From 1615a7f18aceb6272f0632c540d3940692355242 Mon Sep 17 00:00:00 2001 From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com> Date: Mon, 7 Oct 2024 08:13:17 +0000 Subject: [PATCH 1/2] Fix validation of Digest auth header parameters (#1906) Insufficient validation of Digest authentication parameters resulted in a DigestCalcHA1() call that dereferenced a nil pointer. This bug was discovered and detailed by Joshua Rogers at https://megamansec.github.io/Squid-Security-Audit/ where it was filed as "strlen(NULL) Crash Using Digest Authentication". --- src/auth/digest/Config.cc | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc index f39d43cba75..0fd32330cff 100644 --- a/src/auth/digest/Config.cc +++ b/src/auth/digest/Config.cc @@ -966,13 +966,19 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request, return rv; } } else { - /* cnonce and nc both require qop */ - if (digest_request->cnonce || digest_request->nc[0] != '\0') { - debugs(29, 2, "missing qop!"); - rv = authDigestLogUsername(username, digest_request, aRequestRealm); - safe_free(username); - return rv; - } + /* RFC7616 section 3.3, qop: + * "MUST be used by all implementations" + * + * RFC7616 section 3.4, qop: + * "value MUST be one of the alternatives the server + * indicated it supports in the WWW-Authenticate header field" + * + * Squid sends qop=auth, reject buggy or outdated clients. + */ + debugs(29, 2, "missing qop!"); + rv = authDigestLogUsername(username, digest_request, aRequestRealm); + safe_free(username); + return rv; } /** below nonce state dependent **/ From 2847a11a38cfae8594d60272a983d2c3dcc85800 Mon Sep 17 00:00:00 2001 From: Francesco Chemolli Date: Wed, 9 Oct 2024 14:16:55 +0000 Subject: [PATCH 2/2] Prep for v6.12 --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index f0286f4c3c2..e0f4fa5424a 100644 --- a/ChangeLog 
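Review bot: The new comment in the `else` branch of `Auth::Digest::Config::decode` justifies the unconditional rejection only by RFC 7616 conformance, but according to the commit message this rejection is also what stops a qop-less request from reaching `DigestCalcHA1()` with a null parameter. That safety reason should be recorded in the comment, otherwise a later change that relaxes the check for legacy clients could silently reintroduce the crash; for example add `* Digest calculation further down assumes the qop-dependent fields are set; do not relax this without null checks there.` Which field was null is not visible in this hunk, so that wording is deliberately general and should be confirmed against `DigestCalcHA1()`. Clients that omit qop were previously accepted when they also sent no cnonce or nc, so the behaviour change deserves a release-note mention beyond the one-line ChangeLog entry. `decode()` starts and ends outside the hunk, so the checks in the qop-present branch could not be reviewed here.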
+++ b/ChangeLog @@ -1,3 +1,9 @@ +Changes in squid-6.12 (12 Oct 2024) + - Fix validation of Digest auth header parameters + - Fix build with libtool v2.4 + automake v1.17 + - Use git to extract default build-info when enabled + - ... and a minor source-maintenance portability fix + Changes in squid-6.11 (15 Sep 2024) - Fix Kerberos detection when cross-compiling - Improve robustness of DNS code on reconfigure