Merge ~ahasenack/ubuntu/+source/squid:eoan-squid-4.8-merge into ubuntu/+source/squid:debian/sid
| Status: | Merged |
|---|---|
| Approved by: | Andreas Hasenack |
| Approved revision: | 7e4b4430883e3d77ee87247bca3ab01e29b2b322 |
| Merge reported by: | Andreas Hasenack |
| Merged at revision: | 7e4b4430883e3d77ee87247bca3ab01e29b2b322 |
| Proposed branch: | ~ahasenack/ubuntu/+source/squid:eoan-squid-4.8-merge |
| Merge into: | ubuntu/+source/squid:debian/sid |
| Diff against target: | 581 lines (+434/-29), 9 files modified |

Files modified:
- debian/changelog (+264/-0)
- debian/control (+3/-2)
- debian/patches/90-cf.data.ubuntu.patch (+16/-0)
- debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
- debian/patches/more-gcc-9-fixes.patch (+56/-0)
- debian/patches/series (+3/-0)
- debian/rules (+7/-2)
- debian/tests/test-squid.py (+30/-25)
- debian/usr.sbin.squid (+33/-0)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Christian Ehrhardt (community) | | | Approve |
| Canonical Server | | | Pending |

Review via email: mp+370732@code.launchpad.net
Commit message
Description of the change
Merge from debian 4.8-2
Bileto: https:/
PPA: https:/
sudo add-apt-repository ppa:ci-
Debian wrapped the zz_apparmor DEP8 test in a conditional and I couldn't understand exactly what is happening there. This dep8 test started failing for them as soon as they added our (disabled by default) apparmor profile to the package. I think the reason it's failing is because debian is using lxc for these tests, whereas we use lxd, and our lxd setup allows this confinement. It's not clear to me, so for now I decided to essentially force that test to run in our case, by replacing the conditional with "True".
I did a few runs with the test as-is from debian, with their conditional, and in our case the test still ran, but since I'm not fully understanding what is going on, I thought it better to really force the run in the ubuntu case. I added a question to debian's commit which introduced this change (https:/
The recent gcc9 patch to fix build issues was merged upstream, so should disappear soon from the package.
d/rules' -Wno-format-
d/NEWS, and d/rules' -latomic changes were submitted to salsa but got no response yet:
https:/
https:/
Andreas Hasenack (ahasenack) wrote : | # |
Andreas Hasenack (ahasenack) wrote : | # |
squid ppc64el build failed without the d/rules delta, so that is to be kept. The upstream bug is still open even.
Christian Ehrhardt (paelzer) wrote : | # |
yes on all drops
yes on retained Delta - that just is Ubuntu special customization e.g. maas
yes on changelog
yes on tests
Christian Ehrhardt (paelzer) wrote : | # |
shouldn't the conditional be true for us?
if os.path.
with:
in Container:
root@e:~# apt install squid3
root@e:~# ll /etc/apparmor.
-rw-r--r-- 1 root root 2462 Jul 19 12:01 /etc/apparmor.
So can't we just keep the conditional and get the tests running without added Delta?
Christian Ehrhardt (paelzer) wrote : | # |
+1 with the rest.
I'll set approved in case the apparmor change is something obvious that I miss.
Otherwise let's discuss about the apparmor delta ...
Andreas Hasenack (ahasenack) wrote : | # |
> shouldn't the conditional be true for us?
>
> if os.path.
>
> with:
> self.aa_profile = "usr.sbin.squid"
> self.aa_abs_profile = "/etc/apparmor.
>
> in Container:
> root@e:~# apt install squid3
> root@e:~# ll /etc/apparmor.
> -rw-r--r-- 1 root root 2462 Jul 19 12:01 /etc/apparmor.
>
>
> So can't we just keep the conditional and get the tests running without added
> Delta?
One would think this is how it would work in Debian, but alas, apparently not. I'm not sure why this change was needed in debian. The explanation doesn't seem to match what I see in their ci.debian.net log, where the dep8 tests are run in lxc (not lxd) and apparently enabling an apparmor profile in an lxc guest doesn't work out of the box.
Why this check for the file is enough to skip the test in debian I did not understand. Since I didn't understand it, I thought it best to make clear that in ubuntu we want that to run always.
- 90ead55... by Andreas Hasenack
* Added:
- d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
mounted
Andreas Hasenack (ahasenack) wrote : | # |
Salsa PR to fix this properly in debian:
https:/
I'll pull that into my branch, and hopefully it will be accepted soon in debian, so we know it's a delta we can drop later.
Andreas Hasenack (ahasenack) wrote : | # |
I pulled in the change I submitted to debian, and will kick a new round of dep8 tests in our infrastructure.
Andreas Hasenack (ahasenack) wrote : | # |
I kept the last change as two commits, for easier review: one reverts the debian change, and the other adds the new check. Were it just one commit, most of it would be indentation changes.
- 7e4b443... by Andreas Hasenack
changelog
Andreas Hasenack (ahasenack) wrote : | # |
I changed my mind and squashed the mentioned two commits, sorry.
Andreas Hasenack (ahasenack) wrote : | # |
https:/
DEP8 passed with the new test, please take another quick look at the change (90ead55)
Christian Ehrhardt (paelzer) wrote : | # |
Tests ok
We discussed the test changes - those are good now - ok
It looks like more diff than it is due to the indent change.
Thanks for submitting that to Debian as well.
+1
Andreas Hasenack (ahasenack) wrote : | # |
Thanks!
Tagging and uploading 7e4b4430883e3d7
$ git push pkg upload/4.8-1ubuntu1
Enumerating objects: 72, done.
Counting objects: 100% (72/72), done.
Delta compression using up to 2 threads
Compressing objects: 100% (61/61), done.
Writing objects: 100% (62/62), 13.62 KiB | 929.00 KiB/s, done.
Total 62 (delta 39), reused 4 (delta 1)
To ssh://git.
* [new tag] upload/4.8-1ubuntu1 -> upload/4.8-1ubuntu1
$ dput ubuntu ../squid_
Checking signature on .changes
gpg: ../squid_
Checking signature on .dsc
gpg: ../squid_
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Successfully uploaded packages.
Andreas Hasenack (ahasenack) wrote : | # |
This migrated.
Preview Diff
1 | diff --git a/debian/NEWS.debian b/debian/NEWS |
2 | similarity index 100% |
3 | rename from debian/NEWS.debian |
4 | rename to debian/NEWS |
5 | diff --git a/debian/changelog b/debian/changelog |
6 | index 7c1c5cd..94f69c6 100644 |
7 | --- a/debian/changelog |
8 | +++ b/debian/changelog |
9 | @@ -1,3 +1,57 @@ |
10 | +squid (4.8-1ubuntu1) eoan; urgency=medium |
11 | + |
12 | + * Merge with Debian unstable. Remaining changes: |
13 | + - Use snakeoil certificates. |
14 | + - Add an example refresh pattern for debs. |
15 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
16 | + squidguard |
17 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
18 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
19 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
20 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
21 | + - d/rules: Only use -latomic with the intended architectures, instead of |
22 | + all of them. This matches what was suggested in |
23 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
24 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
25 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
26 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
27 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
28 | + lib/smblib/smblib-util.c. (LP #1835831) |
29 | + * Dropped: |
30 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
31 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
32 | + [Fixed upstream] |
33 | + - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged |
34 | + patch |
35 | + [Fixed upstream] |
36 | + - SECURITY UPDATE: incorrect digest auth parameter parsing |
37 | + + debian/patches/CVE-2019-12525.patch: check length in |
38 | + src/auth/digest/Config.cc. |
39 | + + CVE-2019-12525 |
40 | + [Fixed upstream] |
41 | + - SECURITY UPDATE: buffer overflow in basic auth decoding |
42 | + + debian/patches/CVE-2019-12527.patch: switch to SBuf in |
43 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
44 | + src/clients/FtpGateway.cc. |
45 | + + CVE-2019-12527 |
46 | + [Fixed upstream] |
47 | + - SECURITY UPDATE: basic auth uudecode length issue |
48 | + + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
49 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
50 | + include/uudecode.h, lib/uudecode.c. |
51 | + + CVE-2019-12529 |
52 | + [Fixed upstream] |
53 | + - SECURITY UPDATE: XSS issues in cachemgr.cgi |
54 | + + debian/patches/CVE-2019-13345.patch: properly escape values in |
55 | + tools/cachemgr.cc. |
56 | + + CVE-2019-13345 |
57 | + [Fixed upstream] |
58 | + * Added: |
59 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
60 | + mounted |
61 | + |
62 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 |
63 | + |
64 | squid (4.8-1) unstable; urgency=high |
65 | |
66 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
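Review bot: In the new 4.8-1ubuntu1 entry, the -Wno-format-truncation item names the file as pcon.cc, while the comment added to d/rules in this same merge says pconn.cc; the item also ends one line with "See" and begins the next with "See" again. Suggest correcting the file name and dropping the duplicated word in the new entry. The older entries carry the same text, but they record past uploads and can stay as they were.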
67 | @@ -16,6 +70,86 @@ squid (4.8-1) unstable; urgency=high |
68 | |
69 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
70 | |
71 | +squid (4.6-2ubuntu4) eoan; urgency=medium |
72 | + |
73 | + * Fix gcc-9 issues (LP: #1835831) |
74 | + - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
75 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
76 | + lib/smblib/smblib-util.c. |
77 | + * SECURITY UPDATE: incorrect digest auth parameter parsing |
78 | + - debian/patches/CVE-2019-12525.patch: check length in |
79 | + src/auth/digest/Config.cc. |
80 | + - CVE-2019-12525 |
81 | + * SECURITY UPDATE: buffer overflow in basic auth decoding |
82 | + - debian/patches/CVE-2019-12527.patch: switch to SBuf in |
83 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
84 | + src/clients/FtpGateway.cc. |
85 | + - CVE-2019-12527 |
86 | + * SECURITY UPDATE: basic auth uudecode length issue |
87 | + - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
88 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
89 | + include/uudecode.h, lib/uudecode.c. |
90 | + - CVE-2019-12529 |
91 | + * SECURITY UPDATE: XSS issues in cachemgr.cgi |
92 | + - debian/patches/CVE-2019-13345.patch: properly escape values in |
93 | + tools/cachemgr.cc. |
94 | + - CVE-2019-13345 |
95 | + |
96 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 |
97 | + |
98 | +squid (4.6-2ubuntu3) eoan; urgency=medium |
99 | + |
100 | + * Override newly added gcc-9 flags: |
101 | + -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
102 | + NOTE: Overriding those flags is a possible security |
103 | + asked for info on the gcc-9 issue bug tracker: |
104 | + https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 |
105 | + |
106 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 |
107 | + |
108 | +squid (4.6-2ubuntu2) eoan; urgency=medium |
109 | + |
110 | + * Fix gcc-9 build issues with upstream merged patch |
111 | + |
112 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 |
113 | + |
114 | +squid (4.6-2ubuntu1) eoan; urgency=medium |
115 | + |
116 | + * Merge with Debian unstable. Remaining changes: |
117 | + - Use snakeoil certificates. |
118 | + - Add an example refresh pattern for debs. |
119 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
120 | + squidguard |
121 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
122 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
123 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
124 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
125 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
126 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
127 | + [Added Applied-Upstream header] |
128 | + - d/rules: Only use -latomic with the intended architectures, instead of |
129 | + all of them. This matches what was suggested in |
130 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
131 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
132 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
133 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
134 | + * Dropped: |
135 | + - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
136 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) |
137 | + [Fixed in 4.5-2] |
138 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
139 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
140 | + in that architecture. |
141 | + [Fixed upstream] |
142 | + - Add disabled by default AppArmor profile. |
143 | + [Added by Debian in 4.6-2] |
144 | + - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): |
145 | + + allow net_admin capability |
146 | + + add attach_disconnected flag |
147 | + [Fixed in 4.6-2] |
148 | + |
149 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 |
150 | + |
151 | squid (4.6-2) unstable; urgency=high |
152 | |
153 | [ Andreas Hasenack <andreas@canonical.com> ] |
154 | @@ -76,6 +210,57 @@ squid (4.5-1) unstable; urgency=medium |
155 | |
156 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
157 | |
158 | +squid (4.4-1ubuntu2) disco; urgency=medium |
159 | + |
160 | + * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
161 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) |
162 | + |
163 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 |
164 | + |
165 | +squid (4.4-1ubuntu1) disco; urgency=medium |
166 | + |
167 | + * Merge with Debian unstable. Remaining changes: |
168 | + - Use snakeoil certificates. |
169 | + - Add an example refresh pattern for debs. |
170 | + - Add disabled by default AppArmor profile. |
171 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
172 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
173 | + in that architecture. |
174 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
175 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
176 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
177 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
178 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
179 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
180 | + * Drop: |
181 | + - d/rules: enable cdbs parallel build |
182 | + [Fixed in 4.2-1] |
183 | + - d/t/test-squid.py: fix apparmor profile filename |
184 | + [Fixed in 4.2-1] |
185 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
186 | + [Fixed in 4.2-1] |
187 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
188 | + [Fixed in 4.2-1] |
189 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
190 | + binary from the system, instead of the one from the source tree. |
191 | + [Fixed in 4.2-1] |
192 | + - d/t/upstream-test-suite: drop the sed line, since patch |
193 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
194 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
195 | + [Fixed in 4.2-1] |
196 | + * Added changes: |
197 | + - d/rules: Only use -latomic with the intended architectures, instead of |
198 | + all of them. This matches what was suggested in |
199 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
200 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
201 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
202 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
203 | + - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): |
204 | + + allow net_admin capability |
205 | + + add attach_disconnected flag |
206 | + |
207 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 |
208 | + |
209 | squid (4.4-1) unstable; urgency=high |
210 | |
211 | * Urgency high due to security fixes |
212 | @@ -140,6 +325,85 @@ squid (4.2-1) unstable; urgency=high |
213 | |
214 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
215 | |
216 | +squid (4.1-1ubuntu3) cosmic; urgency=medium |
217 | + |
218 | + * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
219 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) |
220 | + |
221 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 |
222 | + |
223 | +squid (4.1-1ubuntu2) cosmic; urgency=medium |
224 | + |
225 | + * d/usr.sbin.squid: Update apparmor profile to grant read access to squid |
226 | + binary (LP: #1792728) |
227 | + |
228 | + -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 |
229 | + |
230 | +squid (4.1-1ubuntu1) cosmic; urgency=medium |
231 | + |
232 | + * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). |
233 | + Remaining changes: |
234 | + - Use snakeoil certificates. |
235 | + [Updated to use the correct config setting names] |
236 | + - Add an example refresh pattern for debs. |
237 | + [Improved the refresh patterns based on the configuration from |
238 | + squid-deb-proxy package] |
239 | + - Add disabled by default AppArmor profile. |
240 | + [Updated to include the ssl_certs abstraction and suggestions on how to |
241 | + deal with the snakeoil private key and other keys in /etc/ssl.] |
242 | + * Dropped changes: |
243 | + - Add additional dep8 tests. |
244 | + [Adopted in 4.0.21-1~exp5, albeit a stripped down version] |
245 | + - Correct attribution and add explanatory note in d/NEWS.debian. |
246 | + [That particular upgrade path has happened long ago.] |
247 | + - Drop wrong short-circuiting of various invocations; we always want to |
248 | + call the debhelper block. |
249 | + [This was for the transitional squid3 package, and that transition has |
250 | + already happened.] |
251 | + - Revert "Set pidfile for systemd's sysv-generator" from Debian. |
252 | + [Not needed anymore since we have a native systemd service file |
253 | + and no longer rely on the generator.] |
254 | + - Enable autoreconf. This is no longer required for the security updates, |
255 | + but is needed for the seddery of test-suite/Makefile.am in |
256 | + d/t/upstream-test-suite. |
257 | + [Replaced by patch 0003-installed-binary-for-debian-ci.patch] |
258 | + - Adjust seddery for upstream test squid binary location. |
259 | + [sed no longer necessary since patch, |
260 | + 0003-installed-binary-for-debian-ci.patch, will be dropped |
261 | + entirely.] |
262 | + - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration |
263 | + happened in Xenial, so no upgrade path still requires this code. This |
264 | + reduces upgrade ordering difficulty. |
265 | + [Again we have a migration, but this time from squid3 to squid, so we |
266 | + need this]. |
267 | + - GCC7 FTBFS fixes (LP: #1712668): |
268 | + + d/rules: don't error when hitting the "deprecated" and |
269 | + "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, |
270 | + but one in Format.cc that affects 32bit builds was deemed too intrusive |
271 | + for the 3.5 stable series and is only in squid 4.x |
272 | + [No longer needed with squid 4.x] |
273 | + - Do not force gcc-6 |
274 | + [It was a temporary workaround in Debian that got dropped] |
275 | + * Added changes: |
276 | + - d/rules: enable cdbs parallel build |
277 | + - d/t/test-squid.py: fix apparmor profile filename |
278 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
279 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
280 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
281 | + binary from the system, instead of the one from the source tree. |
282 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
283 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
284 | + in that architecture. |
285 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
286 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
287 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
288 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
289 | + - d/t/upstream-test-suite: drop the sed line, since patch |
290 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
291 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
292 | + |
293 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 |
294 | + |
295 | squid (4.1-1) unstable; urgency=high |
296 | |
297 | * New Upstream Release (Closes: #896120) |
298 | diff --git a/debian/control b/debian/control |
299 | index 34d22f3..35ac025 100644 |
300 | --- a/debian/control |
301 | +++ b/debian/control |
302 | @@ -1,7 +1,8 @@ |
303 | Source: squid |
304 | Section: web |
305 | Priority: optional |
306 | -Maintainer: Luigi Gangitano <luigi@debian.org> |
307 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
308 | +XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> |
309 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
310 | Homepage: http://www.squid-cache.org |
311 | Standards-Version: 4.4.0 |
312 | @@ -42,7 +43,7 @@ Description: Transitional package |
313 | Package: squid |
314 | Architecture: any |
315 | Pre-Depends: adduser |
316 | -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl |
317 | +Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
318 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
319 | Recommends: libcap2-bin [linux-any], ca-certificates |
320 | Conflicts: squid3 (<< ${binary:Version}) |
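Review bot: The Depends line now pulls in ssl-cert as a hard dependency, but the only use visible in this merge is the documentation note in 99-ubuntu-ssl-cert-snakeoil.patch, which points at the snakeoil files "for testing". If nothing in the maintainer scripts or the default configuration needs the certificate at install time, Recommends or Suggests would be enough; otherwise the "Use snakeoil certificates" changelog item should say what requires the package, so the next merge can judge whether the delta is still needed.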
321 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch |
322 | new file mode 100644 |
323 | index 0000000..9dfa5b4 |
324 | --- /dev/null |
325 | +++ b/debian/patches/90-cf.data.ubuntu.patch |
326 | @@ -0,0 +1,16 @@ |
327 | +--- a/src/cf.data.pre |
328 | ++++ b/src/cf.data.pre |
329 | +@@ -5859,6 +5862,12 @@ NOCOMMENT_START |
330 | + refresh_pattern ^ftp: 1440 20% 10080 |
331 | + refresh_pattern ^gopher: 1440 0% 1440 |
332 | + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
333 | ++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
334 | ++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims |
335 | ++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims |
336 | ++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
337 | ++# example pattern for deb packages |
338 | ++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 |
339 | + refresh_pattern . 0 20% 4320 |
340 | + NOCOMMENT_END |
341 | + DOC_END |
342 | + |
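Review bot: 90-cf.data.ubuntu.patch starts directly at the `--- a/src/cf.data.pre` line with no DEP-3 header, so the file does not record why the refresh_pattern lines exist, who wrote them, or whether they were forwarded. Suggest adding Description, Author and Forwarded fields at the top. The inner hunk header `@@ -5859,6 +5862,12 @@` also has old and new start lines three apart in what is now a single-hunk patch, which suggests it was trimmed by hand; a refresh against 4.8 would normalise it.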
343 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
344 | new file mode 100644 |
345 | index 0000000..40b5306 |
346 | --- /dev/null |
347 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
348 | @@ -0,0 +1,22 @@ |
349 | +--- a/src/cf.data.pre |
350 | ++++ b/src/cf.data.pre |
351 | +@@ -3516,6 +3516,19 @@ |
352 | + reference a PEM file containing both the certificate |
353 | + and private key. |
354 | + |
355 | ++ Notes: |
356 | ++ |
357 | ++ On Debian/Ubuntu systems a default snakeoil certificate is |
358 | ++ available in /etc/ssl and users can set: |
359 | ++ |
360 | ++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem |
361 | ++ |
362 | ++ and |
363 | ++ |
364 | ++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key |
365 | ++ |
366 | ++ for testing. |
367 | ++ |
368 | + sslcipher=... The list of valid SSL ciphers to use when connecting |
369 | + to this peer. |
370 | + |
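Review bot: The added Notes block gives ready-to-paste `sslcert=` and `sslkey=` values and only says "for testing" in its last line. Suggest opening the note with the fact that the snakeoil certificate is self-signed and meant for test setups, so a reader who copies the two paths sees the limitation first. Like the other Ubuntu patch, this one has no DEP-3 header; Description and Forwarded fields (Forwarded: not-needed would fit a distribution-specific documentation note) would help.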
371 | diff --git a/debian/patches/more-gcc-9-fixes.patch b/debian/patches/more-gcc-9-fixes.patch |
372 | new file mode 100644 |
373 | index 0000000..4bd2c91 |
374 | --- /dev/null |
375 | +++ b/debian/patches/more-gcc-9-fixes.patch |
376 | @@ -0,0 +1,56 @@ |
377 | +From fb8cded9380893d02e3eacf125f66802cde45c4d Mon Sep 17 00:00:00 2001 |
378 | +From: Amos Jeffries <squid3@treenet.co.nz> |
379 | +Date: Thu, 18 Jul 2019 14:26:20 +1200 |
380 | +Subject: [PATCH] Bug 4969: GCC-9 build failure: stringop-truncation and others |
381 | + |
382 | +GCC-9 with Squid use of -Werror makes these warning hard |
383 | +errors which can no longer be ignored. We are thus forced |
384 | +to alter this third-party code when built for Squid. |
385 | + |
386 | +Truncation of these strings is fine. Rather than suppress |
387 | +GCC warnings switch to xstrncpy() which has similar |
388 | +behaviour but guarantees c-string terminator exists within |
389 | +the copied range limit (removing need for two -1 hacks). |
390 | + |
391 | +This change will add terminators on path and device_type |
392 | +values in the rare case of overly long configured values. |
393 | +It is not clear what ancient Domain Controllers would do |
394 | +when handed un-terminated c-string in those cases, but is |
395 | +unlikely to be good. |
396 | +--- |
397 | + lib/smblib/smblib-util.c | 8 ++++---- |
398 | + 1 file changed, 4 insertions(+), 4 deletions(-) |
399 | + |
400 | +diff --git a/lib/smblib/smblib-util.c b/lib/smblib/smblib-util.c |
401 | +index 10e6220b7f..fcff357eed 100644 |
402 | +--- a/lib/smblib/smblib-util.c |
403 | ++++ b/lib/smblib/smblib-util.c |
404 | +@@ -401,7 +401,7 @@ int SMB_Negotiate(SMB_Handle_Type Con_Handle, const char *Prots[]) |
405 | + |
406 | + p = (SMB_Hdr(pkt) + SMB_negrLM_buf_offset + Con_Handle -> Encrypt_Key_Len); |
407 | + |
408 | +- strncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom) - 1); |
409 | ++ xstrncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom)); |
410 | + |
411 | + break; |
412 | + |
413 | +@@ -424,7 +424,7 @@ int SMB_Negotiate(SMB_Handle_Type Con_Handle, const char *Prots[]) |
414 | + |
415 | + p = (SMB_Hdr(pkt) + SMB_negrLM_buf_offset + Con_Handle -> Encrypt_Key_Len); |
416 | + |
417 | +- strncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom) - 1); |
418 | ++ xstrncpy(p, Con_Handle -> Svr_PDom, sizeof(Con_Handle -> Svr_PDom)); |
419 | + |
420 | + break; |
421 | + |
422 | +@@ -538,8 +538,8 @@ SMB_Tree_Handle SMB_TreeConnect(SMB_Handle_Type Con_Handle, |
423 | + |
424 | + tree -> next = tree -> prev = NULL; |
425 | + tree -> con = Con_Handle; |
426 | +- strncpy(tree -> path, path, sizeof(tree -> path)); |
427 | +- strncpy(tree -> device_type, device, sizeof(tree -> device_type)); |
428 | ++ xstrncpy(tree -> path, path, sizeof(tree -> path)); |
429 | ++ xstrncpy(tree -> device_type, device, sizeof(tree -> device_type)); |
430 | + |
431 | + /* Now plug in the values ... */ |
432 | + |
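Review bot: In both SMB_Negotiate() replacements the destination is `p`, a pointer into `pkt`, but the limit passed to xstrncpy() is `sizeof(Con_Handle -> Svr_PDom)`, the size of the source field rather than the space left at the destination. The old call stopped at that size minus one; per the patch description xstrncpy() places the terminator inside the limit, so the new call can write one byte more at `p` than before. Worth confirming with upstream that the packet buffer has that much room at this offset and that the copy direction is as intended. For the Ubuntu copy of the patch, an Origin: line naming the upstream commit would make it easy to drop once a release containing it is merged.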
433 | diff --git a/debian/patches/series b/debian/patches/series |
434 | index 6bff1ed..9847088 100644 |
435 | --- a/debian/patches/series |
436 | +++ b/debian/patches/series |
437 | @@ -1,3 +1,6 @@ |
438 | 0001-Default-configuration-file-for-debian.patch |
439 | 0002-Change-default-file-locations-for-debian.patch |
440 | 0003-installed-binary-for-debian-ci.patch |
441 | +90-cf.data.ubuntu.patch |
442 | +99-ubuntu-ssl-cert-snakeoil.patch |
443 | +more-gcc-9-fixes.patch |
444 | diff --git a/debian/rules b/debian/rules |
445 | index 1bf39d7..fac4ec7 100755 |
446 | --- a/debian/rules |
447 | +++ b/debian/rules |
448 | @@ -3,12 +3,17 @@ |
449 | export DEB_BUILD_MAINT_OPTIONS = hardening=+all |
450 | export DEB_CFLAGS_MAINT_APPEND = -Wall |
451 | |
452 | -DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -latomic |
453 | +DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed |
454 | ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4)) |
455 | DEB_LDFLAGS_MAINT_APPEND += -latomic |
456 | endif |
457 | export DEB_LDFLAGS_MAINT_APPEND |
458 | - |
459 | +# On ppc64el, dpkg-buildflags sets -O3 instead of the usual |
460 | +# -O2. This makes gcc emit a format-truncation error on |
461 | +# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
462 | +ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el) |
463 | + export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation |
464 | +endif |
465 | export DEB_BUILD_PARALLEL = yes |
466 | include /usr/share/dpkg/buildflags.mk |
467 | -include /usr/share/dpkg/buildtools.mk |
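Review bot: The ppc64el block sets `-Wno-format-truncation` for every C++ file although its comment attributes the error to pconn.cc alone, so a genuine truncation warning elsewhere in the tree would also be silenced on that architecture. If scoping the flag to one object is impractical in this build, say so in the comment and keep the upstream bug link as the trigger for removing it. The block also queries `$(shell dpkg-architecture -qDEB_HOST_ARCH)` while the -latomic check a few lines above uses `$(DEB_HOST_ARCH)`; one form for both would be more consistent, and the blank line removed before the comment is worth keeping to separate the two blocks.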
468 | diff --git a/debian/tests/test-squid.py b/debian/tests/test-squid.py |
469 | index 98136d1..e7a8044 100644 |
470 | --- a/debian/tests/test-squid.py |
471 | +++ b/debian/tests/test-squid.py |
472 | @@ -183,35 +183,40 @@ Welcome to the world of Gopher and enjoy! |
473 | def test_zz_apparmor(self): |
474 | '''Test apparmor''' |
475 | |
476 | - # if 'apparmor-utils' was not installed before 'squid' package |
477 | - # then dh_apparmor tool will not install the profile |
478 | - if os.path.exists(self.aa_abs_profile): |
479 | - # Currently while we have a profile, it is shipped disabled by default. |
480 | - # Verify that. |
481 | - ret, report = check_apparmor(self.aa_abs_profile, is_running=False) |
482 | - expected = 1 |
483 | - result = 'Got exit code %d, expected %d\n' % (ret, expected) |
484 | - self.assertEquals(ret, expected, result + report) |
485 | + # Currently while we have a profile, it is shipped disabled by default. |
486 | + # Verify that. |
487 | + ret, report = check_apparmor(self.aa_abs_profile, is_running=False) |
488 | + expected = 1 |
489 | + result = 'Got exit code %d, expected %d\n' % (ret, expected) |
490 | + self.assertEquals(ret, expected, result + report) |
491 | |
492 | - # Verify it is syntactically correct |
493 | - ret, report = cmd(['apparmor_parser', '-p', self.aa_abs_profile]) |
494 | - expected = 0 |
495 | - result = 'Got exit code %d, expected %d\n' % (ret, expected) |
496 | - self.assertEquals(ret, expected, result + report) |
497 | + # Verify it is syntactically correct |
498 | + ret, report = cmd(['apparmor_parser', '-p', self.aa_abs_profile]) |
499 | + expected = 0 |
500 | + result = 'Got exit code %d, expected %d\n' % (ret, expected) |
501 | + self.assertEquals(ret, expected, result + report) |
502 | + |
503 | + # The remaining tests try to actually load a profile |
504 | + # skip them if securityfs isn't mounted (i.e., we are in a lxc container) |
505 | + ret, _ = _aa_status() |
506 | + # from the manpage: |
507 | + # 3 if the apparmor control files aren't available under /sys/kernel/security/. |
508 | + if ret == 3: |
509 | + return True |
510 | |
511 | - # Verify it loads ok |
512 | - ret, report = cmd(['aa-enforce', self.aa_abs_profile]) |
513 | - expected = 0 |
514 | - result = 'Got exit code %d, expected %d\n' % (ret, expected) |
515 | - self.assertEquals(ret, expected, result + report) |
516 | + # Verify it loads ok |
517 | + ret, report = cmd(['aa-enforce', self.aa_abs_profile]) |
518 | + expected = 0 |
519 | + result = 'Got exit code %d, expected %d\n' % (ret, expected) |
520 | + self.assertEquals(ret, expected, result + report) |
521 | |
522 | - self._stop() |
523 | - self._start() |
524 | + self._stop() |
525 | + self._start() |
526 | |
527 | - ret, report = check_apparmor(self.aa_abs_profile, is_running=True) |
528 | - expected = 1 |
529 | - result = 'Got exit code %d, expected %d\n' % (ret, expected) |
530 | - self.assertEquals(ret, expected, result + report) |
531 | + ret, report = check_apparmor(self.aa_abs_profile, is_running=True) |
532 | + expected = 1 |
533 | + result = 'Got exit code %d, expected %d\n' % (ret, expected) |
534 | + self.assertEquals(ret, expected, result + report) |
535 | |
536 | |
537 | # http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/2009-07-02-python-sigpipe.html |
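Review bot: In test_zz_apparmor(), `if ret == 3: return True` ends the test as a pass when securityfs is missing, so a run that never loaded the profile is indistinguishable in the results from one that enforced it. Suggest `self.skipTest(...)` with a reason at that point, so the DEP8 log shows that the aa-enforce and restart checks were skipped. With the `os.path.exists(self.aa_abs_profile)` guard gone, the first two checks now also run when the profile file is absent; if failing in that case is intended, a line in the comment saying so would help.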
538 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid |
539 | index 6f5c814..3a26150 100644 |
540 | --- a/debian/usr.sbin.squid |
541 | +++ b/debian/usr.sbin.squid |
542 | @@ -48,6 +48,39 @@ |
543 | # squid-langpack |
544 | /usr/share/squid-langpack/** r, |
545 | |
546 | + # maas-proxy |
547 | + /var/lib/maas/maas-proxy.conf r, |
548 | + /var/log/maas/proxy/** rw, |
549 | + /var/spool/maas-proxy/ r, |
550 | + /var/spool/maas-proxy/** rwk, |
551 | + |
552 | + # squid-deb-proxy |
553 | + /etc/squid-deb-proxy/** r, |
554 | + /{,var/}run/squid-deb-proxy.pid rwk, |
555 | + /var/cache/squid-deb-proxy/ r, |
556 | + /var/cache/squid-deb-proxy/** rwk, |
557 | + /var/log/squid-deb-proxy/* rw, |
558 | + |
559 | + # squidguard |
560 | + /usr/bin/squidGuard Cx -> squidguard, |
561 | + profile squidguard { |
562 | + #include <abstractions/base> |
563 | + |
564 | + /etc/squid/squidGuard.conf r, |
565 | + /var/log/squid{,3}/squidGuard.log w, |
566 | + /var/lib/squidguard/** rw, |
567 | + |
568 | + # squidguard by default uses /var/log/squid as its logdir, however, we |
569 | + # don't want it to access squid's logs, only its own. Explicitly deny |
570 | + # access to squid's files but allow all others since the user may specify |
571 | + # anything for the squidGurad 'log' directive. |
572 | + /var/log/squid{,3}/* rw, |
573 | + audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, |
574 | + |
575 | + # Site-specific additions and overrides. See local/README for details. |
576 | + #include <local/usr.sbin.squid> |
577 | + } |
578 | + |
579 | # Site-specific additions and overrides. See local/README for details. |
580 | #include <local/usr.sbin.squid> |
581 | } |
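Review bot: The new squidguard child profile ends with `#include <local/usr.sbin.squid>`, the same local file the parent profile includes a few lines later, so any site-specific rule an admin adds for squid is also granted to squidGuard. Suggest shipping a separate local include file for the child, or dropping the include there. In the same block, `/var/log/squid{,3}/squidGuard.log w,` is already covered by `/var/log/squid{,3}/* rw,`, and the comment spells the name as "squidGurad".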
Left a ppc64el build running on https://launchpad.net/~ahasenack/+archive/ubuntu/squid-ppc64el/+packages, where I reverted that d/rules delta for ppc64el builds, will see tomorrow if that worked or not. If the build failed, we keep the delta. If it worked, we drop it.