Merge ~athos-ribeiro/ubuntu/+source/squid:merge-lp2055179-noble into ubuntu/+source/squid:debian/sid
Proposed by: Athos Ribeiro
Status: | Merged |
---|---|
Approved by: | git-ubuntu bot |
Approved revision: | not available |
Merge reported by: | git-ubuntu bot |
Merged at revision: | c2873d2ba629580937b7d5fc5f04811c95929957 |
Proposed branch: | ~athos-ribeiro/ubuntu/+source/squid:merge-lp2055179-noble |
Merge into: | ubuntu/+source/squid:debian/sid |
Diff against target: | 1483 lines (+1244/-4), 12 files modified |
Related bugs: | |

Files modified:
- debian/NEWS (+7/-0)
- debian/changelog (+988/-0)
- debian/control (+3/-2)
- debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0)
- debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch (+24/-0)
- debian/patches/90-cf.data.ubuntu.patch (+21/-0)
- debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+28/-0)
- debian/patches/series (+4/-0)
- debian/rules (+19/-2)
- debian/source_squid.py (+54/-0)
- debian/tests/upstream-test-suite (+4/-0)
- debian/usr.sbin.squid (+27/-0)

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu bot | | | Approve |
Andreas Hasenack | | | Approve |
Canonical Server Reporter | | | Pending |
Canonical Server packageset reviewers | | | Pending |

Review via email: mp+461373@code.launchpad.net
Athos Ribeiro (athos-ribeiro) wrote:
Andreas Hasenack (ahasenack) wrote:
- range-diff ok
- dropped delta (CVE) ok
- new debian changes ok
- upstream changes ok
Do you remember what happened to these simpler bits of delta wrt debian? I checked salsa and the bug tracker, but didn't see the d/rules ones about the build time tests at least. I saw an abandoned PR from you in salsa, I guess due to not being answered.
In any case, all good, +1 to upload.
review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: athos-ribeiro, ahasenack
Uploaders: athos-ribeiro, ahasenack
MP auto-approved
review: Approve
Athos Ribeiro (athos-ribeiro) wrote:
> Do you remember what happened to these simpler bits of delta wrt debian?
Not really. I will re-assess and forward the relevant ones again after our feature freeze.
Thanks, Andreas. Uploaded!
Preview Diff
1 | diff --git a/debian/NEWS b/debian/NEWS |
2 | index 1ac410c..83136fb 100644 |
3 | --- a/debian/NEWS |
4 | +++ b/debian/NEWS |
5 | @@ -37,6 +37,13 @@ squid (4.13-2) unstable; urgency=high |
6 | |
7 | -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:43:37 +0100 |
8 | |
9 | +squid (4.13-1ubuntu2) groovy; urgency=medium |
10 | + |
11 | + Disable the NIS basic authentication helper, as it no longer builds with |
12 | + glibc 2.32. |
13 | + |
14 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Sep 2020 18:17:53 -0300 |
15 | + |
16 | squid (4.1-1) unstable; urgency=medium |
17 | |
18 | Starting from this release support for systemd init has been added to the |
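Review bot: The new 4.13-1ubuntu2 NEWS entry says the NIS basic authentication helper is disabled but names neither the helper program nor a bug reference, so an administrator whose squid.conf still points an auth_param line at it has nothing to search for when authentication stops working after the upgrade. Suggest adding the helper's binary name as it would appear in the configuration, the reference the changelog already uses for this change (LP #1895694), and a sentence on what to switch to.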
19 | diff --git a/debian/changelog b/debian/changelog |
20 | index 8e615c1..a964870 100644 |
21 | --- a/debian/changelog |
22 | +++ b/debian/changelog |
23 | @@ -1,3 +1,38 @@ |
24 | +squid (6.6-1ubuntu1) noble; urgency=medium |
25 | + |
26 | + * Merge with Debian unstable (LP: #2055179). Remaining changes: |
27 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
28 | + squidguard |
29 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
30 | + packaging |
31 | + - Use snakeoil certificates: |
32 | + + d/control: add ssl-cert to dependencies |
33 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
34 | + to the default config file |
35 | + - d/NEWS: drop the NIS basic auth helper (LP #1895694) |
36 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
37 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
38 | + - d/rules: halt build upon test failures. |
39 | + - d/rules: do not include additional configuration files during |
40 | + build time tests. This would lead to test failures due to missing |
41 | + paths. |
42 | + - d/t/upstream-test-suite: use installed squid binary for |
43 | + autopkgtest config file checks. |
44 | + - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison |
45 | + between signed and unsigned values. |
46 | + - d/rules: disable LTO related compilation errors for ppc64el builds. |
47 | + - d/source_squid.py, d/squid-common.install: Add apport hook |
48 | + (LP #676141) |
49 | + * Dropped changes: |
50 | + - SECURITY UPDATE: denial of service in HTTP request parsing |
51 | + - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log |
52 | + limit as error when exceeded in src/ClientRequestContext.h, |
53 | + src/client_side_request.cc. |
54 | + - CVE-2023-50269 |
55 | + [ Fixed upstream in 6.6 ] |
56 | + |
57 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 27 Feb 2024 12:25:05 -0300 |
58 | + |
59 | squid (6.6-1) unstable; urgency=high |
60 | |
61 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
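Review bot: In the 6.6-1ubuntu1 entry the apport hook line names d/squid-common.install, but the file list for this merge proposal shows debian/rules and debian/source_squid.py changed and no debian/squid-common.install, and the 6.5-1ubuntu2 entry that introduced the hook credits d/rules. Either the changelog line should read "d/source_squid.py, d/rules", or the install file is missing from the delta, in which case the hook would not be shipped. Separately, CVE-2023-50269.patch is dropped as "Fixed upstream in 6.6"; it is worth confirming that the x-forwarded-for hop limit is present in src/client_side_request.cc of the 6.6 source before upload.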
62 | @@ -16,6 +51,79 @@ squid (6.6-1) unstable; urgency=high |
63 | |
64 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jan 2024 13:04:20 +0100 |
65 | |
66 | +squid (6.5-1ubuntu3) noble; urgency=medium |
67 | + |
68 | + * SECURITY UPDATE: denial of service in HTTP request parsing |
69 | + - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log |
70 | + limit as error when exceeded in src/ClientRequestContext.h, |
71 | + src/client_side_request.cc. |
72 | + - CVE-2023-50269 |
73 | + |
74 | + -- Evan Caville <evan.caville@canonical.com> Thu, 25 Jan 2024 15:41:32 +1000 |
75 | + |
76 | +squid (6.5-1ubuntu2) noble; urgency=medium |
77 | + |
78 | + * d/source_squid.py, d/rules: Add apport hook |
79 | + (LP: #676141) |
80 | + |
81 | + -- Bryce Harrington <bryce@canonical.com> Thu, 18 Jan 2024 15:13:36 -0800 |
82 | + |
83 | +squid (6.5-1ubuntu1) noble; urgency=medium |
84 | + |
85 | + * Merge with Debian unstable (LP: #2040426). Remaining changes: |
86 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
87 | + squidguard |
88 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
89 | + packaging |
90 | + - Use snakeoil certificates: |
91 | + + d/control: add ssl-cert to dependencies |
92 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
93 | + to the default config file |
94 | + - d/NEWS: drop the NIS basic auth helper (LP #1895694) |
95 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
96 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
97 | + - d/rules: halt build upon test failures. |
98 | + - d/rules: do not include additional configuration files during |
99 | + build time tests. This would lead to test failures due to missing |
100 | + paths. |
101 | + - d/t/upstream-test-suite: use installed squid binary for |
102 | + autopkgtest config file checks. |
103 | + - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison |
104 | + between signed and unsigned values. |
105 | + - d/rules: disable LTO related compilation errors for ppc64el builds. |
106 | + * Dropped changes: |
107 | + - d/t/upstream-test-suite: make missing targets for squid 6. |
108 | + [ Fixed in Debian in 6.5-1 ] |
109 | + - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in |
110 | + Ftp::Client constructor leading to problems in FTP support. |
111 | + [ Fixed upstream in 6.2 ] |
112 | + - SECURITY UPDATE: DoS against certificate validation |
113 | + + debian/patches/CVE-2023-46724.patch: fix validation of certificates |
114 | + with CN=* in src/anyp/Uri.cc. |
115 | + + CVE-2023-46724 |
116 | + [ Fixed in Debian in 6.5-1 ] |
117 | + - SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder |
118 | + lenience |
119 | + + debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding |
120 | + compliance in src/http/one/Parser.cc, src/http/one/Parser.h, |
121 | + src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc, |
122 | + src/parser/Tokenizer.h. |
123 | + + CVE-2023-46846 |
124 | + [ Fixed in Debian in 6.5-1 ] |
125 | + - SECURITY UPDATE: DoS via HTTP Digest Authentication |
126 | + + debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when |
127 | + parsing Digest Authorization in src/auth/digest/Config.cc. |
128 | + + CVE-2023-46847 |
129 | + [ Fixed in Debian in 6.5-1 ] |
130 | + - SECURITY UPDATE: DoS via ftp:// URLs |
131 | + + debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in |
132 | + src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc, |
133 | + src/anyp/Uri.cc. |
134 | + + CVE-2023-46848 |
135 | + [ Fixed in Debian in 6.5-1 ] |
136 | + |
137 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 12 Dec 2023 12:05:40 -0300 |
138 | + |
139 | squid (6.5-1) unstable; urgency=high |
140 | |
141 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
142 | @@ -43,6 +151,70 @@ squid (6.3-1) unstable; urgency=medium |
143 | |
144 | -- Luigi Gangitano <luigi@debian.org> Thu, 28 Sep 2023 16:04:20 +0200 |
145 | |
146 | +squid (6.1-2ubuntu2) noble; urgency=medium |
147 | + |
148 | + * SECURITY UPDATE: DoS against certificate validation |
149 | + - debian/patches/CVE-2023-46724.patch: fix validation of certificates |
150 | + with CN=* in src/anyp/Uri.cc. |
151 | + - CVE-2023-46724 |
152 | + * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder |
153 | + lenience |
154 | + - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding |
155 | + compliance in src/http/one/Parser.cc, src/http/one/Parser.h, |
156 | + src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc, |
157 | + src/parser/Tokenizer.h. |
158 | + - CVE-2023-46846 |
159 | + * SECURITY UPDATE: DoS via HTTP Digest Authentication |
160 | + - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when |
161 | + parsing Digest Authorization in src/auth/digest/Config.cc. |
162 | + - CVE-2023-46847 |
163 | + * SECURITY UPDATE: DoS via ftp:// URLs |
164 | + - debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in |
165 | + src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc, |
166 | + src/anyp/Uri.cc. |
167 | + - CVE-2023-46848 |
168 | + |
169 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 13 Nov 2023 08:41:30 -0500 |
170 | + |
171 | +squid (6.1-2ubuntu1) mantic; urgency=medium |
172 | + |
173 | + * Merge with Debian unstable (LP: #2018110). Remaining changes: |
174 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
175 | + squidguard |
176 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
177 | + packaging |
178 | + - Use snakeoil certificates: |
179 | + + d/control: add ssl-cert to dependencies |
180 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
181 | + to the default config file |
182 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
183 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
184 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
185 | + - d/rules: halt build upon test failures. |
186 | + - d/rules: do not include additional configuration files during |
187 | + build time tests. This would lead to test failures due to missing |
188 | + paths. |
189 | + - d/t/upstream-test-suite: use installed squid binary for |
190 | + autopkgtest config file checks. |
191 | + * Drop changes: |
192 | + - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust |
193 | + MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS |
194 | + with GCC 11 (LP #1939352). |
195 | + [ Applied upstream in 6.0.1 ] |
196 | + - d/p/series: do not rely on installed binaries for build time tests. |
197 | + [ Applied in 6.1-1 ] |
198 | + - d/rules: disable LTO related compilation errors for s390x builds. |
199 | + [ Fixed in 6.1-1 ] |
200 | + * New changes: |
201 | + - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison |
202 | + between signed and unsigned values. |
203 | + - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in |
204 | + Ftp::Client constructor leading to problems in FTP support. |
205 | + - d/rules: disable LTO related compilation errors for ppc64el builds. |
206 | + - d/t/upstream-test-suite: make missing targets for squid 6. |
207 | + |
208 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 15 Aug 2023 21:51:44 -0300 |
209 | + |
210 | squid (6.1-2) unstable; urgency=low |
211 | |
212 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
213 | @@ -80,6 +252,61 @@ squid (5.7-2) unstable; urgency=medium |
214 | |
215 | -- Santiago Garcia Mantinan <manty@debian.org> Fri, 28 Apr 2023 08:35:27 +0200 |
216 | |
217 | +squid (5.7-1ubuntu3) lunar; urgency=medium |
218 | + |
219 | + * d/rules: |
220 | + - Re-enable LTO for s390x builds. (LP: #2011494) |
221 | + - Disable LTO related compilation errors for s390x builds. |
222 | + |
223 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 13 Mar 2023 21:54:07 -0300 |
224 | + |
225 | +squid (5.7-1ubuntu2) lunar; urgency=medium |
226 | + |
227 | + * Make builds fail when upstream test suite fails (LP: #2004050): |
228 | + - d/p/series: do not rely on installed binaries for build time tests. |
229 | + - d/rules: halt build upon test failures. |
230 | + - d/rules: do not include additional configuration files during |
231 | + build time tests. This would lead to test failures due to missing |
232 | + paths. |
233 | + - d/t/upstream-test-suite: use installed squid binary for |
234 | + autopkgtest config file checks. |
235 | + - d/rules: disable LTO for s390x builds. |
236 | + |
237 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Fri, 27 Jan 2023 11:06:05 -0300 |
238 | + |
239 | +squid (5.7-1ubuntu1) lunar; urgency=medium |
240 | + |
241 | + * Merge with Debian unstable (LP: #1993446). Remaining changes: |
242 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
243 | + squidguard |
244 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
245 | + packaging |
246 | + - Use snakeoil certificates: |
247 | + + d/control: add ssl-cert to dependencies |
248 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
249 | + to the default config file |
250 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
251 | + - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust |
252 | + MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS |
253 | + with GCC 11 (LP #1939352). |
254 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
255 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
256 | + * Drop changes: |
257 | + - d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables |
258 | + here. (LP #1988217) |
259 | + [ Not necessary anymore. ] |
260 | + - SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager |
261 | + - debian/patches/CVE-2022-41317.patch: fix typo in ACL in |
262 | + src/cf.data.pre. |
263 | + - CVE-2022-41317 |
264 | + [ Incorporated upstream. ] |
265 | + - SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication |
266 | + - debian/patches/CVE-2022-41318.patch: improve checks in |
267 | + lib/ntlmauth/ntlmauth.cc. |
268 | + [ Incorporated upstream. ] |
269 | + |
270 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 03 Jan 2023 17:39:52 -0500 |
271 | + |
272 | squid (5.7-1) unstable; urgency=medium |
273 | |
274 | * Urgency high due to security fixes |
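Review bot: Under "Drop changes" in 5.7-1ubuntu1, the CVE-2022-41318 item has no "- CVE-2022-41318" line, while the CVE-2022-41317 item directly above it and the 5.6-1ubuntu3 entry both carry one. Add the identifier line so both dropped fixes are recorded the same way. The sub-items here also nest with "-", where the 6.5-1ubuntu1 and 5.6-1ubuntu1 merge entries nest with "+" under a "-" item.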
275 | @@ -119,6 +346,78 @@ squid (5.7-1) unstable; urgency=medium |
276 | |
277 | -- Luigi Gangitano <luigi@debian.org> Tue, 4 Oct 2022 11:04:20 +0200 |
278 | |
279 | +squid (5.6-1ubuntu4) lunar; urgency=medium |
280 | + |
281 | + * No-change rebuild against libldap-2 |
282 | + |
283 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:56:14 +0000 |
284 | + |
285 | +squid (5.6-1ubuntu3) kinetic; urgency=medium |
286 | + |
287 | + * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager |
288 | + - debian/patches/CVE-2022-41317.patch: fix typo in ACL in |
289 | + src/cf.data.pre. |
290 | + - CVE-2022-41317 |
291 | + * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication |
292 | + - debian/patches/CVE-2022-41318.patch: improve checks in |
293 | + lib/ntlmauth/ntlmauth.cc. |
294 | + - CVE-2022-41318 |
295 | + |
296 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 23 Sep 2022 08:02:41 -0400 |
297 | + |
298 | +squid (5.6-1ubuntu2) kinetic; urgency=medium |
299 | + |
300 | + * d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables |
301 | + here. (LP: #1988217) |
302 | + |
303 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 30 Aug 2022 19:32:59 -0400 |
304 | + |
305 | +squid (5.6-1ubuntu1) kinetic; urgency=medium |
306 | + |
307 | + * Merge with Debian unstable (LP: #1971325). Remaining changes: |
308 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
309 | + squidguard |
310 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
311 | + packaging |
312 | + - Use snakeoil certificates: |
313 | + + d/control: add ssl-cert to dependencies |
314 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
315 | + to the default config file |
316 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
317 | + - Fix FTBFS with GCC 11 (LP #1939352) |
318 | + + d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Fix |
319 | + MAX_PKT{4,6}_SZ to account for icmpEchoData padding. |
320 | + * Drop changes: |
321 | + - Fix FTBFS with OpenSSL 3.0 (LP #1946205). The following new |
322 | + patches have been added: |
323 | + + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. |
324 | + + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. |
325 | + + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. |
326 | + + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. |
327 | + + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. |
328 | + + d/p/openssl3-Remove-stale-TODO-and-comment.patch. |
329 | + + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. |
330 | + + d/p/openssl3-Switch-to-BN_rand.patch. |
331 | + + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. |
332 | + + d/p/openssl3-Tweak-RSA-key-generator.patch. |
333 | + + d/p/openssl3-Update-ECDH-key-settings.patch. |
334 | + + d/p/openssl3-Update-license-disclaimer.patch. |
335 | + [ Incorporated by Debian. ] |
336 | + - SECURITY UPDATE: Denial of Service in Gopher Processing |
337 | + + debian/patches/CVE-2021-46784.patch: improve handling of Gopher |
338 | + responses in src/gopher.cc. |
339 | + [ Incorporated by upstream. ] |
340 | + - Fix FTBFS with GCC 11 (LP #1939352) |
341 | + + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround |
342 | + GCC 11 -Wstringop-overread bug. |
343 | + [ Not needed anymore. ] |
344 | + * Add changes: |
345 | + - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: |
346 | + Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. |
347 | + [ Forwarded upstream ] |
348 | + |
349 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 11 Aug 2022 17:13:45 -0400 |
350 | + |
351 | squid (5.6-1) unstable; urgency=high |
352 | |
353 | * Urgency high due to security fixes |
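Review bot: The 5.6-1ubuntu1 "Drop changes" list still includes d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch among the patches marked "[ Incorporated by Debian. ]", but the 5.2-1ubuntu4 entry had already dropped that patch (LP: #1968200) because enabling OpenSSL by default conflicts with shipping separate gnutls and openssl flavours. The entry should list it separately or omit it, so a reader does not conclude that the Debian packaging turns OpenSSL on by default. The 0009 patch is also marked "[ Forwarded upstream ]" with no link, and it is still carried as delta in 6.6-1ubuntu1; a reference to the upstream submission would let the next merger check its status.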
354 | @@ -159,6 +458,87 @@ squid (5.5-1) unstable; urgency=medium |
355 | |
356 | -- Luigi Gangitano <luigi@debian.org> Fri, 15 Apr 2022 14:39:54 +0200 |
357 | |
358 | +squid (5.2-1ubuntu5) kinetic; urgency=medium |
359 | + |
360 | + * SECURITY UPDATE: Denial of Service in Gopher Processing |
361 | + - debian/patches/CVE-2021-46784.patch: improve handling of Gopher |
362 | + responses in src/gopher.cc. |
363 | + - CVE-2021-46784 |
364 | + |
365 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 21 Jun 2022 13:38:17 -0400 |
366 | + |
367 | +squid (5.2-1ubuntu4) jammy; urgency=medium |
368 | + |
369 | + * Do not enable openssl as a default. This hinders packaging since we ship |
370 | + squid in two different flavours (gnutls and openssl). Drop |
371 | + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200) |
372 | + |
373 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 12 Apr 2022 23:41:41 -0300 |
374 | + |
375 | +squid (5.2-1ubuntu3) jammy; urgency=medium |
376 | + |
377 | + * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new |
378 | + patches have been added: |
379 | + - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. |
380 | + - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. |
381 | + - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. |
382 | + - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. |
383 | + - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. |
384 | + - d/p/openssl3-Remove-stale-TODO-and-comment.patch. |
385 | + - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. |
386 | + - d/p/openssl3-Switch-to-BN_rand.patch. |
387 | + - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. |
388 | + - d/p/openssl3-Tweak-RSA-key-generator.patch. |
389 | + - d/p/openssl3-Update-ECDH-key-settings.patch. |
390 | + - d/p/openssl3-Update-license-disclaimer.patch. |
391 | + |
392 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 08 Feb 2022 17:15:20 -0500 |
393 | + |
394 | +squid (5.2-1ubuntu2) jammy; urgency=medium |
395 | + |
396 | + * No-change rebuild against libssl3 |
397 | + |
398 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:10 +0000 |
399 | + |
400 | +squid (5.2-1ubuntu1) jammy; urgency=medium |
401 | + |
402 | + * Merge with Debian unstable (LP: #1946903). Remaining changes: |
403 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
404 | + squidguard |
405 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
406 | + packaging |
407 | + - Use snakeoil certificates: |
408 | + + d/control: add ssl-cert to dependencies |
409 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
410 | + to the default config file |
411 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) |
412 | + - Fix FTBFS with GCC 11 (LP #1939352) |
413 | + + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand |
414 | + MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr. |
415 | + + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround |
416 | + GCC 11 -Wstringop-overread bug. |
417 | + * Dropped changes: |
418 | + - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
419 | + Fix call to free on nonheap-object in snmpCreateOidFromStr |
420 | + [ Incorporated by upstream. ] |
421 | + - Fix failure to build on RISC-V (LP #1934891) |
422 | + [ Incorporated by upstream. ] |
423 | + - SECURITY UPDATE: information disclosure via OOB read in WCCP protocol |
424 | + + debian/patches/CVE-2021-28116.patch: validate packets better in |
425 | + src/wccp2.cc. |
426 | + + CVE-2021-28116 |
427 | + [ Incorporated by upstream. ] |
428 | + - Fix FTBFS with GCC 11 (LP #1939352) |
429 | + + d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace |
430 | + cbdata::Offset hack with offsetof(). |
431 | + + d/p/add-missing-limits-include-connmark.patch: Add missing |
432 | + <limits> include to src/acl/ConnMark.cc. |
433 | + [ Incorporated by upstream. This is a partial drop; the other |
434 | + two patches that compose this fix are still present in this |
435 | + release. ] |
436 | + |
437 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 01 Nov 2021 18:19:59 -0400 |
438 | + |
439 | squid (5.2-1) unstable; urgency=medium |
440 | |
441 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
442 | @@ -199,6 +579,58 @@ squid (5.1-2) unstable; urgency=medium |
443 | |
444 | -- Luigi Gangitano <luigi@debian.org> Fri, 17 Sep 2021 09:27:54 +0200 |
445 | |
446 | +squid (4.13-10ubuntu5) impish; urgency=medium |
447 | + |
448 | + * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol |
449 | + - debian/patches/CVE-2021-28116.patch: validate packets better in |
450 | + src/wccp2.cc. |
451 | + - CVE-2021-28116 |
452 | + |
453 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 04 Oct 2021 08:20:07 -0400 |
454 | + |
455 | +squid (4.13-10ubuntu4) impish; urgency=medium |
456 | + |
457 | + * Fix FTBFS with GCC 11 (LP: #1939352) |
458 | + - d/p/add-missing-limits-include-connmark.patch: Add missing |
459 | + <limits> include to src/acl/ConnMark.cc. |
460 | + - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch: Expand |
461 | + MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr. |
462 | + - d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace |
463 | + cbdata::Offset hack with offsetof(). |
464 | + - d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround |
465 | + GCC 11 -Wstringop-overread bug. |
466 | + |
467 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 20 Aug 2021 00:19:41 -0400 |
468 | + |
469 | +squid (4.13-10ubuntu3) impish; urgency=medium |
470 | + |
471 | + * Fix failure to build on RISC-V (LP: #1934891) |
472 | + |
473 | + -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Wed, 07 Jul 2021 14:11:51 +0200 |
474 | + |
475 | +squid (4.13-10ubuntu2) impish; urgency=medium |
476 | + |
477 | + * No-change rebuild due to OpenLDAP soname bump. |
478 | + |
479 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:05 -0400 |
480 | + |
481 | +squid (4.13-10ubuntu1) impish; urgency=medium |
482 | + |
483 | + * Merge with Debian unstable. Remaining changes: |
484 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
485 | + squidguard |
486 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
487 | + packaging |
488 | + - Use snakeoil certificates: |
489 | + + d/control: add ssl-cert to dependencies |
490 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
491 | + to the default config file |
492 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694) |
493 | + - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
494 | + Fix call to free on nonheap-object in snmpCreateOidFromStr |
495 | + |
496 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 04 Jun 2021 12:49:43 -0400 |
497 | + |
498 | squid (4.13-10) unstable; urgency=medium |
499 | |
500 | [ Francisco Vilmar Cardoso Ruviaro ] |
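Review bot: In 4.13-10ubuntu4 the second patch is written as d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch, with a doubled suffix, and its description ("Expand MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr") is the one that 5.2-1ubuntu1 attaches to d/p/expand-max-pkt-sz-accomodate-icmphdr.patch. Later entries refer to fix-max-pkt-sz-for-icmpEchoData-padding.patch with a different description, so it is unclear which file this upload actually added. The name should match the file that shipped in debian/patches for that upload.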
501 | @@ -217,6 +649,29 @@ squid (4.13-10) unstable; urgency=medium |
502 | |
503 | -- Santiago Garcia Mantinan <manty@debian.org> Fri, 28 May 2021 12:28:20 +0200 |
504 | |
505 | +squid (4.13-9ubuntu1) impish; urgency=medium |
506 | + |
507 | + * Merge with Debian unstable. Remaining changes: |
508 | + - d/usr.sbin.squid: Add sections for squid-deb-proxy and |
509 | + squidguard |
510 | + - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb |
511 | + packaging |
512 | + - Use snakeoil certificates: |
513 | + + d/control: add ssl-cert to dependencies |
514 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
515 | + to the default config file |
516 | + - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694) |
517 | + - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
518 | + Fix call to free on nonheap-object in snmpCreateOidFromStr |
519 | + * Drop changes: |
520 | + - debian/patches/CVE-2020-25097.patch: Add slash prefix to path- |
521 | + rootless or path-noscheme URLs in src/anyp/Uri.cc. |
522 | + [Included in 4.13-8] |
523 | + - d/usr.sbin.squid: Add section for maas-proxy |
524 | + [maas-proxy is no longer shipped as a deb package] |
525 | + |
526 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 18 May 2021 10:51:16 -0300 |
527 | + |
528 | squid (4.13-9) unstable; urgency=medium |
529 | |
530 | * Clarify on NEWS and scripts that we no longer remove logs on purge. |
531 | @@ -277,6 +732,46 @@ squid (4.13-2) unstable; urgency=high |
532 | |
533 | -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:39:45 +0100 |
534 | |
535 | +squid (4.13-1ubuntu4) hirsute; urgency=medium |
536 | + |
537 | + * d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch: |
538 | + Fix FTBFS on Hirsute s390x when compiling with GCC 10.2.0. |
539 | + |
540 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 05 Apr 2021 12:00:02 -0400 |
541 | + |
542 | +squid (4.13-1ubuntu3) hirsute; urgency=medium |
543 | + |
544 | + * SECURITY UPDATE: HTTP Request Smuggling issue |
545 | + - debian/patches/CVE-2020-25097.patch: Add slash prefix to path- |
546 | + rootless or path-noscheme URLs in src/anyp/Uri.cc. |
547 | + - CVE-2020-25097 |
548 | + |
549 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 25 Mar 2021 12:38:06 -0400 |
550 | + |
551 | +squid (4.13-1ubuntu2) groovy; urgency=medium |
552 | + |
553 | + * d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694) |
554 | + |
555 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Sep 2020 18:19:42 -0300 |
556 | + |
557 | +squid (4.13-1ubuntu1) groovy; urgency=medium |
558 | + |
559 | + * Merge with Debian unstable. Remaining changes: |
560 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
561 | + squidguard |
562 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
563 | + for debs. |
564 | + - Use snakeoil certificates: |
565 | + + d/control: add ssl-cert to dependencies |
566 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
567 | + to the default config file |
568 | + * Dropped changes: |
569 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
570 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
571 | + [ Accepted upstream. ] |
572 | + |
573 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 25 Aug 2020 15:01:58 -0400 |
574 | + |
575 | squid (4.13-1) unstable; urgency=high |
576 | |
577 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
578 | @@ -289,6 +784,43 @@ squid (4.13-1) unstable; urgency=high |
579 | |
580 | -- Luigi Gangitano <luigi@debian.org> Mon, 24 Aug 2020 17:27:54 +0200 |
581 | |
582 | +squid (4.12-1ubuntu1) groovy; urgency=medium |
583 | + |
584 | + * Merge with Debian unstable. Remaining changes: |
585 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
586 | + squidguard |
587 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
588 | + for debs. |
589 | + - Use snakeoil certificates: |
590 | + + d/control: add ssl-cert to dependencies |
591 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
592 | + to the default config file |
593 | + * Dropped changes, not needed anymore: |
594 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround |
595 | + if building for ppc64el. On that arch, dpkg-buildflags sets -O3 |
596 | + instead of -O2 and that triggers a format-truncation error on |
597 | + pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875. |
598 | + [ Dropped because the build now passes on ppc64el ] |
599 | + * Dropped changes, incorporated by Debian: |
600 | + - Don't restart squid by hand on postinst script |
601 | + + d/squid.postinst: When installing/upgrading squid, the service |
602 | + is being restarted manually in the postinst script, which can |
603 | + break installations that have the squid apparmor enabled because |
604 | + it will try to restart the service before reloading the apparmor |
605 | + profile. There is no reason to restart squid manually, since the |
606 | + restart will be automatically performed later. |
607 | + - Drop conffile check for squid < 2.7 |
608 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
609 | + safe to drop the postinst code to make sure that |
610 | + /etc/squid/squid.conf was properly upgraded. |
611 | + - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
612 | + that we now store the pidfile under '/run/squid/'. |
613 | + * Added changes: |
614 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
615 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
616 | + |
617 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400 |
618 | + |
619 | squid (4.12-1) unstable; urgency=high |
620 | |
621 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
622 | @@ -324,6 +856,63 @@ squid (4.12-1) unstable; urgency=high |
623 | |
624 | -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200 |
625 | |
626 | +squid (4.11-5ubuntu3) groovy; urgency=medium |
627 | + |
628 | + * No change rebuild against new libnettle8 and libhogweed6 ABI. |
629 | + |
630 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100 |
631 | + |
632 | +squid (4.11-5ubuntu2) groovy; urgency=medium |
633 | + |
634 | + * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
635 | + that we now store the pidfile under '/run/squid/'. |
636 | + |
637 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400 |
638 | + |
639 | +squid (4.11-5ubuntu1) groovy; urgency=medium |
640 | + |
641 | + * Merge with Debian unstable. Remaining changes: |
642 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
643 | + squidguard |
644 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for |
645 | + debs. |
646 | + - Use snakeoil certificates: |
647 | + + d/control: add ssl-cert to dependencies |
648 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the |
649 | + default config file |
650 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
651 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead |
652 | + of -O2 and that triggers a format-truncation error on pcon.cc. See See |
653 | + https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
654 | + * Dropped: |
655 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
656 | + deprecated in glibc 2.30 (LP #1843325) |
657 | + [ In 4.11-4 ] |
658 | + - SECURITY UPDATE: multiple ESI issues |
659 | + + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
660 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
661 | + src/esi/Esi.h, src/esi/Expression.cc. |
662 | + + CVE-2019-12519 |
663 | + [ In 4.11-4 ] |
664 | + - SECURITY UPDATE: Digest Authentication nonce replay issue |
665 | + + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
666 | + overflow in src/auth/digest/Config.cc. |
667 | + [ In 4.11-4 ] |
668 | + * Added: |
669 | + - Don't restart squid by hand on postinst script |
670 | + + d/squid.postinst: When installing/upgrading squid, the service |
671 | + is being restarted manually in the postinst script, which can |
672 | + break installations that have the squid apparmor enabled because |
673 | + it will try to restart the service before reloading the apparmor |
674 | + profile. There is no reason to restart squid manually, since the |
675 | + restart will be automatically performed later. |
676 | + - Drop conffile check for squid < 2.7 |
677 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
678 | + safe to drop the postinst code to make sure that |
679 | + /etc/squid/squid.conf was properly upgraded. |
680 | + |
681 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400 |
682 | + |
683 | squid (4.11-5) unstable; urgency=medium |
684 | |
685 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
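Review bot: in the 4.11-5ubuntu1 entry, the dropped item for debian/patches/CVE-2019-12519_12521.patch lists only CVE-2019-12519, and the dropped CVE-2020-11945.patch item lists no CVE identifier at all. The 4.10-1ubuntu2 entry that introduced both patches names CVE-2019-12519, CVE-2019-12521 and CVE-2020-11945. This is carried-over history, so I would not rewrite it in this merge, but anyone auditing CVE coverage by searching the changelog should go by the 4.10-1ubuntu2 entry and the "[ In 4.11-4 ]" markers rather than this summary. The doubled "See See" before the bugs.squid-cache.org link is inherited the same way.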
686 | @@ -402,6 +991,64 @@ squid (4.11-1) unstable; urgency=high |
687 | |
688 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 |
689 | |
690 | +squid (4.10-1ubuntu2) groovy; urgency=medium |
691 | + |
692 | + * SECURITY UPDATE: multiple ESI issues |
693 | + - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
694 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
695 | + src/esi/Esi.h, src/esi/Expression.cc. |
696 | + - CVE-2019-12519 |
697 | + - CVE-2019-12521 |
698 | + * SECURITY UPDATE: Digest Authentication nonce replay issue |
699 | + - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
700 | + overflow in src/auth/digest/Config.cc. |
701 | + - CVE-2020-11945 |
702 | + |
703 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400 |
704 | + |
705 | +squid (4.10-1ubuntu1) focal; urgency=medium |
706 | + |
707 | + * Merge with Debian unstable. Remaining changes: |
708 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
709 | + squidguard |
710 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. |
711 | + - Use snakeoil certificates: |
712 | + + d/control: add ssl-cert to dependencies |
713 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
714 | + to the default config file |
715 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
716 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
717 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
718 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
719 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
720 | + deprecated in glibc 2.30 (LP #1843325) |
721 | + * Dropped: |
722 | + - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
723 | + no longer available in Focal (LP: #1858827) |
724 | + [In 4.10-1, undocumented] |
725 | + - d/t/test-squid.py, d/t/squid: switch to python3 |
726 | + [In 4.10-1, undocumented] |
727 | + - d/t/control: depend on python3-minimal |
728 | + [In 4.10-1, undocumented] |
729 | + - SECURITY UPDATE: info disclosure via FTP server |
730 | + + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
731 | + src/clients/FtpGateway.cc. |
732 | + + CVE-2019-12528 |
733 | + [Fixed upstream] |
734 | + - SECURITY UPDATE: incorrect input validation and buffer management |
735 | + + debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
736 | + reverse proxy configurations in src/client_side.cc. |
737 | + + CVE-2020-8449 |
738 | + + CVE-2020-8450 |
739 | + [Fixed upstream] |
740 | + - SECURITY UPDATE: DoS in NTLM authentication |
741 | + + debian/patches/CVE-2020-8517.patch: improved username handling in |
742 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
743 | + + CVE-2020-8517 |
744 | + [Fixed upstream] |
745 | + |
746 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300 |
747 | + |
748 | squid (4.10-1) unstable; urgency=high |
749 | |
750 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
751 | @@ -423,6 +1070,70 @@ squid (4.10-1) unstable; urgency=high |
752 | |
753 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 |
754 | |
755 | +squid (4.9-2ubuntu4) focal; urgency=medium |
756 | + |
757 | + * SECURITY UPDATE: info disclosure via FTP server |
758 | + - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
759 | + src/clients/FtpGateway.cc. |
760 | + - CVE-2019-12528 |
761 | + * SECURITY UPDATE: incorrect input validation and buffer management |
762 | + - debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
763 | + reverse proxy configurations in src/client_side.cc. |
764 | + - CVE-2020-8449 |
765 | + - CVE-2020-8450 |
766 | + * SECURITY UPDATE: DoS in NTLM authentication |
767 | + - debian/patches/CVE-2020-8517.patch: improved username handling in |
768 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
769 | + - CVE-2020-8517 |
770 | + |
771 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500 |
772 | + |
773 | +squid (4.9-2ubuntu3) focal; urgency=medium |
774 | + |
775 | + * No-change rebuild with fixed binutils on arm64. |
776 | + |
777 | + -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000 |
778 | + |
779 | +squid (4.9-2ubuntu2) focal; urgency=medium |
780 | + |
781 | + * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
782 | + no longer available in Focal (LP: #1858827) |
783 | + * d/t/test-squid.py, d/t/squid: switch to python3 |
784 | + * d/t/control: depend on python3-minimal |
785 | + |
786 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300 |
787 | + |
788 | +squid (4.9-2ubuntu1) focal; urgency=medium |
789 | + |
790 | + * Merge with Debian unstable. Remaining changes: |
791 | + - Use snakeoil certificates. |
792 | + - Add an example refresh pattern for debs. |
793 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
794 | + squidguard |
795 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
796 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
797 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
798 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
799 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
800 | + deprecated in glibc 2.30 (LP #1843325) |
801 | + * Dropped: |
802 | + - d/rules: Only use -latomic with the intended architectures, instead of |
803 | + all of them. This matches what was suggested in |
804 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
805 | + [Fixed upstream] |
806 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
807 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
808 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
809 | + [Fixed upstream] |
810 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
811 | + lib/smblib/smblib-util.c. (LP #1835831) |
812 | + [Fixed upstream] |
813 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
814 | + mounted |
815 | + [Fixed upstream] |
816 | + |
817 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300 |
818 | + |
819 | squid (4.9-2) unstable; urgency=medium |
820 | |
821 | [ Andreas Hasenack <andreas@canonical.com> ] |
822 | @@ -479,6 +1190,73 @@ squid (4.9-1) unstable; urgency=high |
823 | |
824 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 |
825 | |
826 | +squid (4.8-1ubuntu3) focal; urgency=medium |
827 | + |
828 | + * No-change rebuild against libnettle7 |
829 | + |
830 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000 |
831 | + |
832 | +squid (4.8-1ubuntu2) eoan; urgency=medium |
833 | + |
834 | + * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
835 | + deprecated in glibc 2.30 (LP: #1843325) |
836 | + |
837 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300 |
838 | + |
839 | +squid (4.8-1ubuntu1) eoan; urgency=medium |
840 | + |
841 | + * Merge with Debian unstable. Remaining changes: |
842 | + - Use snakeoil certificates. |
843 | + - Add an example refresh pattern for debs. |
844 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
845 | + squidguard |
846 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
847 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
848 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
849 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
850 | + - d/rules: Only use -latomic with the intended architectures, instead of |
851 | + all of them. This matches what was suggested in |
852 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
853 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
854 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
855 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
856 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
857 | + lib/smblib/smblib-util.c. (LP #1835831) |
858 | + * Dropped: |
859 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
860 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
861 | + [Fixed upstream] |
862 | + - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged |
863 | + patch |
864 | + [Fixed upstream] |
865 | + - SECURITY UPDATE: incorrect digest auth parameter parsing |
866 | + + debian/patches/CVE-2019-12525.patch: check length in |
867 | + src/auth/digest/Config.cc. |
868 | + + CVE-2019-12525 |
869 | + [Fixed upstream] |
870 | + - SECURITY UPDATE: buffer overflow in basic auth decoding |
871 | + + debian/patches/CVE-2019-12527.patch: switch to SBuf in |
872 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
873 | + src/clients/FtpGateway.cc. |
874 | + + CVE-2019-12527 |
875 | + [Fixed upstream] |
876 | + - SECURITY UPDATE: basic auth uudecode length issue |
877 | + + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
878 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
879 | + include/uudecode.h, lib/uudecode.c. |
880 | + + CVE-2019-12529 |
881 | + [Fixed upstream] |
882 | + - SECURITY UPDATE: XSS issues in cachemgr.cgi |
883 | + + debian/patches/CVE-2019-13345.patch: properly escape values in |
884 | + tools/cachemgr.cc. |
885 | + + CVE-2019-13345 |
886 | + [Fixed upstream] |
887 | + * Added: |
888 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
889 | + mounted |
890 | + |
891 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 |
892 | + |
893 | squid (4.8-1) unstable; urgency=high |
894 | |
895 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
896 | @@ -497,6 +1275,86 @@ squid (4.8-1) unstable; urgency=high |
897 | |
898 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
899 | |
900 | +squid (4.6-2ubuntu4) eoan; urgency=medium |
901 | + |
902 | + * Fix gcc-9 issues (LP: #1835831) |
903 | + - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
904 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
905 | + lib/smblib/smblib-util.c. |
906 | + * SECURITY UPDATE: incorrect digest auth parameter parsing |
907 | + - debian/patches/CVE-2019-12525.patch: check length in |
908 | + src/auth/digest/Config.cc. |
909 | + - CVE-2019-12525 |
910 | + * SECURITY UPDATE: buffer overflow in basic auth decoding |
911 | + - debian/patches/CVE-2019-12527.patch: switch to SBuf in |
912 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
913 | + src/clients/FtpGateway.cc. |
914 | + - CVE-2019-12527 |
915 | + * SECURITY UPDATE: basic auth uudecode length issue |
916 | + - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
917 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
918 | + include/uudecode.h, lib/uudecode.c. |
919 | + - CVE-2019-12529 |
920 | + * SECURITY UPDATE: XSS issues in cachemgr.cgi |
921 | + - debian/patches/CVE-2019-13345.patch: properly escape values in |
922 | + tools/cachemgr.cc. |
923 | + - CVE-2019-13345 |
924 | + |
925 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 |
926 | + |
927 | +squid (4.6-2ubuntu3) eoan; urgency=medium |
928 | + |
929 | + * Override newly added gcc-9 flags: |
930 | + -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
931 | + NOTE: Overriding those flags is a possible security |
932 | + asked for info on the gcc-9 issue bug tracker: |
933 | + https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 |
934 | + |
935 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 |
936 | + |
937 | +squid (4.6-2ubuntu2) eoan; urgency=medium |
938 | + |
939 | + * Fix gcc-9 build issues with upstream merged patch |
940 | + |
941 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 |
942 | + |
943 | +squid (4.6-2ubuntu1) eoan; urgency=medium |
944 | + |
945 | + * Merge with Debian unstable. Remaining changes: |
946 | + - Use snakeoil certificates. |
947 | + - Add an example refresh pattern for debs. |
948 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
949 | + squidguard |
950 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
951 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
952 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
953 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
954 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
955 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
956 | + [Added Applied-Upstream header] |
957 | + - d/rules: Only use -latomic with the intended architectures, instead of |
958 | + all of them. This matches what was suggested in |
959 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
960 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
961 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
962 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
963 | + * Dropped: |
964 | + - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
965 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) |
966 | + [Fixed in 4.5-2] |
967 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
968 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
969 | + in that architecture. |
970 | + [Fixed upstream] |
971 | + - Add disabled by default AppArmor profile. |
972 | + [Added by Debian in 4.6-2] |
973 | + - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): |
974 | + + allow net_admin capability |
975 | + + add attach_disconnected flag |
976 | + [Fixed in 4.6-2] |
977 | + |
978 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 |
979 | + |
980 | squid (4.6-2) unstable; urgency=high |
981 | |
982 | [ Andreas Hasenack <andreas@canonical.com> ] |
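Review bot: the NOTE in the 4.6-2ubuntu3 entry is cut off mid-sentence ("Overriding those flags is a possible security" runs straight into "asked for info on the gcc-9 issue bug tracker"), so the changelog never states what the concern with -Wno-sizeof-pointer-memaccess and -Wno-stringop-truncation was. The 4.6-2ubuntu4 entry records that both flags were removed again in favour of more-gcc-9-fixes.patch, so nothing needs to change in the history; it is enough to confirm that the d/rules delta in this merge does not reintroduce either flag.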
983 | @@ -557,6 +1415,57 @@ squid (4.5-1) unstable; urgency=medium |
984 | |
985 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
986 | |
987 | +squid (4.4-1ubuntu2) disco; urgency=medium |
988 | + |
989 | + * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
990 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) |
991 | + |
992 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 |
993 | + |
994 | +squid (4.4-1ubuntu1) disco; urgency=medium |
995 | + |
996 | + * Merge with Debian unstable. Remaining changes: |
997 | + - Use snakeoil certificates. |
998 | + - Add an example refresh pattern for debs. |
999 | + - Add disabled by default AppArmor profile. |
1000 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
1001 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
1002 | + in that architecture. |
1003 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
1004 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
1005 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
1006 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
1007 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
1008 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
1009 | + * Drop: |
1010 | + - d/rules: enable cdbs parallel build |
1011 | + [Fixed in 4.2-1] |
1012 | + - d/t/test-squid.py: fix apparmor profile filename |
1013 | + [Fixed in 4.2-1] |
1014 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
1015 | + [Fixed in 4.2-1] |
1016 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
1017 | + [Fixed in 4.2-1] |
1018 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
1019 | + binary from the system, instead of the one from the source tree. |
1020 | + [Fixed in 4.2-1] |
1021 | + - d/t/upstream-test-suite: drop the sed line, since patch |
1022 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
1023 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
1024 | + [Fixed in 4.2-1] |
1025 | + * Added changes: |
1026 | + - d/rules: Only use -latomic with the intended architectures, instead of |
1027 | + all of them. This matches what was suggested in |
1028 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
1029 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
1030 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
1031 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
1032 | + - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): |
1033 | + + allow net_admin capability |
1034 | + + add attach_disconnected flag |
1035 | + |
1036 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 |
1037 | + |
1038 | squid (4.4-1) unstable; urgency=high |
1039 | |
1040 | * Urgency high due to security fixes |
1041 | @@ -621,6 +1530,85 @@ squid (4.2-1) unstable; urgency=high |
1042 | |
1043 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
1044 | |
1045 | +squid (4.1-1ubuntu3) cosmic; urgency=medium |
1046 | + |
1047 | + * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
1048 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) |
1049 | + |
1050 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 |
1051 | + |
1052 | +squid (4.1-1ubuntu2) cosmic; urgency=medium |
1053 | + |
1054 | + * d/usr.sbin.squid: Update apparmor profile to grant read access to squid |
1055 | + binary (LP: #1792728) |
1056 | + |
1057 | + -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 |
1058 | + |
1059 | +squid (4.1-1ubuntu1) cosmic; urgency=medium |
1060 | + |
1061 | + * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). |
1062 | + Remaining changes: |
1063 | + - Use snakeoil certificates. |
1064 | + [Updated to use the correct config setting names] |
1065 | + - Add an example refresh pattern for debs. |
1066 | + [Improved the refresh patterns based on the configuration from |
1067 | + squid-deb-proxy package] |
1068 | + - Add disabled by default AppArmor profile. |
1069 | + [Updated to include the ssl_certs abstraction and suggestions on how to |
1070 | + deal with the snakeoil private key and other keys in /etc/ssl.] |
1071 | + * Dropped changes: |
1072 | + - Add additional dep8 tests. |
1073 | + [Adopted in 4.0.21-1~exp5, albeit a stripped down version] |
1074 | + - Correct attribution and add explanatory note in d/NEWS.debian. |
1075 | + [That particular upgrade path has happened long ago.] |
1076 | + - Drop wrong short-circuiting of various invocations; we always want to |
1077 | + call the debhelper block. |
1078 | + [This was for the transitional squid3 package, and that transition has |
1079 | + already happened.] |
1080 | + - Revert "Set pidfile for systemd's sysv-generator" from Debian. |
1081 | + [Not needed anymore since we have a native systemd service file |
1082 | + and no longer rely on the generator.] |
1083 | + - Enable autoreconf. This is no longer required for the security updates, |
1084 | + but is needed for the seddery of test-suite/Makefile.am in |
1085 | + d/t/upstream-test-suite. |
1086 | + [Replaced by patch 0003-installed-binary-for-debian-ci.patch] |
1087 | + - Adjust seddery for upstream test squid binary location. |
1088 | + [sed no longer necessary since patch, |
1089 | + 0003-installed-binary-for-debian-ci.patch, will be dropped |
1090 | + entirely.] |
1091 | + - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration |
1092 | + happened in Xenial, so no upgrade path still requires this code. This |
1093 | + reduces upgrade ordering difficulty. |
1094 | + [Again we have a migration, but this time from squid3 to squid, so we |
1095 | + need this]. |
1096 | + - GCC7 FTBFS fixes (LP: #1712668): |
1097 | + + d/rules: don't error when hitting the "deprecated" and |
1098 | + "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, |
1099 | + but one in Format.cc that affects 32bit builds was deemed too intrusive |
1100 | + for the 3.5 stable series and is only in squid 4.x |
1101 | + [No longer needed with squid 4.x] |
1102 | + - Do not force gcc-6 |
1103 | + [It was a temporary workaround in Debian that got dropped] |
1104 | + * Added changes: |
1105 | + - d/rules: enable cdbs parallel build |
1106 | + - d/t/test-squid.py: fix apparmor profile filename |
1107 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
1108 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
1109 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
1110 | + binary from the system, instead of the one from the source tree. |
1111 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
1112 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
1113 | + in that architecture. |
1114 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
1115 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
1116 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
1117 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
1118 | + - d/t/upstream-test-suite: drop the sed line, since patch |
1119 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
1120 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
1121 | + |
1122 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 |
1123 | + |
1124 | squid (4.1-1) unstable; urgency=high |
1125 | |
1126 | * New Upstream Release (Closes: #896120) |
1127 | diff --git a/debian/control b/debian/control |
1128 | index 844041f..f1a830f 100644 |
1129 | --- a/debian/control |
1130 | +++ b/debian/control |
1131 | @@ -1,7 +1,8 @@ |
1132 | Source: squid |
1133 | Section: web |
1134 | Priority: optional |
1135 | -Maintainer: Luigi Gangitano <luigi@debian.org> |
1136 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1137 | +XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> |
1138 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
1139 | Homepage: http://www.squid-cache.org |
1140 | Standards-Version: 4.6.2 |
1141 | @@ -35,7 +36,7 @@ Build-Depends: ed |
1142 | Package: squid |
1143 | Architecture: any |
1144 | Pre-Depends: ${misc:Pre-Depends}, adduser |
1145 | -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl |
1146 | +Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
1147 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
1148 | Recommends: libcap2-bin [linux-any], ca-certificates |
1149 | Conflicts: squid-openssl |
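Review bot: ssl-cert is added as a hard Depends of the squid package, while the changelog describes the matching 99-ubuntu-ssl-cert-snakeoil.patch as only adding a note about ssl to the default config file. If nothing in the shipped configuration uses the snakeoil certificate by default, Recommends would give the same hint without forcing the package onto every install. If the hard dependency is intentional, a one-line rationale under the "Use snakeoil certificates" changelog item would save the next merger from asking the same question.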
1150 | diff --git a/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
1151 | new file mode 100644 |
1152 | index 0000000..d3b3efc |
1153 | --- /dev/null |
1154 | +++ b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
1155 | @@ -0,0 +1,65 @@ |
1156 | +From: Sergio Durigan Junior <sergio.durigan@canonical.com> |
1157 | +Date: Tue, 9 Aug 2022 17:49:23 -0400 |
1158 | +Subject: Fix -Werror=alloc-size-larger-than on GCC 12 |
1159 | + |
1160 | +Author: Sergio Durigan Junior <sergiodj@ubuntu.com> |
1161 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/1118 |
1162 | +--- |
1163 | + src/SquidConfig.h | 2 +- |
1164 | + src/pconn.cc | 2 +- |
1165 | + src/pconn.h | 2 +- |
1166 | + src/store/Disks.cc | 2 +- |
1167 | + 4 files changed, 4 insertions(+), 4 deletions(-) |
1168 | + |
1169 | +diff --git a/src/SquidConfig.h b/src/SquidConfig.h |
1170 | +index feabdf1..6b3cca5 100644 |
1171 | +--- a/src/SquidConfig.h |
1172 | ++++ b/src/SquidConfig.h |
1173 | +@@ -61,7 +61,7 @@ public: |
1174 | + ~DiskConfig() { delete[] swapDirs; } |
1175 | + |
1176 | + RefCount<SwapDir> *swapDirs = nullptr; |
1177 | +- int n_allocated = 0; |
1178 | ++ unsigned int n_allocated = 0; |
1179 | + int n_configured = 0; |
1180 | + /// number of disk processes required to support all cache_dirs |
1181 | + int n_strands = 0; |
1182 | +diff --git a/src/pconn.cc b/src/pconn.cc |
1183 | +index 62e5411..d30726d 100644 |
1184 | +--- a/src/pconn.cc |
1185 | ++++ b/src/pconn.cc |
1186 | +@@ -167,7 +167,7 @@ IdleConnList::clearHandlers(const Comm::ConnectionPointer &conn) |
1187 | + void |
1188 | + IdleConnList::push(const Comm::ConnectionPointer &conn) |
1189 | + { |
1190 | +- if (size_ == capacity_) { |
1191 | ++ if ((unsigned int) size_ == capacity_) { |
1192 | + debugs(48, 3, "growing idle Connection array"); |
1193 | + capacity_ <<= 1; |
1194 | + const Comm::ConnectionPointer *oldList = theList_; |
1195 | +diff --git a/src/pconn.h b/src/pconn.h |
1196 | +index 85e44e5..b8f07d9 100644 |
1197 | +--- a/src/pconn.h |
1198 | ++++ b/src/pconn.h |
1199 | +@@ -80,7 +80,7 @@ private: |
1200 | + Comm::ConnectionPointer *theList_; |
1201 | + |
1202 | + /// Number of entries theList can currently hold without re-allocating (capacity). |
1203 | +- int capacity_; |
1204 | ++ unsigned int capacity_; |
1205 | + ///< Number of in-use entries in theList |
1206 | + int size_; |
1207 | + |
1208 | +diff --git a/src/store/Disks.cc b/src/store/Disks.cc |
1209 | +index 4e8710a..f9c3171 100644 |
1210 | +--- a/src/store/Disks.cc |
1211 | ++++ b/src/store/Disks.cc |
1212 | +@@ -685,7 +685,7 @@ allocate_new_swapdir(Store::DiskConfig *swap) |
1213 | + swap.swapDirs = new SwapDir::Pointer[swap.n_allocated]; |
1214 | + } |
1215 | + |
1216 | +- if (swap.n_allocated == swap.n_configured) { |
1217 | ++ if (swap.n_allocated == (size_t) swap.n_configured) { |
1218 | + swap.n_allocated <<= 1; |
1219 | + const auto tmp = new SwapDir::Pointer[swap.n_allocated]; |
1220 | + for (int i = 0; i < swap.n_configured; ++i) { |
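Review bot: the two comparisons are silenced with different casts: "(unsigned int) size_ == capacity_" in src/pconn.cc, but "swap.n_allocated == (size_t) swap.n_configured" in src/store/Disks.cc, where n_allocated is now unsigned int rather than size_t. Suggest casting to unsigned int in both places so the cast matches the declared type. Since size_ and n_configured remain int, the conversion is only correct while they are non-negative; a short comment or an assert next to each cast would make that assumption explicit. The header also carries both From: and Author: with two different addresses for the same person, and one of them would do.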
1221 | diff --git a/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch b/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch |
1222 | new file mode 100644 |
1223 | index 0000000..64975b8 |
1224 | --- /dev/null |
1225 | +++ b/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch |
1226 | @@ -0,0 +1,24 @@ |
1227 | +Description: Fix -Werror=sign-compare |
1228 | + This is a consequence of |
1229 | + d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch on GCC 13. Once |
1230 | + that patch is dropped, this patch can most likely be dropped as well (even in |
1231 | + case 0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch is accepted |
1232 | + upstream, since the issue being fixed here will also need a fix upstream). |
1233 | + See https://github.com/squid-cache/squid/pull/1118#discussion_r941969015 for |
1234 | + further reference. |
1235 | +Author: Athos Ribeiro <athos.ribeiro@canonical.com> |
1236 | +Forwarded: not-needed |
1237 | +Last-Update: 2023-08-10 |
1238 | +--- |
1239 | +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ |
1240 | +--- a/src/store/Disks.cc |
1241 | ++++ b/src/store/Disks.cc |
1242 | +@@ -57,7 +57,7 @@ |
1243 | + SwapDirByIndex(const int i) |
1244 | + { |
1245 | + assert(i >= 0); |
1246 | +- assert(i < Config.cacheSwap.n_allocated); |
1247 | ++ assert((size_t) i < Config.cacheSwap.n_allocated); |
1248 | + const auto sd = INDEXSD(i); |
1249 | + assert(sd); |
1250 | + return *sd; |
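Review bot: the header says "Forwarded: not-needed", but the Description itself states that the issue fixed here "will also need a fix upstream" if 0009 is accepted there. Suggest replacing the field with "no" plus the reason, or pointing it at the pull/1118 discussion already linked in the Description, so the next merger knows this patch travels with 0009. In the code, "(size_t) i" is safe only because "assert(i >= 0)" runs first, and n_allocated is unsigned int after 0009, so a cast to unsigned int would match its type exactly.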
1251 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch |
1252 | new file mode 100644 |
1253 | index 0000000..efd7265 |
1254 | --- /dev/null |
1255 | +++ b/debian/patches/90-cf.data.ubuntu.patch |
1256 | @@ -0,0 +1,21 @@ |
1257 | +Description: Add refresh patterns for deb packaging |
1258 | + |
1259 | +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> |
1260 | +Last-Updated: 2021-05-11 |
1261 | +Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15 |
1262 | + |
1263 | +--- a/src/cf.data.pre |
1264 | ++++ b/src/cf.data.pre |
1265 | +@@ -6552,6 +6552,12 @@ |
1266 | + # |
1267 | + refresh_pattern ^ftp: 1440 20% 10080 |
1268 | + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
1269 | ++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
1270 | ++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims |
1271 | ++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims |
1272 | ++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
1273 | ++# example pattern for deb packages |
1274 | ++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 |
1275 | + refresh_pattern . 0 20% 4320 |
1276 | + CONFIG_END |
1277 | + DOC_END |
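Review bot: The patch header uses `Last-Updated:`, while the DEP-3 field name is `Last-Update:` (as used in 0010-Fix-Werror-sign-compare-on-GCC-13.patch in this same diff), so tools that parse DEP-3 headers will not pick up the date. Rename the field. Separately, the Description is a single line; a sentence on why the index files (Packages, Sources, Release, InRelease, Translation-*) get `0 0% 0 refresh-ims` would help whoever rebases this onto a new cf.data.pre.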
1278 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
1279 | new file mode 100644 |
1280 | index 0000000..ad38cdf |
1281 | --- /dev/null |
1282 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
1283 | @@ -0,0 +1,28 @@ |
1284 | +Description: Add notice about Debian/Ubuntu's snakeoil certificate |
1285 | +Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com> |
1286 | +Forwarded: not-needed |
1287 | + |
1288 | +Index: squid/src/cf.data.pre |
1289 | +=================================================================== |
1290 | +--- squid.orig/src/cf.data.pre 2022-07-18 07:49:02.052257318 -0400 |
1291 | ++++ squid/src/cf.data.pre 2022-07-18 07:51:17.843207049 -0400 |
1292 | +@@ -3742,6 +3742,19 @@ |
1293 | + A client X.509 certificate to use when connecting to |
1294 | + this peer. |
1295 | + |
1296 | ++ Notes: |
1297 | ++ |
1298 | ++ On Debian/Ubuntu systems a default snakeoil certificate is |
1299 | ++ available in /etc/ssl and users can set: |
1300 | ++ |
1301 | ++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem |
1302 | ++ |
1303 | ++ and |
1304 | ++ |
1305 | ++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key |
1306 | ++ |
1307 | ++ for testing. |
1308 | ++ |
1309 | + sslkey=/path/to/ssl/key |
1310 | + The private key corresponding to sslcert above. |
1311 | + |
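Review bot: In the added note under sslcert=, the qualifier "for testing." comes last, after both settings, so someone copying the sslcert= and sslkey= lines can easily miss it. Open the note with the restriction instead, stating that the snakeoil pair is a locally generated self-signed certificate intended for test setups only and should be replaced with a properly issued certificate and key before the peer connection carries real traffic.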
1312 | diff --git a/debian/patches/series b/debian/patches/series |
1313 | index 2612869..868b3c8 100644 |
1314 | --- a/debian/patches/series |
1315 | +++ b/debian/patches/series |
1316 | @@ -2,3 +2,7 @@ |
1317 | 0002-Change-default-file-locations-for-debian.patch |
1318 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
1319 | 0006-upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch |
1320 | +90-cf.data.ubuntu.patch |
1321 | +99-ubuntu-ssl-cert-snakeoil.patch |
1322 | +0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
1323 | +0010-Fix-Werror-sign-compare-on-GCC-13.patch |
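Review bot: The dependency between the last two entries is not recorded here: the header of 0010-Fix-Werror-sign-compare-on-GCC-13.patch says it is a consequence of 0009 and should be dropped together with it, but series lists them as two unrelated lines. A `#` comment above the pair would keep a future merge from dropping or reordering one without the other.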
1324 | diff --git a/debian/rules b/debian/rules |
1325 | index 59dce4e..8c6860a 100755 |
1326 | --- a/debian/rules |
1327 | +++ b/debian/rules |
1328 | @@ -4,6 +4,11 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all |
1329 | export DEB_CFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations |
1330 | export DEB_CXXFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations |
1331 | |
1332 | +ifeq ($(DEB_HOST_ARCH), ppc64el) |
1333 | + DEB_CFLAGS_MAINT_APPEND += -Wno-error=maybe-uninitialized |
1334 | + DEB_CXXFLAGS_MAINT_APPEND += -Wno-error=maybe-uninitialized |
1335 | +endif |
1336 | + |
1337 | ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4)) |
1338 | DEB_LDFLAGS_MAINT_APPEND += -latomic |
1339 | endif |
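Review bot: The new ppc64el block downgrades -Werror=maybe-uninitialized for the whole build with no comment saying which file triggers it or which bug tracks it. Since that warning can point at a real read of uninitialized memory, add a comment with the failing translation unit and a bug reference, so the exception can be removed once the underlying code or compiler is fixed rather than staying in place indefinitely.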
1340 | @@ -89,9 +94,17 @@ override_dh_auto_build: |
1341 | dh_auto_build |
1342 | cd debian/build-openssl && dh_auto_build |
1343 | |
1344 | +execute_before_dh_auto_test: |
1345 | + # Do not include additional configuration files during tests. This would lead to failures due to missing paths. |
1346 | + sed -i 's|^\(include /etc/squid/conf\.d/\*\.conf\)|# \1|' src/squid.conf.default debian/build-openssl/src/squid.conf.default |
1347 | + |
1348 | override_dh_auto_test: |
1349 | - -dh_auto_test |
1350 | - -cd debian/build-openssl && dh_auto_test |
1351 | + dh_auto_test |
1352 | + cd debian/build-openssl && dh_auto_test |
1353 | + |
1354 | +execute_after_dh_auto_test: |
1355 | + # Restore configuration file to its previous state. |
1356 | + sed -i 's|^# \(include /etc/squid/conf\.d/\*\.conf\)|\1|' src/squid.conf.default debian/build-openssl/src/squid.conf.default |
1357 | |
1358 | override_dh_auto_install: |
1359 | dh_auto_install |
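Review bot: The restore in execute_after_dh_auto_test runs only when the tests succeed, and dh_auto_test is now fatal (the leading `-` was removed), so a failing test run leaves both squid.conf.default files with the include line commented out for any rebuild in the same tree. The restore expression also uncomments any line that already read `# include /etc/squid/conf.d/*.conf` before the tests started. Running the tests against a temporary copy of the file, or keeping a backup and restoring it from a shell trap inside override_dh_auto_test, would avoid editing the shipped default in place.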
1360 | @@ -152,6 +165,10 @@ execute_after_dh_auto_install: |
1361 | dh_apparmor --profile-name=usr.sbin.squid -psquid |
1362 | |
1363 | override_dh_install: |
1364 | + # Apport hook |
1365 | + dh_install -psquid-common debian/source_squid.py \ |
1366 | + usr/share/apport/package-hooks/ |
1367 | + |
1368 | dh_install -psquid -psquid-common -psquidclient -psquid-cgi -psquid-purge \ |
1369 | --sourcedir=$(INSTALLDIR) |
1370 | dh_install -psquid-openssl \ |
1371 | diff --git a/debian/source_squid.py b/debian/source_squid.py |
1372 | new file mode 100644 |
1373 | index 0000000..c23e6da |
1374 | --- /dev/null |
1375 | +++ b/debian/source_squid.py |
1376 | @@ -0,0 +1,54 @@ |
1377 | +#!/usr/bin/python3 |
1378 | + |
1379 | +''' |
1380 | +Apport package hook for Squid |
1381 | + |
1382 | +Copyright (C) 2022 Canonical Ltd. |
1383 | +Author: Bryce Harrington <bryce@canonical.com> |
1384 | + |
1385 | +This program is free software; you can redistribute it and/or modify it |
1386 | +under the terms of the GNU General Public License as published by the |
1387 | +Free Software Foundation; either version 2 of the License, or (at your |
1388 | +option) any later version. See http://www.gnu.org/copyleft/gpl.html for |
1389 | +the full text of the license. |
1390 | +''' |
1391 | + |
1392 | +import os.path |
1393 | +from apport.hookutils import attach_file_if_exists |
1394 | + |
1395 | + |
1396 | +def add_info(report, ui=None): |
1397 | + '''Attaches squid-specific information to the Apport bug report.''' |
1398 | + def _add_file(report, filepath): |
1399 | + filename = os.path.basename(filepath) |
1400 | + attach_file_if_exists(report, filepath, key=filename) |
1401 | + |
1402 | + # Configs |
1403 | + _add_file(report, '/etc/squid/squid.conf') |
1404 | + _add_file(report, '/etc/squid/squid.d/debian.conf') |
1405 | + |
1406 | + if ui is None: |
1407 | + return |
1408 | + |
1409 | + # Logs |
1410 | + response = ui.yesno( |
1411 | + "The contents of your Squid cache.log and access.log files " |
1412 | + "may help developers diagnose your bug more quickly. " |
1413 | + "However, they may contain sensitive " "information. " |
1414 | + "Do you want to include them in your bug report?" |
1415 | + ) |
1416 | + if response is None: |
1417 | + # user cancelled |
1418 | + raise StopIteration |
1419 | + if response is True: |
1420 | + # Attach files |
1421 | + _add_file(report, '/var/log/squid/access.log') |
1422 | + _add_file(report, '/var/log/squid/cache.log') |
1423 | + |
1424 | + |
1425 | +### DEBUGGING ### |
1426 | +if __name__ == '__main__': |
1427 | + report = {} |
1428 | + add_info(report, None) |
1429 | + for key in report: |
1430 | + print(f'[{key}]\n{report[key]}') |
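Review bot: In add_info, /etc/squid/squid.conf is attached before the `ui is None` check and before the yes/no prompt, so the configuration always goes into the report without consent, although the prompt text itself acknowledges sensitive content only for the logs. squid.conf can hold credentials and internal host names, so either move the config attachment behind the same kind of prompt or mention it in the question. Also, the second config path is `/etc/squid/squid.d/debian.conf`, while the debian/rules hunk in this diff refers to `/etc/squid/conf.d/*.conf`; if conf.d is the real directory, attach_file_if_exists will silently skip the file.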
1431 | diff --git a/debian/tests/upstream-test-suite b/debian/tests/upstream-test-suite |
1432 | index a801bcb..fdd377a 100644 |
1433 | --- a/debian/tests/upstream-test-suite |
1434 | +++ b/debian/tests/upstream-test-suite |
1435 | @@ -2,6 +2,10 @@ |
1436 | set -e |
1437 | |
1438 | dpkg-source --before-build `pwd` |
1439 | + |
1440 | +# Use installed squid binary |
1441 | +sed -i 's|\$(top_builddir)/src/squid -k parse|/usr/sbin/squid -k parse|' test-suite/Makefile.am test-suite/Makefile.in |
1442 | + |
1443 | dh_update_autotools_config |
1444 | dh_autoreconf |
1445 | dh_auto_configure -- ${DEB_CONFIGURE_EXTRA_FLAGS} --with-gnutls |
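Review bot: The added sed exits 0 even when `$(top_builddir)/src/squid -k parse` no longer appears in test-suite/Makefile.am, so after an upstream change the suite would stop exercising /usr/sbin/squid without the autopkgtest noticing. Follow the sed with a grep for `/usr/sbin/squid -k parse` so that `set -e` aborts the run when the substitution did not apply. Editing Makefile.in as well looks redundant, since dh_autoreconf runs right afterwards and regenerates it from Makefile.am.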
1446 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid |
1447 | index d01bcd0..a34487a 100644 |
1448 | --- a/debian/usr.sbin.squid |
1449 | +++ b/debian/usr.sbin.squid |
1450 | @@ -51,6 +51,33 @@ |
1451 | # squid-langpack |
1452 | /usr/share/squid-langpack/** r, |
1453 | |
1454 | + # squid-deb-proxy |
1455 | + /etc/squid-deb-proxy/** r, |
1456 | + /{,var/}run/squid-deb-proxy.pid rwk, |
1457 | + /var/cache/squid-deb-proxy/ r, |
1458 | + /var/cache/squid-deb-proxy/** rwk, |
1459 | + /var/log/squid-deb-proxy/* rw, |
1460 | + |
1461 | + # squidguard |
1462 | + /usr/bin/squidGuard Cx -> squidguard, |
1463 | + profile squidguard { |
1464 | + #include <abstractions/base> |
1465 | + |
1466 | + /etc/squid/squidGuard.conf r, |
1467 | + /var/log/squid{,3}/squidGuard.log w, |
1468 | + /var/lib/squidguard/** rw, |
1469 | + |
1470 | + # squidguard by default uses /var/log/squid as its logdir, however, we |
1471 | + # don't want it to access squid's logs, only its own. Explicitly deny |
1472 | + # access to squid's files but allow all others since the user may specify |
1473 | + # anything for the squidGurad 'log' directive. |
1474 | + /var/log/squid{,3}/* rw, |
1475 | + audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, |
1476 | + |
1477 | + # Site-specific additions and overrides. See local/README for details. |
1478 | + #include <local/usr.sbin.squid> |
1479 | + } |
1480 | + |
1481 | # Site-specific additions and overrides. See local/README for details. |
1482 | #include <local/usr.sbin.squid> |
1483 | } |
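Review bot: The squidguard child profile ends with `#include <local/usr.sbin.squid>`, the same local include the parent profile uses a few lines below, so every site-specific rule an administrator adds for squid is also granted to squidGuard. Give the child its own include file so that local overrides for the proxy do not widen the helper's confinement. In the same block, `/var/log/squid{,3}/* rw,` followed by `audit deny` on `{access,cache,store}.log*` protects only logs with those three default names, so a squid log configured under another file name in that directory stays writable by squidGuard; the comment above it also misspells squidGuard as "squidGurad".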
Second merge for the nn cycle.
PPA: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/squid66-merge/+packages
DEP8 test suite PPA run: pending.