Copied from ubuntu xenial in c42-backport-staging by H.-Dirk Schmitt
Changelog
squid3 (3.5.23-1ubuntu1~ubuntu16.04.1~c42.ppa1) xenial; urgency=medium
* No-change backport to xenial
squid3 (3.5.23-1ubuntu1) zesty; urgency=medium
* Merge from Debian (LP: #1644538). Remaining changes:
- Add additional dep8 tests.
- Use snakeoil certificates.
- Add an example refresh pattern for debs.
- Add disabled by default AppArmor profile.
- Revert "Set pidfile for systemd's sysv-generator" from Debian.
- Drop wrong short-circuiting of various invocations; we always want to
call the debhelper block.
- Add missing Pre-Depends on adduser.
- Enable autoreconf. This is no longer required for the security updates,
but is needed for the seddery of test-suite/Makefile.am in
d/t/upstream-test-suite.
* Drop changes (adopted in Debian):
- Run sarg-reports if present before rotating logs.
- Add lsb-release build dep.
* Drop changes that no longer make a functional difference in Ubuntu, but may
still be relevant to send to Debian:
- d/squid3.postinst: don't try to stop squid3 again.
- d/squid3.postrm: don't rm -f conffiles in purge.
- Drop squid3 dependencies on ${shlib:Depends} and lsb-base.
- Drop creation of /etc/squid.
* Drop unnecessary changes:
- Add executable bits to d/squid.preinst.
* Drop changes relating to the upgrade path from prior to Xenial, so no
longer required:
- /var/spool/squid3 upgrade path handling.
- Conffile upgrade path handling.
- Remove redundant version-guarded restart code from squid postinst.
- Clean up apparmor links for usr.sbin.squid3 on upgrade.
- Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
- Add Breaks on older ufw to fix upgrade path.
- Use Breaks instead of Conflicts. Instead, drop the Conflicts/Replaces
entirely (see below).
* Drop security fixes: all included in 3.5.23 upstream.
* Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
happened in Xenial, so no upgrade path still requires this code. This
reduces upgrade ordering difficulty.
* Fix failing autopkgtests:
- Adjust Python module dependencies.
- Correctly handle the squid3 -> squid rename.
- Adjust seddery for upstream test squid binary location.
* Drop dependency on init-system-helpers. This was introduced in LP: #1432683.
Since we no longer ship an upstart job, it is no longer required.
* Correct attribution and add explanatory note in d/NEWS.debian.
squid3 (3.5.23-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release (Closes: #793473, #822952)
- Fixes security issue SQUID-2016:10 (CVE-2016-10003) (Closes: #848491)
- Fixes security issue SQUID-2016:11 (CVE-2016-10002) (Closes: #848493)
* debian/patches/
- Remove patch included upstream
* debian/tests/
- Use package build-deps when testing so the make commands will work
squid3 (3.5.22-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
* debian/patches
- Add upstream patch to fix adaptation crashes
* debian/{control, rules, squid.postinst}
- Accept patch to remove setuid from pinger (Closes: #822992)
[ Luigi Gangitano ]
* debian/compat
- Bump to debhelper compatibility level 10
* debian/{control,tests/}
- Add DEP-8 autopkgtest for upstream test suite, thanks to
Santiago Ruano Rincan (Closes: #829141)
* debian/rules
- Avoid linking with unneeded libraries, thanks to Yuriy M. Kaminskiyi
(Closes: #822998)
squid3 (3.5.19-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release (Closes: #823968)
- Fixes security issue SQUID-2016:7 (CVE-2016-4553)
- Fixes security issue SQUID-2016:8 (CVE-2016-4554)
- Fixes security issue SQUID-2016:9 (CVE-2016-4555, CVE-2016-4556)
* debian/control
- Bumped Standards-Version to 3.9.8, no change needed
* debian/rules
- Send hardening CPPFLAGS to custom build tools
squid3 (3.5.17-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
- Fixes security issue SQUID-2016:5 (CVE-2016-4051)
- Fixes security issue SQUID-2016:6 (CVE-2016-4052, CVE-2016-4053,
CVE-2016-4054)
squid3 (3.5.16-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
- Fixes security issue SQUID-2016:3 (CVE-2016-3947) (Closes: #819783)
- Fixes security issue SQUID-2016:4 (CVE-2016-3948) (Closes: #819784)
* debian/patches/
- Remove patch included upstream
squid3 (3.5.15-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
- Fixes security issues SQUID-2016:2
(CVE-2016-2569, CVE-2016-2570, CVE-2016-2571)
(Closes: #816011)
* debian/patches/03-upstream-bug4447.patch
- add upstream patch for their bug #4447
[ Robie Basak <email address hidden> ]
* debian/control
- Add lsb-release build dep. This is required for the --enable-build-info
line in debian/rules to work correctly.
* debian/squid.logrotate
- Run sarg-reports if present before rotating logs.
[ Luigi Gangitano <email address hidden> ]
* debian/control
- Bumped Standards-Version to 3.9.7, no change needed
squid3 (3.5.14-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New Upstream Release (Closes: #812038)
* debian/control
- add Depends libdbi-perl (Closes: #807512)
- Fixed lintian complaint about squid3 package description
- Fixed Vcs-Git Header pointing anonscm.debian.org
* debian/rules
- build ext_time_quota_acl helper (LP: #1391159)
* debian/squid.install
- add missing helper man pages
squid3 (3.5.12-1ubuntu9) zesty; urgency=medium
* SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
- debian/patches/CVE-2016-10002.patch: properly handle combination of
If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
src/client_side_reply.cc, src/client_side_reply.h.
- CVE-2016-10002
* SECURITY UPDATE: incorrect HTTP Request header comparison
- debian/patches/CVE-2016-10003.patch: don't share private responses
with collapsed client in src/client_side_reply.cc.
- CVE-2016-10003
squid3 (3.5.12-1ubuntu8) yakkety; urgency=medium
* SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
- debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
- CVE-2016-3947
* SECURITY UPDATE: denial of service and possible code execution via
seeding manager reporter with crafted data
- debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
src/tests/stub_mem.cc, tools/Makefile.am.
- CVE-2016-4051
* SECURITY UPDATE: denial of service or arbitrary code execution via
crafted ESI responses
- debian/patches/CVE-2016-4052.patch: perform bounds checking and
remove asserts in src/esi/Esi.cc.
- CVE-2016-4052
- CVE-2016-4053
- CVE-2016-4054
* SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
absolute-URI
- debian/patches/CVE-2016-4553.patch: properly handle condition in
src/client_side.cc
- CVE-2016-4553
* SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
crafted HTTP host header
- debian/patches/CVE-2016-4554.patch: properly handle whitespace in
src/mime_header.cc.
- CVE-2016-4554
* SECURITY UPDATE: denial of service via ESI responses
- debian/patches/CVE-2016-4555.patch: fix segfaults in
src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
- CVE-2016-4555
- CVE-2016-4556
* debian/rules: include autoreconf.mk.
* debian/control: add dh-autoreconf to BuildDepends.
-- <email address hidden> (H.-Dirk Schmitt) Sat, 11 Mar 2017 07:54:18 +0100
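The entries above record, per CVE, the upstream release that first carried a fix (the Debian entries) and, for some CVEs, the Ubuntu 3.5.12-1ubuntuN revision that carried a backported patch. Deciding whether an installed package already covers a given CVE therefore comes down to Debian version ordering, where the PPA suffix `~ubuntu16.04.1~c42.ppa1` sorts below `1ubuntu1` but still above plain `-1`. The script below is an added example, not code from the squid package, Debian or Launchpad: it re-implements the deb-version(7) ordering (epoch, upstream, revision; `~` before everything; digit runs compared numerically) so it runs without dpkg, and checks a version string against a fix table built only from this changelog. The table is an assumption in that sense: a distribution may ship the same fix under a different version string (for instance in its security pocket), so a "not fixed" result means "check the distro security tracker", not confirmed exposure.

```python
# Fix table taken from the changelog above, keyed by CVE:
#   (first upstream release containing the fix, per the Debian entries;
#    Ubuntu 3.5.12 revision that carried a backported patch, or None).
# Only what this changelog records; other distro builds may differ.
FIXES = {}
for cves, upstream_fix, patched in (
    (("2569", "2570", "2571"), "3.5.15-1", None),
    (("3947",), "3.5.16-1", "3.5.12-1ubuntu8"),
    (("3948",), "3.5.16-1", None),
    (("4051", "4052", "4053", "4054"), "3.5.17-1", "3.5.12-1ubuntu8"),
    (("4553", "4554", "4555", "4556"), "3.5.19-1", "3.5.12-1ubuntu8"),
    (("10002", "10003"), "3.5.23-1", "3.5.12-1ubuntu9"),
):
    for n in cves:
        FIXES["CVE-2016-" + n] = (upstream_fix, patched)


def _order(c):
    """Sort weight of one non-digit character, as in dpkg's order()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version components like dpkg's verrevcmp(): alternate
    non-digit runs (by _order) and digit runs (numerically, zeros stripped)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1            # a has more digits in this run: numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Negative, zero or positive, matching `dpkg --compare-versions` order."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    return c if c else _verrevcmp(r1, r2)


def is_fixed(installed, cve):
    """True if `installed` carries the fix for `cve` according to FIXES."""
    upstream_fix, patched = FIXES[cve]
    if dpkg_compare(installed, upstream_fix) >= 0:
        return True
    # The Ubuntu patch only counts within the same upstream release
    # (3.5.12-1ubuntuN); later upstream releases are handled above.
    return (patched is not None
            and parse_version(installed)[1] == parse_version(patched)[1]
            and dpkg_compare(installed, patched) >= 0)


def unfixed_cves(installed):
    """CVEs from this changelog that `installed` does not yet include."""
    return sorted(cve for cve in FIXES if not is_fixed(installed, cve))


if __name__ == "__main__":
    # Constructed sample inputs, in the form `dpkg-query -W -f '${Version}' squid3` prints.
    for version in ("3.5.12-1ubuntu8", "3.5.23-1ubuntu1~ubuntu16.04.1~c42.ppa1"):
        print(version, "missing:", ", ".join(unfixed_cves(version)) or "none")
```

Note the two-part rule in `is_fixed`: `3.5.12-1ubuntu9` is older than `3.5.16-1` by version ordering yet carries the CVE-2016-3947 patch, so the Ubuntu patched revision is only credited when the upstream part matches; a hypothetical `3.5.13-1` would not get credit for the 3.5.12 backports, and the 3.5.23-based PPA build is credited through the upstream comparison alone.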