Merge ~athos-ribeiro/ubuntu/+source/squid:merge-lp2040426-noble into ubuntu/+source/squid:debian/sid
- Git
- lp:~athos-ribeiro/ubuntu/+source/squid
- merge-lp2040426-noble
- Merge into debian/sid
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | git-ubuntu bot | ||||
Approved revision: | not available | ||||
Merge reported by: | git-ubuntu bot | ||||
Merged at revision: | 947b36b6397935ec323a778f5eace4aec547197d | ||||
Proposed branch: | ~athos-ribeiro/ubuntu/+source/squid:merge-lp2040426-noble | ||||
Merge into: | ubuntu/+source/squid:debian/sid | ||||
Diff against target: |
1353 lines (+1134/-4) 11 files modified
debian/NEWS (+7/-0) debian/changelog (+936/-0) debian/control (+3/-2) debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0) debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch (+24/-0) debian/patches/90-cf.data.ubuntu.patch (+21/-0) debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+28/-0) debian/patches/series (+4/-0) debian/rules (+15/-2) debian/tests/upstream-test-suite (+4/-0) debian/usr.sbin.squid (+27/-0) |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu bot | Approve | ||
Andreas Hasenack | Approve | ||
Canonical Server Reporter | Pending | ||
Review via email: mp+457346@code.launchpad.net |
Commit message
Description of the change
Merge for nn cycle.
PPA: https:/
autopkgtest results for the PPA above:
- squid/6.
+ ✅ squid on noble for amd64 @ 12.12.23 20:09:02 Log️ 🗒️
+ ✅ squid on noble for arm64 @ 12.12.23 20:20:45 Log️ 🗒️
+ ✅ squid on noble for ppc64el @ 12.12.23 20:11:40 Log️ 🗒️
+ ✅ squid on noble for s390x @ 12.12.23 20:14:07 Log️ 🗒️
Athos Ribeiro (athos-ribeiro) : | # |
git-ubuntu bot (git-ubuntu-bot) wrote : | # |
Approvers: athos-ribeiro, ahasenack
Uploaders: athos-ribeiro, ahasenack
MP auto-approved
Athos Ribeiro (athos-ribeiro) wrote : | # |
Thanks, Andreas.
Uploaded. I will follow-up with forwarding those changes to Debian!
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading squid_6.
Uploading squid_6.
Uploading squid_6.
Uploading squid_6.
Uploading squid_6.
Uploading squid_6.
Successfully uploaded packages.
Preview Diff
1 | diff --git a/debian/NEWS b/debian/NEWS |
2 | index 1ac410c..83136fb 100644 |
3 | --- a/debian/NEWS |
4 | +++ b/debian/NEWS |
5 | @@ -37,6 +37,13 @@ squid (4.13-2) unstable; urgency=high |
6 | |
7 | -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:43:37 +0100 |
8 | |
9 | +squid (4.13-1ubuntu2) groovy; urgency=medium |
10 | + |
11 | + Disable the NIS basic authentication helper, as it no longer builds with |
12 | + glibc 2.32. |
13 | + |
14 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Sep 2020 18:17:53 -0300 |
15 | + |
16 | squid (4.1-1) unstable; urgency=medium |
17 | |
18 | Starting from this release support for systemd init has been added to the |
19 | diff --git a/debian/changelog b/debian/changelog |
20 | index 1b0a0d0..1eb4efa 100644 |
21 | --- a/debian/changelog |
22 | +++ b/debian/changelog |
23 | @@ -1,3 +1,59 @@ |
24 | +squid (6.5-1ubuntu1) noble; urgency=medium |
25 | + |
26 | + * Merge with Debian unstable (LP: #2040426). Remaining changes: |
27 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
28 | + squidguard |
29 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
30 | + packaging |
31 | + - Use snakeoil certificates: |
32 | + + d/control: add ssl-cert to dependencies |
33 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
34 | + to the default config file |
35 | + - d/NEWS: drop the NIS basic auth helper (LP #1895694) |
36 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
37 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
38 | + - d/rules: halt build upon test failures. |
39 | + - d/rules: do not include additional configuration files during |
40 | + build time tests. This would lead to test failures due to missing |
41 | + paths. |
42 | + - d/t/upstream-test-suite: use installed squid binary for |
43 | + autopkgtest config file checks. |
44 | + - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison |
45 | + between signed and unsigned values. |
46 | + - d/rules: disable LTO related compilation errors for ppc64el builds. |
47 | + * Dropped changes: |
48 | + - d/t/upstream-test-suite: make missing targets for squid 6. |
49 | + [ Fixed in Debian in 6.5-1 ] |
50 | + - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in |
51 | + Ftp::Client constructor leading to problems in FTP support. |
52 | + [ Fixed upstream in 6.2 ] |
53 | + - SECURITY UPDATE: DoS against certificate validation |
54 | + + debian/patches/CVE-2023-46724.patch: fix validation of certificates |
55 | + with CN=* in src/anyp/Uri.cc. |
56 | + + CVE-2023-46724 |
57 | + [ Fixed in Debian in 6.5-1 ] |
58 | + - SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder |
59 | + lenience |
60 | + + debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding |
61 | + compliance in src/http/one/Parser.cc, src/http/one/Parser.h, |
62 | + src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc, |
63 | + src/parser/Tokenizer.h. |
64 | + + CVE-2023-46846 |
65 | + [ Fixed in Debian in 6.5-1 ] |
66 | + - SECURITY UPDATE: DoS via HTTP Digest Authentication |
67 | + + debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when |
68 | + parsing Digest Authorization in src/auth/digest/Config.cc. |
69 | + + CVE-2023-46847 |
70 | + [ Fixed in Debian in 6.5-1 ] |
71 | + - SECURITY UPDATE: DoS via ftp:// URLs |
72 | + + debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in |
73 | + src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc, |
74 | + src/anyp/Uri.cc. |
75 | + + CVE-2023-46848 |
76 | + [ Fixed in Debian in 6.5-1 ] |
77 | + |
78 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 12 Dec 2023 12:05:40 -0300 |
79 | + |
80 | squid (6.5-1) unstable; urgency=high |
81 | |
82 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
83 | @@ -25,6 +81,70 @@ squid (6.3-1) unstable; urgency=medium |
84 | |
85 | -- Luigi Gangitano <luigi@debian.org> Thu, 28 Sep 2023 16:04:20 +0200 |
86 | |
87 | +squid (6.1-2ubuntu2) noble; urgency=medium |
88 | + |
89 | + * SECURITY UPDATE: DoS against certificate validation |
90 | + - debian/patches/CVE-2023-46724.patch: fix validation of certificates |
91 | + with CN=* in src/anyp/Uri.cc. |
92 | + - CVE-2023-46724 |
93 | + * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder |
94 | + lenience |
95 | + - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding |
96 | + compliance in src/http/one/Parser.cc, src/http/one/Parser.h, |
97 | + src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc, |
98 | + src/parser/Tokenizer.h. |
99 | + - CVE-2023-46846 |
100 | + * SECURITY UPDATE: DoS via HTTP Digest Authentication |
101 | + - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when |
102 | + parsing Digest Authorization in src/auth/digest/Config.cc. |
103 | + - CVE-2023-46847 |
104 | + * SECURITY UPDATE: DoS via ftp:// URLs |
105 | + - debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in |
106 | + src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc, |
107 | + src/anyp/Uri.cc. |
108 | + - CVE-2023-46848 |
109 | + |
110 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 13 Nov 2023 08:41:30 -0500 |
111 | + |
112 | +squid (6.1-2ubuntu1) mantic; urgency=medium |
113 | + |
114 | + * Merge with Debian unstable (LP: #2018110). Remaining changes: |
115 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
116 | + squidguard |
117 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
118 | + packaging |
119 | + - Use snakeoil certificates: |
120 | + + d/control: add ssl-cert to dependencies |
121 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
122 | + to the default config file |
123 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
124 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
125 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
126 | + - d/rules: halt build upon test failures. |
127 | + - d/rules: do not include additional configuration files during |
128 | + build time tests. This would lead to test failures due to missing |
129 | + paths. |
130 | + - d/t/upstream-test-suite: use installed squid binary for |
131 | + autopkgtest config file checks. |
132 | + * Drop changes: |
133 | + - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust |
134 | + MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS |
135 | + with GCC 11 (LP #1939352). |
136 | + [ Applied upstream in 6.0.1 ] |
137 | + - d/p/series: do not rely on installed binaries for build time tests. |
138 | + [ Applied in 6.1-1 ] |
139 | + - d/rules: disable LTO related compilation errors for s390x builds. |
140 | + [ Fixed in 6.1-1 ] |
141 | + * New changes: |
142 | + - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison |
143 | + between signed and unsigned values. |
144 | + - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in |
145 | + Ftp::Client constructor leading to problems in FTP support. |
146 | + - d/rules: disable LTO related compilation errors for ppc64el builds. |
147 | + - d/t/upstream-test-suite: make missing targets for squid 6. |
148 | + |
149 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 15 Aug 2023 21:51:44 -0300 |
150 | + |
151 | squid (6.1-2) unstable; urgency=low |
152 | |
153 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
154 | @@ -62,6 +182,61 @@ squid (5.7-2) unstable; urgency=medium |
155 | |
156 | -- Santiago Garcia Mantinan <manty@debian.org> Fri, 28 Apr 2023 08:35:27 +0200 |
157 | |
158 | +squid (5.7-1ubuntu3) lunar; urgency=medium |
159 | + |
160 | + * d/rules: |
161 | + - Re-enable LTO for s390x builds. (LP: #2011494) |
162 | + - Disable LTO related compilation errors for s390x builds. |
163 | + |
164 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 13 Mar 2023 21:54:07 -0300 |
165 | + |
166 | +squid (5.7-1ubuntu2) lunar; urgency=medium |
167 | + |
168 | + * Make builds fail when upstream test suite fails (LP: #2004050): |
169 | + - d/p/series: do not rely on installed binaries for build time tests. |
170 | + - d/rules: halt build upon test failures. |
171 | + - d/rules: do not include additional configuration files during |
172 | + build time tests. This would lead to test failures due to missing |
173 | + paths. |
174 | + - d/t/upstream-test-suite: use installed squid binary for |
175 | + autopkgtest config file checks. |
176 | + - d/rules: disable LTO for s390x builds. |
177 | + |
178 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Fri, 27 Jan 2023 11:06:05 -0300 |
179 | + |
180 | +squid (5.7-1ubuntu1) lunar; urgency=medium |
181 | + |
182 | + * Merge with Debian unstable (LP: #1993446). Remaining changes: |
183 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
184 | + squidguard |
185 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
186 | + packaging |
187 | + - Use snakeoil certificates: |
188 | + + d/control: add ssl-cert to dependencies |
189 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
190 | + to the default config file |
191 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
192 | + - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust |
193 | + MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS |
194 | + with GCC 11 (LP #1939352). |
195 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
196 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
197 | + * Drop changes: |
198 | + - d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables |
199 | + here. (LP #1988217) |
200 | + [ Not necessary anymore. ] |
201 | + - SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager |
202 | + - debian/patches/CVE-2022-41317.patch: fix typo in ACL in |
203 | + src/cf.data.pre. |
204 | + - CVE-2022-41317 |
205 | + [ Incorporated upstream. ] |
206 | + - SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication |
207 | + - debian/patches/CVE-2022-41318.patch: improve checks in |
208 | + lib/ntlmauth/ntlmauth.cc. |
209 | + [ Incorporated upstream. ] |
210 | + |
211 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 03 Jan 2023 17:39:52 -0500 |
212 | + |
213 | squid (5.7-1) unstable; urgency=medium |
214 | |
215 | * Urgency high due to security fixes |
216 | @@ -101,6 +276,78 @@ squid (5.7-1) unstable; urgency=medium |
217 | |
218 | -- Luigi Gangitano <luigi@debian.org> Tue, 4 Oct 2022 11:04:20 +0200 |
219 | |
220 | +squid (5.6-1ubuntu4) lunar; urgency=medium |
221 | + |
222 | + * No-change rebuild against libldap-2 |
223 | + |
224 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:56:14 +0000 |
225 | + |
226 | +squid (5.6-1ubuntu3) kinetic; urgency=medium |
227 | + |
228 | + * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager |
229 | + - debian/patches/CVE-2022-41317.patch: fix typo in ACL in |
230 | + src/cf.data.pre. |
231 | + - CVE-2022-41317 |
232 | + * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication |
233 | + - debian/patches/CVE-2022-41318.patch: improve checks in |
234 | + lib/ntlmauth/ntlmauth.cc. |
235 | + - CVE-2022-41318 |
236 | + |
237 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 23 Sep 2022 08:02:41 -0400 |
238 | + |
239 | +squid (5.6-1ubuntu2) kinetic; urgency=medium |
240 | + |
241 | + * d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables |
242 | + here. (LP: #1988217) |
243 | + |
244 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 30 Aug 2022 19:32:59 -0400 |
245 | + |
246 | +squid (5.6-1ubuntu1) kinetic; urgency=medium |
247 | + |
248 | + * Merge with Debian unstable (LP: #1971325). Remaining changes: |
249 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
250 | + squidguard |
251 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
252 | + packaging |
253 | + - Use snakeoil certificates: |
254 | + + d/control: add ssl-cert to dependencies |
255 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
256 | + to the default config file |
257 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
258 | + - Fix FTBFS with GCC 11 (LP #1939352) |
259 | + + d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Fix |
260 | + MAX_PKT{4,6}_SZ to account for icmpEchoData padding. |
261 | + * Drop changes: |
262 | + - Fix FTBFS with OpenSSL 3.0 (LP #1946205). The following new |
263 | + patches have been added: |
264 | + + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. |
265 | + + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. |
266 | + + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. |
267 | + + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. |
268 | + + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. |
269 | + + d/p/openssl3-Remove-stale-TODO-and-comment.patch. |
270 | + + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. |
271 | + + d/p/openssl3-Switch-to-BN_rand.patch. |
272 | + + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. |
273 | + + d/p/openssl3-Tweak-RSA-key-generator.patch. |
274 | + + d/p/openssl3-Update-ECDH-key-settings.patch. |
275 | + + d/p/openssl3-Update-license-disclaimer.patch. |
276 | + [ Incorporated by Debian. ] |
277 | + - SECURITY UPDATE: Denial of Service in Gopher Processing |
278 | + + debian/patches/CVE-2021-46784.patch: improve handling of Gopher |
279 | + responses in src/gopher.cc. |
280 | + [ Incorporated by upstream. ] |
281 | + - Fix FTBFS with GCC 11 (LP #1939352) |
282 | + + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround |
283 | + GCC 11 -Wstringop-overread bug. |
284 | + [ Not needed anymore. ] |
285 | + * Add changes: |
286 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
287 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
288 | + [ Forwarded upstream ] |
289 | + |
290 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 11 Aug 2022 17:13:45 -0400 |
291 | + |
292 | squid (5.6-1) unstable; urgency=high |
293 | |
294 | * Urgency high due to security fixes |
295 | @@ -141,6 +388,87 @@ squid (5.5-1) unstable; urgency=medium |
296 | |
297 | -- Luigi Gangitano <luigi@debian.org> Fri, 15 Apr 2022 14:39:54 +0200 |
298 | |
299 | +squid (5.2-1ubuntu5) kinetic; urgency=medium |
300 | + |
301 | + * SECURITY UPDATE: Denial of Service in Gopher Processing |
302 | + - debian/patches/CVE-2021-46784.patch: improve handling of Gopher |
303 | + responses in src/gopher.cc. |
304 | + - CVE-2021-46784 |
305 | + |
306 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 21 Jun 2022 13:38:17 -0400 |
307 | + |
308 | +squid (5.2-1ubuntu4) jammy; urgency=medium |
309 | + |
310 | + * Do not enable openssl as a default. This hinders packaging since we ship |
311 | + squid in two different flavours (gnutls and openssl). Drop |
312 | + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200) |
313 | + |
314 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 12 Apr 2022 23:41:41 -0300 |
315 | + |
316 | +squid (5.2-1ubuntu3) jammy; urgency=medium |
317 | + |
318 | + * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new |
319 | + patches have been added: |
320 | + - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. |
321 | + - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. |
322 | + - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. |
323 | + - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. |
324 | + - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. |
325 | + - d/p/openssl3-Remove-stale-TODO-and-comment.patch. |
326 | + - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. |
327 | + - d/p/openssl3-Switch-to-BN_rand.patch. |
328 | + - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. |
329 | + - d/p/openssl3-Tweak-RSA-key-generator.patch. |
330 | + - d/p/openssl3-Update-ECDH-key-settings.patch. |
331 | + - d/p/openssl3-Update-license-disclaimer.patch. |
332 | + |
333 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 08 Feb 2022 17:15:20 -0500 |
334 | + |
335 | +squid (5.2-1ubuntu2) jammy; urgency=medium |
336 | + |
337 | + * No-change rebuild against libssl3 |
338 | + |
339 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:10 +0000 |
340 | + |
341 | +squid (5.2-1ubuntu1) jammy; urgency=medium |
342 | + |
343 | + * Merge with Debian unstable (LP: #1946903). Remaining changes: |
344 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
345 | + squidguard |
346 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
347 | + packaging |
348 | + - Use snakeoil certificates: |
349 | + + d/control: add ssl-cert to dependencies |
350 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
351 | + to the default config file |
352 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
353 | + - Fix FTBFS with GCC 11 (LP #1939352) |
354 | + + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand |
355 | + MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr. |
356 | + + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround |
357 | + GCC 11 -Wstringop-overread bug. |
358 | + * Dropped changes: |
359 | + - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
360 | + Fix call to free on nonheap-object in snmpCreateOidFromStr |
361 | + [ Incorporated by upstream. ] |
362 | + - Fix failure to build on RISC-V (LP #1934891) |
363 | + [ Incorporated by upstream. ] |
364 | + - SECURITY UPDATE: information disclosure via OOB read in WCCP protocol |
365 | + + debian/patches/CVE-2021-28116.patch: validate packets better in |
366 | + src/wccp2.cc. |
367 | + + CVE-2021-28116 |
368 | + [ Incorporated by upstream. ] |
369 | + - Fix FTBFS with GCC 11 (LP #1939352) |
370 | + + d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace |
371 | + cbdata::Offset hack with offsetof(). |
372 | + + d/p/add-missing-limits-include-connmark.patch: Add missing |
373 | + <limits> include to src/acl/ConnMark.cc. |
374 | + [ Incorporated by upstream. This is a partial drop; the other |
375 | + two patches that compose this fix are still present in this |
376 | + release. ] |
377 | + |
378 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 01 Nov 2021 18:19:59 -0400 |
379 | + |
380 | squid (5.2-1) unstable; urgency=medium |
381 | |
382 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
383 | @@ -181,6 +509,58 @@ squid (5.1-2) unstable; urgency=medium |
384 | |
385 | -- Luigi Gangitano <luigi@debian.org> Fri, 17 Sep 2021 09:27:54 +0200 |
386 | |
387 | +squid (4.13-10ubuntu5) impish; urgency=medium |
388 | + |
389 | + * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol |
390 | + - debian/patches/CVE-2021-28116.patch: validate packets better in |
391 | + src/wccp2.cc. |
392 | + - CVE-2021-28116 |
393 | + |
394 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 04 Oct 2021 08:20:07 -0400 |
395 | + |
396 | +squid (4.13-10ubuntu4) impish; urgency=medium |
397 | + |
398 | + * Fix FTBFS with GCC 11 (LP: #1939352) |
399 | + - d/p/add-missing-limits-include-connmark.patch: Add missing |
400 | + <limits> include to src/acl/ConnMark.cc. |
401 | + - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch: Expand |
402 | + MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr. |
403 | + - d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace |
404 | + cbdata::Offset hack with offsetof(). |
405 | + - d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround |
406 | + GCC 11 -Wstringop-overread bug. |
407 | + |
408 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 20 Aug 2021 00:19:41 -0400 |
409 | + |
410 | +squid (4.13-10ubuntu3) impish; urgency=medium |
411 | + |
412 | + * Fix failure to build on RISC-V (LP: #1934891) |
413 | + |
414 | + -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Wed, 07 Jul 2021 14:11:51 +0200 |
415 | + |
416 | +squid (4.13-10ubuntu2) impish; urgency=medium |
417 | + |
418 | + * No-change rebuild due to OpenLDAP soname bump. |
419 | + |
420 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:05 -0400 |
421 | + |
422 | +squid (4.13-10ubuntu1) impish; urgency=medium |
423 | + |
424 | + * Merge with Debian unstable. Remaining changes: |
425 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
426 | + squidguard |
427 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
428 | + packaging |
429 | + - Use snakeoil certificates: |
430 | + + d/control: add ssl-cert to dependencies |
431 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
432 | + to the default config file |
433 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694) |
434 | + - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
435 | + Fix call to free on nonheap-object in snmpCreateOidFromStr |
436 | + |
437 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 04 Jun 2021 12:49:43 -0400 |
438 | + |
439 | squid (4.13-10) unstable; urgency=medium |
440 | |
441 | [ Francisco Vilmar Cardoso Ruviaro ] |
442 | @@ -199,6 +579,29 @@ squid (4.13-10) unstable; urgency=medium |
443 | |
444 | -- Santiago Garcia Mantinan <manty@debian.org> Fri, 28 May 2021 12:28:20 +0200 |
445 | |
446 | +squid (4.13-9ubuntu1) impish; urgency=medium |
447 | + |
448 | + * Merge with Debian unstable. Remaining changes: |
449 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
450 | + squidguard |
451 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
452 | + packaging |
453 | + - Use snakeoil certificates: |
454 | + + d/control: add ssl-cert to dependencies |
455 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
456 | + to the default config file |
457 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694) |
458 | + - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
459 | + Fix call to free on nonheap-object in snmpCreateOidFromStr |
460 | + * Drop changes: |
461 | + - debian/patches/CVE-2020-25097.patch: Add slash prefix to path- |
462 | + rootless or path-noscheme URLs in src/anyp/Uri.cc. |
463 | + [Included in 4.13-8] |
464 | + - d/usr.sbin.squid: Add section for maas-proxy |
465 | + [maas-proxy is no longer shipped as a deb package] |
466 | + |
467 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 18 May 2021 10:51:16 -0300 |
468 | + |
469 | squid (4.13-9) unstable; urgency=medium |
470 | |
471 | * Clarify on NEWS and scripts that we no longer remove logs on purge. |
472 | @@ -259,6 +662,46 @@ squid (4.13-2) unstable; urgency=high |
473 | |
474 | -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:39:45 +0100 |
475 | |
476 | +squid (4.13-1ubuntu4) hirsute; urgency=medium |
477 | + |
478 | + * d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
479 | + Fix FTBFS on Hirsute s390x when compiling with GCC 10.2.0. |
480 | + |
481 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 05 Apr 2021 12:00:02 -0400 |
482 | + |
483 | +squid (4.13-1ubuntu3) hirsute; urgency=medium |
484 | + |
485 | + * SECURITY UPDATE: HTTP Request Smuggling issue |
486 | + - debian/patches/CVE-2020-25097.patch: Add slash prefix to path- |
487 | + rootless or path-noscheme URLs in src/anyp/Uri.cc. |
488 | + - CVE-2020-25097 |
489 | + |
490 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 25 Mar 2021 12:38:06 -0400 |
491 | + |
492 | +squid (4.13-1ubuntu2) groovy; urgency=medium |
493 | + |
494 | + * d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694) |
495 | + |
496 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Sep 2020 18:19:42 -0300 |
497 | + |
498 | +squid (4.13-1ubuntu1) groovy; urgency=medium |
499 | + |
500 | + * Merge with Debian unstable. Remaining changes: |
501 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
502 | + squidguard |
503 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
504 | + for debs. |
505 | + - Use snakeoil certificates: |
506 | + + d/control: add ssl-cert to dependencies |
507 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
508 | + to the default config file |
509 | + * Dropped changes: |
510 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
511 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
512 | + [ Accepted upstream. ] |
513 | + |
514 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 25 Aug 2020 15:01:58 -0400 |
515 | + |
516 | squid (4.13-1) unstable; urgency=high |
517 | |
518 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
519 | @@ -271,6 +714,43 @@ squid (4.13-1) unstable; urgency=high |
520 | |
521 | -- Luigi Gangitano <luigi@debian.org> Mon, 24 Aug 2020 17:27:54 +0200 |
522 | |
523 | +squid (4.12-1ubuntu1) groovy; urgency=medium |
524 | + |
525 | + * Merge with Debian unstable. Remaining changes: |
526 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
527 | + squidguard |
528 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
529 | + for debs. |
530 | + - Use snakeoil certificates: |
531 | + + d/control: add ssl-cert to dependencies |
532 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
533 | + to the default config file |
534 | + * Dropped changes, not needed anymore: |
535 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround |
536 | + if building for ppc64el. On that arch, dpkg-buildflags sets -O3 |
537 | + instead of -O2 and that triggers a format-truncation error on |
538 | + pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875. |
539 | + [ Dropped because the build now passes on ppc64el ] |
540 | + * Dropped changes, incorporated by Debian: |
541 | + - Don't restart squid by hand on postinst script |
542 | + + d/squid.postinst: When installing/upgrading squid, the service |
543 | + is being restarted manually in the postinst script, which can |
544 | + break installations that have the squid apparmor enabled because |
545 | + it will try to restart the service before reloading the apparmor |
546 | + profile. There is no reason to restart squid manually, since the |
547 | + restart will be automatically performed later. |
548 | + - Drop conffile check for squid < 2.7 |
549 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
550 | + safe to drop the postinst code to make sure that |
551 | + /etc/squid/squid.conf was properly upgraded. |
552 | + - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
553 | + that we now store the pidfile under '/run/squid/'. |
554 | + * Added changes: |
555 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
556 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
557 | + |
558 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400 |
559 | + |
560 | squid (4.12-1) unstable; urgency=high |
561 | |
562 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
563 | @@ -306,6 +786,63 @@ squid (4.12-1) unstable; urgency=high |
564 | |
565 | -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200 |
566 | |
567 | +squid (4.11-5ubuntu3) groovy; urgency=medium |
568 | + |
569 | + * No change rebuild against new libnettle8 and libhogweed6 ABI. |
570 | + |
571 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100 |
572 | + |
573 | +squid (4.11-5ubuntu2) groovy; urgency=medium |
574 | + |
575 | + * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
576 | + that we now store the pidfile under '/run/squid/'. |
577 | + |
578 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400 |
579 | + |
580 | +squid (4.11-5ubuntu1) groovy; urgency=medium |
581 | + |
582 | + * Merge with Debian unstable. Remaining changes: |
583 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
584 | + squidguard |
585 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for |
586 | + debs. |
587 | + - Use snakeoil certificates: |
588 | + + d/control: add ssl-cert to dependencies |
589 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the |
590 | + default config file |
591 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
592 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead |
593 | + of -O2 and that triggers a format-truncation error on pcon.cc. See See |
594 | + https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
595 | + * Dropped: |
596 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
597 | + deprecated in glibc 2.30 (LP #1843325) |
598 | + [ In 4.11-4 ] |
599 | + - SECURITY UPDATE: multiple ESI issues |
600 | + + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
601 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
602 | + src/esi/Esi.h, src/esi/Expression.cc. |
603 | + + CVE-2019-12519 |
604 | + [ In 4.11-4 ] |
605 | + - SECURITY UPDATE: Digest Authentication nonce replay issue |
606 | + + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
607 | + overflow in src/auth/digest/Config.cc. |
608 | + [ In 4.11-4 ] |
609 | + * Added: |
610 | + - Don't restart squid by hand on postinst script |
611 | + + d/squid.postinst: When installing/upgrading squid, the service |
612 | + is being restarted manually in the postinst script, which can |
613 | + break installations that have the squid apparmor enabled because |
614 | + it will try to restart the service before reloading the apparmor |
615 | + profile. There is no reason to restart squid manually, since the |
616 | + restart will be automatically performed later. |
617 | + - Drop conffile check for squid < 2.7 |
618 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
619 | + safe to drop the postinst code to make sure that |
620 | + /etc/squid/squid.conf was properly upgraded. |
621 | + |
622 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400 |
623 | + |
624 | squid (4.11-5) unstable; urgency=medium |
625 | |
626 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
627 | @@ -384,6 +921,64 @@ squid (4.11-1) unstable; urgency=high |
628 | |
629 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 |
630 | |
631 | +squid (4.10-1ubuntu2) groovy; urgency=medium |
632 | + |
633 | + * SECURITY UPDATE: multiple ESI issues |
634 | + - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
635 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
636 | + src/esi/Esi.h, src/esi/Expression.cc. |
637 | + - CVE-2019-12519 |
638 | + - CVE-2019-12521 |
639 | + * SECURITY UPDATE: Digest Authentication nonce replay issue |
640 | + - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
641 | + overflow in src/auth/digest/Config.cc. |
642 | + - CVE-2020-11945 |
643 | + |
644 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400 |
645 | + |
646 | +squid (4.10-1ubuntu1) focal; urgency=medium |
647 | + |
648 | + * Merge with Debian unstable. Remaining changes: |
649 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
650 | + squidguard |
651 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. |
652 | + - Use snakeoil certificates: |
653 | + + d/control: add ssl-cert to dependencies |
654 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
655 | + to the default config file |
656 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
657 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
658 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
659 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
660 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
661 | + deprecated in glibc 2.30 (LP #1843325) |
662 | + * Dropped: |
663 | + - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
664 | + no longer available in Focal (LP: #1858827) |
665 | + [In 4.10-1, undocumented] |
666 | + - d/t/test-squid.py, d/t/squid: switch to python3 |
667 | + [In 4.10-1, undocumented] |
668 | + - d/t/control: depend on python3-minimal |
669 | + [In 4.10-1, undocumented] |
670 | + - SECURITY UPDATE: info disclosure via FTP server |
671 | + + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
672 | + src/clients/FtpGateway.cc. |
673 | + + CVE-2019-12528 |
674 | + [Fixed upstream] |
675 | + - SECURITY UPDATE: incorrect input validation and buffer management |
676 | + + debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
677 | + reverse proxy configurations in src/client_side.cc. |
678 | + + CVE-2020-8449 |
679 | + + CVE-2020-8450 |
680 | + [Fixed upstream] |
681 | + - SECURITY UPDATE: DoS in NTLM authentication |
682 | + + debian/patches/CVE-2020-8517.patch: improved username handling in |
683 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
684 | + + CVE-2020-8517 |
685 | + [Fixed upstream] |
686 | + |
687 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300 |
688 | + |
689 | squid (4.10-1) unstable; urgency=high |
690 | |
691 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
692 | @@ -405,6 +1000,70 @@ squid (4.10-1) unstable; urgency=high |
693 | |
694 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 |
695 | |
696 | +squid (4.9-2ubuntu4) focal; urgency=medium |
697 | + |
698 | + * SECURITY UPDATE: info disclosure via FTP server |
699 | + - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
700 | + src/clients/FtpGateway.cc. |
701 | + - CVE-2019-12528 |
702 | + * SECURITY UPDATE: incorrect input validation and buffer management |
703 | + - debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
704 | + reverse proxy configurations in src/client_side.cc. |
705 | + - CVE-2020-8449 |
706 | + - CVE-2020-8450 |
707 | + * SECURITY UPDATE: DoS in NTLM authentication |
708 | + - debian/patches/CVE-2020-8517.patch: improved username handling in |
709 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
710 | + - CVE-2020-8517 |
711 | + |
712 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500 |
713 | + |
714 | +squid (4.9-2ubuntu3) focal; urgency=medium |
715 | + |
716 | + * No-change rebuild with fixed binutils on arm64. |
717 | + |
718 | + -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000 |
719 | + |
720 | +squid (4.9-2ubuntu2) focal; urgency=medium |
721 | + |
722 | + * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
723 | + no longer available in Focal (LP: #1858827) |
724 | + * d/t/test-squid.py, d/t/squid: switch to python3 |
725 | + * d/t/control: depend on python3-minimal |
726 | + |
727 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300 |
728 | + |
729 | +squid (4.9-2ubuntu1) focal; urgency=medium |
730 | + |
731 | + * Merge with Debian unstable. Remaining changes: |
732 | + - Use snakeoil certificates. |
733 | + - Add an example refresh pattern for debs. |
734 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
735 | + squidguard |
736 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
737 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
738 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
739 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
740 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
741 | + deprecated in glibc 2.30 (LP #1843325) |
742 | + * Dropped: |
743 | + - d/rules: Only use -latomic with the intended architectures, instead of |
744 | + all of them. This matches what was suggested in |
745 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
746 | + [Fixed upstream] |
747 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
748 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
749 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
750 | + [Fixed upstream] |
751 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
752 | + lib/smblib/smblib-util.c. (LP #1835831) |
753 | + [Fixed upstream] |
754 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
755 | + mounted |
756 | + [Fixed upstream] |
757 | + |
758 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300 |
759 | + |
760 | squid (4.9-2) unstable; urgency=medium |
761 | |
762 | [ Andreas Hasenack <andreas@canonical.com> ] |
763 | @@ -461,6 +1120,73 @@ squid (4.9-1) unstable; urgency=high |
764 | |
765 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 |
766 | |
767 | +squid (4.8-1ubuntu3) focal; urgency=medium |
768 | + |
769 | + * No-change rebuild against libnettle7 |
770 | + |
771 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000 |
772 | + |
773 | +squid (4.8-1ubuntu2) eoan; urgency=medium |
774 | + |
775 | + * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
776 | + deprecated in glibc 2.30 (LP: #1843325) |
777 | + |
778 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300 |
779 | + |
780 | +squid (4.8-1ubuntu1) eoan; urgency=medium |
781 | + |
782 | + * Merge with Debian unstable. Remaining changes: |
783 | + - Use snakeoil certificates. |
784 | + - Add an example refresh pattern for debs. |
785 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
786 | + squidguard |
787 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
788 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
789 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
790 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
791 | + - d/rules: Only use -latomic with the intended architectures, instead of |
792 | + all of them. This matches what was suggested in |
793 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
794 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
795 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
796 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
797 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
798 | + lib/smblib/smblib-util.c. (LP #1835831) |
799 | + * Dropped: |
800 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
801 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
802 | + [Fixed upstream] |
803 | + - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged |
804 | + patch |
805 | + [Fixed upstream] |
806 | + - SECURITY UPDATE: incorrect digest auth parameter parsing |
807 | + + debian/patches/CVE-2019-12525.patch: check length in |
808 | + src/auth/digest/Config.cc. |
809 | + + CVE-2019-12525 |
810 | + [Fixed upstream] |
811 | + - SECURITY UPDATE: buffer overflow in basic auth decoding |
812 | + + debian/patches/CVE-2019-12527.patch: switch to SBuf in |
813 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
814 | + src/clients/FtpGateway.cc. |
815 | + + CVE-2019-12527 |
816 | + [Fixed upstream] |
817 | + - SECURITY UPDATE: basic auth uudecode length issue |
818 | + + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
819 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
820 | + include/uudecode.h, lib/uudecode.c. |
821 | + + CVE-2019-12529 |
822 | + [Fixed upstream] |
823 | + - SECURITY UPDATE: XSS issues in cachemgr.cgi |
824 | + + debian/patches/CVE-2019-13345.patch: properly escape values in |
825 | + tools/cachemgr.cc. |
826 | + + CVE-2019-13345 |
827 | + [Fixed upstream] |
828 | + * Added: |
829 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
830 | + mounted |
831 | + |
832 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 |
833 | + |
834 | squid (4.8-1) unstable; urgency=high |
835 | |
836 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
837 | @@ -479,6 +1205,86 @@ squid (4.8-1) unstable; urgency=high |
838 | |
839 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
840 | |
841 | +squid (4.6-2ubuntu4) eoan; urgency=medium |
842 | + |
843 | + * Fix gcc-9 issues (LP: #1835831) |
844 | + - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
845 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
846 | + lib/smblib/smblib-util.c. |
847 | + * SECURITY UPDATE: incorrect digest auth parameter parsing |
848 | + - debian/patches/CVE-2019-12525.patch: check length in |
849 | + src/auth/digest/Config.cc. |
850 | + - CVE-2019-12525 |
851 | + * SECURITY UPDATE: buffer overflow in basic auth decoding |
852 | + - debian/patches/CVE-2019-12527.patch: switch to SBuf in |
853 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
854 | + src/clients/FtpGateway.cc. |
855 | + - CVE-2019-12527 |
856 | + * SECURITY UPDATE: basic auth uudecode length issue |
857 | + - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
858 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
859 | + include/uudecode.h, lib/uudecode.c. |
860 | + - CVE-2019-12529 |
861 | + * SECURITY UPDATE: XSS issues in cachemgr.cgi |
862 | + - debian/patches/CVE-2019-13345.patch: properly escape values in |
863 | + tools/cachemgr.cc. |
864 | + - CVE-2019-13345 |
865 | + |
866 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 |
867 | + |
868 | +squid (4.6-2ubuntu3) eoan; urgency=medium |
869 | + |
870 | + * Override newly added gcc-9 flags: |
871 | + -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
872 | + NOTE: Overriding those flags is a possible security |
873 | + asked for info on the gcc-9 issue bug tracker: |
874 | + https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 |
875 | + |
876 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 |
877 | + |
878 | +squid (4.6-2ubuntu2) eoan; urgency=medium |
879 | + |
880 | + * Fix gcc-9 build issues with upstream merged patch |
881 | + |
882 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 |
883 | + |
884 | +squid (4.6-2ubuntu1) eoan; urgency=medium |
885 | + |
886 | + * Merge with Debian unstable. Remaining changes: |
887 | + - Use snakeoil certificates. |
888 | + - Add an example refresh pattern for debs. |
889 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
890 | + squidguard |
891 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
892 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
893 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
894 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
895 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
896 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
897 | + [Added Applied-Upstream header] |
898 | + - d/rules: Only use -latomic with the intended architectures, instead of |
899 | + all of them. This matches what was suggested in |
900 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
901 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
902 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
903 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
904 | + * Dropped: |
905 | + - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
906 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) |
907 | + [Fixed in 4.5-2] |
908 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
909 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
910 | + in that architecture. |
911 | + [Fixed upstream] |
912 | + - Add disabled by default AppArmor profile. |
913 | + [Added by Debian in 4.6-2] |
914 | + - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): |
915 | + + allow net_admin capability |
916 | + + add attach_disconnected flag |
917 | + [Fixed in 4.6-2] |
918 | + |
919 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 |
920 | + |
921 | squid (4.6-2) unstable; urgency=high |
922 | |
923 | [ Andreas Hasenack <andreas@canonical.com> ] |
924 | @@ -539,6 +1345,57 @@ squid (4.5-1) unstable; urgency=medium |
925 | |
926 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
927 | |
928 | +squid (4.4-1ubuntu2) disco; urgency=medium |
929 | + |
930 | + * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
931 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) |
932 | + |
933 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 |
934 | + |
935 | +squid (4.4-1ubuntu1) disco; urgency=medium |
936 | + |
937 | + * Merge with Debian unstable. Remaining changes: |
938 | + - Use snakeoil certificates. |
939 | + - Add an example refresh pattern for debs. |
940 | + - Add disabled by default AppArmor profile. |
941 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
942 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
943 | + in that architecture. |
944 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
945 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
946 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
947 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
948 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
949 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
950 | + * Drop: |
951 | + - d/rules: enable cdbs parallel build |
952 | + [Fixed in 4.2-1] |
953 | + - d/t/test-squid.py: fix apparmor profile filename |
954 | + [Fixed in 4.2-1] |
955 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
956 | + [Fixed in 4.2-1] |
957 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
958 | + [Fixed in 4.2-1] |
959 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
960 | + binary from the system, instead of the one from the source tree. |
961 | + [Fixed in 4.2-1] |
962 | + - d/t/upstream-test-suite: drop the sed line, since patch |
963 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
964 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
965 | + [Fixed in 4.2-1] |
966 | + * Added changes: |
967 | + - d/rules: Only use -latomic with the intended architectures, instead of |
968 | + all of them. This matches what was suggested in |
969 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
970 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
971 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
972 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
973 | + - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): |
974 | + + allow net_admin capability |
975 | + + add attach_disconnected flag |
976 | + |
977 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 |
978 | + |
979 | squid (4.4-1) unstable; urgency=high |
980 | |
981 | * Urgency high due to security fixes |
982 | @@ -603,6 +1460,85 @@ squid (4.2-1) unstable; urgency=high |
983 | |
984 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
985 | |
986 | +squid (4.1-1ubuntu3) cosmic; urgency=medium |
987 | + |
988 | + * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
989 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) |
990 | + |
991 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 |
992 | + |
993 | +squid (4.1-1ubuntu2) cosmic; urgency=medium |
994 | + |
995 | + * d/usr.sbin.squid: Update apparmor profile to grant read access to squid |
996 | + binary (LP: #1792728) |
997 | + |
998 | + -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 |
999 | + |
1000 | +squid (4.1-1ubuntu1) cosmic; urgency=medium |
1001 | + |
1002 | + * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). |
1003 | + Remaining changes: |
1004 | + - Use snakeoil certificates. |
1005 | + [Updated to use the correct config setting names] |
1006 | + - Add an example refresh pattern for debs. |
1007 | + [Improved the refresh patterns based on the configuration from |
1008 | + squid-deb-proxy package] |
1009 | + - Add disabled by default AppArmor profile. |
1010 | + [Updated to include the ssl_certs abstraction and suggestions on how to |
1011 | + deal with the snakeoil private key and other keys in /etc/ssl.] |
1012 | + * Dropped changes: |
1013 | + - Add additional dep8 tests. |
1014 | + [Adopted in 4.0.21-1~exp5, albeit a stripped down version] |
1015 | + - Correct attribution and add explanatory note in d/NEWS.debian. |
1016 | + [That particular upgrade path has happened long ago.] |
1017 | + - Drop wrong short-circuiting of various invocations; we always want to |
1018 | + call the debhelper block. |
1019 | + [This was for the transitional squid3 package, and that transition has |
1020 | + already happened.] |
1021 | + - Revert "Set pidfile for systemd's sysv-generator" from Debian. |
1022 | + [Not needed anymore since we have a native systemd service file |
1023 | + and no longer rely on the generator.] |
1024 | + - Enable autoreconf. This is no longer required for the security updates, |
1025 | + but is needed for the seddery of test-suite/Makefile.am in |
1026 | + d/t/upstream-test-suite. |
1027 | + [Replaced by patch 0003-installed-binary-for-debian-ci.patch] |
1028 | + - Adjust seddery for upstream test squid binary location. |
1029 | + [sed no longer necessary since patch, |
1030 | + 0003-installed-binary-for-debian-ci.patch, will be dropped |
1031 | + entirely.] |
1032 | + - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration |
1033 | + happened in Xenial, so no upgrade path still requires this code. This |
1034 | + reduces upgrade ordering difficulty. |
1035 | + [Again we have a migration, but this time from squid3 to squid, so we |
1036 | + need this]. |
1037 | + - GCC7 FTBFS fixes (LP: #1712668): |
1038 | + + d/rules: don't error when hitting the "deprecated" and |
1039 | + "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, |
1040 | + but one in Format.cc that affects 32bit builds was deemed too intrusive |
1041 | + for the 3.5 stable series and is only in squid 4.x |
1042 | + [No longer needed with squid 4.x] |
1043 | + - Do not force gcc-6 |
1044 | + [It was a temporary workaround in Debian that got dropped] |
1045 | + * Added changes: |
1046 | + - d/rules: enable cdbs parallel build |
1047 | + - d/t/test-squid.py: fix apparmor profile filename |
1048 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
1049 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
1050 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
1051 | + binary from the system, instead of the one from the source tree. |
1052 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
1053 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
1054 | + in that architecture. |
1055 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
1056 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
1057 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
1058 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
1059 | + - d/t/upstream-test-suite: drop the sed line, since patch |
1060 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
1061 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
1062 | + |
1063 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 |
1064 | + |
1065 | squid (4.1-1) unstable; urgency=high |
1066 | |
1067 | * New Upstream Release (Closes: #896120) |
1068 | diff --git a/debian/control b/debian/control |
1069 | index 844041f..f1a830f 100644 |
1070 | --- a/debian/control |
1071 | +++ b/debian/control |
1072 | @@ -1,7 +1,8 @@ |
1073 | Source: squid |
1074 | Section: web |
1075 | Priority: optional |
1076 | -Maintainer: Luigi Gangitano <luigi@debian.org> |
1077 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1078 | +XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> |
1079 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
1080 | Homepage: http://www.squid-cache.org |
1081 | Standards-Version: 4.6.2 |
1082 | @@ -35,7 +36,7 @@ Build-Depends: ed |
1083 | Package: squid |
1084 | Architecture: any |
1085 | Pre-Depends: ${misc:Pre-Depends}, adduser |
1086 | -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl |
1087 | +Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
1088 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
1089 | Recommends: libcap2-bin [linux-any], ca-certificates |
1090 | Conflicts: squid-openssl |
1091 | diff --git a/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
1092 | new file mode 100644 |
1093 | index 0000000..d3b3efc |
1094 | --- /dev/null |
1095 | +++ b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
1096 | @@ -0,0 +1,65 @@ |
1097 | +From: Sergio Durigan Junior <sergio.durigan@canonical.com> |
1098 | +Date: Tue, 9 Aug 2022 17:49:23 -0400 |
1099 | +Subject: Fix -Werror=alloc-size-larger-than on GCC 12 |
1100 | + |
1101 | +Author: Sergio Durigan Junior <sergiodj@ubuntu.com> |
1102 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/1118 |
1103 | +--- |
1104 | + src/SquidConfig.h | 2 +- |
1105 | + src/pconn.cc | 2 +- |
1106 | + src/pconn.h | 2 +- |
1107 | + src/store/Disks.cc | 2 +- |
1108 | + 4 files changed, 4 insertions(+), 4 deletions(-) |
1109 | + |
1110 | +diff --git a/src/SquidConfig.h b/src/SquidConfig.h |
1111 | +index feabdf1..6b3cca5 100644 |
1112 | +--- a/src/SquidConfig.h |
1113 | ++++ b/src/SquidConfig.h |
1114 | +@@ -61,7 +61,7 @@ public: |
1115 | + ~DiskConfig() { delete[] swapDirs; } |
1116 | + |
1117 | + RefCount<SwapDir> *swapDirs = nullptr; |
1118 | +- int n_allocated = 0; |
1119 | ++ unsigned int n_allocated = 0; |
1120 | + int n_configured = 0; |
1121 | + /// number of disk processes required to support all cache_dirs |
1122 | + int n_strands = 0; |
1123 | +diff --git a/src/pconn.cc b/src/pconn.cc |
1124 | +index 62e5411..d30726d 100644 |
1125 | +--- a/src/pconn.cc |
1126 | ++++ b/src/pconn.cc |
1127 | +@@ -167,7 +167,7 @@ IdleConnList::clearHandlers(const Comm::ConnectionPointer &conn) |
1128 | + void |
1129 | + IdleConnList::push(const Comm::ConnectionPointer &conn) |
1130 | + { |
1131 | +- if (size_ == capacity_) { |
1132 | ++ if ((unsigned int) size_ == capacity_) { |
1133 | + debugs(48, 3, "growing idle Connection array"); |
1134 | + capacity_ <<= 1; |
1135 | + const Comm::ConnectionPointer *oldList = theList_; |
1136 | +diff --git a/src/pconn.h b/src/pconn.h |
1137 | +index 85e44e5..b8f07d9 100644 |
1138 | +--- a/src/pconn.h |
1139 | ++++ b/src/pconn.h |
1140 | +@@ -80,7 +80,7 @@ private: |
1141 | + Comm::ConnectionPointer *theList_; |
1142 | + |
1143 | + /// Number of entries theList can currently hold without re-allocating (capacity). |
1144 | +- int capacity_; |
1145 | ++ unsigned int capacity_; |
1146 | + ///< Number of in-use entries in theList |
1147 | + int size_; |
1148 | + |
1149 | +diff --git a/src/store/Disks.cc b/src/store/Disks.cc |
1150 | +index 4e8710a..f9c3171 100644 |
1151 | +--- a/src/store/Disks.cc |
1152 | ++++ b/src/store/Disks.cc |
1153 | +@@ -685,7 +685,7 @@ allocate_new_swapdir(Store::DiskConfig *swap) |
1154 | + swap.swapDirs = new SwapDir::Pointer[swap.n_allocated]; |
1155 | + } |
1156 | + |
1157 | +- if (swap.n_allocated == swap.n_configured) { |
1158 | ++ if (swap.n_allocated == (size_t) swap.n_configured) { |
1159 | + swap.n_allocated <<= 1; |
1160 | + const auto tmp = new SwapDir::Pointer[swap.n_allocated]; |
1161 | + for (int i = 0; i < swap.n_configured; ++i) { |
1162 | diff --git a/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch b/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch |
1163 | new file mode 100644 |
1164 | index 0000000..64975b8 |
1165 | --- /dev/null |
1166 | +++ b/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch |
1167 | @@ -0,0 +1,24 @@ |
1168 | +Description: Fix -Werror=sign-compare |
1169 | + This is a consequence of |
1170 | + d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch on GCC 13. Once |
1171 | + that patch is dropped, this patch can most likely be dropped as well (even in |
1172 | + case 0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch is accepted |
1173 | + upstream, since the issue being fixed here will also need a fix upstream). |
1174 | + See https://github.com/squid-cache/squid/pull/1118#discussion_r941969015 for |
1175 | + further reference. |
1176 | +Author: Athos Ribeiro <athos.ribeiro@canonical.com> |
1177 | +Forwarded: not-needed |
1178 | +Last-Update: 2023-08-10 |
1179 | +--- |
1180 | +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ |
1181 | +--- a/src/store/Disks.cc |
1182 | ++++ b/src/store/Disks.cc |
1183 | +@@ -57,7 +57,7 @@ |
1184 | + SwapDirByIndex(const int i) |
1185 | + { |
1186 | + assert(i >= 0); |
1187 | +- assert(i < Config.cacheSwap.n_allocated); |
1188 | ++ assert((size_t) i < Config.cacheSwap.n_allocated); |
1189 | + const auto sd = INDEXSD(i); |
1190 | + assert(sd); |
1191 | + return *sd; |
1192 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch |
1193 | new file mode 100644 |
1194 | index 0000000..efd7265 |
1195 | --- /dev/null |
1196 | +++ b/debian/patches/90-cf.data.ubuntu.patch |
1197 | @@ -0,0 +1,21 @@ |
1198 | +Description: Add refresh patterns for deb packaging |
1199 | + |
1200 | +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> |
1201 | +Last-Updated: 2021-05-11 |
1202 | +Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15 |
1203 | + |
1204 | +--- a/src/cf.data.pre |
1205 | ++++ b/src/cf.data.pre |
1206 | +@@ -6552,6 +6552,12 @@ |
1207 | + # |
1208 | + refresh_pattern ^ftp: 1440 20% 10080 |
1209 | + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
1210 | ++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
1211 | ++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims |
1212 | ++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims |
1213 | ++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
1214 | ++# example pattern for deb packages |
1215 | ++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 |
1216 | + refresh_pattern . 0 20% 4320 |
1217 | + CONFIG_END |
1218 | + DOC_END |
1219 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
1220 | new file mode 100644 |
1221 | index 0000000..ad38cdf |
1222 | --- /dev/null |
1223 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
1224 | @@ -0,0 +1,28 @@ |
1225 | +Description: Add notice about Debian/Ubuntu's snakeoil certificate |
1226 | +Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com> |
1227 | +Forwarded: not-needed |
1228 | + |
1229 | +Index: squid/src/cf.data.pre |
1230 | +=================================================================== |
1231 | +--- squid.orig/src/cf.data.pre 2022-07-18 07:49:02.052257318 -0400 |
1232 | ++++ squid/src/cf.data.pre 2022-07-18 07:51:17.843207049 -0400 |
1233 | +@@ -3742,6 +3742,19 @@ |
1234 | + A client X.509 certificate to use when connecting to |
1235 | + this peer. |
1236 | + |
1237 | ++ Notes: |
1238 | ++ |
1239 | ++ On Debian/Ubuntu systems a default snakeoil certificate is |
1240 | ++ available in /etc/ssl and users can set: |
1241 | ++ |
1242 | ++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem |
1243 | ++ |
1244 | ++ and |
1245 | ++ |
1246 | ++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key |
1247 | ++ |
1248 | ++ for testing. |
1249 | ++ |
1250 | + sslkey=/path/to/ssl/key |
1251 | + The private key corresponding to sslcert above. |
1252 | + |
1253 | diff --git a/debian/patches/series b/debian/patches/series |
1254 | index 2612869..868b3c8 100644 |
1255 | --- a/debian/patches/series |
1256 | +++ b/debian/patches/series |
1257 | @@ -2,3 +2,7 @@ |
1258 | 0002-Change-default-file-locations-for-debian.patch |
1259 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
1260 | 0006-upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch |
1261 | +90-cf.data.ubuntu.patch |
1262 | +99-ubuntu-ssl-cert-snakeoil.patch |
1263 | +0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
1264 | +0010-Fix-Werror-sign-compare-on-GCC-13.patch |
1265 | diff --git a/debian/rules b/debian/rules |
1266 | index 59dce4e..df1c1f5 100755 |
1267 | --- a/debian/rules |
1268 | +++ b/debian/rules |
1269 | @@ -4,6 +4,11 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all |
1270 | export DEB_CFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations |
1271 | export DEB_CXXFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations |
1272 | |
1273 | +ifeq ($(DEB_HOST_ARCH), ppc64el) |
1274 | + DEB_CFLAGS_MAINT_APPEND += -Wno-error=maybe-uninitialized |
1275 | + DEB_CXXFLAGS_MAINT_APPEND += -Wno-error=maybe-uninitialized |
1276 | +endif |
1277 | + |
1278 | ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4)) |
1279 | DEB_LDFLAGS_MAINT_APPEND += -latomic |
1280 | endif |
1281 | @@ -89,9 +94,17 @@ override_dh_auto_build: |
1282 | dh_auto_build |
1283 | cd debian/build-openssl && dh_auto_build |
1284 | |
1285 | +execute_before_dh_auto_test: |
1286 | + # Do not include additional configuration files during tests. This would lead to failures due to missing paths. |
1287 | + sed -i 's|^\(include /etc/squid/conf\.d/\*\.conf\)|# \1|' src/squid.conf.default debian/build-openssl/src/squid.conf.default |
1288 | + |
1289 | override_dh_auto_test: |
1290 | - -dh_auto_test |
1291 | - -cd debian/build-openssl && dh_auto_test |
1292 | + dh_auto_test |
1293 | + cd debian/build-openssl && dh_auto_test |
1294 | + |
1295 | +execute_after_dh_auto_test: |
1296 | + # Restore configuration file to its previous state. |
1297 | + sed -i 's|^# \(include /etc/squid/conf\.d/\*\.conf\)|\1|' src/squid.conf.default debian/build-openssl/src/squid.conf.default |
1298 | |
1299 | override_dh_auto_install: |
1300 | dh_auto_install |
1301 | diff --git a/debian/tests/upstream-test-suite b/debian/tests/upstream-test-suite |
1302 | index a801bcb..fdd377a 100644 |
1303 | --- a/debian/tests/upstream-test-suite |
1304 | +++ b/debian/tests/upstream-test-suite |
1305 | @@ -2,6 +2,10 @@ |
1306 | set -e |
1307 | |
1308 | dpkg-source --before-build `pwd` |
1309 | + |
1310 | +# Use installed squid binary |
1311 | +sed -i 's|\$(top_builddir)/src/squid -k parse|/usr/sbin/squid -k parse|' test-suite/Makefile.am test-suite/Makefile.in |
1312 | + |
1313 | dh_update_autotools_config |
1314 | dh_autoreconf |
1315 | dh_auto_configure -- ${DEB_CONFIGURE_EXTRA_FLAGS} --with-gnutls |
1316 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid |
1317 | index d01bcd0..a34487a 100644 |
1318 | --- a/debian/usr.sbin.squid |
1319 | +++ b/debian/usr.sbin.squid |
1320 | @@ -51,6 +51,33 @@ |
1321 | # squid-langpack |
1322 | /usr/share/squid-langpack/** r, |
1323 | |
1324 | + # squid-deb-proxy |
1325 | + /etc/squid-deb-proxy/** r, |
1326 | + /{,var/}run/squid-deb-proxy.pid rwk, |
1327 | + /var/cache/squid-deb-proxy/ r, |
1328 | + /var/cache/squid-deb-proxy/** rwk, |
1329 | + /var/log/squid-deb-proxy/* rw, |
1330 | + |
1331 | + # squidguard |
1332 | + /usr/bin/squidGuard Cx -> squidguard, |
1333 | + profile squidguard { |
1334 | + #include <abstractions/base> |
1335 | + |
1336 | + /etc/squid/squidGuard.conf r, |
1337 | + /var/log/squid{,3}/squidGuard.log w, |
1338 | + /var/lib/squidguard/** rw, |
1339 | + |
1340 | + # squidguard by default uses /var/log/squid as its logdir, however, we |
1341 | + # don't want it to access squid's logs, only its own. Explicitly deny |
1342 | + # access to squid's files but allow all others since the user may specify |
1343 | + # anything for the squidGurad 'log' directive. |
1344 | + /var/log/squid{,3}/* rw, |
1345 | + audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, |
1346 | + |
1347 | + # Site-specific additions and overrides. See local/README for details. |
1348 | + #include <local/usr.sbin.squid> |
1349 | + } |
1350 | + |
1351 | # Site-specific additions and overrides. See local/README for details. |
1352 | #include <local/usr.sbin.squid> |
1353 | } |
Thanks, +1
range-diff looks sane, and all changes documented in d/changelog can be seen in range-diff.
I also didn't spot problematic changes in upstream release notes or in debian since our last merge.
This sounds like it could be submitted to debian. I checked salsa and BTS and found no mention of it: .1da7bd64bc 100755 dh_auto_ build: build-openssl && dh_auto_build
index 59dce4e5e8.
--- a/debian/rules
+++ b/debian/rules
@@ -90,8 +90,8 @@ override_
cd debian/
override_ dh_auto_ test: build-openssl && dh_auto_test build-openssl && dh_auto_test
- -dh_auto_test
- -cd debian/
+ dh_auto_test
+ cd debian/
override_ dh_auto_ install:
dh_auto_ install
I suppose this also needs b283e3a3ff6c668 1499c40a83dbd10 eeab2ae319 and 0f9dcf23a199170 3833679d33279b6 a821c595bb
+1 regardless