Fix vulnerabilities, support SELinux, and update to shoal 1.0.2
Squid 6.6 contains fixes for several security vulnerabilities. Unfortunately, it also has a bug related to collapsed forwarding, so it is not usable for frontier-squid. To address the vulnerabilities quickly, the security fixes from Squid 6 have been backported to frontier-squid-5.9-2. The fixes cover:
- https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
- https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
- https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html
- https://megamansec.github.io/Squid-Security-Audit/ftp-assert.html
- https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
- https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
Two further vulnerabilities are mitigated by disabling Gopher and TRACE requests in the squid.conf.proto file:
- https://megamansec.github.io/Squid-Security-Audit/gopher-nullpointer.html
- https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html
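As an added illustration (not a copy of frontier-squid's own squid.conf.proto), this is how the two denials are expressed in squid.conf syntax. The ACL names no_gopher and no_trace are arbitrary; Squid's built-in `proto` and `method` ACL types do the matching.

```conf
# Added example, not frontier-squid's squid.conf.proto. ACL names are arbitrary.
# Refuse any request whose URL scheme is gopher://
acl no_gopher proto gopher
# Refuse any request using the HTTP TRACE method
acl no_trace method TRACE

# Squid applies the first matching http_access line, so these denials must
# precede any http_access rule that allows client traffic.
http_access deny no_gopher
http_access deny no_trace
```

After regenerating squid.conf from the template, `squid -k parse` checks the syntax, and a request such as `curl -x proxyhost:3128 -X TRACE http://example.com/` should be refused with 403 Forbidden rather than forwarded.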
In addition, SELinux support is improved: the package now requires /sbin/restorecon and runs it on the log directory as well as the cache directory, so both receive the correct SELinux context. This resolves issue #210 for frontier-squid5 (the change will need to be ported to frontier-squid6 later). Also, shoal is updated to version 1.0.2, which ensures that external_ip is set correctly and resolves issue #209.