Merge ~ahasenack/ubuntu/+source/squid:eoan-squid-4.8-merge into ubuntu/+source/squid:debian/sid

Proposed by Andreas Hasenack on 2019-07-29
Status: Merged
Approved by: Andreas Hasenack on 2019-08-01
Approved revision: 7e4b4430883e3d77ee87247bca3ab01e29b2b322
Merge reported by: Andreas Hasenack
Merged at revision: 7e4b4430883e3d77ee87247bca3ab01e29b2b322
Proposed branch: ~ahasenack/ubuntu/+source/squid:eoan-squid-4.8-merge
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 581 lines (+434/-29)
9 files modified
debian/changelog (+264/-0)
debian/control (+3/-2)
debian/patches/90-cf.data.ubuntu.patch (+16/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/more-gcc-9-fixes.patch (+56/-0)
debian/patches/series (+3/-0)
debian/rules (+7/-2)
debian/tests/test-squid.py (+30/-25)
debian/usr.sbin.squid (+33/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  2019-07-29 Approve on 2019-08-01
Canonical Server Team 2019-07-29 Pending
Review via email: mp+370732@code.launchpad.net

Description of the change

Merge from debian 4.8-2

Bileto: https://bileto.ubuntu.com/#/ticket/3765
PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3765/+packages
sudo add-apt-repository ppa:ci-train-ppa-service/3765 -y -u

Debian wrapped the zz_apparmor DEP8 test in a conditional and I couldn't understand exactly what is happening there. This dep8 test started failing for them as soon as they added our (disabled by default) apparmor profile to the package. I think the reason it's failing is because debian is using lxc for these tests, whereas we use lxd, and our lxd setup allows this confinement. It's not clear to me, so for now I decided to essentially force that test to run in our case, by replacing the conditional with "True".

I did a few runs with the test as-is from debian, with their conditional, and in our case the test still ran, but since I'm not fully understanding what is going on, I thought it better to really force the run in the ubuntu case. I added a question to debian's commit which introduced this change (https://salsa.debian.org/squid-team/squid/commit/e36148f6798499afa70baf811c6b668ebe072eb4)

The recent gcc9 patch to fix build issues was merged upstream, so should disappear soon from the package.

d/rules' -Wno-format-truncation addition: haven't tested yet if that is still needed for ppc64el. I'm trying to bring up a ppc64 instance in canonistack to verify.

d/NEWS, and d/rules' -latomic changes were submitted to salsa but got no response yet:
https://salsa.debian.org/squid-team/squid/merge_requests/7
https://salsa.debian.org/squid-team/squid/merge_requests/6

Andreas Hasenack (ahasenack) wrote :

Left a ppc64el build running on https://launchpad.net/~ahasenack/+archive/ubuntu/squid-ppc64el/+packages, where I reverted that d/rules delta for ppc64el builds, will see tomorrow if that worked or not. If the build failed, we keep the delta. If it worked, we drop it.

Andreas Hasenack (ahasenack) wrote :

squid ppc64el build failed without the d/rules delta, so that is to be kept. The upstream bug is still open even.

Christian Ehrhardt  (paelzer) wrote :

yes on all drops
yes on retained Delta - that just is Ubuntu special customization e.g. maas
yes on changelog
yes on tests

Christian Ehrhardt  (paelzer) wrote :

shouldn't the conditional be true for us?

if os.path.exists(self.aa_abs_profile):

with:
        self.aa_profile = "usr.sbin.squid"
        self.aa_abs_profile = "/etc/apparmor.d/%s" % self.aa_profile

in Container:
root@e:~# apt install squid3
root@e:~# ll /etc/apparmor.d/usr.sbin.squid
-rw-r--r-- 1 root root 2462 Jul 19 12:01 /etc/apparmor.d/usr.sbin.squid

So can't we just keep the conditional and get the tests running without added Delta?

review: Needs Information
Christian Ehrhardt  (paelzer) wrote :

+1 with the rest.
I'll set approved in case the apparmor change is something obvious that I miss.
Otherwise let's discuss the apparmor delta ...

review: Approve
Andreas Hasenack (ahasenack) wrote :

> shouldn't the conditional be true for us?
>
> if os.path.exists(self.aa_abs_profile):
>
> with:
> self.aa_profile = "usr.sbin.squid"
> self.aa_abs_profile = "/etc/apparmor.d/%s" % self.aa_profile
>
> in Container:
> root@e:~# apt install squid3
> root@e:~# ll /etc/apparmor.d/usr.sbin.squid
> -rw-r--r-- 1 root root 2462 Jul 19 12:01 /etc/apparmor.d/usr.sbin.squid
>
>
> So can't we just keep the conditional and get the tests running without added
> Delta?

One would think this is how it would work in Debian, but alas, apparently not. I'm not sure why this change was needed in debian. The explanation doesn't seem to match what I see in their ci.debian.net log, where the dep8 tests are run in lxc (not lxd) and apparently enabling an apparmor profile in an lxc guest doesn't work out of the box.

Why this check for the file is enough to skip the test in debian I did not understand. Since I didn't understand it, I thought it best to make clear that in ubuntu we want that to run always.

90ead55... by Andreas Hasenack on 2019-07-30

  * Added:
    - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
      mounted

Andreas Hasenack (ahasenack) wrote :

Salsa PR to fix this properly in debian:

https://salsa.debian.org/squid-team/squid/merge_requests/9

I'll pull that into my branch, and hopefully it will be accepted soon in debian, so we know it's a delta we can drop later.

Andreas Hasenack (ahasenack) wrote :

I pulled in the change I submitted to debian, and will kick a new round of dep8 tests in our infrastructure.

Andreas Hasenack (ahasenack) wrote :

I kept the last change as two commits, for easier review: one reverts the debian change, and the other adds the new check. Were it just one commit, most of it would be indentation changes.

7e4b443... by Andreas Hasenack on 2019-07-31

changelog

Andreas Hasenack (ahasenack) wrote :

I changed my mind and squashed the mentioned two commits, sorry.

Andreas Hasenack (ahasenack) wrote :

https://bileto.ubuntu.com/#/ticket/3765

DEP8 passed with the new test, please take another quick look at the change (90ead55)

Christian Ehrhardt  (paelzer) wrote :

Tests ok
We discussed the test changes - those are good now - ok
  It looks like more diff than it is due to the indent change.

Thanks for submitting that to Debian as well.

+1

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks!

Tagging and uploading 7e4b4430883e3d77ee87247bca3ab01e29b2b322

$ git push pkg upload/4.8-1ubuntu1
Enumerating objects: 72, done.
Counting objects: 100% (72/72), done.
Delta compression using up to 2 threads
Compressing objects: 100% (61/61), done.
Writing objects: 100% (62/62), 13.62 KiB | 929.00 KiB/s, done.
Total 62 (delta 39), reused 4 (delta 1)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/squid
 * [new tag] upload/4.8-1ubuntu1 -> upload/4.8-1ubuntu1

$ dput ubuntu ../squid_4.8-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../squid_4.8-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../squid_4.8-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading squid_4.8-1ubuntu1.dsc: done.
  Uploading squid_4.8.orig.tar.gz: done.
  Uploading squid_4.8-1ubuntu1.debian.tar.xz: done.
  Uploading squid_4.8-1ubuntu1_source.buildinfo: done.
  Uploading squid_4.8-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Andreas Hasenack (ahasenack) wrote :

This migrated.

Preview Diff

1diff --git a/debian/NEWS.debian b/debian/NEWS
2similarity index 100%
3rename from debian/NEWS.debian
4rename to debian/NEWS
5diff --git a/debian/changelog b/debian/changelog
6index 7c1c5cd..94f69c6 100644
7--- a/debian/changelog
8+++ b/debian/changelog
9@@ -1,3 +1,57 @@
10+squid (4.8-1ubuntu1) eoan; urgency=medium
11+
12+ * Merge with Debian unstable. Remaining changes:
13+ - Use snakeoil certificates.
14+ - Add an example refresh pattern for debs.
15+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
16+ squidguard
17+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
18+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
19+ -O2 and that triggers a format-truncation error on pcon.cc. See
20+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
21+ - d/rules: Only use -latomic with the intended architectures, instead of
22+ all of them. This matches what was suggested in
23+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
24+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
25+ dh_installchangelogs can pick it up. dh_installchangelogs handles
26+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
27+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
28+ lib/smblib/smblib-util.c. (LP #1835831)
29+ * Dropped:
30+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
31+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
32+ [Fixed upstream]
33+ - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
34+ patch
35+ [Fixed upstream]
36+ - SECURITY UPDATE: incorrect digest auth parameter parsing
37+ + debian/patches/CVE-2019-12525.patch: check length in
38+ src/auth/digest/Config.cc.
39+ + CVE-2019-12525
40+ [Fixed upstream]
41+ - SECURITY UPDATE: buffer overflow in basic auth decoding
42+ + debian/patches/CVE-2019-12527.patch: switch to SBuf in
43+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
44+ src/clients/FtpGateway.cc.
45+ + CVE-2019-12527
46+ [Fixed upstream]
47+ - SECURITY UPDATE: basic auth uudecode length issue
48+ + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
49+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
50+ include/uudecode.h, lib/uudecode.c.
51+ + CVE-2019-12529
52+ [Fixed upstream]
53+ - SECURITY UPDATE: XSS issues in cachemgr.cgi
54+ + debian/patches/CVE-2019-13345.patch: properly escape values in
55+ tools/cachemgr.cc.
56+ + CVE-2019-13345
57+ [Fixed upstream]
58+ * Added:
59+ - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
60+ mounted
61+
62+ -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300
63+
64 squid (4.8-1) unstable; urgency=high
65
66 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
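Review bot: In the 4.8-1ubuntu1 entry, the -Wno-format-truncation item ends one line with "See" and begins the next with "See https://bugs.squid-cache.org/show_bug.cgi?id=4875", so the word is doubled; drop one of them. The same item names the file pcon.cc, while the comment this merge adds to debian/rules says pconn.cc; make the two agree so the reference can be searched for.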
67@@ -16,6 +70,86 @@ squid (4.8-1) unstable; urgency=high
68
69 -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200
70
71+squid (4.6-2ubuntu4) eoan; urgency=medium
72+
73+ * Fix gcc-9 issues (LP: #1835831)
74+ - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
75+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
76+ lib/smblib/smblib-util.c.
77+ * SECURITY UPDATE: incorrect digest auth parameter parsing
78+ - debian/patches/CVE-2019-12525.patch: check length in
79+ src/auth/digest/Config.cc.
80+ - CVE-2019-12525
81+ * SECURITY UPDATE: buffer overflow in basic auth decoding
82+ - debian/patches/CVE-2019-12527.patch: switch to SBuf in
83+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
84+ src/clients/FtpGateway.cc.
85+ - CVE-2019-12527
86+ * SECURITY UPDATE: basic auth uudecode length issue
87+ - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
88+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
89+ include/uudecode.h, lib/uudecode.c.
90+ - CVE-2019-12529
91+ * SECURITY UPDATE: XSS issues in cachemgr.cgi
92+ - debian/patches/CVE-2019-13345.patch: properly escape values in
93+ tools/cachemgr.cc.
94+ - CVE-2019-13345
95+
96+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400
97+
98+squid (4.6-2ubuntu3) eoan; urgency=medium
99+
100+ * Override newly added gcc-9 flags:
101+ -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
102+ NOTE: Overriding those flags is a possible security
103+ asked for info on the gcc-9 issue bug tracker:
104+ https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
105+
106+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200
107+
108+squid (4.6-2ubuntu2) eoan; urgency=medium
109+
110+ * Fix gcc-9 build issues with upstream merged patch
111+
112+ -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200
113+
114+squid (4.6-2ubuntu1) eoan; urgency=medium
115+
116+ * Merge with Debian unstable. Remaining changes:
117+ - Use snakeoil certificates.
118+ - Add an example refresh pattern for debs.
119+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
120+ squidguard
121+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
122+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
123+ -O2 and that triggers a format-truncation error on pcon.cc. See
124+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
125+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
126+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
127+ [Added Applied-Upstream header]
128+ - d/rules: Only use -latomic with the intended architectures, instead of
129+ all of them. This matches what was suggested in
130+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
131+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
132+ dh_installchangelogs can pick it up. dh_installchangelogs handles
133+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
134+ * Dropped:
135+ - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
136+ at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006)
137+ [Fixed in 4.5-2]
138+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
139+ error in parse_time_t, triggered on ppc64el due to the build using -O3
140+ in that architecture.
141+ [Fixed upstream]
142+ - Add disabled by default AppArmor profile.
143+ [Added by Debian in 4.6-2]
144+ - d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
145+ + allow net_admin capability
146+ + add attach_disconnected flag
147+ [Fixed in 4.6-2]
148+
149+ -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300
150+
151 squid (4.6-2) unstable; urgency=high
152
153 [ Andreas Hasenack <andreas@canonical.com> ]
154@@ -76,6 +210,57 @@ squid (4.5-1) unstable; urgency=medium
155
156 -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100
157
158+squid (4.4-1ubuntu2) disco; urgency=medium
159+
160+ * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
161+ at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006)
162+
163+ -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300
164+
165+squid (4.4-1ubuntu1) disco; urgency=medium
166+
167+ * Merge with Debian unstable. Remaining changes:
168+ - Use snakeoil certificates.
169+ - Add an example refresh pattern for debs.
170+ - Add disabled by default AppArmor profile.
171+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
172+ error in parse_time_t, triggered on ppc64el due to the build using -O3
173+ in that architecture.
174+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
175+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
176+ -O2 and that triggers a format-truncation error on pcon.cc. See
177+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
178+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
179+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
180+ * Drop:
181+ - d/rules: enable cdbs parallel build
182+ [Fixed in 4.2-1]
183+ - d/t/test-squid.py: fix apparmor profile filename
184+ [Fixed in 4.2-1]
185+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
186+ [Fixed in 4.2-1]
187+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
188+ [Fixed in 4.2-1]
189+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
190+ binary from the system, instead of the one from the source tree.
191+ [Fixed in 4.2-1]
192+ - d/t/upstream-test-suite: drop the sed line, since patch
193+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
194+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
195+ [Fixed in 4.2-1]
196+ * Added changes:
197+ - d/rules: Only use -latomic with the intended architectures, instead of
198+ all of them. This matches what was suggested in
199+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
200+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
201+ dh_installchangelogs can pick it up. dh_installchangelogs handles
202+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
203+ - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
204+ + allow net_admin capability
205+ + add attach_disconnected flag
206+
207+ -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200
208+
209 squid (4.4-1) unstable; urgency=high
210
211 * Urgency high due to security fixes
212@@ -140,6 +325,85 @@ squid (4.2-1) unstable; urgency=high
213
214 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
215
216+squid (4.1-1ubuntu3) cosmic; urgency=medium
217+
218+ * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
219+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
220+
221+ -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300
222+
223+squid (4.1-1ubuntu2) cosmic; urgency=medium
224+
225+ * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
226+ binary (LP: #1792728)
227+
228+ -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
229+
230+squid (4.1-1ubuntu1) cosmic; urgency=medium
231+
232+ * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
233+ Remaining changes:
234+ - Use snakeoil certificates.
235+ [Updated to use the correct config setting names]
236+ - Add an example refresh pattern for debs.
237+ [Improved the refresh patterns based on the configuration from
238+ squid-deb-proxy package]
239+ - Add disabled by default AppArmor profile.
240+ [Updated to include the ssl_certs abstraction and suggestions on how to
241+ deal with the snakeoil private key and other keys in /etc/ssl.]
242+ * Dropped changes:
243+ - Add additional dep8 tests.
244+ [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
245+ - Correct attribution and add explanatory note in d/NEWS.debian.
246+ [That particular upgrade path has happened long ago.]
247+ - Drop wrong short-circuiting of various invocations; we always want to
248+ call the debhelper block.
249+ [This was for the transitional squid3 package, and that transition has
250+ already happened.]
251+ - Revert "Set pidfile for systemd's sysv-generator" from Debian.
252+ [Not needed anymore since we have a native systemd service file
253+ and no longer rely on the generator.]
254+ - Enable autoreconf. This is no longer required for the security updates,
255+ but is needed for the seddery of test-suite/Makefile.am in
256+ d/t/upstream-test-suite.
257+ [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
258+ - Adjust seddery for upstream test squid binary location.
259+ [sed no longer necessary since patch,
260+ 0003-installed-binary-for-debian-ci.patch, will be dropped
261+ entirely.]
262+ - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
263+ happened in Xenial, so no upgrade path still requires this code. This
264+ reduces upgrade ordering difficulty.
265+ [Again we have a migration, but this time from squid3 to squid, so we
266+ need this].
267+ - GCC7 FTBFS fixes (LP: #1712668):
268+ + d/rules: don't error when hitting the "deprecated" and
269+ "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
270+ but one in Format.cc that affects 32bit builds was deemed too intrusive
271+ for the 3.5 stable series and is only in squid 4.x
272+ [No longer needed with squid 4.x]
273+ - Do not force gcc-6
274+ [It was a temporary workaround in Debian that got dropped]
275+ * Added changes:
276+ - d/rules: enable cdbs parallel build
277+ - d/t/test-squid.py: fix apparmor profile filename
278+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
279+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
280+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
281+ binary from the system, instead of the one from the source tree.
282+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
283+ error in parse_time_t, triggered on ppc64el due to the build using -O3
284+ in that architecture.
285+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
286+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
287+ -O2 and that triggers a format-truncation error on pcon.cc. See
288+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
289+ - d/t/upstream-test-suite: drop the sed line, since patch
290+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
291+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
292+
293+ -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
294+
295 squid (4.1-1) unstable; urgency=high
296
297 * New Upstream Release (Closes: #896120)
298diff --git a/debian/control b/debian/control
299index 34d22f3..35ac025 100644
300--- a/debian/control
301+++ b/debian/control
302@@ -1,7 +1,8 @@
303 Source: squid
304 Section: web
305 Priority: optional
306-Maintainer: Luigi Gangitano <luigi@debian.org>
307+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
308+XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
309 Uploaders: Santiago Garcia Mantinan <manty@debian.org>
310 Homepage: http://www.squid-cache.org
311 Standards-Version: 4.4.0
312@@ -42,7 +43,7 @@ Description: Transitional package
313 Package: squid
314 Architecture: any
315 Pre-Depends: adduser
316-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
317+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
318 Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
319 Recommends: libcap2-bin [linux-any], ca-certificates
320 Conflicts: squid3 (<< ${binary:Version})
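Review bot: On the squid Depends line, ssl-cert is added as a hard dependency, yet the only use of it visible in this merge is the documentation text in 99-ubuntu-ssl-cert-snakeoil.patch, which offers the snakeoil certificate as an optional setting "for testing". If nothing in the package needs /etc/ssl/private/ssl-cert-snakeoil.key at install or run time, Recommends or Suggests would fit better and would keep unneeded key material off proxy hosts; if Depends really is required, the changelog item "Use snakeoil certificates." should say why.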
321diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
322new file mode 100644
323index 0000000..9dfa5b4
324--- /dev/null
325+++ b/debian/patches/90-cf.data.ubuntu.patch
326@@ -0,0 +1,16 @@
327+--- a/src/cf.data.pre
328++++ b/src/cf.data.pre
329+@@ -5859,6 +5862,12 @@ NOCOMMENT_START
330+ refresh_pattern ^ftp: 1440 20% 10080
331+ refresh_pattern ^gopher: 1440 0% 1440
332+ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
333++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
334++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
335++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
336++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
337++# example pattern for deb packages
338++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
339+ refresh_pattern . 0 20% 4320
340+ NOCOMMENT_END
341+ DOC_END
342+
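Review bot: Missing patch header: the file starts directly at "--- a/src/cf.data.pre", so nothing in it records why the refresh_pattern lines are added, who wrote them, or whether they were forwarded to Debian or upstream. Add Description, Author and Forwarded fields at the top, and say in the description that the four active patterns (Packages/Sources, Release, InRelease, Translation-*) change the shipped default configuration while only the .deb/.udeb pattern is a commented example, since the changelog describes the whole patch as "an example refresh pattern for debs".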
343diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
344new file mode 100644
345index 0000000..40b5306
346--- /dev/null
347+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
348@@ -0,0 +1,22 @@
349+--- a/src/cf.data.pre
350++++ b/src/cf.data.pre
351+@@ -3516,6 +3516,19 @@
352+ reference a PEM file containing both the certificate
353+ and private key.
354+
355++ Notes:
356++
357++ On Debian/Ubuntu systems a default snakeoil certificate is
358++ available in /etc/ssl and users can set:
359++
360++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
361++
362++ and
363++
364++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
365++
366++ for testing.
367++
368+ sslcipher=... The list of valid SSL ciphers to use when connecting
369+ to this peer.
370+
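Review bot: The qualifier "for testing" appears only as the last line of the added note, after both the sslcert= and sslkey= examples, so a reader copying the two settings can miss it. Lead the note with the restriction, for example "For testing only, a default snakeoil certificate is available in /etc/ssl ...". This file also has no header before "--- a/src/cf.data.pre"; add a short description and origin so the delta is self-explanatory on the next merge.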
371diff --git a/debian/patches/more-gcc-9-fixes.patch b/debian/patches/more-gcc-9-fixes.patch
372new file mode 100644
373index 0000000..4bd2c91
374--- /dev/null
375+++ b/debian/patches/more-gcc-9-fixes.patch
376@@ -0,0 +1,56 @@
377+From fb8cded9380893d02e3eacf125f66802cde45c4d Mon Sep 17 00:00:00 2001
378+From: Amos Jeffries <squid3@treenet.co.nz>
379+Date: Thu, 18 Jul 2019 14:26:20 +1200
380+Subject: [PATCH] Bug 4969: GCC-9 build failure: stringop-truncation and others
381+
382+GCC-9 with Squid use of -Werror makes these warning hard
383+errors which can no longer be ignored. We are thus forced
384+to alter this third-party code when built for Squid.
385+
386+Truncation of these strings is fine. Rather than suppress
387+GCC warnings switch to xstrncpy() which has similar
388+behaviour but guarantees c-string terminator exists within
389+the copied range limit (removing need for two -1 hacks).
390+
391+This change will add terminators on path and device_type
392+values in the rare case of overly long configured values.
393+It is not clear what ancient Domain Controllers would do
394+when handed un-terminated c-string in those cases, but is
395+unlikely to be good.
396+---
397+ lib/smblib/smblib-util.c | 8 ++++----
398+ 1 file changed, 4 insertions(+), 4 deletions(-)
399+
400+diff --git a/lib/smblib/smblib-util.c b/lib/smblib/smblib-util.c
401+index 10e6220b7f..fcff357eed 100644
402+--- a/lib/smblib/smblib-util.c
403++++ b/lib/smblib/smblib-util.c
404+@@ -401,7 +401,7 @@ int SMB_Negotiate(SMB_Handle_Type Con_Handle, const char *Prots[])
405+
406+ p = (SMB_Hdr(pkt) + SMB_negrLM_buf_offset + Con_Handle -> Encrypt_Key_Len);
407+
408+- strncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom) - 1);
409++ xstrncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom));
410+
411+ break;
412+
413+@@ -424,7 +424,7 @@ int SMB_Negotiate(SMB_Handle_Type Con_Handle, const char *Prots[])
414+
415+ p = (SMB_Hdr(pkt) + SMB_negrLM_buf_offset + Con_Handle -> Encrypt_Key_Len);
416+
417+- strncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom) - 1);
418++ xstrncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom));
419+
420+ break;
421+
422+@@ -538,8 +538,8 @@ SMB_Tree_Handle SMB_TreeConnect(SMB_Handle_Type Con_Handle,
423+
424+ tree -> next = tree -> prev = NULL;
425+ tree -> con = Con_Handle;
426+- strncpy(tree -> path, path, sizeof(tree -> path));
427+- strncpy(tree -> device_type, device, sizeof(tree -> device_type));
428++ xstrncpy(tree -> path, path, sizeof(tree -> path));
429++ xstrncpy(tree -> device_type, device, sizeof(tree -> device_type));
430+
431+ /* Now plug in the values ... */
432+
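Review bot: In both SMB_Negotiate hunks the copy limit is sizeof(Con_Handle -> Svr_PDom), which is the size of the source field, while the destination is p, a pointer into pkt at SMB_negrLM_buf_offset + Encrypt_Key_Len. With the "- 1" removed, xstrncpy may now write one byte more at p than the old strncpy call did (the terminator the commit message describes), so please confirm that the space remaining in pkt at that offset is at least sizeof(Svr_PDom). The SMB_TreeConnect hunk does not raise this question, because there the limit is the size of the destination (tree -> path, tree -> device_type).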
433diff --git a/debian/patches/series b/debian/patches/series
434index 6bff1ed..9847088 100644
435--- a/debian/patches/series
436+++ b/debian/patches/series
437@@ -1,3 +1,6 @@
438 0001-Default-configuration-file-for-debian.patch
439 0002-Change-default-file-locations-for-debian.patch
440 0003-installed-binary-for-debian-ci.patch
441+90-cf.data.ubuntu.patch
442+99-ubuntu-ssl-cert-snakeoil.patch
443+more-gcc-9-fixes.patch
444diff --git a/debian/rules b/debian/rules
445index 1bf39d7..fac4ec7 100755
446--- a/debian/rules
447+++ b/debian/rules
448@@ -3,12 +3,17 @@
449 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
450 export DEB_CFLAGS_MAINT_APPEND = -Wall
451
452-DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -latomic
453+DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
454 ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
455 DEB_LDFLAGS_MAINT_APPEND += -latomic
456 endif
457 export DEB_LDFLAGS_MAINT_APPEND
458-
459+# On ppc64el, dpkg-buildflags sets -O3 instead of the usual
460+# -O2. This makes gcc emit a format-truncation error on
461+# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875
462+ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el)
463+ export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation
464+endif
465 export DEB_BUILD_PARALLEL = yes
466 include /usr/share/dpkg/buildflags.mk
467 -include /usr/share/dpkg/buildtools.mk
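Review bot: The new ppc64el test shells out with $(shell dpkg-architecture -qDEB_HOST_ARCH), while the -latomic conditional a few lines above it tests $(DEB_HOST_ARCH) directly; use one mechanism for both so the two architecture checks cannot disagree. In the same block, "export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation" assigns with "=", which discards any value set earlier; "+=" followed by a separate export, as is done for DEB_LDFLAGS_MAINT_APPEND, is safer. The comment names pconn.cc but the changelog entry says pcon.cc.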
468diff --git a/debian/tests/test-squid.py b/debian/tests/test-squid.py
469index 98136d1..e7a8044 100644
470--- a/debian/tests/test-squid.py
471+++ b/debian/tests/test-squid.py
472@@ -183,35 +183,40 @@ Welcome to the world of Gopher and enjoy!
473 def test_zz_apparmor(self):
474 '''Test apparmor'''
475
476- # if 'apparmor-utils' was not installed before 'squid' package
477- # then dh_apparmor tool will not install the profile
478- if os.path.exists(self.aa_abs_profile):
479- # Currently while we have a profile, it is shipped disabled by default.
480- # Verify that.
481- ret, report = check_apparmor(self.aa_abs_profile, is_running=False)
482- expected = 1
483- result = 'Got exit code %d, expected %d\n' % (ret, expected)
484- self.assertEquals(ret, expected, result + report)
485+ # Currently while we have a profile, it is shipped disabled by default.
486+ # Verify that.
487+ ret, report = check_apparmor(self.aa_abs_profile, is_running=False)
488+ expected = 1
489+ result = 'Got exit code %d, expected %d\n' % (ret, expected)
490+ self.assertEquals(ret, expected, result + report)
491
492- # Verify it is syntactically correct
493- ret, report = cmd(['apparmor_parser', '-p', self.aa_abs_profile])
494- expected = 0
495- result = 'Got exit code %d, expected %d\n' % (ret, expected)
496- self.assertEquals(ret, expected, result + report)
497+ # Verify it is syntactically correct
498+ ret, report = cmd(['apparmor_parser', '-p', self.aa_abs_profile])
499+ expected = 0
500+ result = 'Got exit code %d, expected %d\n' % (ret, expected)
501+ self.assertEquals(ret, expected, result + report)
502+
503+ # The remaining tests try to actually load a profile
504+ # skip them if securityfs isn't mounted (i.e., we are in a lxc container)
505+ ret, _ = _aa_status()
506+ # from the manpage:
507+ # 3 if the apparmor control files aren't available under /sys/kernel/security/.
508+ if ret == 3:
509+ return True
510
511- # Verify it loads ok
512- ret, report = cmd(['aa-enforce', self.aa_abs_profile])
513- expected = 0
514- result = 'Got exit code %d, expected %d\n' % (ret, expected)
515- self.assertEquals(ret, expected, result + report)
516+ # Verify it loads ok
517+ ret, report = cmd(['aa-enforce', self.aa_abs_profile])
518+ expected = 0
519+ result = 'Got exit code %d, expected %d\n' % (ret, expected)
520+ self.assertEquals(ret, expected, result + report)
521
522- self._stop()
523- self._start()
524+ self._stop()
525+ self._start()
526
527- ret, report = check_apparmor(self.aa_abs_profile, is_running=True)
528- expected = 1
529- result = 'Got exit code %d, expected %d\n' % (ret, expected)
530- self.assertEquals(ret, expected, result + report)
531+ ret, report = check_apparmor(self.aa_abs_profile, is_running=True)
532+ expected = 1
533+ result = 'Got exit code %d, expected %d\n' % (ret, expected)
534+ self.assertEquals(ret, expected, result + report)
535
536
537 # http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/2009-07-02-python-sigpipe.html
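Review bot: At "if ret == 3: return True" the method returns normally, so when securityfs is not mounted the aa-enforce step and the is_running=True check never run and test_zz_apparmor is still reported as passed. Split the load and enforce steps into their own test method and call self.skipTest() there with a message naming the missing /sys/kernel/security files, so the DEP8 log shows that the profile was never actually loaded. _aa_status() is called here but is not defined anywhere in this diff; confirm the helper already exists in test-squid.py.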
538diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
539index 6f5c814..3a26150 100644
540--- a/debian/usr.sbin.squid
541+++ b/debian/usr.sbin.squid
542@@ -48,6 +48,39 @@
543 # squid-langpack
544 /usr/share/squid-langpack/** r,
545
546+ # maas-proxy
547+ /var/lib/maas/maas-proxy.conf r,
548+ /var/log/maas/proxy/** rw,
549+ /var/spool/maas-proxy/ r,
550+ /var/spool/maas-proxy/** rwk,
551+
552+ # squid-deb-proxy
553+ /etc/squid-deb-proxy/** r,
554+ /{,var/}run/squid-deb-proxy.pid rwk,
555+ /var/cache/squid-deb-proxy/ r,
556+ /var/cache/squid-deb-proxy/** rwk,
557+ /var/log/squid-deb-proxy/* rw,
558+
559+ # squidguard
560+ /usr/bin/squidGuard Cx -> squidguard,
561+ profile squidguard {
562+ #include <abstractions/base>
563+
564+ /etc/squid/squidGuard.conf r,
565+ /var/log/squid{,3}/squidGuard.log w,
566+ /var/lib/squidguard/** rw,
567+
568+ # squidguard by default uses /var/log/squid as its logdir, however, we
569+ # don't want it to access squid's logs, only its own. Explicitly deny
570+ # access to squid's files but allow all others since the user may specify
571+ # anything for the squidGurad 'log' directive.
572+ /var/log/squid{,3}/* rw,
573+ audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
574+
575+ # Site-specific additions and overrides. See local/README for details.
576+ #include <local/usr.sbin.squid>
577+ }
578+
579 # Site-specific additions and overrides. See local/README for details.
580 #include <local/usr.sbin.squid>
581 }
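Review bot: Inside the new squidguard child profile, "#include <local/usr.sbin.squid>" pulls in the same local override file that the parent squid profile includes two lines further down, so any site-specific rule an administrator adds for squid is also granted to squidGuard. Give the child its own local include or drop the line. In the same block, the comment says squidGuard should not access squid's logs, but that holds only for the access, cache and store names in the audit deny rule, because "/var/log/squid{,3}/* rw," allows every other file in that directory; the comment also misspells the name as "squidGurad".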
