Merge ~ahasenack/ubuntu/+source/squid:groovy-squid-411-merge into ubuntu/+source/squid:debian/sid

Proposed by Andreas Hasenack
Status: Work in progress
Proposed branch: ~ahasenack/ubuntu/+source/squid:groovy-squid-411-merge
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 600 lines (+487/-3)
7 files modified
debian/changelog (+405/-0)
debian/control (+3/-2)
debian/patches/90-cf.data.ubuntu.patch (+16/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-1)
debian/usr.sbin.squid (+33/-0)
Reviewers:
Canonical Server packageset reviewers (status: Pending)
Canonical Server (status: Pending)
Review via email: mp+383337@code.launchpad.net

Description of the change

Merge with Debian, updating the version to 4.11. One delta dropped, fixed upstream via a configure check now.

PPA building at https://launchpad.net/~ahasenack/+archive/ubuntu/squid-411

I'll run dep8 tests manually.

Andreas Hasenack (ahasenack) wrote :

Squid is failing to start due to this apparmor deny:
[ 7271.822230] audit: type=1400 audit(1588602033.905:516): apparmor="DENIED" operation="open" namespace="root//lxd-autopkgtest-lxd-sljvrl_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=289530 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

which results in:
2020/05/04 14:20:34 kid1| WARNING: failed to send start-up notification to systemd
    sd_notify() error: (13) Permission denied

and
# time systemctl start squid
Job for squid.service failed because a timeout was exceeded.
See "systemctl status squid.service" and "journalctl -xe" for details.

real 2m6.317s
user 0m0.014s
sys 0m0.011s

Unmerged commits

295e295... by Andreas Hasenack

update-maintainer

3ad585a... by Andreas Hasenack

reconstruct-changelog

641b60e... by Andreas Hasenack

merge-changelogs

c194989... by Andreas Hasenack

  * Dropped:
    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
      deprecated in glibc 2.30 (LP #1843325)
      [Fixed upstream]

421f449... by Andreas Hasenack

    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
      -O2 and that triggers a format-truncation error on pcon.cc.
      See https://bugs.squid-cache.org/show_bug.cgi?id=4875

4341d25... by Andreas Hasenack

    - Use snakeoil certificates:
      + d/control: add ssl-cert to dependencies
      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
        to the default config file

9e916eb... by Andreas Hasenack

    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.

0e01664... by Andreas Hasenack

    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
      squidguard

6e86b18... by Luigi Gangitano

Import patches-unapplied version 4.11-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e470747ee20ca1acfeda911b9cb864d2581468ac

New changelog entries:
  [ Amos Jeffries <email address hidden> ]
  * Add libsystemd-dev dependency on Linux (Closes: 958708)
    - fixes systemd timeout failure during install
  [ Luigi Gangitano <email address hidden> ]
  * debian/rules
    - Removed --as-needed flag

e470747... by Luigi Gangitano

Import patches-unapplied version 4.11-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ff469a97f1208dbb63c40f7478b11f6d23804613

New changelog entries:
  * Urgency high due to security fixes
  [ Amos Jeffries <email address hidden> ]
  * New Upstream Release (Closes: #957840, #929574, #910337)
    - Fixes security issue SQUID-2019:12 (CVE-2019-12519, CVE-2019-12521)
    - Fixes security issue SQUID-2020:4 (CVE-2020-11945)
  * debian/squid3.{maintscript,postinst,postrm,preinst,rc}
    - Remove unused and obsolete scripts
  * debian/squid.{postrm,preinst}
    - Remove obsolete script logic
  * debian/squid-common.postinst
    - Remove obsolete script
  * debian/changelog
    - Add missing historic CVE references
  * debian/patches/
    - Add upstream fix for missing Debug::Extra in systemd builds

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 7ed2f2a..b66a61b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,24 @@
6+squid (4.11-2ubuntu1) groovy; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
10+ squidguard
11+ - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.
12+ - Use snakeoil certificates:
13+ + d/control: add ssl-cert to dependencies
14+ + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
15+ to the default config file
16+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
17+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
18+ -O2 and that triggers a format-truncation error on pcon.cc. See
19+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
20+ * Dropped:
21+ - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
22+ deprecated in glibc 2.30 (LP #1843325)
23+ [Fixed upstream]
24+
25+ -- Andreas Hasenack <andreas@canonical.com> Mon, 04 May 2020 10:02:31 -0300
26+
27 squid (4.11-2) unstable; urgency=high
28
29 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
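Review bot: In the d/rules item of the new 4.11-2ubuntu1 entry, "See" is repeated across the line break ("... on pcon.cc. See" followed by "See https://bugs.squid-cache.org/..."), and the file is called pcon.cc here while the comment added to debian/rules in this same merge calls it pconn.cc. Drop the duplicate word and use one file name in both places for the new entry. The older entries carry the same wording, but they are upload history and should stay as published.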
30@@ -36,6 +57,49 @@ squid (4.11-1) unstable; urgency=high
31
32 -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200
33
34+squid (4.10-1ubuntu1) focal; urgency=medium
35+
36+ * Merge with Debian unstable. Remaining changes:
37+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
38+ squidguard
39+ - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.
40+ - Use snakeoil certificates:
41+ + d/control: add ssl-cert to dependencies
42+ + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
43+ to the default config file
44+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
45+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
46+ -O2 and that triggers a format-truncation error on pcon.cc. See
47+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
48+ - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
49+ deprecated in glibc 2.30 (LP #1843325)
50+ * Dropped:
51+ - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
52+ no longer available in Focal (LP: #1858827)
53+ [In 4.10-1, undocumented]
54+ - d/t/test-squid.py, d/t/squid: switch to python3
55+ [In 4.10-1, undocumented]
56+ - d/t/control: depend on python3-minimal
57+ [In 4.10-1, undocumented]
58+ - SECURITY UPDATE: info disclosure via FTP server
59+ + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
60+ src/clients/FtpGateway.cc.
61+ + CVE-2019-12528
62+ [Fixed upstream]
63+ - SECURITY UPDATE: incorrect input validation and buffer management
64+ + debian/patches/CVE-2020-84xx.patch: fix request URL generation in
65+ reverse proxy configurations in src/client_side.cc.
66+ + CVE-2020-8449
67+ + CVE-2020-8450
68+ [Fixed upstream]
69+ - SECURITY UPDATE: DoS in NTLM authentication
70+ + debian/patches/CVE-2020-8517.patch: improved username handling in
71+ src/acl/external/LM_group/ext_lm_group_acl.cc.
72+ + CVE-2020-8517
73+ [Fixed upstream]
74+
75+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300
76+
77 squid (4.10-1) unstable; urgency=high
78
79 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
80@@ -57,6 +121,70 @@ squid (4.10-1) unstable; urgency=high
81
82 -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100
83
84+squid (4.9-2ubuntu4) focal; urgency=medium
85+
86+ * SECURITY UPDATE: info disclosure via FTP server
87+ - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
88+ src/clients/FtpGateway.cc.
89+ - CVE-2019-12528
90+ * SECURITY UPDATE: incorrect input validation and buffer management
91+ - debian/patches/CVE-2020-84xx.patch: fix request URL generation in
92+ reverse proxy configurations in src/client_side.cc.
93+ - CVE-2020-8449
94+ - CVE-2020-8450
95+ * SECURITY UPDATE: DoS in NTLM authentication
96+ - debian/patches/CVE-2020-8517.patch: improved username handling in
97+ src/acl/external/LM_group/ext_lm_group_acl.cc.
98+ - CVE-2020-8517
99+
100+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500
101+
102+squid (4.9-2ubuntu3) focal; urgency=medium
103+
104+ * No-change rebuild with fixed binutils on arm64.
105+
106+ -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000
107+
108+squid (4.9-2ubuntu2) focal; urgency=medium
109+
110+ * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
111+ no longer available in Focal (LP: #1858827)
112+ * d/t/test-squid.py, d/t/squid: switch to python3
113+ * d/t/control: depend on python3-minimal
114+
115+ -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300
116+
117+squid (4.9-2ubuntu1) focal; urgency=medium
118+
119+ * Merge with Debian unstable. Remaining changes:
120+ - Use snakeoil certificates.
121+ - Add an example refresh pattern for debs.
122+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
123+ squidguard
124+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
125+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
126+ -O2 and that triggers a format-truncation error on pcon.cc. See
127+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
128+ - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
129+ deprecated in glibc 2.30 (LP #1843325)
130+ * Dropped:
131+ - d/rules: Only use -latomic with the intended architectures, instead of
132+ all of them. This matches what was suggested in
133+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
134+ [Fixed upstream]
135+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
136+ dh_installchangelogs can pick it up. dh_installchangelogs handles
137+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
138+ [Fixed upstream]
139+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
140+ lib/smblib/smblib-util.c. (LP #1835831)
141+ [Fixed upstream]
142+ - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
143+ mounted
144+ [Fixed upstream]
145+
146+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300
147+
148 squid (4.9-2) unstable; urgency=medium
149
150 [ Andreas Hasenack <andreas@canonical.com> ]
151@@ -113,6 +241,73 @@ squid (4.9-1) unstable; urgency=high
152
153 -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100
154
155+squid (4.8-1ubuntu3) focal; urgency=medium
156+
157+ * No-change rebuild against libnettle7
158+
159+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000
160+
161+squid (4.8-1ubuntu2) eoan; urgency=medium
162+
163+ * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
164+ deprecated in glibc 2.30 (LP: #1843325)
165+
166+ -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300
167+
168+squid (4.8-1ubuntu1) eoan; urgency=medium
169+
170+ * Merge with Debian unstable. Remaining changes:
171+ - Use snakeoil certificates.
172+ - Add an example refresh pattern for debs.
173+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
174+ squidguard
175+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
176+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
177+ -O2 and that triggers a format-truncation error on pcon.cc. See
178+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
179+ - d/rules: Only use -latomic with the intended architectures, instead of
180+ all of them. This matches what was suggested in
181+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
182+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
183+ dh_installchangelogs can pick it up. dh_installchangelogs handles
184+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
185+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
186+ lib/smblib/smblib-util.c. (LP #1835831)
187+ * Dropped:
188+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
189+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
190+ [Fixed upstream]
191+ - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
192+ patch
193+ [Fixed upstream]
194+ - SECURITY UPDATE: incorrect digest auth parameter parsing
195+ + debian/patches/CVE-2019-12525.patch: check length in
196+ src/auth/digest/Config.cc.
197+ + CVE-2019-12525
198+ [Fixed upstream]
199+ - SECURITY UPDATE: buffer overflow in basic auth decoding
200+ + debian/patches/CVE-2019-12527.patch: switch to SBuf in
201+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
202+ src/clients/FtpGateway.cc.
203+ + CVE-2019-12527
204+ [Fixed upstream]
205+ - SECURITY UPDATE: basic auth uudecode length issue
206+ + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
207+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
208+ include/uudecode.h, lib/uudecode.c.
209+ + CVE-2019-12529
210+ [Fixed upstream]
211+ - SECURITY UPDATE: XSS issues in cachemgr.cgi
212+ + debian/patches/CVE-2019-13345.patch: properly escape values in
213+ tools/cachemgr.cc.
214+ + CVE-2019-13345
215+ [Fixed upstream]
216+ * Added:
217+ - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
218+ mounted
219+
220+ -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300
221+
222 squid (4.8-1) unstable; urgency=high
223
224 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
225@@ -131,6 +326,86 @@ squid (4.8-1) unstable; urgency=high
226
227 -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200
228
229+squid (4.6-2ubuntu4) eoan; urgency=medium
230+
231+ * Fix gcc-9 issues (LP: #1835831)
232+ - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
233+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
234+ lib/smblib/smblib-util.c.
235+ * SECURITY UPDATE: incorrect digest auth parameter parsing
236+ - debian/patches/CVE-2019-12525.patch: check length in
237+ src/auth/digest/Config.cc.
238+ - CVE-2019-12525
239+ * SECURITY UPDATE: buffer overflow in basic auth decoding
240+ - debian/patches/CVE-2019-12527.patch: switch to SBuf in
241+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
242+ src/clients/FtpGateway.cc.
243+ - CVE-2019-12527
244+ * SECURITY UPDATE: basic auth uudecode length issue
245+ - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
246+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
247+ include/uudecode.h, lib/uudecode.c.
248+ - CVE-2019-12529
249+ * SECURITY UPDATE: XSS issues in cachemgr.cgi
250+ - debian/patches/CVE-2019-13345.patch: properly escape values in
251+ tools/cachemgr.cc.
252+ - CVE-2019-13345
253+
254+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400
255+
256+squid (4.6-2ubuntu3) eoan; urgency=medium
257+
258+ * Override newly added gcc-9 flags:
259+ -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
260+ NOTE: Overriding those flags is a possible security
261+ asked for info on the gcc-9 issue bug tracker:
262+ https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
263+
264+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200
265+
266+squid (4.6-2ubuntu2) eoan; urgency=medium
267+
268+ * Fix gcc-9 build issues with upstream merged patch
269+
270+ -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200
271+
272+squid (4.6-2ubuntu1) eoan; urgency=medium
273+
274+ * Merge with Debian unstable. Remaining changes:
275+ - Use snakeoil certificates.
276+ - Add an example refresh pattern for debs.
277+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
278+ squidguard
279+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
280+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
281+ -O2 and that triggers a format-truncation error on pcon.cc. See
282+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
283+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
284+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
285+ [Added Applied-Upstream header]
286+ - d/rules: Only use -latomic with the intended architectures, instead of
287+ all of them. This matches what was suggested in
288+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
289+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
290+ dh_installchangelogs can pick it up. dh_installchangelogs handles
291+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
292+ * Dropped:
293+ - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
294+ at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006)
295+ [Fixed in 4.5-2]
296+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
297+ error in parse_time_t, triggered on ppc64el due to the build using -O3
298+ in that architecture.
299+ [Fixed upstream]
300+ - Add disabled by default AppArmor profile.
301+ [Added by Debian in 4.6-2]
302+ - d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
303+ + allow net_admin capability
304+ + add attach_disconnected flag
305+ [Fixed in 4.6-2]
306+
307+ -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300
308+
309 squid (4.6-2) unstable; urgency=high
310
311 [ Andreas Hasenack <andreas@canonical.com> ]
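Review bot: The NOTE in the 4.6-2ubuntu3 entry breaks off mid-sentence: "Overriding those flags is a possible security" is followed directly by "asked for info on the gcc-9 issue bug tracker:", so the rest of the warning is missing. This entry is reconstructed history, so compare it against the changelog of the published 4.6-2ubuntu3 upload and keep it only if it matches exactly. If text was lost in the reconstruct-changelog step, restore it rather than rewording it.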
312@@ -191,6 +466,57 @@ squid (4.5-1) unstable; urgency=medium
313
314 -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100
315
316+squid (4.4-1ubuntu2) disco; urgency=medium
317+
318+ * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
319+ at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006)
320+
321+ -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300
322+
323+squid (4.4-1ubuntu1) disco; urgency=medium
324+
325+ * Merge with Debian unstable. Remaining changes:
326+ - Use snakeoil certificates.
327+ - Add an example refresh pattern for debs.
328+ - Add disabled by default AppArmor profile.
329+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
330+ error in parse_time_t, triggered on ppc64el due to the build using -O3
331+ in that architecture.
332+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
333+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
334+ -O2 and that triggers a format-truncation error on pcon.cc. See
335+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
336+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
337+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
338+ * Drop:
339+ - d/rules: enable cdbs parallel build
340+ [Fixed in 4.2-1]
341+ - d/t/test-squid.py: fix apparmor profile filename
342+ [Fixed in 4.2-1]
343+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
344+ [Fixed in 4.2-1]
345+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
346+ [Fixed in 4.2-1]
347+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
348+ binary from the system, instead of the one from the source tree.
349+ [Fixed in 4.2-1]
350+ - d/t/upstream-test-suite: drop the sed line, since patch
351+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
352+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
353+ [Fixed in 4.2-1]
354+ * Added changes:
355+ - d/rules: Only use -latomic with the intended architectures, instead of
356+ all of them. This matches what was suggested in
357+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
358+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
359+ dh_installchangelogs can pick it up. dh_installchangelogs handles
360+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
361+ - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
362+ + allow net_admin capability
363+ + add attach_disconnected flag
364+
365+ -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200
366+
367 squid (4.4-1) unstable; urgency=high
368
369 * Urgency high due to security fixes
370@@ -255,6 +581,85 @@ squid (4.2-1) unstable; urgency=high
371
372 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
373
374+squid (4.1-1ubuntu3) cosmic; urgency=medium
375+
376+ * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
377+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
378+
379+ -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300
380+
381+squid (4.1-1ubuntu2) cosmic; urgency=medium
382+
383+ * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
384+ binary (LP: #1792728)
385+
386+ -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
387+
388+squid (4.1-1ubuntu1) cosmic; urgency=medium
389+
390+ * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
391+ Remaining changes:
392+ - Use snakeoil certificates.
393+ [Updated to use the correct config setting names]
394+ - Add an example refresh pattern for debs.
395+ [Improved the refresh patterns based on the configuration from
396+ squid-deb-proxy package]
397+ - Add disabled by default AppArmor profile.
398+ [Updated to include the ssl_certs abstraction and suggestions on how to
399+ deal with the snakeoil private key and other keys in /etc/ssl.]
400+ * Dropped changes:
401+ - Add additional dep8 tests.
402+ [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
403+ - Correct attribution and add explanatory note in d/NEWS.debian.
404+ [That particular upgrade path has happened long ago.]
405+ - Drop wrong short-circuiting of various invocations; we always want to
406+ call the debhelper block.
407+ [This was for the transitional squid3 package, and that transition has
408+ already happened.]
409+ - Revert "Set pidfile for systemd's sysv-generator" from Debian.
410+ [Not needed anymore since we have a native systemd service file
411+ and no longer rely on the generator.]
412+ - Enable autoreconf. This is no longer required for the security updates,
413+ but is needed for the seddery of test-suite/Makefile.am in
414+ d/t/upstream-test-suite.
415+ [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
416+ - Adjust seddery for upstream test squid binary location.
417+ [sed no longer necessary since patch,
418+ 0003-installed-binary-for-debian-ci.patch, will be dropped
419+ entirely.]
420+ - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
421+ happened in Xenial, so no upgrade path still requires this code. This
422+ reduces upgrade ordering difficulty.
423+ [Again we have a migration, but this time from squid3 to squid, so we
424+ need this].
425+ - GCC7 FTBFS fixes (LP: #1712668):
426+ + d/rules: don't error when hitting the "deprecated" and
427+ "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
428+ but one in Format.cc that affects 32bit builds was deemed too intrusive
429+ for the 3.5 stable series and is only in squid 4.x
430+ [No longer needed with squid 4.x]
431+ - Do not force gcc-6
432+ [It was a temporary workaround in Debian that got dropped]
433+ * Added changes:
434+ - d/rules: enable cdbs parallel build
435+ - d/t/test-squid.py: fix apparmor profile filename
436+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
437+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
438+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
439+ binary from the system, instead of the one from the source tree.
440+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
441+ error in parse_time_t, triggered on ppc64el due to the build using -O3
442+ in that architecture.
443+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
444+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
445+ -O2 and that triggers a format-truncation error on pcon.cc. See
446+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
447+ - d/t/upstream-test-suite: drop the sed line, since patch
448+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
449+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
450+
451+ -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
452+
453 squid (4.1-1) unstable; urgency=high
454
455 * New Upstream Release (Closes: #896120)
456diff --git a/debian/control b/debian/control
457index 76e396e..4e90675 100644
458--- a/debian/control
459+++ b/debian/control
460@@ -1,7 +1,8 @@
461 Source: squid
462 Section: web
463 Priority: optional
464-Maintainer: Luigi Gangitano <luigi@debian.org>
465+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
466+XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
467 Uploaders: Santiago Garcia Mantinan <manty@debian.org>
468 Homepage: http://www.squid-cache.org
469 Standards-Version: 4.5.0
470@@ -31,7 +32,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
471 Package: squid
472 Architecture: any
473 Pre-Depends: adduser
474-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
475+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
476 Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
477 Recommends: libcap2-bin [linux-any], ca-certificates
478 Provides: squid3
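Review bot: ssl-cert is added to the hard Depends of squid, yet the only use visible in this merge is the documentation note from 99-ubuntu-ssl-cert-snakeoil.patch, which describes the snakeoil pair as being "for testing". Consider whether Recommends or Suggests would be enough, so that a proxy host does not get the snakeoil certificate and key installed unconditionally. If Depends is intentional, give the reason in the changelog item.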
479diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
480new file mode 100644
481index 0000000..9dfa5b4
482--- /dev/null
483+++ b/debian/patches/90-cf.data.ubuntu.patch
484@@ -0,0 +1,16 @@
485+--- a/src/cf.data.pre
486++++ b/src/cf.data.pre
487+@@ -5859,6 +5862,12 @@ NOCOMMENT_START
488+ refresh_pattern ^ftp: 1440 20% 10080
489+ refresh_pattern ^gopher: 1440 0% 1440
490+ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
491++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
492++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
493++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
494++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
495++# example pattern for deb packages
496++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
497+ refresh_pattern . 0 20% 4320
498+ NOCOMMENT_END
499+ DOC_END
500+
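Review bot: 90-cf.data.ubuntu.patch starts directly at "--- a/src/cf.data.pre" with no patch header, so nothing in the file records who wrote it, why Ubuntu carries it, or whether it was forwarded upstream. Add a DEP-3 header (Description, Author, Forwarded, Last-Update) above the diff. The commented-out .deb/.udeb pattern would also benefit from one comment line explaining that 129600 is in minutes (90 days) and what the 100% means, for anyone who enables it.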
501diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
502new file mode 100644
503index 0000000..40b5306
504--- /dev/null
505+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
506@@ -0,0 +1,22 @@
507+--- a/src/cf.data.pre
508++++ b/src/cf.data.pre
509+@@ -3516,6 +3516,19 @@
510+ reference a PEM file containing both the certificate
511+ and private key.
512+
513++ Notes:
514++
515++ On Debian/Ubuntu systems a default snakeoil certificate is
516++ available in /etc/ssl and users can set:
517++
518++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
519++
520++ and
521++
522++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
523++
524++ for testing.
525++
526+ sslcipher=... The list of valid SSL ciphers to use when connecting
527+ to this peer.
528+
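Review bot: The added note says "for testing" only after both paths have been given, which is easy to miss when someone copies the sslcert= and sslkey= lines. State up front that the snakeoil pair is self-signed and meant for testing only. The patch file also has no DEP-3 header above "--- a/src/cf.data.pre"; add Description, Author and Forwarded fields.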
529diff --git a/debian/patches/series b/debian/patches/series
530index 3d19dd9..2f4d2e6 100644
531--- a/debian/patches/series
532+++ b/debian/patches/series
533@@ -2,3 +2,5 @@
534 0002-Change-default-file-locations-for-debian.patch
535 0003-installed-binary-for-debian-ci.patch
536 0004-upstream-bug5041.patch
537+90-cf.data.ubuntu.patch
538+99-ubuntu-ssl-cert-snakeoil.patch
539diff --git a/debian/rules b/debian/rules
540index cdcbc24..86cb59e 100755
541--- a/debian/rules
542+++ b/debian/rules
543@@ -7,7 +7,12 @@ ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4
544 DEB_LDFLAGS_MAINT_APPEND += -latomic
545 endif
546 export DEB_LDFLAGS_MAINT_APPEND
547-
548+# On ppc64el, dpkg-buildflags sets -O3 instead of the usual
549+# -O2. This makes gcc emit a format-truncation error on
550+# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875
551+ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el)
552+ export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation
553+endif
554 export DEB_BUILD_PARALLEL = yes
555 include /usr/share/dpkg/buildflags.mk
556 -include /usr/share/dpkg/buildtools.mk
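Review bot: The ppc64el check shells out with $(shell dpkg-architecture -qDEB_HOST_ARCH) although the ifneq just above it (visible in the hunk header) already tests $(DEB_HOST_ARCH); reuse that variable so the two conditionals cannot disagree. -Wno-format-truncation also silences the diagnostic for every C++ file on that architecture. Since the changelog describes the failure as a format-truncation error, -Wno-error=format-truncation would keep the warning in the build log while still letting the build pass. The assignment uses "=" where the LDFLAGS line uses "+="; prefer "+=" so an earlier value is not overwritten. The hunk also removes the blank line after "export DEB_LDFLAGS_MAINT_APPEND"; keep it to separate the two blocks.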
557diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
558index 6f5c814..3a26150 100644
559--- a/debian/usr.sbin.squid
560+++ b/debian/usr.sbin.squid
561@@ -48,6 +48,39 @@
562 # squid-langpack
563 /usr/share/squid-langpack/** r,
564
565+ # maas-proxy
566+ /var/lib/maas/maas-proxy.conf r,
567+ /var/log/maas/proxy/** rw,
568+ /var/spool/maas-proxy/ r,
569+ /var/spool/maas-proxy/** rwk,
570+
571+ # squid-deb-proxy
572+ /etc/squid-deb-proxy/** r,
573+ /{,var/}run/squid-deb-proxy.pid rwk,
574+ /var/cache/squid-deb-proxy/ r,
575+ /var/cache/squid-deb-proxy/** rwk,
576+ /var/log/squid-deb-proxy/* rw,
577+
578+ # squidguard
579+ /usr/bin/squidGuard Cx -> squidguard,
580+ profile squidguard {
581+ #include <abstractions/base>
582+
583+ /etc/squid/squidGuard.conf r,
584+ /var/log/squid{,3}/squidGuard.log w,
585+ /var/lib/squidguard/** rw,
586+
587+ # squidguard by default uses /var/log/squid as its logdir, however, we
588+ # don't want it to access squid's logs, only its own. Explicitly deny
589+ # access to squid's files but allow all others since the user may specify
590+ # anything for the squidGurad 'log' directive.
591+ /var/log/squid{,3}/* rw,
592+ audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
593+
594+ # Site-specific additions and overrides. See local/README for details.
595+ #include <local/usr.sbin.squid>
596+ }
597+
598 # Site-specific additions and overrides. See local/README for details.
599 #include <local/usr.sbin.squid>
600 }
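Review bot: Nothing in this hunk addresses the denial reported in the comment on this proposal, where profile /usr/sbin/squid is refused read access to /proc/sys/kernel/random/boot_id, sd_notify() fails with "Permission denied", and "systemctl start squid" times out. Add a rule for it (for example "/proc/sys/kernel/random/boot_id r," plus whatever the next denial shows is needed) together with a changelog item, otherwise the service cannot start with this profile enforced. Inside the squidguard child profile, "#include <local/usr.sbin.squid>" pulls in the same local file as the parent, so any site-local rule written for squid is also granted to squidGuard. A separate local include for the child, or none, keeps it as confined as the comment above the audit deny rule intends. That comment also misspells squidGuard as "squidGurad".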
