Ubuntu
squid package

Merge ~athos-ribeiro/ubuntu/+source/squid:merge-lp2055179-noble into ubuntu/+source/squid:debian/sid

Proposed by Athos Ribeiro on 2024-02-27

Status:

Merged

Approved by:

git-ubuntu bot on 2024-02-27

Approved revision:

not available

Merge reported by:

git-ubuntu bot

Merged at revision:

c2873d2ba629580937b7d5fc5f04811c95929957

Proposed branch:

~athos-ribeiro/ubuntu/+source/squid:merge-lp2055179-noble

Merge into:

ubuntu/+source/squid:debian/sid

Diff against target:

1483 lines (+1244/-4)

12 files modified

debian/NEWS (+7/-0)
debian/changelog (+988/-0)
debian/control (+3/-2)
debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0)
debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch (+24/-0)
debian/patches/90-cf.data.ubuntu.patch (+21/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+28/-0)
debian/patches/series (+4/-0)
debian/rules (+19/-2)
debian/source_squid.py (+54/-0)
debian/tests/upstream-test-suite (+4/-0)
debian/usr.sbin.squid (+27/-0)

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2024-02-27
Andreas Hasenack	2024-02-27	Approve on 2024-02-27
Canonical Server Reporter	2024-02-27	Pending
Canonical Server packageset reviewers	2024-02-27	Pending
Review via email: mp+461373@code.launchpad.net

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2024-02-27:

Second merge for the nn cycle.

PPA: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/squid66-merge/+packages

DEP8 test suite PPA run: pending.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2024-02-27:

- range-diff ok
- dropped delta (CVE) ok
- new debian changes ok
- upstream changes ok

Do you remember what happened to these simpler bits of delta wrt debian? I checked salsa and the bug tracker, but didn't see the d/rules ones about the build time tests at least. I saw an abandoned PR from you in salsa, I guess due to not being answered.

In any case, all good, +1 to upload.

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2024-02-27:

Approvers: athos-ribeiro, ahasenack
Uploaders: athos-ribeiro, ahasenack
MP auto-approved

review: Approve

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2024-02-27:

> Do you remember what happened to these simpler bits of delta wrt debian?

Not really. I will re-assess and forward the relevant ones again after our feature freeze.

Thanks, Andreas. Uploaded!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Athos Ribeiro

git-ubuntu developers

Ubuntu
squid package

Merge ~athos-ribeiro/ubuntu/+source/squid:merge-lp2055179-noble into ubuntu/+source/squid:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

 diff --git a/debian/NEWS b/debian/NEWS
 index 1ac410c..83136fb 100644
 --- a/debian/NEWS
 +++ b/debian/NEWS
@@ -37,6 +37,13 @@ squid (4.13-2) unstable; urgency=high
   -- Santiago Garcia Mantinan <manty@debian.org>  Sun, 07 Feb 2021 01:43:37 +0100
++squid (4.13-1ubuntu2) groovy; urgency=medium
++
++  Disable the NIS basic authentication helper, as it no longer builds with
++  glibc 2.32.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Sep 2020 18:17:53 -0300
++
  squid (4.1-1) unstable; urgency=medium
    Starting from this release support for systemd init has been added to the
 diff --git a/debian/changelog b/debian/changelog
 index 8e615c1..a964870 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,38 @@
++squid (6.6-1ubuntu1) noble; urgency=medium
++
++  * Merge with Debian unstable (LP: #2055179). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
++      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
++    - d/rules: halt build upon test failures.
++    - d/rules: do not include additional configuration files during
++      build time tests. This would lead to test failures due to missing
++      paths.
++    - d/t/upstream-test-suite: use installed squid binary for
++      autopkgtest config file checks.
++    - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison
++      between signed and unsigned values.
++    - d/rules: disable LTO related compilation errors for ppc64el builds.
++    - d/source_squid.py, d/squid-common.install: Add apport hook
++      (LP #676141)
++  * Dropped changes:
++    - SECURITY UPDATE: denial of service in HTTP request parsing
++      - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log
++        limit as error when exceeded in src/ClientRequestContext.h,
++        src/client_side_request.cc.
++      - CVE-2023-50269
++      [ Fixed upstream in 6.6 ]
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 27 Feb 2024 12:25:05 -0300
++
  squid (6.6-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -16,6 +51,79 @@ squid (6.6-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Thu, 18 Jan 2024 13:04:20 +0100
++squid (6.5-1ubuntu3) noble; urgency=medium
++
++  * SECURITY UPDATE: denial of service in HTTP request parsing
++    - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log
++      limit as error when exceeded in src/ClientRequestContext.h,
++      src/client_side_request.cc.
++    - CVE-2023-50269
++
++ -- Evan Caville <evan.caville@canonical.com>  Thu, 25 Jan 2024 15:41:32 +1000
++
++squid (6.5-1ubuntu2) noble; urgency=medium
++
++  * d/source_squid.py, d/rules: Add apport hook
++    (LP: #676141)
++
++ -- Bryce Harrington <bryce@canonical.com>  Thu, 18 Jan 2024 15:13:36 -0800
++
++squid (6.5-1ubuntu1) noble; urgency=medium
++
++  * Merge with Debian unstable (LP: #2040426). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
++      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
++    - d/rules: halt build upon test failures.
++    - d/rules: do not include additional configuration files during
++      build time tests. This would lead to test failures due to missing
++      paths.
++    - d/t/upstream-test-suite: use installed squid binary for
++      autopkgtest config file checks.
++    - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison
++      between signed and unsigned values.
++    - d/rules: disable LTO related compilation errors for ppc64el builds.
++  * Dropped changes:
++    - d/t/upstream-test-suite: make missing targets for squid 6.
++      [ Fixed in Debian in 6.5-1 ]
++    - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in
++      Ftp::Client constructor leading to problems in FTP support.
++      [ Fixed upstream in 6.2 ]
++    - SECURITY UPDATE: DoS against certificate validation
++      + debian/patches/CVE-2023-46724.patch: fix validation of certificates
++        with CN=* in src/anyp/Uri.cc.
++      + CVE-2023-46724
++      [ Fixed in Debian in 6.5-1 ]
++    - SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
++      lenience
++      + debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
++        compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
++        src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
++        src/parser/Tokenizer.h.
++      + CVE-2023-46846
++      [ Fixed in Debian in 6.5-1 ]
++    - SECURITY UPDATE: DoS via HTTP Digest Authentication
++      + debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
++        parsing Digest Authorization in src/auth/digest/Config.cc.
++      + CVE-2023-46847
++      [ Fixed in Debian in 6.5-1 ]
++    - SECURITY UPDATE: DoS via ftp:// URLs
++      + debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
++        src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
++        src/anyp/Uri.cc.
++      + CVE-2023-46848
++      [ Fixed in Debian in 6.5-1 ]
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 12 Dec 2023 12:05:40 -0300
++
  squid (6.5-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -43,6 +151,70 @@ squid (6.3-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Thu, 28 Sep 2023 16:04:20 +0200
++squid (6.1-2ubuntu2) noble; urgency=medium
++
++  * SECURITY UPDATE: DoS against certificate validation
++    - debian/patches/CVE-2023-46724.patch: fix validation of certificates
++      with CN=* in src/anyp/Uri.cc.
++    - CVE-2023-46724
++  * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
++    lenience
++    - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
++      compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
++      src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
++      src/parser/Tokenizer.h.
++    - CVE-2023-46846
++  * SECURITY UPDATE: DoS via HTTP Digest Authentication
++    - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
++      parsing Digest Authorization in src/auth/digest/Config.cc.
++    - CVE-2023-46847
++  * SECURITY UPDATE: DoS via ftp:// URLs
++    - debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
++      src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
++      src/anyp/Uri.cc.
++    - CVE-2023-46848
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 13 Nov 2023 08:41:30 -0500
++
++squid (6.1-2ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2018110). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
++      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
++    - d/rules: halt build upon test failures.
++    - d/rules: do not include additional configuration files during
++      build time tests. This would lead to test failures due to missing
++      paths.
++    - d/t/upstream-test-suite: use installed squid binary for
++      autopkgtest config file checks.
++  * Drop changes:
++    - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust
++      MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS
++      with GCC 11 (LP #1939352).
++      [ Applied upstream in 6.0.1 ]
++    - d/p/series: do not rely on installed binaries for build time tests.
++      [ Applied in 6.1-1 ]
++    - d/rules: disable LTO related compilation errors for s390x builds.
++      [ Fixed in 6.1-1 ]
++  * New changes:
++    - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison
++      between signed and unsigned values.
++    - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in
++      Ftp::Client constructor leading to problems in FTP support.
++    - d/rules: disable LTO related compilation errors for ppc64el builds.
++    - d/t/upstream-test-suite: make missing targets for squid 6.
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 15 Aug 2023 21:51:44 -0300
++
  squid (6.1-2) unstable; urgency=low
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -80,6 +252,61 @@ squid (5.7-2) unstable; urgency=medium
   -- Santiago Garcia Mantinan <manty@debian.org>  Fri, 28 Apr 2023 08:35:27 +0200
++squid (5.7-1ubuntu3) lunar; urgency=medium
++
++  * d/rules:
++    - Re-enable LTO for s390x builds. (LP: #2011494)
++    - Disable LTO related compilation errors for s390x builds.
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Mon, 13 Mar 2023 21:54:07 -0300
++
++squid (5.7-1ubuntu2) lunar; urgency=medium
++
++  * Make builds fail when upstream test suite fails (LP: #2004050):
++    - d/p/series: do not rely on installed binaries for build time tests.
++    - d/rules: halt build upon test failures.
++    - d/rules: do not include additional configuration files during
++      build time tests. This would lead to test failures due to missing
++      paths.
++    - d/t/upstream-test-suite: use installed squid binary for
++      autopkgtest config file checks.
++    - d/rules: disable LTO for s390x builds.
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Fri, 27 Jan 2023 11:06:05 -0300
++
++squid (5.7-1ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable (LP: #1993446). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust
++      MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS
++      with GCC 11 (LP #1939352).
++    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
++      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
++  * Drop changes:
++    - d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables
++      here. (LP #1988217)
++      [ Not necessary anymore. ]
++    - SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager
++      - debian/patches/CVE-2022-41317.patch: fix typo in ACL in
++        src/cf.data.pre.
++      - CVE-2022-41317
++      [ Incorporated upstream. ]
++    - SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
++      - debian/patches/CVE-2022-41318.patch: improve checks in
++        lib/ntlmauth/ntlmauth.cc.
++      [ Incorporated upstream. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 03 Jan 2023 17:39:52 -0500
++
  squid (5.7-1) unstable; urgency=medium
    * Urgency high due to security fixes
@@ -119,6 +346,78 @@ squid (5.7-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Tue,  4 Oct 2022 11:04:20 +0200
++squid (5.6-1ubuntu4) lunar; urgency=medium
++
++  * No-change rebuild against libldap-2
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 15 Dec 2022 19:56:14 +0000
++
++squid (5.6-1ubuntu3) kinetic; urgency=medium
++
++  * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager
++    - debian/patches/CVE-2022-41317.patch: fix typo in ACL in
++      src/cf.data.pre.
++    - CVE-2022-41317
++  * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
++    - debian/patches/CVE-2022-41318.patch: improve checks in
++      lib/ntlmauth/ntlmauth.cc.
++    - CVE-2022-41318
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 23 Sep 2022 08:02:41 -0400
++
++squid (5.6-1ubuntu2) kinetic; urgency=medium
++
++  * d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables
++    here. (LP: #1988217)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 30 Aug 2022 19:32:59 -0400
++
++squid (5.6-1ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1971325). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Fix
++        MAX_PKT{4,6}_SZ to account for icmpEchoData padding.
++  * Drop changes:
++    - Fix FTBFS with OpenSSL 3.0 (LP #1946205).  The following new
++      patches have been added:
++      + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
++      + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
++      + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
++      + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
++      + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
++      + d/p/openssl3-Remove-stale-TODO-and-comment.patch.
++      + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
++      + d/p/openssl3-Switch-to-BN_rand.patch.
++      + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
++      + d/p/openssl3-Tweak-RSA-key-generator.patch.
++      + d/p/openssl3-Update-ECDH-key-settings.patch.
++      + d/p/openssl3-Update-license-disclaimer.patch.
++      [ Incorporated by Debian. ]
++    - SECURITY UPDATE: Denial of Service in Gopher Processing
++      + debian/patches/CVE-2021-46784.patch: improve handling of Gopher
++        responses in src/gopher.cc.
++      [ Incorporated by upstream. ]
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
++        GCC 11 -Wstringop-overread bug.
++      [ Not needed anymore. ]
++  * Add changes:
++    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
++      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
++      [ Forwarded upstream ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Thu, 11 Aug 2022 17:13:45 -0400
++
  squid (5.6-1) unstable; urgency=high
    * Urgency high due to security fixes
@@ -159,6 +458,87 @@ squid (5.5-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Fri, 15 Apr 2022 14:39:54 +0200
++squid (5.2-1ubuntu5) kinetic; urgency=medium
++
++  * SECURITY UPDATE: Denial of Service in Gopher Processing
++    - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
++      responses in src/gopher.cc.
++    - CVE-2021-46784
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 21 Jun 2022 13:38:17 -0400
++
++squid (5.2-1ubuntu4) jammy; urgency=medium
++
++  * Do not enable openssl as a default. This hinders packaging since we ship
++    squid in two different flavours (gnutls and openssl). Drop
++    d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200)
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 12 Apr 2022 23:41:41 -0300
++
++squid (5.2-1ubuntu3) jammy; urgency=medium
++
++  * Fix FTBFS with OpenSSL 3.0 (LP: #1946205).  The following new
++    patches have been added:
++    - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
++    - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
++    - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
++    - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
++    - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
++    - d/p/openssl3-Remove-stale-TODO-and-comment.patch.
++    - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
++    - d/p/openssl3-Switch-to-BN_rand.patch.
++    - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
++    - d/p/openssl3-Tweak-RSA-key-generator.patch.
++    - d/p/openssl3-Update-ECDH-key-settings.patch.
++    - d/p/openssl3-Update-license-disclaimer.patch.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 08 Feb 2022 17:15:20 -0500
++
++squid (5.2-1ubuntu2) jammy; urgency=medium
++
++  * No-change rebuild against libssl3
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 09 Dec 2021 00:19:10 +0000
++
++squid (5.2-1ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable (LP: #1946903). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand
++        MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
++      + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
++        GCC 11 -Wstringop-overread bug.
++  * Dropped changes:
++    - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++      Fix call to free on nonheap-object in snmpCreateOidFromStr
++      [ Incorporated by upstream. ]
++    - Fix failure to build on RISC-V (LP #1934891)
++      [ Incorporated by upstream. ]
++    - SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
++      + debian/patches/CVE-2021-28116.patch: validate packets better in
++        src/wccp2.cc.
++      + CVE-2021-28116
++      [ Incorporated by upstream. ]
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
++        cbdata::Offset hack with offsetof().
++      + d/p/add-missing-limits-include-connmark.patch: Add missing
++        <limits> include to src/acl/ConnMark.cc.
++      [ Incorporated by upstream.  This is a partial drop; the other
++        two patches that compose this fix are still present in this
++        release. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 01 Nov 2021 18:19:59 -0400
++
  squid (5.2-1) unstable; urgency=medium
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -199,6 +579,58 @@ squid (5.1-2) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Fri, 17 Sep 2021 09:27:54 +0200
++squid (4.13-10ubuntu5) impish; urgency=medium
++
++  * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
++    - debian/patches/CVE-2021-28116.patch: validate packets better in
++      src/wccp2.cc.
++    - CVE-2021-28116
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 04 Oct 2021 08:20:07 -0400
++
++squid (4.13-10ubuntu4) impish; urgency=medium
++
++  * Fix FTBFS with GCC 11 (LP: #1939352)
++    - d/p/add-missing-limits-include-connmark.patch: Add missing
++      <limits> include to src/acl/ConnMark.cc.
++    - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch: Expand
++      MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
++    - d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
++      cbdata::Offset hack with offsetof().
++    - d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
++      GCC 11 -Wstringop-overread bug.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 20 Aug 2021 00:19:41 -0400
++
++squid (4.13-10ubuntu3) impish; urgency=medium
++
++  * Fix failure to build on RISC-V (LP: #1934891)
++
++ -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Wed, 07 Jul 2021 14:11:51 +0200
++
++squid (4.13-10ubuntu2) impish; urgency=medium
++
++  * No-change rebuild due to OpenLDAP soname bump.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 18:09:05 -0400
++
++squid (4.13-10ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
++    - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++      Fix call to free on nonheap-object in snmpCreateOidFromStr
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 04 Jun 2021 12:49:43 -0400
++
  squid (4.13-10) unstable; urgency=medium
    [ Francisco Vilmar Cardoso Ruviaro ]
@@ -217,6 +649,29 @@ squid (4.13-10) unstable; urgency=medium
   -- Santiago Garcia Mantinan <manty@debian.org>  Fri, 28 May 2021 12:28:20 +0200
++squid (4.13-9ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
++    - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++      Fix call to free on nonheap-object in snmpCreateOidFromStr
++  * Drop changes:
++    - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
++      rootless or path-noscheme URLs in src/anyp/Uri.cc.
++      [Included in 4.13-8]
++    - d/usr.sbin.squid: Add section for maas-proxy
++      [maas-proxy is no longer shipped as a deb package]
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 18 May 2021 10:51:16 -0300
++
  squid (4.13-9) unstable; urgency=medium
    * Clarify on NEWS and scripts that we no longer remove logs on purge.
@@ -277,6 +732,46 @@ squid (4.13-2) unstable; urgency=high
   -- Santiago Garcia Mantinan <manty@debian.org>  Sun, 07 Feb 2021 01:39:45 +0100
++squid (4.13-1ubuntu4) hirsute; urgency=medium
++
++  * d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++    Fix FTBFS on Hirsute s390x when compiling with GCC 10.2.0.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 05 Apr 2021 12:00:02 -0400
++
++squid (4.13-1ubuntu3) hirsute; urgency=medium
++
++  * SECURITY UPDATE: HTTP Request Smuggling issue
++    - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
++      rootless or path-noscheme URLs in src/anyp/Uri.cc.
++    - CVE-2020-25097
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Mar 2021 12:38:06 -0400
++
++squid (4.13-1ubuntu2) groovy; urgency=medium
++
++  * d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Sep 2020 18:19:42 -0300
++
++squid (4.13-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
++      for debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++  * Dropped changes:
++    - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
++      Fix GCC-10 build failure due to -Wstringop-truncation warning.
++      [ Accepted upstream. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 25 Aug 2020 15:01:58 -0400
++
  squid (4.13-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -289,6 +784,43 @@ squid (4.13-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Mon, 24 Aug 2020 17:27:54 +0200
++squid (4.12-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
++      for debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++  * Dropped changes, not needed anymore:
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround
++      if building for ppc64el. On that arch, dpkg-buildflags sets -O3
++      instead of -O2 and that triggers a format-truncation error on
++      pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875.
++      [ Dropped because the build now passes on ppc64el ]
++  * Dropped changes, incorporated by Debian:
++    - Don't restart squid by hand on postinst script
++      + d/squid.postinst: When installing/upgrading squid, the service
++        is being restarted manually in the postinst script, which can
++        break installations that have the squid apparmor enabled because
++        it will try to restart the service before reloading the apparmor
++        profile.  There is no reason to restart squid manually, since the
++        restart will be automatically performed later.
++    - Drop conffile check for squid < 2.7
++      + d/squid.postinst: squid 2.7 is long, long gone, so it should be
++        safe to drop the postinst code to make sure that
++        /etc/squid/squid.conf was properly upgraded.
++    - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
++      that we now store the pidfile under '/run/squid/'.
++  * Added changes:
++    - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
++      Fix GCC-10 build failure due to -Wstringop-truncation warning.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 10 Aug 2020 11:20:46 -0400
++
  squid (4.12-1) unstable; urgency=high
    [ Sergio Durigan Junior <sergiodj@debian.org> ]
@@ -324,6 +856,63 @@ squid (4.12-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Wed,  1 Jul 2020 10:52:54 +0200
++squid (4.11-5ubuntu3) groovy; urgency=medium
++
++  * No change rebuild against new libnettle8 and libhogweed6 ABI.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 29 Jun 2020 22:38:13 +0100
++
++squid (4.11-5ubuntu2) groovy; urgency=medium
++
++  * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
++    that we now store the pidfile under '/run/squid/'.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 20 May 2020 10:32:32 -0400
++
++squid (4.11-5ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for
++      debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
++        default config file
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead
++      of -O2 and that triggers a format-truncation error on pcon.cc. See See
++      https://bugs.squid-cache.org/show_bug.cgi?id=4875
++  * Dropped:
++    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++      deprecated in glibc 2.30 (LP #1843325)
++      [ In 4.11-4 ]
++    - SECURITY UPDATE: multiple ESI issues
++      + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
++        into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
++        src/esi/Esi.h, src/esi/Expression.cc.
++      + CVE-2019-12519
++      [ In 4.11-4 ]
++    - SECURITY UPDATE: Digest Authentication nonce replay issue
++      + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
++        overflow in src/auth/digest/Config.cc.
++      [ In 4.11-4 ]
++  * Added:
++    - Don't restart squid by hand on postinst script
++      + d/squid.postinst: When installing/upgrading squid, the service
++        is being restarted manually in the postinst script, which can
++        break installations that have the squid apparmor enabled because
++        it will try to restart the service before reloading the apparmor
++        profile.  There is no reason to restart squid manually, since the
++        restart will be automatically performed later.
++    - Drop conffile check for squid < 2.7
++      + d/squid.postinst: squid 2.7 is long, long gone, so it should be
++        safe to drop the postinst code to make sure that
++        /etc/squid/squid.conf was properly upgraded.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 19 May 2020 14:43:04 -0400
++
  squid (4.11-5) unstable; urgency=medium
    [ Sergio Durigan Junior <sergiodj@debian.org> ]
@@ -402,6 +991,64 @@ squid (4.11-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Thu, 23 Apr 2020 19:34:54 +0200
++squid (4.10-1ubuntu2) groovy; urgency=medium
++
++  * SECURITY UPDATE: multiple ESI issues
++    - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
++      into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
++      src/esi/Esi.h, src/esi/Expression.cc.
++    - CVE-2019-12519
++    - CVE-2019-12521
++  * SECURITY UPDATE: Digest Authentication nonce replay issue
++    - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
++      overflow in src/auth/digest/Config.cc.
++    - CVE-2020-11945
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 13 May 2020 09:51:10 -0400
++
++squid (4.10-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++      deprecated in glibc 2.30 (LP #1843325)
++  * Dropped:
++    - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
++      no longer available in Focal (LP: #1858827)
++      [In 4.10-1, undocumented]
++    - d/t/test-squid.py, d/t/squid: switch to python3
++      [In 4.10-1, undocumented]
++    - d/t/control: depend on python3-minimal
++      [In 4.10-1, undocumented]
++    - SECURITY UPDATE: info disclosure via FTP server
++      + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
++        src/clients/FtpGateway.cc.
++      + CVE-2019-12528
++      [Fixed upstream]
++    - SECURITY UPDATE: incorrect input validation and buffer management
++      + debian/patches/CVE-2020-84xx.patch: fix request URL generation in
++        reverse proxy configurations in src/client_side.cc.
++      + CVE-2020-8449
++      + CVE-2020-8450
++      [Fixed upstream]
++    - SECURITY UPDATE: DoS in NTLM authentication
++      + debian/patches/CVE-2020-8517.patch: improved username handling in
++        src/acl/external/LM_group/ext_lm_group_acl.cc.
++      + CVE-2020-8517
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 25 Feb 2020 15:37:55 -0300
++
  squid (4.10-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -423,6 +1070,70 @@ squid (4.10-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Tue, 10 Feb 2020 14:12:54 +0100
++squid (4.9-2ubuntu4) focal; urgency=medium
++
++  * SECURITY UPDATE: info disclosure via FTP server
++    - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
++      src/clients/FtpGateway.cc.
++    - CVE-2019-12528
++  * SECURITY UPDATE: incorrect input validation and buffer management
++    - debian/patches/CVE-2020-84xx.patch: fix request URL generation in
++      reverse proxy configurations in src/client_side.cc.
++    - CVE-2020-8449
++    - CVE-2020-8450
++  * SECURITY UPDATE: DoS in NTLM authentication
++    - debian/patches/CVE-2020-8517.patch: improved username handling in
++      src/acl/external/LM_group/ext_lm_group_acl.cc.
++    - CVE-2020-8517
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 19 Feb 2020 12:43:05 -0500
++
++squid (4.9-2ubuntu3) focal; urgency=medium
++
++  * No-change rebuild with fixed binutils on arm64.
++
++ -- Matthias Klose <doko@ubuntu.com>  Sat, 08 Feb 2020 11:20:19 +0000
++
++squid (4.9-2ubuntu2) focal; urgency=medium
++
++  * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
++    no longer available in Focal (LP: #1858827)
++  * d/t/test-squid.py, d/t/squid: switch to python3
++  * d/t/control: depend on python3-minimal
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 08 Jan 2020 15:52:32 -0300
++
++squid (4.9-2ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++      deprecated in glibc 2.30 (LP #1843325)
++  * Dropped:
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++      [Fixed upstream]
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++      [Fixed upstream]
++    - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
++      lib/smblib/smblib-util.c. (LP #1835831)
++      [Fixed upstream]
++    - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
++      mounted
++      [Fixed upstream]
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Thu, 14 Nov 2019 16:33:10 -0300
++
  squid (4.9-2) unstable; urgency=medium
    [ Andreas Hasenack <andreas@canonical.com> ]
@@ -479,6 +1190,73 @@ squid (4.9-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Sun, 10 Nov 2019 20:28:15 +0100
++squid (4.8-1ubuntu3) focal; urgency=medium
++
++  * No-change rebuild against libnettle7
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Oct 2019 22:15:39 +0000
++
++squid (4.8-1ubuntu2) eoan; urgency=medium
++
++  * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++    deprecated in glibc 2.30 (LP: #1843325)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 09 Sep 2019 17:31:45 -0300
++
++squid (4.8-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++    - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
++      lib/smblib/smblib-util.c. (LP #1835831)
++  * Dropped:
++    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++      Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
++      [Fixed upstream]
++    - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
++      patch
++      [Fixed upstream]
++    - SECURITY UPDATE: incorrect digest auth parameter parsing
++      + debian/patches/CVE-2019-12525.patch: check length in
++        src/auth/digest/Config.cc.
++      + CVE-2019-12525
++      [Fixed upstream]
++    - SECURITY UPDATE: buffer overflow in basic auth decoding
++      + debian/patches/CVE-2019-12527.patch: switch to SBuf in
++        src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
++        src/clients/FtpGateway.cc.
++      + CVE-2019-12527
++      [Fixed upstream]
++    - SECURITY UPDATE: basic auth uudecode length issue
++      + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
++        base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
++        include/uudecode.h, lib/uudecode.c.
++      + CVE-2019-12529
++      [Fixed upstream]
++    - SECURITY UPDATE: XSS issues in cachemgr.cgi
++      + debian/patches/CVE-2019-13345.patch: properly escape values in
++        tools/cachemgr.cc.
++      + CVE-2019-13345
++      [Fixed upstream]
++  * Added:
++    - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
++      mounted
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 24 Jul 2019 16:38:59 -0300
++
  squid (4.8-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -497,6 +1275,86 @@ squid (4.8-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Thu, 18 Jul 2019 22:28:15 +0200
++squid (4.6-2ubuntu4) eoan; urgency=medium
++
++  * Fix gcc-9 issues (LP: #1835831)
++    - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
++    - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
++      lib/smblib/smblib-util.c.
++  * SECURITY UPDATE: incorrect digest auth parameter parsing
++    - debian/patches/CVE-2019-12525.patch: check length in
++      src/auth/digest/Config.cc.
++    - CVE-2019-12525
++  * SECURITY UPDATE: buffer overflow in basic auth decoding
++    - debian/patches/CVE-2019-12527.patch: switch to SBuf in
++      src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
++      src/clients/FtpGateway.cc.
++    - CVE-2019-12527
++  * SECURITY UPDATE: basic auth uudecode length issue
++    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
++      base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
++      include/uudecode.h, lib/uudecode.c.
++    - CVE-2019-12529
++  * SECURITY UPDATE: XSS issues in cachemgr.cgi
++    - debian/patches/CVE-2019-13345.patch: properly escape values in
++      tools/cachemgr.cc.
++    - CVE-2019-13345
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 19 Jul 2019 08:01:58 -0400
++
++squid (4.6-2ubuntu3) eoan; urgency=medium
++
++  * Override newly added gcc-9 flags:
++    -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
++    NOTE: Overriding those flags is a possible security
++    asked for info on the gcc-9 issue bug tracker:
++    https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 15 Jul 2019 10:21:47 +0200
++
++squid (4.6-2ubuntu2) eoan; urgency=medium
++
++  * Fix gcc-9 build issues with upstream merged patch
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sun, 14 Jul 2019 14:41:16 +0200
++
++squid (4.6-2ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++      Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
++      [Added Applied-Upstream header]
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++  * Dropped:
++    - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
++      at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006)
++      [Fixed in 4.5-2]
++    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
++      error in parse_time_t, triggered on ppc64el due to the build using -O3
++      in that architecture.
++      [Fixed upstream]
++    - Add disabled by default AppArmor profile.
++      [Added by Debian in 4.6-2]
++    - d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
++      + allow net_admin capability
++      + add attach_disconnected flag
++      [Fixed in 4.6-2]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sat, 18 May 2019 14:39:09 -0300
++
  squid (4.6-2) unstable; urgency=high
    [ Andreas Hasenack <andreas@canonical.com> ]
@@ -557,6 +1415,57 @@ squid (4.5-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Wed, 20 Feb 2019 11:57:15 +0100
++squid (4.4-1ubuntu2) disco; urgency=medium
++
++  * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
++    at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 27 Feb 2019 08:54:45 -0300
++
++squid (4.4-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - Add disabled by default AppArmor profile.
++    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
++      error in parse_time_t, triggered on ppc64el due to the build using -O3
++      in that architecture.
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++      Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
++  * Drop:
++    - d/rules: enable cdbs parallel build
++      [Fixed in 4.2-1]
++    - d/t/test-squid.py: fix apparmor profile filename
++      [Fixed in 4.2-1]
++    - d/t/test-squid.py: fix the process name. The PID points at the parent.
++      [Fixed in 4.2-1]
++    - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
++      [Fixed in 4.2-1]
++    - d/t/0003-installed-binary-for-debian-ci.patch:  use the squid
++      binary from the system, instead of the one from the source tree.
++      [Fixed in 4.2-1]
++    - d/t/upstream-test-suite: drop the sed line, since patch
++      0003-installed-binary-for-debian-ci.patch is doing this work now.
++      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
++      [Fixed in 4.2-1]
++  * Added changes:
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++    - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
++      + allow net_admin capability
++      + add attach_disconnected flag
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 19 Nov 2018 10:51:18 -0200
++
  squid (4.4-1) unstable; urgency=high
    * Urgency high due to security fixes
@@ -621,6 +1530,85 @@ squid (4.2-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Wed, 22 Aug 2018 13:57:15 +0200
++squid (4.1-1ubuntu3) cosmic; urgency=medium
++
++  * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++    Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 09 Oct 2018 14:00:36 -0300
++
++squid (4.1-1ubuntu2) cosmic; urgency=medium
++
++  * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
++    binary (LP: #1792728)
++
++ -- Simon Deziel <simon@sdeziel.info>  Sat, 15 Sep 2018 13:55:32 -0400
++
++squid (4.1-1ubuntu1) cosmic; urgency=medium
++
++  * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
++    Remaining changes:
++    - Use snakeoil certificates.
++      [Updated to use the correct config setting names]
++    - Add an example refresh pattern for debs.
++      [Improved the refresh patterns based on the configuration from
++       squid-deb-proxy package]
++    - Add disabled by default AppArmor profile.
++      [Updated to include the ssl_certs abstraction and suggestions on how to
++       deal with the snakeoil private key and other keys in /etc/ssl.]
++  * Dropped changes:
++    - Add additional dep8 tests.
++      [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
++    - Correct attribution and add explanatory note in d/NEWS.debian.
++      [That particular upgrade path has happened long ago.]
++    - Drop wrong short-circuiting of various invocations; we always want to
++      call the debhelper block.
++      [This was for the transitional squid3 package, and that transition has
++       already happened.]
++    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
++      [Not needed anymore since we have a native systemd service file
++       and no longer rely on the generator.]
++    - Enable autoreconf. This is no longer required for the security updates,
++      but is needed for the seddery of test-suite/Makefile.am in
++      d/t/upstream-test-suite.
++      [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
++    - Adjust seddery for upstream test squid binary location.
++      [sed no longer necessary since patch,
++       0003-installed-binary-for-debian-ci.patch, will be dropped
++       entirely.]
++    - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
++      happened in Xenial, so no upgrade path still requires this code. This
++      reduces upgrade ordering difficulty.
++      [Again we have a migration, but this time from squid3 to squid, so we
++      need this].
++    - GCC7 FTBFS fixes (LP: #1712668):
++      + d/rules: don't error when hitting the "deprecated" and
++      "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
++      but one in Format.cc that affects 32bit builds was deemed too intrusive
++      for the 3.5 stable series and is only in squid 4.x
++      [No longer needed with squid 4.x]
++    - Do not force gcc-6
++      [It was a temporary workaround in Debian that got dropped]
++  * Added changes:
++    - d/rules: enable cdbs parallel build
++    - d/t/test-squid.py: fix apparmor profile filename
++    - d/t/test-squid.py: fix the process name. The PID points at the parent.
++    - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
++    - d/t/0003-installed-binary-for-debian-ci.patch:  use the squid
++      binary from the system, instead of the one from the source tree.
++    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
++      error in parse_time_t, triggered on ppc64el due to the build using -O3
++      in that architecture.
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/t/upstream-test-suite: drop the sed line, since patch
++      0003-installed-binary-for-debian-ci.patch is doing this work now.
++      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 16 Aug 2018 12:33:17 -0300
++
  squid (4.1-1) unstable; urgency=high
    * New Upstream Release (Closes: #896120)
 diff --git a/debian/control b/debian/control
 index 844041f..f1a830f 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: squid
  Section: web
  Priority: optional
--Maintainer: Luigi Gangitano <luigi@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
  Uploaders: Santiago Garcia Mantinan <manty@debian.org>
  Homepage: http://www.squid-cache.org
  Standards-Version: 4.6.2
@@ -35,7 +36,7 @@ Build-Depends: ed
  Package: squid
  Architecture: any
  Pre-Depends: ${misc:Pre-Depends}, adduser
--Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
++Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
  Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
  Recommends: libcap2-bin [linux-any], ca-certificates
  Conflicts: squid-openssl
 diff --git a/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
 new file mode 100644
 index 0000000..d3b3efc
 --- /dev/null
 +++ b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
@@ -0,0 +1,65 @@
++From: Sergio Durigan Junior <sergio.durigan@canonical.com>
++Date: Tue, 9 Aug 2022 17:49:23 -0400
++Subject: Fix -Werror=alloc-size-larger-than on GCC 12
++
++Author: Sergio Durigan Junior <sergiodj@ubuntu.com>
++Forwarded: yes, https://github.com/squid-cache/squid/pull/1118
++---
++ src/SquidConfig.h  | 2 +-
++ src/pconn.cc       | 2 +-
++ src/pconn.h        | 2 +-
++ src/store/Disks.cc | 2 +-
++ 4 files changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/src/SquidConfig.h b/src/SquidConfig.h
++index feabdf1..6b3cca5 100644
++--- a/src/SquidConfig.h
+++++ b/src/SquidConfig.h
++@@ -61,7 +61,7 @@ public:
++     ~DiskConfig() { delete[] swapDirs; }
++
++     RefCount<SwapDir> *swapDirs = nullptr;
++-    int n_allocated = 0;
+++    unsigned int n_allocated = 0;
++     int n_configured = 0;
++     /// number of disk processes required to support all cache_dirs
++     int n_strands = 0;
++diff --git a/src/pconn.cc b/src/pconn.cc
++index 62e5411..d30726d 100644
++--- a/src/pconn.cc
+++++ b/src/pconn.cc
++@@ -167,7 +167,7 @@ IdleConnList::clearHandlers(const Comm::ConnectionPointer &conn)
++ void
++ IdleConnList::push(const Comm::ConnectionPointer &conn)
++ {
++-    if (size_ == capacity_) {
+++    if ((unsigned int) size_ == capacity_) {
++         debugs(48, 3, "growing idle Connection array");
++         capacity_ <<= 1;
++         const Comm::ConnectionPointer *oldList = theList_;
++diff --git a/src/pconn.h b/src/pconn.h
++index 85e44e5..b8f07d9 100644
++--- a/src/pconn.h
+++++ b/src/pconn.h
++@@ -80,7 +80,7 @@ private:
++     Comm::ConnectionPointer *theList_;
++
++     /// Number of entries theList can currently hold without re-allocating (capacity).
++-    int capacity_;
+++    unsigned int capacity_;
++     ///< Number of in-use entries in theList
++     int size_;
++
++diff --git a/src/store/Disks.cc b/src/store/Disks.cc
++index 4e8710a..f9c3171 100644
++--- a/src/store/Disks.cc
+++++ b/src/store/Disks.cc
++@@ -685,7 +685,7 @@ allocate_new_swapdir(Store::DiskConfig *swap)
++         swap.swapDirs = new SwapDir::Pointer[swap.n_allocated];
++     }
++
++-    if (swap.n_allocated == swap.n_configured) {
+++    if (swap.n_allocated == (size_t) swap.n_configured) {
++         swap.n_allocated <<= 1;
++         const auto tmp = new SwapDir::Pointer[swap.n_allocated];
++         for (int i = 0; i < swap.n_configured; ++i) {
 diff --git a/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch b/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch
 new file mode 100644
 index 0000000..64975b8
 --- /dev/null
 +++ b/debian/patches/0010-Fix-Werror-sign-compare-on-GCC-13.patch
@@ -0,0 +1,24 @@
++Description: Fix -Werror=sign-compare
++ This is a consequence of
++ d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch on GCC 13. Once
++ that patch is dropped, this patch can most likely be dropped as well (even in
++ case 0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch is accepted
++ upstream, since the issue being fixed here will also need a fix upstream).
++ See https://github.com/squid-cache/squid/pull/1118#discussion_r941969015 for
++ further reference.
++Author: Athos Ribeiro <athos.ribeiro@canonical.com>
++Forwarded: not-needed
++Last-Update: 2023-08-10
++---
++This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
++--- a/src/store/Disks.cc
+++++ b/src/store/Disks.cc
++@@ -57,7 +57,7 @@
++ SwapDirByIndex(const int i)
++ {
++     assert(i >= 0);
++-    assert(i < Config.cacheSwap.n_allocated);
+++    assert((size_t) i < Config.cacheSwap.n_allocated);
++     const auto sd = INDEXSD(i);
++     assert(sd);
++     return *sd;
 diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
 new file mode 100644
 index 0000000..efd7265
 --- /dev/null
 +++ b/debian/patches/90-cf.data.ubuntu.patch
@@ -0,0 +1,21 @@
++Description: Add refresh patterns for deb packaging
++
++Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
++Last-Updated: 2021-05-11
++Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15
++
++--- a/src/cf.data.pre
+++++ b/src/cf.data.pre
++@@ -6552,6 +6552,12 @@
++ #
++ refresh_pattern ^ftp:		1440	20%	10080
++ refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
+++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
+++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+++# example pattern for deb packages
+++#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
++ refresh_pattern .		0	20%	4320
++ CONFIG_END
++ DOC_END
 diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
 new file mode 100644
 index 0000000..ad38cdf
 --- /dev/null
 +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
@@ -0,0 +1,28 @@
++Description: Add notice about Debian/Ubuntu's snakeoil certificate
++Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com>
++Forwarded: not-needed
++
++Index: squid/src/cf.data.pre
++===================================================================
++--- squid.orig/src/cf.data.pre	2022-07-18 07:49:02.052257318 -0400
+++++ squid/src/cf.data.pre	2022-07-18 07:51:17.843207049 -0400
++@@ -3742,6 +3742,19 @@
++ 			A client X.509 certificate to use when connecting to
++ 			this peer.
++
+++	Notes:
+++
+++	On Debian/Ubuntu systems a default snakeoil certificate is
+++	available in /etc/ssl and users can set:
+++
+++		sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
+++
+++	and
+++
+++		sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
+++
+++	for testing.
+++
++ 	sslkey=/path/to/ssl/key
++ 			The private key corresponding to sslcert above.
++
 diff --git a/debian/patches/series b/debian/patches/series
 index 2612869..868b3c8 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -2,3 +2,7 @@
 -Change-default-file-locations-for-debian.patch
 -Use-RuntimeDirectory-to-create-run-squid.patch
 -upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch
++90-cf.data.ubuntu.patch
++99-ubuntu-ssl-cert-snakeoil.patch
++0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
++0010-Fix-Werror-sign-compare-on-GCC-13.patch
 diff --git a/debian/rules b/debian/rules
 index 59dce4e..8c6860a 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -4,6 +4,11 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all
  export DEB_CFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations
  export DEB_CXXFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations
++ifeq ($(DEB_HOST_ARCH), ppc64el)
++    DEB_CFLAGS_MAINT_APPEND += -Wno-error=maybe-uninitialized
++    DEB_CXXFLAGS_MAINT_APPEND += -Wno-error=maybe-uninitialized
++endif
++
  ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
  	DEB_LDFLAGS_MAINT_APPEND += -latomic
  endif
@@ -89,9 +94,17 @@ override_dh_auto_build:
  	dh_auto_build
  	cd debian/build-openssl && dh_auto_build
++execute_before_dh_auto_test:
++	# Do not include additional configuration files during tests. This would lead to failures due to missing paths.
++	sed -i 's|^\(include /etc/squid/conf\.d/\*\.conf\)|# \1|' src/squid.conf.default debian/build-openssl/src/squid.conf.default
++
  override_dh_auto_test:
--	-dh_auto_test
--	-cd debian/build-openssl && dh_auto_test
++	dh_auto_test
++	cd debian/build-openssl && dh_auto_test
++
++execute_after_dh_auto_test:
++	# Restore configuration file to its previous state.
++	sed -i 's|^# \(include /etc/squid/conf\.d/\*\.conf\)|\1|' src/squid.conf.default debian/build-openssl/src/squid.conf.default
  override_dh_auto_install:
  	dh_auto_install
@@ -152,6 +165,10 @@ execute_after_dh_auto_install:
  	dh_apparmor --profile-name=usr.sbin.squid -psquid
  override_dh_install:
++	# Apport hook
++	dh_install -psquid-common debian/source_squid.py \
++		usr/share/apport/package-hooks/
++
  	dh_install -psquid -psquid-common -psquidclient -psquid-cgi -psquid-purge \
  		--sourcedir=$(INSTALLDIR)
  	dh_install -psquid-openssl \
 diff --git a/debian/source_squid.py b/debian/source_squid.py
 new file mode 100644
 index 0000000..c23e6da
 --- /dev/null
 +++ b/debian/source_squid.py
@@ -0,0 +1,54 @@
++#!/usr/bin/python3
++
++'''
++Apport package hook for Squid
++
++Copyright (C) 2022 Canonical Ltd.
++Author: Bryce Harrington <bryce@canonical.com>
++
++This program is free software; you can redistribute it and/or modify it
++under the terms of the GNU General Public License as published by the
++Free Software Foundation; either version 2 of the License, or (at your
++option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
++the full text of the license.
++'''
++
++import os.path
++from apport.hookutils import attach_file_if_exists
++
++
++def add_info(report, ui=None):
++    '''Attaches squid-specific information to the Apport bug report.'''
++    def _add_file(report, filepath):
++        filename = os.path.basename(filepath)
++        attach_file_if_exists(report, filepath, key=filename)
++
++    # Configs
++    _add_file(report, '/etc/squid/squid.conf')
++    _add_file(report, '/etc/squid/squid.d/debian.conf')
++
++    if ui is None:
++        return
++
++    # Logs
++    response = ui.yesno(
++        "The contents of your Squid cache.log and access.log files "
++        "may help developers diagnose your bug more quickly.  "
++        "However, they may contain sensitive " "information.  "
++        "Do you want to include them in your bug report?"
++    )
++    if response is None:
++        # user cancelled
++        raise StopIteration
++    if response is True:
++        # Attach files
++        _add_file(report, '/var/log/squid/access.log')
++        _add_file(report, '/var/log/squid/cache.log')
++
++
++### DEBUGGING ###
++if __name__ == '__main__':
++    report = {}
++    add_info(report, None)
++    for key in report:
++        print(f'[{key}]\n{report[key]}')
 diff --git a/debian/tests/upstream-test-suite b/debian/tests/upstream-test-suite
 index a801bcb..fdd377a 100644
 --- a/debian/tests/upstream-test-suite
 +++ b/debian/tests/upstream-test-suite
@@ -2,6 +2,10 @@
  set -e
  dpkg-source --before-build `pwd`
++
++# Use installed squid binary
++sed -i 's|\$(top_builddir)/src/squid -k parse|/usr/sbin/squid -k parse|' test-suite/Makefile.am test-suite/Makefile.in
++
  dh_update_autotools_config
  dh_autoreconf
  dh_auto_configure -- ${DEB_CONFIGURE_EXTRA_FLAGS} --with-gnutls
 diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
 index d01bcd0..a34487a 100644
 --- a/debian/usr.sbin.squid
 +++ b/debian/usr.sbin.squid
@@ -51,6 +51,33 @@
    # squid-langpack
    /usr/share/squid-langpack/** r,
++  # squid-deb-proxy
++  /etc/squid-deb-proxy/** r,
++  /{,var/}run/squid-deb-proxy.pid rwk,
++  /var/cache/squid-deb-proxy/ r,
++  /var/cache/squid-deb-proxy/** rwk,
++  /var/log/squid-deb-proxy/* rw,
++
++  # squidguard
++  /usr/bin/squidGuard Cx -> squidguard,
++  profile squidguard {
++    #include <abstractions/base>
++
++    /etc/squid/squidGuard.conf r,
++    /var/log/squid{,3}/squidGuard.log w,
++    /var/lib/squidguard/** rw,
++
++    # squidguard by default uses /var/log/squid as its logdir, however, we
++    # don't want it to access squid's logs, only its own. Explicitly deny
++    # access to squid's files but allow all others since the user may specify
++    # anything for the squidGurad 'log' directive.
++    /var/log/squid{,3}/* rw,
++    audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
++
++    # Site-specific additions and overrides. See local/README for details.
++    #include <local/usr.sbin.squid>
++  }
++
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.squid>
+ }

Ubuntusquid package

Merge ~athos-ribeiro/ubuntu/+source/squid:merge-lp2055179-noble into ubuntu/+source/squid:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
squid package