765e06107d
pkgsrc changes: clean up PKG_OPTIONS and enable several backends default. Quote from release announce: This release is a security release resolving several issues found in the prior Squid releases. The major changes to be aware of: * SQUID-2020:1 Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450) This issue allows attackers to perform denial of service on the proxy and all clients using it. This issue potentially allows attackers to bypass security access controls in systems between client and proxy. This issue potentially allows remote code execution under the proxy low-privilege level. While restricted, it does have access to a wide range of information about the network structure and other clients using the proxy. This issue is limited to Squid acting as a reverse-proxy. Some effects also require allow_direct permissions. See the advisory for updated patches: <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt> Please note that NTLM is a deprecated authentication mechanism. All users of this tool are advised to plan migration to Negotiate/Kerberos authentication. * SQUID-2020:2 Information Disclosure issue in FTP Gateway. (CVE-2019-12528) Certain FTP server responses can result in Squid revealing random amounts of memory content from heap. When Squid mempools feature is enabled the leak is limited to lines in FTP directory listings, possibly from other clients. When mempools is disabled the information may be anything from the heap area including information from other processes on the machine. See the advisory for more details: <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt> * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper. (CVE-2020-8517) This problem is limited to installations using the ext_lm_group_acl binary (previously shipped as mswin_check_lm_group). 
Due to incorrect input validation the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections this can result in the helper process being terminated unexpectedly. Resulting in Squid process also terminating and a denial of service for all clients using the proxy. See the advisory for more details: <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt> * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The issue was incorrect memory alignment with certain cache sizes. This Squid release now forces alignment of the critical rock page details. * Bug 4735: Truncated chunked responses cached as whole This bug shows up as clients getting the cached truncated response objects until the cache object expires or is force removed. In absence of partial-object caching this Squid release treats incomplete responses as non-cacheable and prevents the chunked encoding terminator chunk being delivered to the active client(s). * Fix server_cert_fingerprint on cert validator-reported errors This bug shows up as a server_cert_fingerprint ACL mismatch when sslproxy_cert_error directive was applied to validation errors reported by the certificate validator, because the ACL could not find the server certificate. All users of Squid are urged to upgrade as soon as possible.
# $NetBSD: options.mk,v 1.3 2020/02/04 03:03:48 taca Exp $
|
|
|
|
PKG_OPTIONS_VAR= PKG_OPTIONS.squid4
|
|
PKG_SUPPORTED_OPTIONS= ecap esi inet6 snmp squid-backend-aufs \
|
|
squid-backend-diskd squid-backend-rock \
|
|
squid-backend-ufs squid-unlinkd \
|
|
squid-kerberos-helper squid-ldap-helper \
|
|
squid-pam-helper
|
|
PKG_OPTIONS_REQUIRED_GROUPS= ssl
|
|
PKG_OPTIONS_GROUP.ssl= openssl gnutls
|
|
PKG_OPTIONS_LEGACY_OPTS+= diskd:squid-backend-diskd \
|
|
null:squid-backend-null ufs:squid-backend-ufs \
|
|
linux-netfilter:squid-netfilter \
|
|
ipf-transparent:squid-ipf \
|
|
pf-transparent:squid-pf unlinkd:squid-unlinkd \
|
|
arp-acl:squid-arp-acl \
|
|
pam-helper:squid-pam-helper
|
|
|
|
PLIST_VARS+= ba_LDAP ba_NCSA ba_PAM ba_getpwnam
|
|
PLIST_VARS+= da_LDAP da_file diskd
|
|
PLIST_VARS+= eacl_LDAP_group eacl_file_userip eacl_unix_group
|
|
PLIST_VARS+= openssl ta_kerberos unlinkd
|
|
|
|
PKG_SUGGESTED_OPTIONS= inet6 esi openssl snmp squid-backend-aufs \
|
|
squid-backend-diskd squid-backend-ufs \
|
|
squid-pam-helper squid-unlinkd
|
|
|
|
.include "../../mk/bsd.prefs.mk"
|
|
|
|
.if ${OPSYS} == "Linux"
|
|
PKG_SUPPORTED_OPTIONS+= squid-netfilter
|
|
.endif
|
|
|
|
# some release of NetBSD lacks <ipl.h> header of IP Filter 4.x
|
|
.if ${OPSYS} != "NetBSD" || ${OS_VERSION:M[01].*} || exists(/usr/include/netinet/ipl.h)
|
|
PKG_SUPPORTED_OPTIONS+= squid-ipf
|
|
.endif
|
|
|
|
.if ${OPSYS} == "FreeBSD" || ${OPSYS} == "NetBSD" || ${OPSYS} == "OpenBSD" || \
|
|
${OPSYS} == "Darwin" || ${OPSYS} == "DragonFly"
|
|
PKG_SUPPORTED_OPTIONS+= squid-pf
|
|
.endif
|
|
|
|
.if (${OPSYS} == "NetBSD") && \
|
|
!empty(PKG_SUPPORTED_OPTIONS:Msquid-ipf)
|
|
PKG_SUGGESTED_OPTIONS+= squid-ipf
|
|
.endif
|
|
|
|
PKG_SUGGESTED_OPTIONS.OpenBSD+= squid-pf
|
|
|
|
PKG_SUPPORTED_OPTIONS.Darwin+= squid-ipfw
|
|
PKG_SUGGESTED_OPTIONS.Darwin+= squid-ipfw
|
|
|
|
# limited platform support squid-arp-acl
|
|
.if ${OPSYS} == "FreeBSD" || ${OPSYS} == "NetBSD" || ${OPSYS} == "OpenBSD" || ${OPSYS} == "Linux" || ${OPSYS} == "SunOS"
|
|
PKG_SUPPORTED_OPTIONS+= squid-arp-acl
|
|
.endif
|
|
|
|
.include "../../mk/bsd.options.mk"
|
|
|
|
# Note: NIS helper cannot be build; it requires crypt.h header file.
|
|
SQUID_BASIC_AUTH_HELPERS?= DB NCSA PAM fake getpwnam
|
|
SQUID_DIGEST_AUTH_HELPERS?= file
|
|
SQUID_NTLM_AUTH_HELPERS?= SMB_LM fake
|
|
SQUID_EXTERNAL_ACL_HELPERS?= file_userip unix_group
|
|
|
|
# squid's code has preference as:
|
|
# squid-ipf > squid-pf > squid-netfilter
|
|
# So, options.mk introduce preference as:
|
|
# squid-netfilter > squid-pf > squid-ipf
|
|
.if !empty(PKG_OPTIONS:Msquid-netfilter)
|
|
CONFIGURE_ARGS+= --enable-linux-netfilter
|
|
.elif !empty(PKG_OPTIONS:Msquid-pf)
|
|
CONFIGURE_ARGS+= --enable-pf-transparent
|
|
. if ${OPSYS} == "NetBSD"
|
|
CONFIGURE_ARGS+= --with-nat-devpf
|
|
. endif
|
|
.elif !empty(PKG_OPTIONS:Msquid-ipf)
|
|
CONFIGURE_ARGS+= --enable-ipf-transparent
|
|
.elif !empty(PKG_OPTIONS:Msquid-ipfw)
|
|
CONFIGURE_ARGS+= --enable-ipfw-transparent
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-arp-acl)
|
|
CONFIGURE_ARGS+= --enable-arp-acl
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mecap)
|
|
CONFIGURE_ARGS+= --enable-ecap
|
|
USE_TOOLS+= pkg-config
|
|
CHECK_WRKREF_SKIP+= sbin/squid
|
|
USE_LANGUAGES+= c++11
|
|
.include "../../www/libecap/buildlink3.mk"
|
|
.else
|
|
CONFIGURE_ARGS+= --disable-ecap
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mesi)
|
|
CONFIGURE_ARGS+= --enable-esi
|
|
.include "../../textproc/expat/buildlink3.mk"
|
|
.else
|
|
CONFIGURE_ARGS+= --disable-esi
|
|
.endif
|
|
|
|
.if !empty(PKG_SUPPORTED_OPTIONS:Minet6) && empty(PKG_OPTIONS:Minet6)
|
|
CONFIGURE_ARGS+= --disable-ipv6
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-kerberos-helper)
|
|
.include "../../mk/krb5.buildlink3.mk"
|
|
CONFIGURE_ENV+= ac_cv_path_krb5_config=${KRB5_CONFIG:Q}
|
|
SQUID_NEGOTIATE_AUTH_HELPERS+= kerberos
|
|
.else
|
|
CONFIGURE_ENV+= ac_cv_path_krb5_config=no
|
|
CONFIGURE_ARGS+= --without-mit-krb5
|
|
CONFIGURE_ARGS+= --without-heimdal-krb5
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-ldap-helper)
|
|
.include "../../databases/openldap-client/buildlink3.mk"
|
|
SQUID_BASIC_AUTH_HELPERS+= LDAP
|
|
SQUID_DIGEST_AUTH_HELPERS+= LDAP
|
|
SQUID_EXTERNAL_ACL_HELPERS+= LDAP_group
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-pam-helper)
|
|
. include "../../mk/pam.buildlink3.mk"
|
|
SQUID_BASIC_AUTH_HELPERS+= PAM
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msnmp)
|
|
CONFIGURE_ARGS+= --enable-snmp
|
|
.else
|
|
CONFIGURE_ARGS+= --disable-snmp
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mopenssl)
|
|
CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
|
|
CONFIGURE_ARGS+= --enable-ssl-crtd --without-gnutls
|
|
. include "../../security/openssl/buildlink3.mk"
|
|
PLIST.openssl= yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mgnutls)
|
|
CONFIGURE_ARGS+= --with-gnutls=${PREFIX:Q}
|
|
CONFIGURE_ARGS+= --without-openssl
|
|
. include "../../security/gnutls/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-backend-aufs)
|
|
SQUID_BACKENDS+= aufs
|
|
. include "../../mk/pthread.buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-backend-diskd)
|
|
SQUID_BACKENDS+= diskd
|
|
PLIST.diskd= yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-backend-rock)
|
|
SQUID_BACKENDS+= rock
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-backend-ufs)
|
|
SQUID_BACKENDS+= ufs
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msquid-unlinkd)
|
|
PLIST.unlinkd= yes
|
|
.else
|
|
CONFIGURE_ARGS+= --disable-unlinkd
|
|
.endif
|
|
|
|
.if empty(SQUID_BASIC_AUTH_HELPERS)
|
|
CONFIGURE_ARGS+= --disable-auth-basic
|
|
.else
|
|
CONFIGURE_ARGS+= --enable-auth-basic=${SQUID_BASIC_AUTH_HELPERS:Q}
|
|
. for i in ${SQUID_BASIC_AUTH_HELPERS}
|
|
PLIST.ba_${i}= yes
|
|
. endfor
|
|
.PHONY: squid-enable-helper-basic_auth
|
|
pre-configure: squid-enable-helper-basic_auth
|
|
squid-enable-helper-basic_auth:
|
|
. for i in ${SQUID_BASIC_AUTH_HELPERS}
|
|
# ${ECHO} "exit 0" > ${WRKSRC}/src/auth/basic/${i}/config.test
|
|
. endfor
|
|
.endif
|
|
|
|
.if empty(SQUID_DIGEST_AUTH_HELPERS)
|
|
CONFIGURE_ARGS+= --disable-auth-digest
|
|
.else
|
|
CONFIGURE_ARGS+= --enable-auth-digest=${SQUID_DIGEST_AUTH_HELPERS:Q}
|
|
. for i in ${SQUID_DIGEST_AUTH_HELPERS}
|
|
PLIST.da_${i}= yes
|
|
. endfor
|
|
pre-configure:
|
|
. for i in ${SQUID_DIGEST_AUTH_HELPERS}
|
|
# ${ECHO} "exit 0" > ${WRKSRC}/src/auth/digest/${i}/config.test
|
|
. endfor
|
|
.endif
|
|
|
|
.if empty(SQUID_NEGOTIATE_AUTH_HELPERS)
|
|
CONFIGURE_ARGS+= --disable-auth-negotiate
|
|
.else
|
|
CONFIGURE_ARGS+= --enable-auth-negotiate=${SQUID_NEGOTIATE_AUTH_HELPERS:Q}
|
|
. for i in ${SQUID_NEGOTIATE_AUTH_HELPERS}
|
|
PLIST.ta_${i}= yes
|
|
. endfor
|
|
.PHONY: squid-enable-helper-negotiate_auth
|
|
pre-configure: squid-enable-helper-negotiate_auth
|
|
squid-enable-helper-negotiate_auth:
|
|
. for i in ${SQUID_NEGOTIATE_AUTH_HELPERS}
|
|
# ${ECHO} "exit 0" > ${WRKSRC}/src/auth/negotiate/${i}/config.test
|
|
. endfor
|
|
.endif
|
|
|
|
.if empty(SQUID_NTLM_AUTH_HELPERS)
|
|
CONFIGURE_ARGS+= --disable-auth-ntlm
|
|
.else
|
|
CONFIGURE_ARGS+= --enable-auth-ntlm=${SQUID_NTLM_AUTH_HELPERS:Q}
|
|
.PHONY: squid-enable-helper-ntlm_auth
|
|
pre-configure: squid-enable-helper-ntlm_auth
|
|
squid-enable-helper-ntlm_auth:
|
|
. for i in ${SQUID_NTLM_AUTH_HELPERS}
|
|
# ${ECHO} "exit 0" > ${WRKSRC}/src/auth/ntlm/${i}/config.test
|
|
. endfor
|
|
.endif
|
|
|
|
.if empty(SQUID_EXTERNAL_ACL_HELPERS)
|
|
CONFIGURE_ARGS+= --disable-external-acl-helpers
|
|
.else
|
|
CONFIGURE_ARGS+= --enable-external-acl-helpers=${SQUID_EXTERNAL_ACL_HELPERS:Q}
|
|
. for i in ${SQUID_EXTERNAL_ACL_HELPERS}
|
|
PLIST.eacl_${i}= yes
|
|
. endfor
|
|
.PHONY: squid-enable-helper-external_acl
|
|
pre-configure: squid-enable-helper-external_acl
|
|
squid-enable-helper-external_acl:
|
|
. for i in ${SQUID_EXTERNAL_ACL_HELPERS}
|
|
# ${ECHO} "exit 0" > ${WRKSRC}/src/acl/external/${i}/config.test
|
|
. endfor
|
|
.endif
|
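Review bot: The legacy alias `null:squid-backend-null` in PKG_OPTIONS_LEGACY_OPTS maps to an option that appears nowhere in PKG_SUPPORTED_OPTIONS, neither in the initial list nor in any of the conditional `+=` blocks that follow, so a user still carrying the old `null` option is presumably translated into an option bsd.options.mk will reject or silently ignore; drop that entry so the line reads `ufs:squid-backend-ufs \`. The five pre-configure loops that would write `config.test` are entirely commented out, leaving empty `squid-enable-helper-*` targets, and the digest block declares a bare `pre-configure:` with no prerequisite unlike the other four; either delete the dead loops and targets or restore them consistently. Since the release notes quoted above state that NTLM is deprecated, the default `SQUID_NTLM_AUTH_HELPERS?= SMB_LM fake` deserves a comment such as `# NTLM helpers stay enabled by default for compatibility; upstream deprecates NTLM in favour of Negotiate/Kerberos` so the default reads as a documented choice rather than an oversight. Nesting indentation is also mixed (`.include` next to `. include`, `.if` next to `. if`) although the file otherwise uses the space to show depth.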