Merge ~ahasenack/ubuntu/+source/squid:groovy-squid-411-merge into ubuntu/+source/squid:debian/sid
Status: | Work in progress |
---|---|
Proposed branch: | ~ahasenack/ubuntu/+source/squid:groovy-squid-411-merge |
Merge into: | ubuntu/+source/squid:debian/sid |
Diff against target: | 600 lines (+487/-3), 7 files modified: debian/changelog (+405/-0), debian/control (+3/-2), debian/patches/90-cf.data.ubuntu.patch (+16/-0), debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0), debian/patches/series (+2/-0), debian/rules (+6/-1), debian/usr.sbin.squid (+33/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Canonical Server packageset reviewers | Pending | ||
Canonical Server | Pending | ||
Review via email: mp+383337@code.launchpad.net |
Commit message
Description of the change
Merge with Debian, updating the version to 4.11. One delta dropped, fixed upstream via a configure check now.
PPA building at https:/
I'll run dep8 tests manually.
Andreas Hasenack (ahasenack) wrote:
squid 4.11 needs this apparmor fix: https:/
Unmerged commits
- 295e295... by Andreas Hasenack

  update-maintainer

- 3ad585a... by Andreas Hasenack

  reconstruct-changelog

- 641b60e... by Andreas Hasenack

  merge-changelogs

- c194989... by Andreas Hasenack

  * Dropped:
    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
      deprecated in glibc 2.30 (LP #1843325)
      [Fixed upstream]

- 421f449... by Andreas Hasenack

  - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
    building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
    -O2 and that triggers a format-truncation error on pcon.cc. See
    See https://bugs.squid-cache.org/show_bug.cgi?id=4875

- 4341d25... by Andreas Hasenack

  - Use snakeoil certificates:
    + d/control: add ssl-cert to dependencies
    + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
      to the default config file

- 9e916eb... by Andreas Hasenack

  - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.

- 0e01664... by Andreas Hasenack

  - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
    squidguard

- 6e86b18... by Luigi Gangitano

  Import patches-unapplied version 4.11-2 to debian/sid

  Imported using git-ubuntu import.

  Changelog parent: e470747ee20ca1acfeda911b9cb864d2581468ac

  New changelog entries:
    [ Amos Jeffries <email address hidden> ]
    * Add libsystemd-dev dependency on Linux (Closes: 958708)
      - fixes systemd timeout failure during install
    [ Luigi Gangitano <email address hidden> ]
    * debian/rules
      - Removed --as-needed flag

- e470747... by Luigi Gangitano

  Import patches-unapplied version 4.11-1 to debian/sid

  Imported using git-ubuntu import.

  Changelog parent: ff469a97f1208dbb63c40f7478b11f6d23804613

  New changelog entries:
    * Urgency high due to security fixes
    [ Amos Jeffries <email address hidden> ]
    * New Upstream Release (Closes: #957840, #929574, #910337)
      - Fixes security issue SQUID-2019:12 (CVE-2019-12519, CVE-2019-12521)
      - Fixes security issue SQUID-2020:4 (CVE-2020-11945)
    * debian/squid3.{maintscript, postinst, postrm, preinst, rc}
      - Remove unused and obsolete scripts
    * debian/squid.{postrm, preinst}
      - Remove obsolete script logic
    * debian/squid-common.postinst
      - Remove obsolete script
    * debian/changelog
      - Add missing historic CVE references
    * debian/patches/
      - Add upstream fix for missing Debug::Extra in systemd builds
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 7ed2f2a..b66a61b 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,24 @@ |
6 | +squid (4.11-2ubuntu1) groovy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
10 | + squidguard |
11 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. |
12 | + - Use snakeoil certificates: |
13 | + + d/control: add ssl-cert to dependencies |
14 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
15 | + to the default config file |
16 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
17 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
18 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
19 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
20 | + * Dropped: |
21 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
22 | + deprecated in glibc 2.30 (LP #1843325) |
23 | + [Fixed upstream] |
24 | + |
25 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 04 May 2020 10:02:31 -0300 |
26 | + |
27 | squid (4.11-2) unstable; urgency=high |
28 | |
29 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
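Review bot: The d/rules item in the new 4.11-2ubuntu1 stanza (diff lines 16 to 19) has two slips: the sentence ends with "See" and the next line begins with "See" again, and the file is called pcon.cc here while the comment this proposal adds to debian/rules calls it pconn.cc. This is the only stanza in the merge that has not been uploaded yet, so it is the place to correct both; the older stanzas repeat the wording but are historical record. The stanza also says nothing about the AppArmor fix that the proposal comment says squid 4.11 needs; if that turns into a profile change in this package it needs its own bullet.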
30 | @@ -36,6 +57,49 @@ squid (4.11-1) unstable; urgency=high |
31 | |
32 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 |
33 | |
34 | +squid (4.10-1ubuntu1) focal; urgency=medium |
35 | + |
36 | + * Merge with Debian unstable. Remaining changes: |
37 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
38 | + squidguard |
39 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. |
40 | + - Use snakeoil certificates: |
41 | + + d/control: add ssl-cert to dependencies |
42 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
43 | + to the default config file |
44 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
45 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
46 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
47 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
48 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
49 | + deprecated in glibc 2.30 (LP #1843325) |
50 | + * Dropped: |
51 | + - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
52 | + no longer available in Focal (LP: #1858827) |
53 | + [In 4.10-1, undocumented] |
54 | + - d/t/test-squid.py, d/t/squid: switch to python3 |
55 | + [In 4.10-1, undocumented] |
56 | + - d/t/control: depend on python3-minimal |
57 | + [In 4.10-1, undocumented] |
58 | + - SECURITY UPDATE: info disclosure via FTP server |
59 | + + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
60 | + src/clients/FtpGateway.cc. |
61 | + + CVE-2019-12528 |
62 | + [Fixed upstream] |
63 | + - SECURITY UPDATE: incorrect input validation and buffer management |
64 | + + debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
65 | + reverse proxy configurations in src/client_side.cc. |
66 | + + CVE-2020-8449 |
67 | + + CVE-2020-8450 |
68 | + [Fixed upstream] |
69 | + - SECURITY UPDATE: DoS in NTLM authentication |
70 | + + debian/patches/CVE-2020-8517.patch: improved username handling in |
71 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
72 | + + CVE-2020-8517 |
73 | + [Fixed upstream] |
74 | + |
75 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300 |
76 | + |
77 | squid (4.10-1) unstable; urgency=high |
78 | |
79 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
80 | @@ -57,6 +121,70 @@ squid (4.10-1) unstable; urgency=high |
81 | |
82 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 |
83 | |
84 | +squid (4.9-2ubuntu4) focal; urgency=medium |
85 | + |
86 | + * SECURITY UPDATE: info disclosure via FTP server |
87 | + - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
88 | + src/clients/FtpGateway.cc. |
89 | + - CVE-2019-12528 |
90 | + * SECURITY UPDATE: incorrect input validation and buffer management |
91 | + - debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
92 | + reverse proxy configurations in src/client_side.cc. |
93 | + - CVE-2020-8449 |
94 | + - CVE-2020-8450 |
95 | + * SECURITY UPDATE: DoS in NTLM authentication |
96 | + - debian/patches/CVE-2020-8517.patch: improved username handling in |
97 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
98 | + - CVE-2020-8517 |
99 | + |
100 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500 |
101 | + |
102 | +squid (4.9-2ubuntu3) focal; urgency=medium |
103 | + |
104 | + * No-change rebuild with fixed binutils on arm64. |
105 | + |
106 | + -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000 |
107 | + |
108 | +squid (4.9-2ubuntu2) focal; urgency=medium |
109 | + |
110 | + * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
111 | + no longer available in Focal (LP: #1858827) |
112 | + * d/t/test-squid.py, d/t/squid: switch to python3 |
113 | + * d/t/control: depend on python3-minimal |
114 | + |
115 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300 |
116 | + |
117 | +squid (4.9-2ubuntu1) focal; urgency=medium |
118 | + |
119 | + * Merge with Debian unstable. Remaining changes: |
120 | + - Use snakeoil certificates. |
121 | + - Add an example refresh pattern for debs. |
122 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
123 | + squidguard |
124 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
125 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
126 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
127 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
128 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
129 | + deprecated in glibc 2.30 (LP #1843325) |
130 | + * Dropped: |
131 | + - d/rules: Only use -latomic with the intended architectures, instead of |
132 | + all of them. This matches what was suggested in |
133 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
134 | + [Fixed upstream] |
135 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
136 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
137 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
138 | + [Fixed upstream] |
139 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
140 | + lib/smblib/smblib-util.c. (LP #1835831) |
141 | + [Fixed upstream] |
142 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
143 | + mounted |
144 | + [Fixed upstream] |
145 | + |
146 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300 |
147 | + |
148 | squid (4.9-2) unstable; urgency=medium |
149 | |
150 | [ Andreas Hasenack <andreas@canonical.com> ] |
151 | @@ -113,6 +241,73 @@ squid (4.9-1) unstable; urgency=high |
152 | |
153 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 |
154 | |
155 | +squid (4.8-1ubuntu3) focal; urgency=medium |
156 | + |
157 | + * No-change rebuild against libnettle7 |
158 | + |
159 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000 |
160 | + |
161 | +squid (4.8-1ubuntu2) eoan; urgency=medium |
162 | + |
163 | + * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
164 | + deprecated in glibc 2.30 (LP: #1843325) |
165 | + |
166 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300 |
167 | + |
168 | +squid (4.8-1ubuntu1) eoan; urgency=medium |
169 | + |
170 | + * Merge with Debian unstable. Remaining changes: |
171 | + - Use snakeoil certificates. |
172 | + - Add an example refresh pattern for debs. |
173 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
174 | + squidguard |
175 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
176 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
177 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
178 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
179 | + - d/rules: Only use -latomic with the intended architectures, instead of |
180 | + all of them. This matches what was suggested in |
181 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
182 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
183 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
184 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
185 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
186 | + lib/smblib/smblib-util.c. (LP #1835831) |
187 | + * Dropped: |
188 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
189 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
190 | + [Fixed upstream] |
191 | + - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged |
192 | + patch |
193 | + [Fixed upstream] |
194 | + - SECURITY UPDATE: incorrect digest auth parameter parsing |
195 | + + debian/patches/CVE-2019-12525.patch: check length in |
196 | + src/auth/digest/Config.cc. |
197 | + + CVE-2019-12525 |
198 | + [Fixed upstream] |
199 | + - SECURITY UPDATE: buffer overflow in basic auth decoding |
200 | + + debian/patches/CVE-2019-12527.patch: switch to SBuf in |
201 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
202 | + src/clients/FtpGateway.cc. |
203 | + + CVE-2019-12527 |
204 | + [Fixed upstream] |
205 | + - SECURITY UPDATE: basic auth uudecode length issue |
206 | + + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
207 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
208 | + include/uudecode.h, lib/uudecode.c. |
209 | + + CVE-2019-12529 |
210 | + [Fixed upstream] |
211 | + - SECURITY UPDATE: XSS issues in cachemgr.cgi |
212 | + + debian/patches/CVE-2019-13345.patch: properly escape values in |
213 | + tools/cachemgr.cc. |
214 | + + CVE-2019-13345 |
215 | + [Fixed upstream] |
216 | + * Added: |
217 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
218 | + mounted |
219 | + |
220 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 |
221 | + |
222 | squid (4.8-1) unstable; urgency=high |
223 | |
224 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
225 | @@ -131,6 +326,86 @@ squid (4.8-1) unstable; urgency=high |
226 | |
227 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
228 | |
229 | +squid (4.6-2ubuntu4) eoan; urgency=medium |
230 | + |
231 | + * Fix gcc-9 issues (LP: #1835831) |
232 | + - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
233 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
234 | + lib/smblib/smblib-util.c. |
235 | + * SECURITY UPDATE: incorrect digest auth parameter parsing |
236 | + - debian/patches/CVE-2019-12525.patch: check length in |
237 | + src/auth/digest/Config.cc. |
238 | + - CVE-2019-12525 |
239 | + * SECURITY UPDATE: buffer overflow in basic auth decoding |
240 | + - debian/patches/CVE-2019-12527.patch: switch to SBuf in |
241 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
242 | + src/clients/FtpGateway.cc. |
243 | + - CVE-2019-12527 |
244 | + * SECURITY UPDATE: basic auth uudecode length issue |
245 | + - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
246 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
247 | + include/uudecode.h, lib/uudecode.c. |
248 | + - CVE-2019-12529 |
249 | + * SECURITY UPDATE: XSS issues in cachemgr.cgi |
250 | + - debian/patches/CVE-2019-13345.patch: properly escape values in |
251 | + tools/cachemgr.cc. |
252 | + - CVE-2019-13345 |
253 | + |
254 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 |
255 | + |
256 | +squid (4.6-2ubuntu3) eoan; urgency=medium |
257 | + |
258 | + * Override newly added gcc-9 flags: |
259 | + -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
260 | + NOTE: Overriding those flags is a possible security |
261 | + asked for info on the gcc-9 issue bug tracker: |
262 | + https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 |
263 | + |
264 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 |
265 | + |
266 | +squid (4.6-2ubuntu2) eoan; urgency=medium |
267 | + |
268 | + * Fix gcc-9 build issues with upstream merged patch |
269 | + |
270 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 |
271 | + |
272 | +squid (4.6-2ubuntu1) eoan; urgency=medium |
273 | + |
274 | + * Merge with Debian unstable. Remaining changes: |
275 | + - Use snakeoil certificates. |
276 | + - Add an example refresh pattern for debs. |
277 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
278 | + squidguard |
279 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
280 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
281 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
282 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
283 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
284 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
285 | + [Added Applied-Upstream header] |
286 | + - d/rules: Only use -latomic with the intended architectures, instead of |
287 | + all of them. This matches what was suggested in |
288 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
289 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
290 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
291 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
292 | + * Dropped: |
293 | + - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
294 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) |
295 | + [Fixed in 4.5-2] |
296 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
297 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
298 | + in that architecture. |
299 | + [Fixed upstream] |
300 | + - Add disabled by default AppArmor profile. |
301 | + [Added by Debian in 4.6-2] |
302 | + - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): |
303 | + + allow net_admin capability |
304 | + + add attach_disconnected flag |
305 | + [Fixed in 4.6-2] |
306 | + |
307 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 |
308 | + |
309 | squid (4.6-2) unstable; urgency=high |
310 | |
311 | [ Andreas Hasenack <andreas@canonical.com> ] |
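Review bot: The NOTE in the reintroduced 4.6-2ubuntu3 stanza is cut mid-sentence ("Overriding those flags is a possible security" runs straight into "asked for info on the gcc-9 issue bug tracker"), so the one line recording why -Wno-sizeof-pointer-memaccess and -Wno-stringop-truncation were a concern cannot be read. Compare it with the changelog as uploaded for 4.6-2ubuntu3: if the archive copy has the same text, keep it byte-identical; if reconstruct-changelog lost words, restore them. The 4.6-2ubuntu4 stanza above records the flags being removed again together with the xstrncpy change, so the history stays consistent either way.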
312 | @@ -191,6 +466,57 @@ squid (4.5-1) unstable; urgency=medium |
313 | |
314 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
315 | |
316 | +squid (4.4-1ubuntu2) disco; urgency=medium |
317 | + |
318 | + * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
319 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) |
320 | + |
321 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 |
322 | + |
323 | +squid (4.4-1ubuntu1) disco; urgency=medium |
324 | + |
325 | + * Merge with Debian unstable. Remaining changes: |
326 | + - Use snakeoil certificates. |
327 | + - Add an example refresh pattern for debs. |
328 | + - Add disabled by default AppArmor profile. |
329 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
330 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
331 | + in that architecture. |
332 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
333 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
334 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
335 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
336 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
337 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
338 | + * Drop: |
339 | + - d/rules: enable cdbs parallel build |
340 | + [Fixed in 4.2-1] |
341 | + - d/t/test-squid.py: fix apparmor profile filename |
342 | + [Fixed in 4.2-1] |
343 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
344 | + [Fixed in 4.2-1] |
345 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
346 | + [Fixed in 4.2-1] |
347 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
348 | + binary from the system, instead of the one from the source tree. |
349 | + [Fixed in 4.2-1] |
350 | + - d/t/upstream-test-suite: drop the sed line, since patch |
351 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
352 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
353 | + [Fixed in 4.2-1] |
354 | + * Added changes: |
355 | + - d/rules: Only use -latomic with the intended architectures, instead of |
356 | + all of them. This matches what was suggested in |
357 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
358 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
359 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
360 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
361 | + - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): |
362 | + + allow net_admin capability |
363 | + + add attach_disconnected flag |
364 | + |
365 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 |
366 | + |
367 | squid (4.4-1) unstable; urgency=high |
368 | |
369 | * Urgency high due to security fixes |
370 | @@ -255,6 +581,85 @@ squid (4.2-1) unstable; urgency=high |
371 | |
372 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
373 | |
374 | +squid (4.1-1ubuntu3) cosmic; urgency=medium |
375 | + |
376 | + * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
377 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) |
378 | + |
379 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 |
380 | + |
381 | +squid (4.1-1ubuntu2) cosmic; urgency=medium |
382 | + |
383 | + * d/usr.sbin.squid: Update apparmor profile to grant read access to squid |
384 | + binary (LP: #1792728) |
385 | + |
386 | + -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 |
387 | + |
388 | +squid (4.1-1ubuntu1) cosmic; urgency=medium |
389 | + |
390 | + * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). |
391 | + Remaining changes: |
392 | + - Use snakeoil certificates. |
393 | + [Updated to use the correct config setting names] |
394 | + - Add an example refresh pattern for debs. |
395 | + [Improved the refresh patterns based on the configuration from |
396 | + squid-deb-proxy package] |
397 | + - Add disabled by default AppArmor profile. |
398 | + [Updated to include the ssl_certs abstraction and suggestions on how to |
399 | + deal with the snakeoil private key and other keys in /etc/ssl.] |
400 | + * Dropped changes: |
401 | + - Add additional dep8 tests. |
402 | + [Adopted in 4.0.21-1~exp5, albeit a stripped down version] |
403 | + - Correct attribution and add explanatory note in d/NEWS.debian. |
404 | + [That particular upgrade path has happened long ago.] |
405 | + - Drop wrong short-circuiting of various invocations; we always want to |
406 | + call the debhelper block. |
407 | + [This was for the transitional squid3 package, and that transition has |
408 | + already happened.] |
409 | + - Revert "Set pidfile for systemd's sysv-generator" from Debian. |
410 | + [Not needed anymore since we have a native systemd service file |
411 | + and no longer rely on the generator.] |
412 | + - Enable autoreconf. This is no longer required for the security updates, |
413 | + but is needed for the seddery of test-suite/Makefile.am in |
414 | + d/t/upstream-test-suite. |
415 | + [Replaced by patch 0003-installed-binary-for-debian-ci.patch] |
416 | + - Adjust seddery for upstream test squid binary location. |
417 | + [sed no longer necessary since patch, |
418 | + 0003-installed-binary-for-debian-ci.patch, will be dropped |
419 | + entirely.] |
420 | + - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration |
421 | + happened in Xenial, so no upgrade path still requires this code. This |
422 | + reduces upgrade ordering difficulty. |
423 | + [Again we have a migration, but this time from squid3 to squid, so we |
424 | + need this]. |
425 | + - GCC7 FTBFS fixes (LP: #1712668): |
426 | + + d/rules: don't error when hitting the "deprecated" and |
427 | + "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, |
428 | + but one in Format.cc that affects 32bit builds was deemed too intrusive |
429 | + for the 3.5 stable series and is only in squid 4.x |
430 | + [No longer needed with squid 4.x] |
431 | + - Do not force gcc-6 |
432 | + [It was a temporary workaround in Debian that got dropped] |
433 | + * Added changes: |
434 | + - d/rules: enable cdbs parallel build |
435 | + - d/t/test-squid.py: fix apparmor profile filename |
436 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
437 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
438 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
439 | + binary from the system, instead of the one from the source tree. |
440 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
441 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
442 | + in that architecture. |
443 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
444 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
445 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
446 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
447 | + - d/t/upstream-test-suite: drop the sed line, since patch |
448 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
449 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
450 | + |
451 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 |
452 | + |
453 | squid (4.1-1) unstable; urgency=high |
454 | |
455 | * New Upstream Release (Closes: #896120) |
456 | diff --git a/debian/control b/debian/control |
457 | index 76e396e..4e90675 100644 |
458 | --- a/debian/control |
459 | +++ b/debian/control |
460 | @@ -1,7 +1,8 @@ |
461 | Source: squid |
462 | Section: web |
463 | Priority: optional |
464 | -Maintainer: Luigi Gangitano <luigi@debian.org> |
465 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
466 | +XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> |
467 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
468 | Homepage: http://www.squid-cache.org |
469 | Standards-Version: 4.5.0 |
470 | @@ -31,7 +32,7 @@ Build-Depends: ed, libltdl-dev, pkg-config |
471 | Package: squid |
472 | Architecture: any |
473 | Pre-Depends: adduser |
474 | -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl |
475 | +Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
476 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
477 | Recommends: libcap2-bin [linux-any], ca-certificates |
478 | Provides: squid3 |
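Review bot: ssl-cert is added as a hard Depends, but the only use of it visible in this proposal is the documentation note in 99-ubuntu-ssl-cert-snakeoil.patch, which offers the snakeoil certificate "for testing". A proxy that is never configured for TLS gets the package pulled in regardless, so Recommends or Suggests would match what the note actually promises. If Depends has to stay, the changelog item "d/control: add ssl-cert to dependencies" should say what breaks without it.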
479 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch |
480 | new file mode 100644 |
481 | index 0000000..9dfa5b4 |
482 | --- /dev/null |
483 | +++ b/debian/patches/90-cf.data.ubuntu.patch |
484 | @@ -0,0 +1,16 @@ |
485 | +--- a/src/cf.data.pre |
486 | ++++ b/src/cf.data.pre |
487 | +@@ -5859,6 +5862,12 @@ NOCOMMENT_START |
488 | + refresh_pattern ^ftp: 1440 20% 10080 |
489 | + refresh_pattern ^gopher: 1440 0% 1440 |
490 | + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
491 | ++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
492 | ++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims |
493 | ++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims |
494 | ++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
495 | ++# example pattern for deb packages |
496 | ++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 |
497 | + refresh_pattern . 0 20% 4320 |
498 | + NOCOMMENT_END |
499 | + DOC_END |
500 | + |
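Review bot: The new patch file starts directly at "--- a/src/cf.data.pre" with no DEP-3 header, so there is no Description, Author or Forwarded field telling the next merger why Ubuntu carries this delta or whether it was offered to Debian. Add a short header; "Forwarded: no" with a one-line reason is enough. The file also ends with an added empty line after DOC_END (diff line 500), which can be dropped.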
501 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
502 | new file mode 100644 |
503 | index 0000000..40b5306 |
504 | --- /dev/null |
505 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
506 | @@ -0,0 +1,22 @@ |
507 | +--- a/src/cf.data.pre |
508 | ++++ b/src/cf.data.pre |
509 | +@@ -3516,6 +3516,19 @@ |
510 | + reference a PEM file containing both the certificate |
511 | + and private key. |
512 | + |
513 | ++ Notes: |
514 | ++ |
515 | ++ On Debian/Ubuntu systems a default snakeoil certificate is |
516 | ++ available in /etc/ssl and users can set: |
517 | ++ |
518 | ++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem |
519 | ++ |
520 | ++ and |
521 | ++ |
522 | ++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key |
523 | ++ |
524 | ++ for testing. |
525 | ++ |
526 | + sslcipher=... The list of valid SSL ciphers to use when connecting |
527 | + to this peer. |
528 | + |
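Review bot: The added note gives sslkey=/etc/ssl/private/ssl-cert-snakeoil.key but does not say how the squid process is expected to get read access to that path, and "for testing" appears only as the last line, after both settings have been shown. The 4.1-1ubuntu1 changelog stanza says the AppArmor profile carries suggestions for dealing with the snakeoil private key, so point to the profile from this note, and move the testing-only statement into the first sentence so it is read before the paths are copied. Like 90-cf.data.ubuntu.patch, this file has no DEP-3 header.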
529 | diff --git a/debian/patches/series b/debian/patches/series |
530 | index 3d19dd9..2f4d2e6 100644 |
531 | --- a/debian/patches/series |
532 | +++ b/debian/patches/series |
533 | @@ -2,3 +2,5 @@ |
534 | 0002-Change-default-file-locations-for-debian.patch |
535 | 0003-installed-binary-for-debian-ci.patch |
536 | 0004-upstream-bug5041.patch |
537 | +90-cf.data.ubuntu.patch |
538 | +99-ubuntu-ssl-cert-snakeoil.patch |
539 | diff --git a/debian/rules b/debian/rules |
540 | index cdcbc24..86cb59e 100755 |
541 | --- a/debian/rules |
542 | +++ b/debian/rules |
543 | @@ -7,7 +7,12 @@ ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4 |
544 | DEB_LDFLAGS_MAINT_APPEND += -latomic |
545 | endif |
546 | export DEB_LDFLAGS_MAINT_APPEND |
547 | - |
548 | +# On ppc64el, dpkg-buildflags sets -O3 instead of the usual |
549 | +# -O2. This makes gcc emit a format-truncation error on |
550 | +# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
551 | +ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el) |
552 | + export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation |
553 | +endif |
554 | export DEB_BUILD_PARALLEL = yes |
555 | include /usr/share/dpkg/buildflags.mk |
556 | -include /usr/share/dpkg/buildtools.mk |
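Review bot: The new conditional shells out with $(shell dpkg-architecture -qDEB_HOST_ARCH) although the block just above it (visible in the hunk header line) already tests $(DEB_HOST_ARCH), so ifeq ($(DEB_HOST_ARCH),ppc64el) would be consistent and avoids the extra process. The assignment uses "=" where the neighbouring DEB_LDFLAGS_MAINT_APPEND uses "+=", which would discard anything appended to the variable earlier; use "+=" and a separate export line as the LDFLAGS block does. The hunk also removes the blank line that separated the two blocks. Since -Wno-format-truncation hides the diagnostic instead of fixing the code, the comment should state when the workaround can be removed, for example once the linked upstream bug is resolved.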
557 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid |
558 | index 6f5c814..3a26150 100644 |
559 | --- a/debian/usr.sbin.squid |
560 | +++ b/debian/usr.sbin.squid |
561 | @@ -48,6 +48,39 @@ |
562 | # squid-langpack |
563 | /usr/share/squid-langpack/** r, |
564 | |
565 | + # maas-proxy |
566 | + /var/lib/maas/maas-proxy.conf r, |
567 | + /var/log/maas/proxy/** rw, |
568 | + /var/spool/maas-proxy/ r, |
569 | + /var/spool/maas-proxy/** rwk, |
570 | + |
571 | + # squid-deb-proxy |
572 | + /etc/squid-deb-proxy/** r, |
573 | + /{,var/}run/squid-deb-proxy.pid rwk, |
574 | + /var/cache/squid-deb-proxy/ r, |
575 | + /var/cache/squid-deb-proxy/** rwk, |
576 | + /var/log/squid-deb-proxy/* rw, |
577 | + |
578 | + # squidguard |
579 | + /usr/bin/squidGuard Cx -> squidguard, |
580 | + profile squidguard { |
581 | + #include <abstractions/base> |
582 | + |
583 | + /etc/squid/squidGuard.conf r, |
584 | + /var/log/squid{,3}/squidGuard.log w, |
585 | + /var/lib/squidguard/** rw, |
586 | + |
587 | + # squidguard by default uses /var/log/squid as its logdir, however, we |
588 | + # don't want it to access squid's logs, only its own. Explicitly deny |
589 | + # access to squid's files but allow all others since the user may specify |
590 | + # anything for the squidGurad 'log' directive. |
591 | + /var/log/squid{,3}/* rw, |
592 | + audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, |
593 | + |
594 | + # Site-specific additions and overrides. See local/README for details. |
595 | + #include <local/usr.sbin.squid> |
596 | + } |
597 | + |
598 | # Site-specific additions and overrides. See local/README for details. |
599 | #include <local/usr.sbin.squid> |
600 | } |
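Review bot: The nested squidguard profile ends with #include <local/usr.sbin.squid>, the same local file the parent profile includes a few lines later, so any site-local rule an administrator writes for squid is also granted to the squidGuard child. Give the child its own local include or drop the include there, so the child stays confined to what this hunk lists. Smaller points in the same block: the explicit "/var/log/squid{,3}/squidGuard.log w," rule is already covered by "/var/log/squid{,3}/* rw,", and the comment spells the program "squidGurad". Separately, the denial reported in the comments on this proposal (read of /proc/sys/kernel/random/boot_id under profile /usr/sbin/squid, followed by the sd_notify failure) is not addressed by anything in this hunk, so the description should say where that fix lands.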
Squid is failing to start due to this apparmor deny:
[ 7271.822230] audit: type=1400 audit(1588602033.905:516): apparmor="DENIED" operation="open" namespace="root//lxd-autopkgtest-lxd-sljvrl_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=289530 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
which results in:
2020/05/04 14:20:34 kid1| WARNING: failed to send start-up notification to systemd
sd_notify() error: (13) Permission denied
and
# time systemctl start squid
Job for squid.service failed because a timeout was exceeded.
See "systemctl status squid.service" and "journalctl -xe" for details.
real 2m6.317s
user 0m0.014s
sys 0m0.011s