-path.patch 
@@ -1,13 +1,20 @@ ---- a/src/main.c -+++ b/src/main.c -@@ -326,8 +326,8 @@ static void initialize_config_defaults ( - conf->errorpages = NULL; - conf->stathost = safestrdup (TINYPROXY_STATHOST); - conf->idletimeout = MAX_IDLE_TIME; -- conf->logf_name = safestrdup (LOCALSTATEDIR "/log/tinyproxy/tinyproxy.log"); -- conf->pidpath = safestrdup (LOCALSTATEDIR "/run/tinyproxy/tinyproxy.pid"); -+ conf->logf_name = safestrdup (LOCALSTATEDIR "/log/tinyproxy.log"); -+ conf->pidpath = safestrdup (LOCALSTATEDIR "/tinyproxy.pid"); - } +--- a/etc/tinyproxy.conf.in ++++ b/etc/tinyproxy.conf.in +@@ -93,7 +93,7 @@ StatFile "@pkgdatadir@/stats.html" + # exclusive. If neither Syslog nor LogFile are specified, output goes + # to stdout. + # +-#LogFile "@localstatedir@/log/tinyproxy/tinyproxy.log" ++LogFile "@localstatedir@/log/tinyproxy.log" - /** + # + # Syslog: Tell tinyproxy to use syslog instead of a logfile. This +@@ -124,7 +124,7 @@ LogLevel Info + # can be used for signalling purposes. + # If not specified, no pidfile will be written. + # +-#PidFile "@localstatedir@/run/tinyproxy/tinyproxy.pid" ++PidFile "@localstatedir@/tinyproxy.pid" + + # + # XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which diff --git a/net/tinyproxy/patches/030-allow_bind_in_transparent_mode.patch b/net/tinyproxy/patches/030-allow_bind_in_transparent_mode.patch deleted file mode 100644 index 68d89db4d..000000000 --- a/net/tinyproxy/patches/030-allow_bind_in_transparent_mode.patch +++ /dev/null 
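Review bot: The rewritten patch only uncomments `LogFile` and `PidFile` in etc/tinyproxy.conf.in, whereas the version it replaces changed the compiled-in defaults in src/main.c. The init script does not appear to use that template, since it generates /var/etc/tinyproxy.conf and passes it with `-c`. The generated file has no `PidFile` line, and the template's own comment says "If not specified, no pidfile will be written", so anything that relied on the old default pid path should be checked. If a pidfile is still wanted, emitting it from `start_proxy` (for example `proxy_string "$1" PidFile`) looks like the place to do it.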
@@ -1,22 +0,0 @@ ---- a/src/conf.c -+++ b/src/conf.c -@@ -865,7 +865,6 @@ static HANDLE_FUNC (handle_deny) - - static HANDLE_FUNC (handle_bind) - { --#ifndef TRANSPARENT_PROXY - int r = set_string_arg (&conf->bind_address, line, &match[2]); - - if (r) -@@ -873,11 +872,6 @@ static HANDLE_FUNC (handle_bind) - log_message (LOG_INFO, - "Outgoing connections bound to IP %s", conf->bind_address); - return 0; --#else -- fprintf (stderr, -- "\"Bind\" cannot be used with transparent support enabled.\n"); -- return 1; --#endif - } - - static HANDLE_FUNC (handle_listen) diff --git a/net/tinyproxy/patches/120-fix_INET6.patch b/net/tinyproxy/patches/120-fix_INET6.patch index 1c2683551..041354885 100644 --- a/net/tinyproxy/patches/120-fix_INET6.patch +++ b/net/tinyproxy/patches/120-fix_INET6.patch @@ -10,7 +10,7 @@ { struct addrinfo hints, *res, *ressave; -@@ -48,7 +47,7 @@ bind_socket (int sockfd, const char *add +@@ -48,7 +47,7 @@ bind_socket (int sockfd, const char *addr, int family) assert (addr != NULL && strlen (addr) != 0); memset (&hints, 0, sizeof (struct addrinfo)); @@ -19,7 +19,7 @@ hints.ai_socktype = SOCK_STREAM; /* The local port it not important */ -@@ -106,14 +105,12 @@ int opensock (const char *host, int port +@@ -112,14 +111,12 @@ int opensock (const char *host, int port, const char *bind_to) /* Bind to the specified address */ if (bind_to) { diff --git a/net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch b/net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch deleted file mode 100644 index 4737b8ba3..000000000 --- a/net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch +++ /dev/null 
@@ -1,101 +0,0 @@ ---- a/src/child.c -+++ b/src/child.c -@@ -20,6 +20,9 @@ - * processing incoming connections. - */ - -+#include <stdlib.h> -+#include <time.h> -+ - #include "main.h" - - #include "child.h" -@@ -196,6 +199,7 @@ static void child_main (struct child_s * - } - - ptr->connects = 0; -+ srand(time(NULL)); - - while (!config.quit) { - ptr->status = T_WAITING; ---- a/src/hashmap.c -+++ b/src/hashmap.c -@@ -25,6 +25,8 @@ - * don't try to free the data, or realloc the memory. :) - */ - -+#include <stdlib.h> -+ - #include "main.h" - - #include "hashmap.h" -@@ -50,6 +52,7 @@ struct hashbucket_s { - }; - - struct hashmap_s { -+ uint32_t seed; - unsigned int size; - hashmap_iter end_iterator; - -@@ -65,7 +68,7 @@ struct hashmap_s { - * - * If any of the arguments are invalid a negative number is returned. - */ --static int hashfunc (const char *key, unsigned int size) -+static int hashfunc (const char *key, unsigned int size, uint32_t seed) - { - uint32_t hash; - -@@ -74,7 +77,7 @@ static int hashfunc (const char *key, un - if (size == 0) - return -ERANGE; - -- for (hash = tolower (*key++); *key != '\0'; key++) { -+ for (hash = seed; *key != '\0'; key++) { - uint32_t bit = (hash & 1) ? 
(1 << (sizeof (uint32_t) - 1)) : 0; - - hash >>= 1; -@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int n - if (!ptr) - return NULL; - -+ ptr->seed = (uint32_t)rand(); - ptr->size = nbuckets; - ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets, - sizeof (struct -@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const cha - if (!data || len < 1) - return -ERANGE; - -- hash = hashfunc (key, map->size); -+ hash = hashfunc (key, map->size, map->seed); - if (hash < 0) - return hash; - -@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, c - if (map == NULL || key == NULL) - return -EINVAL; - -- hash = hashfunc (key, map->size); -+ hash = hashfunc (key, map->size, map->seed); - if (hash < 0) - return hash; - -@@ -416,7 +420,7 @@ ssize_t hashmap_entry_by_key (hashmap_t - if (!map || !key || !data) - return -EINVAL; - -- hash = hashfunc (key, map->size); -+ hash = hashfunc (key, map->size, map->seed); - if (hash < 0) - return hash; - -@@ -451,7 +455,7 @@ ssize_t hashmap_remove (hashmap_t map, c - if (map == NULL || key == NULL) - return -EINVAL; - -- hash = hashfunc (key, map->size); -+ hash = hashfunc (key, map->size, map->seed); - if (hash < 0) - return hash; - diff --git a/net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch b/net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch deleted file mode 100644 index b8023ab2a..000000000 --- a/net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch +++ /dev/null 
@@ -1,44 +0,0 @@ ---- a/src/reqs.c -+++ b/src/reqs.c -@@ -610,6 +610,11 @@ add_header_to_connection (hashmap_t hash - return hashmap_insert (hashofheaders, header, sep, len); - } - -+/* define max number of headers. big enough to handle legitimate cases, -+ * but limited to avoid DoS -+ */ -+#define MAX_HEADERS 10000 -+ - /* - * Read all the headers from the stream - */ -@@ -617,6 +622,7 @@ static int get_all_headers (int fd, hash - { - char *line = NULL; - char *header = NULL; -+ int count; - char *tmp; - ssize_t linelen; - ssize_t len = 0; -@@ -625,7 +631,7 @@ static int get_all_headers (int fd, hash - assert (fd >= 0); - assert (hashofheaders != NULL); - -- for (;;) { -+ for (count = 0; count < MAX_HEADERS; count++) { - if ((linelen = readline (fd, &line)) <= 0) { - safefree (header); - safefree (line); -@@ -691,6 +697,12 @@ static int get_all_headers (int fd, hash - - safefree (line); - } -+ -+ /* if we get there, this is we reached MAX_HEADERS count. -+ bail out with error */ -+ safefree (header); -+ safefree (line); -+ return -1; - } - - /* |