import squid-4.15-10.module+el8.10.0+22554+81f6c10d.5

SOURCES/squid-4.15-dns-obey-ttl-set-to-zero.patch

@@ -0,0 +1,61 @@
+diff --git a/src/ipcache.cc b/src/ipcache.cc
+index ea32021..6012f1f 100644
+--- a/src/ipcache.cc
++++ b/src/ipcache.cc
+@@ -103,6 +103,7 @@ public:
+     } flags;
+ 
+     int age() const; ///< time passed since request_time or -1 if unknown
++    void updateTtl(const unsigned int rrTtl);
+ };
+ 
+ /// \ingroup IPCacheInternal
+@@ -338,7 +339,6 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
+     int k;
+     int j = 0;
+     int na = 0;
+-    int ttl = 0;
+     const char *name = (const char *)i->hash.key;
+     int cname_found = 0;
+ 
+@@ -436,8 +436,8 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
+             debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] );
+             ++j;
+         }
+-        if (ttl == 0 || (int) answers[k].ttl < ttl)
+-            ttl = answers[k].ttl;
++
++        i->updateTtl(answers[k].ttl);
+     }
+ 
+     assert(j == na);
+@@ -447,17 +447,21 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
+     else
+         i->addrs.count = 255;
+ 
+-    if (ttl > Config.positiveDnsTtl)
+-        ttl = Config.positiveDnsTtl;
+-
+-    if (ttl < Config.negativeDnsTtl)
+-        ttl = Config.negativeDnsTtl;
+-
+-    i->expires = squid_curtime + ttl;
+-
+     i->flags.negcached = false;
+ }
+ 
++void
++ipcache_entry::updateTtl(const unsigned int rrTtl)
++{
++    const time_t ttl = std::min(std::max(
++                                    Config.negativeDnsTtl, // smallest value allowed
++                                    static_cast<time_t>(rrTtl)),
++                                Config.positiveDnsTtl); // largest value allowed
++    const time_t rrExpires = squid_curtime + ttl;
++    if (rrExpires < expires)
++        expires = rrExpires;
++}
++
+ /// \ingroup IPCacheInternal
+ static void
+ ipcacheHandleReply(void *data, const rfc1035_rr * answers, int na, const char *error_message)

SPECS/squid.spec

@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.3
+Release:  10%{?dist}.5
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -40,6 +40,8 @@ Patch208: squid-4.11-convert-ipv4.patch
 Patch209: squid-4.15-ftp-filename-extraction.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2076717
 Patch210: squid-4.15-halfclosed.patch
+# https://issues.redhat.com/browse/RHEL-66120
+Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch
 
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1941506
@@ -106,7 +108,7 @@ BuildRequires: systemd-devel
 
 %description
 Squid is a high-performance proxy caching server for Web clients,
-supporting FTP, gopher, and HTTP data objects. Unlike traditional
+supporting FTP and HTTP data objects. Unlike traditional
 caching software, Squid handles all requests in a single,
 non-blocking, I/O-driven process. Squid keeps meta data and especially
 hot objects cached in RAM, caches DNS lookups, supports non-blocking
@@ -134,6 +136,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch208 -p1 -b .convert-ipv4
 %patch209 -p1 -b .ftp-fn-extraction
 %patch210 -p1 -b .halfclosed
+%patch211 -p1 -b .dns-obey-ttl-set-to-zero
 
 # Security patches
 %patch300 -p1 -b .CVE-2021-28116
@@ -367,6 +370,12 @@ fi
 
 
 %changelog
+* Fri Nov 22 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.5
+- Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
+
+* Mon Nov 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.4
+- Resolves: RHEL-67870 - Remove gopher mention from spec file
+
 * Wed Nov 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.3
 - Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to
   a Denial of Service attack against Cache Manager error responses