-
squid3 (3.5.12-1ubuntu7.16) xenial-security; urgency=medium
* SECURITY UPDATE: HTTP Request Smuggling issue
- debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
rootless or path-noscheme URLs in src/url.cc.
- CVE-2020-25097
-- Marc Deslauriers <email address hidden> Thu, 25 Mar 2021 12:46:49 -0400
-
squid3 (3.5.12-1ubuntu7.15) xenial-security; urgency=medium
* SECURITY UPDATE: Request Smuggling and Poisoning issue
- debian/patches/CVE-2020-15049.patch: validate Content-Length value
prefix in src/http/ContentLengthInterpreter.cc,
src/http/ContentLengthInterpreter.h.
- CVE-2020-15049
* SECURITY UPDATE: HTTP Request Smuggling issue
- debian/patches/CVE-2020-15810.patch: enforce token characters for
field-name in src/HttpHeader.cc.
- CVE-2020-15810
* SECURITY UPDATE: HTTP Request Splitting issue
- debian/patches/CVE-2020-15811-pre.patch: validate Content-Length
header values in src/HttpHeader.cc, src/HttpHeaderTools.cc,
src/HttpHeaderTools.h, src/http/ContentLengthInterpreter.cc,
src/http/ContentLengthInterpreter.h, src/http/Makefile.am.
- debian/patches/CVE-2020-15811.patch: Improve Transfer-Encoding
handling in src/HttpHeader.cc, src/HttpHeader.h, src/client_side.cc,
src/http.cc.
- CVE-2020-15811
* SECURITY UPDATE: DoS via peer crafted Cache Digest response message
- debian/patches/CVE-2020-24606.patch: fix livelocking in
peerDigestHandleReply in src/peer_digest.cc.
- CVE-2020-24606
* Enable the test suite
- debian/rules: enable test suite
- debian/patches/enable-the-test-suite.patch: fix FTBFS.
- debian/patches/fix-stub-comm-test.patch: fix FTBFS.
-- Marc Deslauriers <email address hidden> Wed, 16 Sep 2020 11:34:11 -0400
-
squid3 (3.5.12-1ubuntu7.14) xenial; urgency=medium
* d/squid.resolvconf: Invoke "systemctl reload --no-block" if we are
using systemd. This prevents squid from blocking if the reload
action is being issued indirectly because of another
service (e.g., because dnsmasq has been restarted), which may
cause a deadlock and prevent the whole transaction to
complete. (LP: #1761096)
-- Sergio Durigan Junior <email address hidden> Fri, 04 Sep 2020 08:31:36 -0400
-
squid3 (3.5.12-1ubuntu7.13) xenial-security; urgency=medium
* SECURITY REGRESSION: regression when parsing icap and ecap protocols
(LP: #1890265)
- debian/patches/CVE-2019-12523-bug965012.patch
* Thanks to Markus Koschany for the regression fix!
-- Marc Deslauriers <email address hidden> Wed, 26 Aug 2020 06:46:39 -0400
-
squid3 (3.5.12-1ubuntu7.12) xenial-security; urgency=medium
* SECURITY UPDATE: Multiple Issues in HTTP Request processing
- debian/patches/CVE-2019-12520.patch: properly handle userinfo in
src/url.cc.
- CVE-2019-12520
- CVE-2019-12524
* SECURITY UPDATE: Multiple issues in URI processing
- debian/patches/CVE-2019-12526.patch: replace patch with the one from
Debian to get backported functions.
- debian/patches/CVE-2019-12523.patch: update URI parser to use SBuf
parsing APIs.
- CVE-2019-12523
- CVE-2019-18676
* Thanks to Markus Koschany for the backports this update is based on.
-- Marc Deslauriers <email address hidden> Thu, 30 Jul 2020 07:01:11 -0400
-
squid3 (3.5.12-1ubuntu7.11) xenial-security; urgency=medium
* SECURITY UPDATE: multiple ESI issues
- debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
src/esi/Esi.h, src/esi/Expression.cc.
- CVE-2019-12519
- CVE-2019-12521
* SECURITY UPDATE: hostname parameter mishandling in cachemgr.cgi
- debian/patches/CVE-2019-18860.patch: add validation for hostname
parameter in src/base/CharacterSet.cc, tools/Makefile.am,
tools/cachemgr.cc.
- CVE-2019-18860
* SECURITY UPDATE: Digest Authentication nonce replay issue
- debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
overflow in src/auth/digest/Config.cc.
- CVE-2020-11945
-- Marc Deslauriers <email address hidden> Thu, 07 May 2020 10:05:12 -0400
-
squid3 (3.5.12-1ubuntu7.10) xenial-security; urgency=medium
* SECURITY UPDATE: info disclosure via FTP server
- debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
src/clients/FtpGateway.cc.
- CVE-2019-12528
* SECURITY UPDATE: incorrect input validation and buffer management
- debian/patches/CVE-2020-84xx-1.patch: ignore malformed Host header in
intercept and reverse proxy mode in src/client_side.cc.
- debian/patches/CVE-2020-84xx-2.patch: fix request URL generation in
reverse proxy configurations in src/client_side.cc.
- debian/patches/CVE-2020-84xx-3.patch: fix security patch in
src/client_side.cc.
- CVE-2020-8449
- CVE-2020-8450
* SECURITY UPDATE: DoS in NTLM authentication
- debian/patches/CVE-2020-8517.patch: improved username handling in
helpers/external_acl/LM_group/ext_lm_group_acl.cc.
- CVE-2020-8517
-- Marc Deslauriers <email address hidden> Wed, 19 Feb 2020 13:06:13 -0500
-
squid3 (3.5.12-1ubuntu7.9) xenial-security; urgency=medium
* SECURITY UPDATE: Heap Overflow issue in URN processing
- debian/patches/CVE-2019-12526.patch: fix URN response handling in
src/urn.cc.
- CVE-2019-12526
* SECURITY UPDATE: CSRF issue in HTTP Request processing
- debian/patches/CVE-2019-18677.patch: prevent truncation for large
origin-relative domains in src/URL.h, src/internal.cc, src/url.cc.
- CVE-2019-18677
* SECURITY UPDATE: HTTP Request Splitting in HTTP message processing
- debian/patches/CVE-2019-18678.patch: server MUST reject messages with
BWS after field-name in src/HttpHeader.cc, src/HttpHeader.h.
- CVE-2019-18678
- CVE-2019-18679
-- Marc Deslauriers <email address hidden> Wed, 20 Nov 2019 07:11:17 -0500
-
squid3 (3.5.12-1ubuntu7.8) xenial-security; urgency=medium
* SECURITY UPDATE: incorrect digest auth parameter parsing
- debian/patches/CVE-2019-12525.patch: check length in
src/auth/digest/Config.cc.
- CVE-2019-12525
* SECURITY UPDATE: basic auth uudecode length issue
- debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
include/uudecode.h, lib/uudecode.c.
- CVE-2019-12529
-- Marc Deslauriers <email address hidden> Tue, 16 Jul 2019 14:49:40 -0400
-
squid3 (3.5.12-1ubuntu7.7) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via SNMP memory leak
- debian/patches/CVE-2018-19132.patch: fix leak in src/snmp_core.cc.
- CVE-2018-19132
* SECURITY UPDATE: XSS issues in cachemgr.cgi
- debian/patches/CVE-2019-13345.patch: properly escape values in
tools/cachemgr.cc.
- CVE-2019-13345
-- Marc Deslauriers <email address hidden> Thu, 11 Jul 2019 13:03:44 -0400
-
squid3 (3.5.12-1ubuntu7.6) xenial; urgency=medium
* d/squid.rc: fix regexp for catching FATAL errors (LP: #1738412)
* d/t/test-squid.py: in xenial, initscript, apparmor profile, pidfile and
process are named squid, not squid3. Get rid of the multiple distro
logic since these tests will be only run on xenial.
* d/t/control: drop uneeded dependency on python-unit.
* d/t/squid: use a shorter shutdown timeout for the tests, so they
run faster
-- Andreas Hasenack <email address hidden> Wed, 31 Oct 2018 09:22:14 -0300
-
squid3 (3.5.12-1ubuntu7.5) xenial-security; urgency=medium
* SECURITY UPDATE: various denial of service issues
- debian/patches/CVE-2016-25xx-1.patch: better handling of huge
response headers in src/http.cc.
- debian/patches/CVE-2016-25xx-2.patch: throw instead of asserting on
some String overflows in src/SquidString.h, src/StrList.cc,
src/String.cc, src/clients/Client.cc, src/clients/Client.h,
src/clients/FtpClient.cc, src/http.cc.
- debian/patches/CVE-2016-25xx-3.patch: fix assertion in custom ESI
parser in src/esi/CustomParser.cc, src/esi/CustomParser.h.
- debian/patches/CVE-2016-25xx-4.patch: fix assertion in
src/FwdState.cc, src/FwdState.h, src/clients/Client.h, src/comm.cc,
src/comm.h, src/http.cc.
- CVE-2016-2569
- CVE-2016-2570
- CVE-2016-2571
* SECURITY UPDATE: denial of service via crafted HTTP response
- debian/patches/CVE-2016-3948.patch: convert Vary handling to SBuf in
src/HttpRequest.cc, src/HttpRequest.h, src/MemObject.cc,
src/MemObject.h, src/MemStore.cc, src/StoreMetaVary.cc,
src/client_side.cc, src/client_side_reply.cc, src/http.cc,
src/http.h, src/store.cc, src/store_key_md5.cc,
src/store_swapmeta.cc, src/tests/stub_MemObject.cc,
src/tests/stub_http.cc.
- CVE-2016-3948
* SECURITY UPDATE: denial of service in ESI Response processing
- debian/patches/CVE-2018-1000024.patch: make sure endofName never
exceeds tagEnd in src/esi/CustomParser.cc.
- CVE-2018-1000024
* SECURITY UPDATE: denial of service in in HTTP Message processing
- debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
transactions without a client connection in
src/client_side_request.cc.
- CVE-2018-1000027
-- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 09:56:31 -0500
-
squid3 (3.5.12-1ubuntu7.4) xenial; urgency=medium
* debian/patches/passive-ftp-segfault-1560429.patch: Fix for segfault
when ftp passive mode is not available. Closes: #793473, LP:
#1560429.
-- Andreas Hasenack <email address hidden> Fri, 07 Jul 2017 09:39:40 -0300
-
squid3 (3.5.12-1ubuntu7.3) xenial-security; urgency=medium
* SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
- debian/patches/CVE-2016-10002.patch: properly handle combination of
If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
src/client_side_reply.cc, src/client_side_reply.h.
- CVE-2016-10002
* SECURITY UPDATE: incorrect HTTP Request header comparison
- debian/patches/CVE-2016-10003.patch: don't share private responses
with collapsed client in src/client_side_reply.cc.
- CVE-2016-10003
-- Marc Deslauriers <email address hidden> Fri, 03 Feb 2017 14:09:18 -0500
-
squid3 (3.5.12-1ubuntu7.2) xenial-security; urgency=medium
* SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
- debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
- CVE-2016-3947
* SECURITY UPDATE: denial of service and possible code execution via
seeding manager reporter with crafted data
- debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
src/tests/stub_mem.cc, tools/Makefile.am.
- CVE-2016-4051
* SECURITY UPDATE: denial of service or arbitrary code execution via
crafted ESI responses
- debian/patches/CVE-2016-4052.patch: perform bounds checking and
remove asserts in src/esi/Esi.cc.
- CVE-2016-4052
- CVE-2016-4053
- CVE-2016-4054
* SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
absolute-URI
- debian/patches/CVE-2016-4553.patch: properly handle condition in
src/client_side.cc
- CVE-2016-4553
* SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
crafted HTTP host header
- debian/patches/CVE-2016-4554.patch: properly handle whitespace in
src/mime_header.cc.
- CVE-2016-4554
* SECURITY UPDATE: denial of service via ESI responses
- debian/patches/CVE-2016-4555.patch: fix segfaults in
src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
- CVE-2016-4555
- CVE-2016-4556
* debian/rules: include autoreconf.mk.
* debian/control: add dh-autoreconf to BuildDepends.
-- Marc Deslauriers <email address hidden> Wed, 08 Jun 2016 08:06:59 -0400
-
squid3 (3.5.12-1ubuntu7.1) xenial; urgency=medium
* Add Breaks on older ufw to fix upgrade path (LP: #1571174).
-- Robie Basak <email address hidden> Thu, 12 May 2016 11:03:06 +0000
-
squid3 (3.5.12-1ubuntu7) xenial; urgency=medium
* Update apparmor profile to be correct for maas-proxy.
-- LaMont Jones <email address hidden> Tue, 12 Apr 2016 13:05:00 -0600
-
squid3 (3.5.12-1ubuntu6) xenial; urgency=medium
* Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
* Update apparmor profile for s/squid3/squid/ and /dev/shm access.
-- Adam Conrad <email address hidden> Sun, 03 Apr 2016 21:34:50 -0600
-
squid3 (3.5.12-1ubuntu5) xenial; urgency=medium
* Use versioned Breaks/Replaces instead of an unversioned Conflicts, to
further clean up the upgrade ordering.
-- Steve Langasek <email address hidden> Fri, 01 Apr 2016 21:05:38 +0000
-
squid3 (3.5.12-1ubuntu4) xenial; urgency=medium
* Remove redundant version-guarded restart code from squid postinst, which
doesn't do the right thing on Ubuntu upgrades.
* Remove duplicated conffile handling from the squid3 dummy package with
extreme prejudice. The conffile moving absolutely *must* be done
exclusively in the squid package; trying to do it in the squid3 package
causes pristine conffiles to be silently overwritten with any
locally-modified version from the squid3 package, with hilarious effect.
* Adjust squid.{pre,post}inst to trick dpkg-maintscript-helper into
believing we had a previously installed version of this package even if
we did not, which appears to be a requirement for mv_conffile to DTRT.
This is certainly a dpkg bug that needs to be filed.
* Move all Ubuntu-specific dpkg-maintscript-helper delta into
debian/squid.maintscript for clarity/sanity. Among other things,
this uncovers a bug where we're trying to call both mv_conffile and
rm_conffile for /etc/init.d/squid3.
* debian/squid3.{pre,post}inst: drop wrong short-circuiting of various
invocations; we always want to call the debhelper block.
* debian/squid3.postinst: don't try to stop squid3 again, this is
redundant.
* debian/squid3.postrm: don't rm -f conffiles in purge when dpkg already
handles these.
* Add missing pre-depends on adduser
* Anchor the Conflicts/Replaces to the version of the package that
introduced the name change in Ubuntu, to avoid upgrade ordering problems
later.
* Include upgrade migration handling for /var/spool/squid3 ->
/var/spool/squid. This won't work if /var/spool/squid3 is a mount point,
so fail gracefully, but leaving two full squid cache directories around
after upgrade is a nuisance.
* Remove empty /etc/squid3 dir on upgrade.
* Clean up apparmor links for usr.sbin.squid3 on upgrade. We don't migrate
these apparmor settings over, so at least don't leave stale links behind.
-- Steve Langasek <email address hidden> Thu, 31 Mar 2016 19:01:47 -0700
-
squid3 (3.5.12-1ubuntu3) xenial; urgency=medium
* Revert last postinst change as it's buggy.
* Remove /etc/init.d/squid3 from preinst on upgrade.
-- Stéphane Graber <email address hidden> Tue, 29 Mar 2016 22:46:16 -0400
-
squid3 (3.5.12-1ubuntu2) xenial; urgency=medium
* debian/squid.postinst: Fix dist-upgrade of squid by detecting service
name (/etc/init.d/squid vs. squid3).
squid3 (3.5.12-1ubuntu1) xenial; urgency=medium
* Merge from Debian (LP: #1473691). Remaining changes:
- Add dep8 tests.
- Use snakeoil certificates.
- Run sarg-reports if present before rotating logs
- debian/patches/90-cf.data.ubuntu.dpatch: add an example refresh
pattern for debs.
- Add disabled by default AppArmor profile. Versioned dependency on
init-system-helpers (>> 1.22ubuntu5) to ensure we have the
apparmor-profile-load script at boot time.
* Drop changes:
- No longer needed:
+ Upstart job.
+ Dependency package for squid -> squid3: depcrecated; the transitional package now runs the other way.
+ Fix perl & pod2man config.tests.
+ fix-logical-not-parentheses-warning.patch.
+ fix-pod2name-pipe-failure.patch.
+ --disable-strict-error-checking to fix FTBFS.
- NEWS.Debian: no longer relevant.
- Hardening options: deprecated.
- Add patch to show distribution: fixed in Debian (but see
lsb-release B-D).
- Enable parallel build: makes no difference to build time.
- Force -O2 to work around build failure with -O3: presumed no
longer needed.
- Fixed upstream:
+ CVE-2014-3609.patch: confirmed fixed since 3.4.7 from upstream
advisory.
+ Fix various ICMP handling issues in Squid pinger: confirmed
fixed since 3.4.7 from upstream advisory.
+ fix-caching-vary-header.patch.
+ netfilter_fix.patch.
* Drop Testsuite: header from dep8 tests: no longer required since
dpkg-source >= 1.17.11 does it.
* Revert "Set pidfile for systemd's sysv-generator" from Debian.
systemd races the squid daemon for pidfile creation, causing systemd
to consider the service start to have failed. Work around for now by
not telling systemd to use the pidfile.
* Add lsb-release build dep. This is required for the
--enable-build-info line in debian/rules to work correctly.
* Correctly rename conffiles migrated by Debian from squid3 to squid.
* Remove conffile for old upstart job Ubuntu delta.
* Rename Apparmor profile conffile.
* Drop old transitional Apparmor code no longer required.
* Adjust AppArmor profile for squid3->squid rename.
* Drop versioned AppArmor dependency (transitional; no longer
required).
squid3 (3.5.12-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
* debian/squid.postinst
- remove unneeded config edits for manager ACL (Closes: #801564)
* debian/patches/
- add upstream patch to cleanup FATAL log messages
[ Mathieu Parent ]
* Fix FATAL parsing before start/reload/restart (Closes: #800341)
* Set pidfile for systemd's sysv-generator (Closes: #800341)
squid3 (3.5.10-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release (Closes: #799923, #800876)
* debian/squid.rc
- Grok pid_filename from squid.conf (Closes: #520736)
- Update SELinux context when creating directories (Closes: #798827)
[ Luigi Gangitano <email address hidden> ]
- Urgency high due to regression fix for CVE-2015-5400.
squid3 (3.5.7-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New upstream release (Closes: #789602, #793400, #253777)
* debian/rules
- Add BUILDCXXFLAGS to use hardening flags during build
* debian/squid.links
- Add symlink for squid3.8 man(8) page to resolve lintian issue
* debian/squid.postinst
- Remove unnecessary 'squid -z' (Closes: #794639)
[ Luigi Gangitano <email address hidden> ]
* Rebuild using GCC-5 (Closes: #794536)
* debian/squid.postinst
- Check for squid3 initscript before we try to execute it
* debian/squid.rc
- Set working directory to /var/run/squid
squid3 (3.5.6-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New upstream release (Closes: #760303)
- Fixed upstream macro issue that fail to pass reproducible builds test
- Fixes CVE-2015-5400: Improper Protection of Alternate Path
(Closes: #793128)
* Removed deprecated MSNT and MSNT-multi-domain authentication helpers
* Transition squid3 to squid
- Renamed squid3 package to squid (Closes: #521053, #565555, #672156)
(Closes: #294431, #569575, #714334, #279840, #576423, #779127)
- Renamed squid3-common package to squid-common
- Renamed squid3-dbg package to squid-dbg
- Add dummy transitional package squid3
* debian/patches/
- Removed patches included upstream and refresh others
* debian/squid3-cgi.dirs
- Removed old unused packaging file
* debian/control
- Add dependency on libgnutls28-dev for squidclient HTTPS support
[ Luigi Gangitano <email address hidden> ]
* debian/control
- Changed dependency on libecap3-dev (Closes: #789774)
- Made squid-common conflict and replace squid3-common
- Fixed dependencies and sections of transitional packages
* {NEWS,README}.Debian
- Added information on package name migration
squid3 (3.4.8-6) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/patches/31-squid-3.4-13199.patch
- Added upstream patch fixing excessive CPU usage (Closes: #776461)
* debian/patches/32-squid-3.4-13210.patch
- Added upstream patch fixing excessive CPU and memory usage in
NTLM and Negotiate authentication helpers (Closes: #776463)
* debian/patches/33-squid-3.4-13211.patch
- Added upstream patch fixing a possible replay vulnerability on Digest
authentication (Closes: #776464)
* debian/patches/34-squid-3.4-13213.patch
- Added upstream patch fixing incorrect security permissions for
TOS/DiffServ packet marking (Closes: #776468)
* debian/patches/35-squid-3.4-13203.patch
- Added upstream patch fixing squidclient unable to connect to host with
both IPv4 and IPv6 addresses (Closes: #742425)
squid3 (3.4.8-5) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.{pre,post}inst
- Moved ACL manager fix to postinst (Closes: #773032)
squid3 (3.4.8-4) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.preinst
- Revert changes on abort-upgrade
squid3 (3.4.8-3) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* debian/squid3.preinst
- Remove obsolete manager ACL definition from squid.conf
when upgrading squid3 package (Closes: #768170)
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.preinst
- Fix configuration file only if needed and match any uncommented line
squid3 (3.4.8-2) unstable; urgency=medium
[ Santiago Garcia Mantinan <email address hidden> ]
* Add patch to remove bashisms from cert_tool
* Add manual page for squid-purge
* Create run_dir needed for SMP with several workers to run. This
fixes #710126 (Closes: #732183, #760400)
* Use CONFIG instead of sq (Closes: #763867)
* Remove find_cache_type and use grepconf (both functions were =).
* Allow find_cache_dir and grepconf to have whitespace in the beginning
(Closes: #761209)
* Add config check before reload/restart, thanks Freddy (Closes: #728222)
[ Amos Jeffries <email address hidden> ]
* debian/squid3.postinst
- update grepconf to support SMP macros and sub-config files
when locating cache_dir and effective user/group
* debian/squid3.rc
- remove special handling for obsolete COSS cache type
- change grepconf to support SMP macros and sub-config files
* debian/rules
- add distribution details to squid -v display output
this obsoletes the Ubuntu fix-distribution.patch
* debian/control
- bumped libecap dependency version to 0.2.0-2
* debian/squid3.resolvconf
- added check on /usr availability before squid3 restart (Closes: #765476)
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.rc
- Change config check to config parse on start/reload/restart
* debian/control
- Fixed XS-Vcs-Git Header pointing anonscm.debian.org
squid3 (3.4.8-1) unstable; urgency=high
* Urgency high due to security fixes
[ Amos Jeffries <email address hidden> ]
* New upstream release (Closes: #737008)
- Fixes CVE-2014-6270: off by one in snmp subsystem (Closes: #761002)
- Fixes CVE-2014-CVE-2014-7141 and CVE-214-7142 (Closes: #760999)
+ pinger remote DoS vulnerabilities
- Fixes CVE-2014-0128: Denial of Service in SSL-Bump (Closes: #741312)
* debian/patches/
- remove CVE-2014-3609.patch included upstream
- remove 17-pod2man-check.patch obsoleted by new version
- add upstream patch 21-squid-3.4-13176-memoryleak.patch:
memory leak in external_acl_type helper with cache=0 or ttl=0
* debian/rules
- add --disable-arch-native to build with portable CPU support
* debian/control
- libecap API support is specific to version 0.2.0
- use nettle for crypto library
* debian/watch
- updated watch pattern for upstream major series
* debian/rules
- Remove obsolete --enable-underscores (Closes: #693905)
[ Luigi Gangitano <email address hidden> ]
* debian/patches/
- refreshed all patches to match 3.4.8
* debian/control
- Added dependency for missing intepreter ksh
- Bumped Standard-Version to 3.9.6, no change needed
- Added XS-Vcs-Git Header pointing to Alioth repository
squid3 (3.3.8-1.2) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Add CVE-2014-3609.patch patch.
CVE-2014-3609: Denial of Service in Range header processing.
Ignore Range headers with unidentifiable byte-range values. If squid is
unable to determine the byte value for ranges, treat the header as
invalid. (Closes: #759509)
squid3 (3.3.8-1.1) unstable; urgency=low
* Non-maintainer upload.
* Fix "FTBFS: cp: cannot stat
'/«PKGBUILDDIR»/debian/tmp/usr/share/man/man8/basic_db_auth.8': No
such file or directory":
new patch 17-pod2man-check.patch:
fix config.test files' check for perl and pod2man
(Closes: #725599)
-- Ryan Harper <email address hidden> Mon, 28 Mar 2016 11:20:35 -0500
-
squid3 (3.5.12-1ubuntu1) xenial; urgency=medium
* Merge from Debian (LP: #1473691). Remaining changes:
- Add dep8 tests.
- Use snakeoil certificates.
- Run sarg-reports if present before rotating logs
- debian/patches/90-cf.data.ubuntu.dpatch: add an example refresh
pattern for debs.
- Add disabled by default AppArmor profile. Versioned dependency on
init-system-helpers (>> 1.22ubuntu5) to ensure we have the
apparmor-profile-load script at boot time.
* Drop changes:
- No longer needed:
+ Upstart job.
+ Dependency package for squid -> squid3: depcrecated; the transitional package now runs the other way.
+ Fix perl & pod2man config.tests.
+ fix-logical-not-parentheses-warning.patch.
+ fix-pod2name-pipe-failure.patch.
+ --disable-strict-error-checking to fix FTBFS.
- NEWS.Debian: no longer relevant.
- Hardening options: deprecated.
- Add patch to show distribution: fixed in Debian (but see
lsb-release B-D).
- Enable parallel build: makes no difference to build time.
- Force -O2 to work around build failure with -O3: presumed no
longer needed.
- Fixed upstream:
+ CVE-2014-3609.patch: confirmed fixed since 3.4.7 from upstream
advisory.
+ Fix various ICMP handling issues in Squid pinger: confirmed
fixed since 3.4.7 from upstream advisory.
+ fix-caching-vary-header.patch.
+ netfilter_fix.patch.
* Drop Testsuite: header from dep8 tests: no longer required since
dpkg-source >= 1.17.11 does it.
* Revert "Set pidfile for systemd's sysv-generator" from Debian.
systemd races the squid daemon for pidfile creation, causing systemd
to consider the service start to have failed. Work around for now by
not telling systemd to use the pidfile.
* Add lsb-release build dep. This is required for the
--enable-build-info line in debian/rules to work correctly.
* Correctly rename conffiles migrated by Debian from squid3 to squid.
* Remove conffile for old upstart job Ubuntu delta.
* Rename Apparmor profile conffile.
* Drop old transitional Apparmor code no longer required.
* Adjust AppArmor profile for squid3->squid rename.
* Drop versioned AppArmor dependency (transitional; no longer
required).
squid3 (3.5.12-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
* debian/squid.postinst
- remove unneeded config edits for manager ACL (Closes: #801564)
* debian/patches/
- add upstream patch to cleanup FATAL log messages
[ Mathieu Parent ]
* Fix FATAL parsing before start/reload/restart (Closes: #800341)
* Set pidfile for systemd's sysv-generator (Closes: #800341)
squid3 (3.5.10-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release (Closes: #799923, #800876)
* debian/squid.rc
- Grok pid_filename from squid.conf (Closes: #520736)
- Update SELinux context when creating directories (Closes: #798827)
[ Luigi Gangitano <email address hidden> ]
- Urgency high due to regression fix for CVE-2015-5400.
squid3 (3.5.7-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New upstream release (Closes: #789602, #793400, #253777)
* debian/rules
- Add BUILDCXXFLAGS to use hardening flags during build
* debian/squid.links
- Add symlink for squid3.8 man(8) page to resolve lintian issue
* debian/squid.postinst
- Remove unnecessary 'squid -z' (Closes: #794639)
[ Luigi Gangitano <email address hidden> ]
* Rebuild using GCC-5 (Closes: #794536)
* debian/squid.postinst
- Check for squid3 initscript before we try to execute it
* debian/squid.rc
- Set working directory to /var/run/squid
squid3 (3.5.6-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New upstream release (Closes: #760303)
- Fixed upstream macro issue that fail to pass reproducible builds test
- Fixes CVE-2015-5400: Improper Protection of Alternate Path
(Closes: #793128)
* Removed deprecated MSNT and MSNT-multi-domain authentication helpers
* Transition squid3 to squid
- Renamed squid3 package to squid (Closes: #521053, #565555, #672156)
(Closes: #294431, #569575, #714334, #279840, #576423, #779127)
- Renamed squid3-common package to squid-common
- Renamed squid3-dbg package to squid-dbg
- Add dummy transitional package squid3
* debian/patches/
- Removed patches included upstream and refresh others
* debian/squid3-cgi.dirs
- Removed old unused packaging file
* debian/control
- Add dependency on libgnutls28-dev for squidclient HTTPS support
[ Luigi Gangitano <email address hidden> ]
* debian/control
- Changed dependency on libecap3-dev (Closes: #789774)
- Made squid-common conflict and replace squid3-common
- Fixed dependencies and sections of transitional packages
* {NEWS,README}.Debian
- Added information on package name migration
squid3 (3.4.8-6) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/patches/31-squid-3.4-13199.patch
- Added upstream patch fixing excessive CPU usage (Closes: #776461)
* debian/patches/32-squid-3.4-13210.patch
- Added upstream patch fixing excessive CPU and memory usage in
NTLM and Negotiate authentication helpers (Closes: #776463)
* debian/patches/33-squid-3.4-13211.patch
- Added upstream patch fixing a possible replay vulnerability on Digest
authentication (Closes: #776464)
* debian/patches/34-squid-3.4-13213.patch
- Added upstream patch fixing incorrect security permissions for
TOS/DiffServ packet marking (Closes: #776468)
* debian/patches/35-squid-3.4-13203.patch
- Added upstream patch fixing squidclient unable to connect to host with
both IPv4 and IPv6 addresses (Closes: #742425)
squid3 (3.4.8-5) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.{pre,post}inst
- Moved ACL manager fix to postinst (Closes: #773032)
squid3 (3.4.8-4) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.preinst
- Revert changes on abort-upgrade
squid3 (3.4.8-3) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* debian/squid3.preinst
- Remove obsolete manager ACL definition from squid.conf
when upgrading squid3 package (Closes: #768170)
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.preinst
- Fix configuration file only if needed and match any uncommented line
squid3 (3.4.8-2) unstable; urgency=medium
[ Santiago Garcia Mantinan <email address hidden> ]
* Add patch to remove bashisms from cert_tool
* Add manual page for squid-purge
* Create run_dir needed for SMP with several workers to run. This
fixes #710126 (Closes: #732183, #760400)
* Use CONFIG instead of sq (Closes: #763867)
* Remove find_cache_type and use grepconf (both functions were =).
* Allow find_cache_dir and grepconf to have whitespace in the beginning
(Closes: #761209)
* Add config check before reload/restart, thanks Freddy (Closes: #728222)
[ Amos Jeffries <email address hidden> ]
* debian/squid3.postinst
- update grepconf to support SMP macros and sub-config files
when locating cache_dir and effective user/group
* debian/squid3.rc
- remove special handling for obsolete COSS cache type
- change grepconf to support SMP macros and sub-config files
* debian/rules
- add distribution details to squid -v display output
this obsoletes the Ubuntu fix-distribution.patch
* debian/control
- bumped libecap dependency version to 0.2.0-2
* debian/squid3.resolvconf
- added check on /usr availability before squid3 restart (Closes: #765476)
[ Luigi Gangitano <email address hidden> ]
* debian/squid3.rc
- Change config check to config parse on start/reload/restart
* debian/control
- Fixed XS-Vcs-Git Header pointing anonscm.debian.org
squid3 (3.4.8-1) unstable; urgency=high
* Urgency high due to security fixes
[ Amos Jeffries <email address hidden> ]
* New upstream release (Closes: #737008)
- Fixes CVE-2014-6270: off by one in snmp subsystem (Closes: #761002)
- Fixes CVE-2014-CVE-2014-7141 and CVE-214-7142 (Closes: #760999)
+ pinger remote DoS vulnerabilities
- Fixes CVE-2014-0128: Denial of Service in SSL-Bump (Closes: #741312)
* debian/patches/
- remove CVE-2014-3609.patch included upstream
- remove 17-pod2man-check.patch obsoleted by new version
- add upstream patch 21-squid-3.4-13176-memoryleak.patch:
memory leak in external_acl_type helper with cache=0 or ttl=0
* debian/rules
- add --disable-arch-native to build with portable CPU support
* debian/control
- libecap API support is specific to version 0.2.0
- use nettle for crypto library
* debian/watch
- updated watch pattern for upstream major series
* debian/rules
- Remove obsolete --enable-underscores (Closes: #693905)
[ Luigi Gangitano <email address hidden> ]
* debian/patches/
- refreshed all patches to match 3.4.8
* debian/control
- Added dependency for missing intepreter ksh
- Bumped Standard-Version to 3.9.6, no change needed
- Added XS-Vcs-Git Header pointing to Alioth repository
squid3 (3.3.8-1.2) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Add CVE-2014-3609.patch patch.
CVE-2014-3609: Denial of Service in Range header processing.
Ignore Range headers with unidentifiable byte-range values. If squid is
unable to determine the byte value for ranges, treat the header as
invalid. (Closes: #759509)
squid3 (3.3.8-1.1) unstable; urgency=low
* Non-maintainer upload.
* Fix "FTBFS: cp: cannot stat
'/«PKGBUILDDIR»/debian/tmp/usr/share/man/man8/basic_db_auth.8': No
such file or directory":
new patch 17-pod2man-check.patch:
fix config.test files' check for perl and pod2man
(Closes: #725599)
-- Robie Basak <email address hidden> Thu, 25 Feb 2016 11:42:03 +0000
-
squid3 (3.3.8-1ubuntu17) xenial; urgency=medium
* --disable-strict-error-checking to fix FTBFS due to auto_ptr defined
in unique pointer headers. (LP: #1521234).
-- Dimitri John Ledkov <email address hidden> Mon, 30 Nov 2015 15:32:14 +0000
-
squid3 (3.3.8-1ubuntu16) wily; urgency=medium
[ Tiago Stürmer Daitx ]
* d/patches/fix-logical-not-parentheses-warning.patch: Fix warning for
logical-not-parentheses which caused squid to FTBFS. (LP: #1496924)
* d/patches/netfilter_fix.patch: Backported from Squid Bug #4323.
(LP: #1496223)
* d/patches/fix-pod2name-pipe-failure.patch: Add --name parameter to
pod2man (LP: #1501566)
* roll back build-dependency to libecap2-dev, this version of squid3 is not
compatible with libecap3 and libecap3 transition has been rolled back for
wily.
-- Steve Langasek <email address hidden> Fri, 09 Oct 2015 00:29:47 +0000
