Merge ~sergiodj/ubuntu/+source/squid:squid-merge-4.12-1 into ubuntu/+source/squid:debian/sid
Status: | Merged |
---|---|
Approved by: | Andreas Hasenack |
Approved revision: | db0be8a903e911be4fa27b1fe29ad5c57590291b |
Merge reported by: | Sergio Durigan Junior |
Merged at revision: | db0be8a903e911be4fa27b1fe29ad5c57590291b |
Proposed branch: | ~sergiodj/ubuntu/+source/squid:squid-merge-4.12-1 |
Merge into: | ubuntu/+source/squid:debian/sid |
Diff against target: | 802 lines (+688/-2), 7 files modified |
- debian/changelog (+493/-0)
- debian/control (+3/-2)
- debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch (+112/-0)
- debian/patches/90-cf.data.ubuntu.patch (+22/-0)
- debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
- debian/patches/series (+3/-0)
- debian/usr.sbin.squid (+33/-0)
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+389025@code.launchpad.net |
Commit message
Description of the change
This is the merge of squid 4.12.1 from Debian.
We're still keeping some of our existing delta. I'm taking a closer look at the patches we're carrying and checking which ones can be proposed upstream or to Debian.
As for the good news, we can drop a number of local modifications:
- No need to add -Wno-format-
- Dropped 2 patches accepted by Debian which simplify and fix the postinst script.
- Dropped 1 patch accepted by Debian which adjusts the 'test-squid.py' dep8 test.
I'm adding a patch needed to make the build pass on s390x; there's a GCC-10 FTBFS that happens there. This patch has already been proposed and accepted upstream:
https:/
autopkgtest is still happy:
autopkgtest [15:11:15]: @@@@@@@
upstream-test-suite PASS
squid PASS
Andreas Hasenack (ahasenack) wrote : | # |
Looks good, +1. You said you would still add a DEP3 header to d/p/90-
Sergio Durigan Junior (sergiodj) wrote : | # |
On Tuesday, August 11 2020, Andreas Hasenack wrote:
> Looks good, +1. You said you would still add a DEP3 header to
> d/p/90-
> Feel free to do that and commit, and then ping here when ready for
> sponsoring.
Thanks for the review, Andreas.
I have force-pushed the branch with the DEP3 header update now, so it's
ready for sponsorship.
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
Andreas Hasenack (ahasenack) wrote : | # |
Tagging and uploading db0be8a903e911b
$ git push pkg upload/
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Delta compression using up to 4 threads
Compressing objects: 100% (32/32), done.
Writing objects: 100% (36/36), 11.59 KiB | 565.00 KiB/s, done.
Total 36 (delta 25), reused 7 (delta 4)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../squid_
Checking signature on .changes
gpg: ../squid_
Checking signature on .dsc
gpg: ../squid_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Successfully uploaded packages.
Please follow its migration.
Sergio Durigan Junior (sergiodj) wrote : | # |
This has migrated.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 345a140..c1c8b6b 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,40 @@ |
6 | +squid (4.12-1ubuntu1) groovy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
10 | + squidguard |
11 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
12 | + for debs. |
13 | + - Use snakeoil certificates: |
14 | + + d/control: add ssl-cert to dependencies |
15 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
16 | + to the default config file |
17 | + * Dropped changes, not needed anymore: |
18 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround |
19 | + if building for ppc64el. On that arch, dpkg-buildflags sets -O3 |
20 | + instead of -O2 and that triggers a format-truncation error on |
21 | + pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875. |
22 | + [ Dropped because the build now passes on ppc64el ] |
23 | + * Dropped changes, incorporated by Debian: |
24 | + - Don't restart squid by hand on postinst script |
25 | + + d/squid.postinst: When installing/upgrading squid, the service |
26 | + is being restarted manually in the postinst script, which can |
27 | + break installations that have the squid apparmor enabled because |
28 | + it will try to restart the service before reloading the apparmor |
29 | + profile. There is no reason to restart squid manually, since the |
30 | + restart will be automatically performed later. |
31 | + - Drop conffile check for squid < 2.7 |
32 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
33 | + safe to drop the postinst code to make sure that |
34 | + /etc/squid/squid.conf was properly upgraded. |
35 | + - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
36 | + that we now store the pidfile under '/run/squid/'. |
37 | + * Added changes: |
38 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
39 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
40 | + |
41 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400 |
42 | + |
43 | squid (4.12-1) unstable; urgency=high |
44 | |
45 | * Urgency high due to security fixes |
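Review bot: In the new 4.12-1ubuntu1 entry, the d/usr.sbin.squid item is missing the comma after "squid-deb-proxy" before the continuation line "squidguard"; the 4.11-5ubuntu1 entry further down writes it as "maas-proxy, squid-deb-proxy, squidguard". Suggest restoring the comma so the three profile sections read as one list.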
46 | @@ -35,6 +72,63 @@ squid (4.12-1) unstable; urgency=high |
47 | |
48 | -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200 |
49 | |
50 | +squid (4.11-5ubuntu3) groovy; urgency=medium |
51 | + |
52 | + * No change rebuild against new libnettle8 and libhogweed6 ABI. |
53 | + |
54 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100 |
55 | + |
56 | +squid (4.11-5ubuntu2) groovy; urgency=medium |
57 | + |
58 | + * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
59 | + that we now store the pidfile under '/run/squid/'. |
60 | + |
61 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400 |
62 | + |
63 | +squid (4.11-5ubuntu1) groovy; urgency=medium |
64 | + |
65 | + * Merge with Debian unstable. Remaining changes: |
66 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
67 | + squidguard |
68 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for |
69 | + debs. |
70 | + - Use snakeoil certificates: |
71 | + + d/control: add ssl-cert to dependencies |
72 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the |
73 | + default config file |
74 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
75 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead |
76 | + of -O2 and that triggers a format-truncation error on pcon.cc. See See |
77 | + https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
78 | + * Dropped: |
79 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
80 | + deprecated in glibc 2.30 (LP #1843325) |
81 | + [ In 4.11-4 ] |
82 | + - SECURITY UPDATE: multiple ESI issues |
83 | + + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
84 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
85 | + src/esi/Esi.h, src/esi/Expression.cc. |
86 | + + CVE-2019-12519 |
87 | + [ In 4.11-4 ] |
88 | + - SECURITY UPDATE: Digest Authentication nonce replay issue |
89 | + + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
90 | + overflow in src/auth/digest/Config.cc. |
91 | + [ In 4.11-4 ] |
92 | + * Added: |
93 | + - Don't restart squid by hand on postinst script |
94 | + + d/squid.postinst: When installing/upgrading squid, the service |
95 | + is being restarted manually in the postinst script, which can |
96 | + break installations that have the squid apparmor enabled because |
97 | + it will try to restart the service before reloading the apparmor |
98 | + profile. There is no reason to restart squid manually, since the |
99 | + restart will be automatically performed later. |
100 | + - Drop conffile check for squid < 2.7 |
101 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
102 | + safe to drop the postinst code to make sure that |
103 | + /etc/squid/squid.conf was properly upgraded. |
104 | + |
105 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400 |
106 | + |
107 | squid (4.11-5) unstable; urgency=medium |
108 | |
109 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
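Review bot: In the 4.11-5ubuntu1 entry, the dropped "SECURITY UPDATE: multiple ESI issues" item lists only CVE-2019-12519 although the patch it names is CVE-2019-12519_12521.patch, and the dropped Digest Authentication item names CVE-2020-11945.patch with no CVE line at all. If this text matches what was uploaded at the time, it should stay as published; otherwise add the missing CVE ids so that a search of the changelog for them also finds the entry that records these patches being dropped. The same entry has a doubled "See See" before the bugs.squid-cache.org link.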
110 | @@ -113,6 +207,64 @@ squid (4.11-1) unstable; urgency=high |
111 | |
112 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 |
113 | |
114 | +squid (4.10-1ubuntu2) groovy; urgency=medium |
115 | + |
116 | + * SECURITY UPDATE: multiple ESI issues |
117 | + - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
118 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
119 | + src/esi/Esi.h, src/esi/Expression.cc. |
120 | + - CVE-2019-12519 |
121 | + - CVE-2019-12521 |
122 | + * SECURITY UPDATE: Digest Authentication nonce replay issue |
123 | + - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
124 | + overflow in src/auth/digest/Config.cc. |
125 | + - CVE-2020-11945 |
126 | + |
127 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400 |
128 | + |
129 | +squid (4.10-1ubuntu1) focal; urgency=medium |
130 | + |
131 | + * Merge with Debian unstable. Remaining changes: |
132 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
133 | + squidguard |
134 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. |
135 | + - Use snakeoil certificates: |
136 | + + d/control: add ssl-cert to dependencies |
137 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
138 | + to the default config file |
139 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
140 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
141 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
142 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
143 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
144 | + deprecated in glibc 2.30 (LP #1843325) |
145 | + * Dropped: |
146 | + - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
147 | + no longer available in Focal (LP: #1858827) |
148 | + [In 4.10-1, undocumented] |
149 | + - d/t/test-squid.py, d/t/squid: switch to python3 |
150 | + [In 4.10-1, undocumented] |
151 | + - d/t/control: depend on python3-minimal |
152 | + [In 4.10-1, undocumented] |
153 | + - SECURITY UPDATE: info disclosure via FTP server |
154 | + + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
155 | + src/clients/FtpGateway.cc. |
156 | + + CVE-2019-12528 |
157 | + [Fixed upstream] |
158 | + - SECURITY UPDATE: incorrect input validation and buffer management |
159 | + + debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
160 | + reverse proxy configurations in src/client_side.cc. |
161 | + + CVE-2020-8449 |
162 | + + CVE-2020-8450 |
163 | + [Fixed upstream] |
164 | + - SECURITY UPDATE: DoS in NTLM authentication |
165 | + + debian/patches/CVE-2020-8517.patch: improved username handling in |
166 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
167 | + + CVE-2020-8517 |
168 | + [Fixed upstream] |
169 | + |
170 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300 |
171 | + |
172 | squid (4.10-1) unstable; urgency=high |
173 | |
174 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
175 | @@ -134,6 +286,70 @@ squid (4.10-1) unstable; urgency=high |
176 | |
177 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 |
178 | |
179 | +squid (4.9-2ubuntu4) focal; urgency=medium |
180 | + |
181 | + * SECURITY UPDATE: info disclosure via FTP server |
182 | + - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
183 | + src/clients/FtpGateway.cc. |
184 | + - CVE-2019-12528 |
185 | + * SECURITY UPDATE: incorrect input validation and buffer management |
186 | + - debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
187 | + reverse proxy configurations in src/client_side.cc. |
188 | + - CVE-2020-8449 |
189 | + - CVE-2020-8450 |
190 | + * SECURITY UPDATE: DoS in NTLM authentication |
191 | + - debian/patches/CVE-2020-8517.patch: improved username handling in |
192 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
193 | + - CVE-2020-8517 |
194 | + |
195 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500 |
196 | + |
197 | +squid (4.9-2ubuntu3) focal; urgency=medium |
198 | + |
199 | + * No-change rebuild with fixed binutils on arm64. |
200 | + |
201 | + -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000 |
202 | + |
203 | +squid (4.9-2ubuntu2) focal; urgency=medium |
204 | + |
205 | + * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
206 | + no longer available in Focal (LP: #1858827) |
207 | + * d/t/test-squid.py, d/t/squid: switch to python3 |
208 | + * d/t/control: depend on python3-minimal |
209 | + |
210 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300 |
211 | + |
212 | +squid (4.9-2ubuntu1) focal; urgency=medium |
213 | + |
214 | + * Merge with Debian unstable. Remaining changes: |
215 | + - Use snakeoil certificates. |
216 | + - Add an example refresh pattern for debs. |
217 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
218 | + squidguard |
219 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
220 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
221 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
222 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
223 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
224 | + deprecated in glibc 2.30 (LP #1843325) |
225 | + * Dropped: |
226 | + - d/rules: Only use -latomic with the intended architectures, instead of |
227 | + all of them. This matches what was suggested in |
228 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
229 | + [Fixed upstream] |
230 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
231 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
232 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
233 | + [Fixed upstream] |
234 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
235 | + lib/smblib/smblib-util.c. (LP #1835831) |
236 | + [Fixed upstream] |
237 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
238 | + mounted |
239 | + [Fixed upstream] |
240 | + |
241 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300 |
242 | + |
243 | squid (4.9-2) unstable; urgency=medium |
244 | |
245 | [ Andreas Hasenack <andreas@canonical.com> ] |
246 | @@ -190,6 +406,73 @@ squid (4.9-1) unstable; urgency=high |
247 | |
248 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 |
249 | |
250 | +squid (4.8-1ubuntu3) focal; urgency=medium |
251 | + |
252 | + * No-change rebuild against libnettle7 |
253 | + |
254 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000 |
255 | + |
256 | +squid (4.8-1ubuntu2) eoan; urgency=medium |
257 | + |
258 | + * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
259 | + deprecated in glibc 2.30 (LP: #1843325) |
260 | + |
261 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300 |
262 | + |
263 | +squid (4.8-1ubuntu1) eoan; urgency=medium |
264 | + |
265 | + * Merge with Debian unstable. Remaining changes: |
266 | + - Use snakeoil certificates. |
267 | + - Add an example refresh pattern for debs. |
268 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
269 | + squidguard |
270 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
271 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
272 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
273 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
274 | + - d/rules: Only use -latomic with the intended architectures, instead of |
275 | + all of them. This matches what was suggested in |
276 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
277 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
278 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
279 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
280 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
281 | + lib/smblib/smblib-util.c. (LP #1835831) |
282 | + * Dropped: |
283 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
284 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
285 | + [Fixed upstream] |
286 | + - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged |
287 | + patch |
288 | + [Fixed upstream] |
289 | + - SECURITY UPDATE: incorrect digest auth parameter parsing |
290 | + + debian/patches/CVE-2019-12525.patch: check length in |
291 | + src/auth/digest/Config.cc. |
292 | + + CVE-2019-12525 |
293 | + [Fixed upstream] |
294 | + - SECURITY UPDATE: buffer overflow in basic auth decoding |
295 | + + debian/patches/CVE-2019-12527.patch: switch to SBuf in |
296 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
297 | + src/clients/FtpGateway.cc. |
298 | + + CVE-2019-12527 |
299 | + [Fixed upstream] |
300 | + - SECURITY UPDATE: basic auth uudecode length issue |
301 | + + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
302 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
303 | + include/uudecode.h, lib/uudecode.c. |
304 | + + CVE-2019-12529 |
305 | + [Fixed upstream] |
306 | + - SECURITY UPDATE: XSS issues in cachemgr.cgi |
307 | + + debian/patches/CVE-2019-13345.patch: properly escape values in |
308 | + tools/cachemgr.cc. |
309 | + + CVE-2019-13345 |
310 | + [Fixed upstream] |
311 | + * Added: |
312 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
313 | + mounted |
314 | + |
315 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 |
316 | + |
317 | squid (4.8-1) unstable; urgency=high |
318 | |
319 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
320 | @@ -208,6 +491,86 @@ squid (4.8-1) unstable; urgency=high |
321 | |
322 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
323 | |
324 | +squid (4.6-2ubuntu4) eoan; urgency=medium |
325 | + |
326 | + * Fix gcc-9 issues (LP: #1835831) |
327 | + - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
328 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
329 | + lib/smblib/smblib-util.c. |
330 | + * SECURITY UPDATE: incorrect digest auth parameter parsing |
331 | + - debian/patches/CVE-2019-12525.patch: check length in |
332 | + src/auth/digest/Config.cc. |
333 | + - CVE-2019-12525 |
334 | + * SECURITY UPDATE: buffer overflow in basic auth decoding |
335 | + - debian/patches/CVE-2019-12527.patch: switch to SBuf in |
336 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
337 | + src/clients/FtpGateway.cc. |
338 | + - CVE-2019-12527 |
339 | + * SECURITY UPDATE: basic auth uudecode length issue |
340 | + - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
341 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
342 | + include/uudecode.h, lib/uudecode.c. |
343 | + - CVE-2019-12529 |
344 | + * SECURITY UPDATE: XSS issues in cachemgr.cgi |
345 | + - debian/patches/CVE-2019-13345.patch: properly escape values in |
346 | + tools/cachemgr.cc. |
347 | + - CVE-2019-13345 |
348 | + |
349 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 |
350 | + |
351 | +squid (4.6-2ubuntu3) eoan; urgency=medium |
352 | + |
353 | + * Override newly added gcc-9 flags: |
354 | + -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
355 | + NOTE: Overriding those flags is a possible security |
356 | + asked for info on the gcc-9 issue bug tracker: |
357 | + https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 |
358 | + |
359 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 |
360 | + |
361 | +squid (4.6-2ubuntu2) eoan; urgency=medium |
362 | + |
363 | + * Fix gcc-9 build issues with upstream merged patch |
364 | + |
365 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 |
366 | + |
367 | +squid (4.6-2ubuntu1) eoan; urgency=medium |
368 | + |
369 | + * Merge with Debian unstable. Remaining changes: |
370 | + - Use snakeoil certificates. |
371 | + - Add an example refresh pattern for debs. |
372 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
373 | + squidguard |
374 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
375 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
376 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
377 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
378 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
379 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
380 | + [Added Applied-Upstream header] |
381 | + - d/rules: Only use -latomic with the intended architectures, instead of |
382 | + all of them. This matches what was suggested in |
383 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
384 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
385 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
386 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
387 | + * Dropped: |
388 | + - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
389 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) |
390 | + [Fixed in 4.5-2] |
391 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
392 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
393 | + in that architecture. |
394 | + [Fixed upstream] |
395 | + - Add disabled by default AppArmor profile. |
396 | + [Added by Debian in 4.6-2] |
397 | + - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): |
398 | + + allow net_admin capability |
399 | + + add attach_disconnected flag |
400 | + [Fixed in 4.6-2] |
401 | + |
402 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 |
403 | + |
404 | squid (4.6-2) unstable; urgency=high |
405 | |
406 | [ Andreas Hasenack <andreas@canonical.com> ] |
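Review bot: The NOTE in the 4.6-2ubuntu3 entry breaks off mid-sentence ("Overriding those flags is a possible security" followed directly by "asked for info on the gcc-9 issue bug tracker:"), so the changelog no longer states what concern was raised about setting -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation. Please check it against the entry as originally uploaded and restore the missing words if they were lost in this merge; if the published entry reads the same way, leave it, since 4.6-2ubuntu4 above it already records the removal of both flags.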
407 | @@ -268,6 +631,57 @@ squid (4.5-1) unstable; urgency=medium |
408 | |
409 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
410 | |
411 | +squid (4.4-1ubuntu2) disco; urgency=medium |
412 | + |
413 | + * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
414 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) |
415 | + |
416 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 |
417 | + |
418 | +squid (4.4-1ubuntu1) disco; urgency=medium |
419 | + |
420 | + * Merge with Debian unstable. Remaining changes: |
421 | + - Use snakeoil certificates. |
422 | + - Add an example refresh pattern for debs. |
423 | + - Add disabled by default AppArmor profile. |
424 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
425 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
426 | + in that architecture. |
427 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
428 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
429 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
430 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
431 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
432 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
433 | + * Drop: |
434 | + - d/rules: enable cdbs parallel build |
435 | + [Fixed in 4.2-1] |
436 | + - d/t/test-squid.py: fix apparmor profile filename |
437 | + [Fixed in 4.2-1] |
438 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
439 | + [Fixed in 4.2-1] |
440 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
441 | + [Fixed in 4.2-1] |
442 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
443 | + binary from the system, instead of the one from the source tree. |
444 | + [Fixed in 4.2-1] |
445 | + - d/t/upstream-test-suite: drop the sed line, since patch |
446 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
447 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
448 | + [Fixed in 4.2-1] |
449 | + * Added changes: |
450 | + - d/rules: Only use -latomic with the intended architectures, instead of |
451 | + all of them. This matches what was suggested in |
452 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
453 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
454 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
455 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
456 | + - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): |
457 | + + allow net_admin capability |
458 | + + add attach_disconnected flag |
459 | + |
460 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 |
461 | + |
462 | squid (4.4-1) unstable; urgency=high |
463 | |
464 | * Urgency high due to security fixes |
465 | @@ -332,6 +746,85 @@ squid (4.2-1) unstable; urgency=high |
466 | |
467 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
468 | |
469 | +squid (4.1-1ubuntu3) cosmic; urgency=medium |
470 | + |
471 | + * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
472 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) |
473 | + |
474 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 |
475 | + |
476 | +squid (4.1-1ubuntu2) cosmic; urgency=medium |
477 | + |
478 | + * d/usr.sbin.squid: Update apparmor profile to grant read access to squid |
479 | + binary (LP: #1792728) |
480 | + |
481 | + -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 |
482 | + |
483 | +squid (4.1-1ubuntu1) cosmic; urgency=medium |
484 | + |
485 | + * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). |
486 | + Remaining changes: |
487 | + - Use snakeoil certificates. |
488 | + [Updated to use the correct config setting names] |
489 | + - Add an example refresh pattern for debs. |
490 | + [Improved the refresh patterns based on the configuration from |
491 | + squid-deb-proxy package] |
492 | + - Add disabled by default AppArmor profile. |
493 | + [Updated to include the ssl_certs abstraction and suggestions on how to |
494 | + deal with the snakeoil private key and other keys in /etc/ssl.] |
495 | + * Dropped changes: |
496 | + - Add additional dep8 tests. |
497 | + [Adopted in 4.0.21-1~exp5, albeit a stripped down version] |
498 | + - Correct attribution and add explanatory note in d/NEWS.debian. |
499 | + [That particular upgrade path has happened long ago.] |
500 | + - Drop wrong short-circuiting of various invocations; we always want to |
501 | + call the debhelper block. |
502 | + [This was for the transitional squid3 package, and that transition has |
503 | + already happened.] |
504 | + - Revert "Set pidfile for systemd's sysv-generator" from Debian. |
505 | + [Not needed anymore since we have a native systemd service file |
506 | + and no longer rely on the generator.] |
507 | + - Enable autoreconf. This is no longer required for the security updates, |
508 | + but is needed for the seddery of test-suite/Makefile.am in |
509 | + d/t/upstream-test-suite. |
510 | + [Replaced by patch 0003-installed-binary-for-debian-ci.patch] |
511 | + - Adjust seddery for upstream test squid binary location. |
512 | + [sed no longer necessary since patch, |
513 | + 0003-installed-binary-for-debian-ci.patch, will be dropped |
514 | + entirely.] |
515 | + - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration |
516 | + happened in Xenial, so no upgrade path still requires this code. This |
517 | + reduces upgrade ordering difficulty. |
518 | + [Again we have a migration, but this time from squid3 to squid, so we |
519 | + need this]. |
520 | + - GCC7 FTBFS fixes (LP: #1712668): |
521 | + + d/rules: don't error when hitting the "deprecated" and |
522 | + "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, |
523 | + but one in Format.cc that affects 32bit builds was deemed too intrusive |
524 | + for the 3.5 stable series and is only in squid 4.x |
525 | + [No longer needed with squid 4.x] |
526 | + - Do not force gcc-6 |
527 | + [It was a temporary workaround in Debian that got dropped] |
528 | + * Added changes: |
529 | + - d/rules: enable cdbs parallel build |
530 | + - d/t/test-squid.py: fix apparmor profile filename |
531 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
532 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
533 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
534 | + binary from the system, instead of the one from the source tree. |
535 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
536 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
537 | + in that architecture. |
538 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
539 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
540 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
541 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
542 | + - d/t/upstream-test-suite: drop the sed line, since patch |
543 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
544 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
545 | + |
546 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 |
547 | + |
548 | squid (4.1-1) unstable; urgency=high |
549 | |
550 | * New Upstream Release (Closes: #896120) |
551 | diff --git a/debian/control b/debian/control |
552 | index 9645a8d..a567c91 100644 |
553 | --- a/debian/control |
554 | +++ b/debian/control |
555 | @@ -1,7 +1,8 @@ |
556 | Source: squid |
557 | Section: web |
558 | Priority: optional |
559 | -Maintainer: Luigi Gangitano <luigi@debian.org> |
560 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
561 | +XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> |
562 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
563 | Homepage: http://www.squid-cache.org |
564 | Standards-Version: 4.5.0 |
565 | @@ -31,7 +32,7 @@ Build-Depends: ed, libltdl-dev, pkg-config |
566 | Package: squid |
567 | Architecture: any |
568 | Pre-Depends: adduser |
569 | -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl |
570 | +Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
571 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
572 | Recommends: libcap2-bin [linux-any], ca-certificates |
573 | Provides: squid3 |
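Review bot: The ssl-cert addition to Depends on line 570 makes it a hard dependency of every squid install, while the only use visible in this diff is the documentation note in 99-ubuntu-ssl-cert-snakeoil.patch, which offers the snakeoil certificate "for testing". Consider moving it to Recommends or Suggests, or make sure the changelog entry states why a hard dependency is needed.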
574 | diff --git a/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch b/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch |
575 | new file mode 100644 |
576 | index 0000000..8de4e08 |
577 | --- /dev/null |
578 | +++ b/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch |
579 | @@ -0,0 +1,112 @@ |
580 | +From: Sergio Durigan Junior <sergiodj@sergiodj.net> |
581 | +Date: Fri, 7 Aug 2020 00:00:30 -0400 |
582 | +Subject: WCCP: Fix GCC-10 -Wstringop-truncation failures |
583 | +MIME-Version: 1.0 |
584 | +Content-Type: text/plain; charset="utf-8" |
585 | +Content-Transfer-Encoding: 8bit |
586 | + |
587 | +When building squid using GCC10, I'm seeing a few failures related to |
588 | +the -Wstringop-truncation option: |
589 | + |
590 | +In file included from /usr/include/string.h:495, |
591 | + from ../compat/xstring.h:13, |
592 | + from ../compat/compat_shared.h:225, |
593 | + from ../compat/compat.h:87, |
594 | + from ../include/squid.h:43, |
595 | + from wccp2.cc:11: |
596 | +In function ‘char* strncpy(char*, const char*, size_t)’, |
597 | + inlined from ‘void wccp2_add_service_list(int, int, int, int, int, int*, int, char*)’ at wccp2.cc:523:12, |
598 | + inlined from ‘void parse_wccp2_service(void*)’ at wccp2.cc:2140:27: |
599 | +/usr/include/s390x-linux-gnu/bits/string_fortified.h:106:34: error: ‘char* __builtin_strncpy(char*, const char*, long unsigned int)’ output may be truncated copying 8 bytes from a string of length 8 [-Werror=stringop-truncation] |
600 | + 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); |
601 | + | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
602 | +cc1plus: all warnings being treated as errors |
603 | + |
604 | +The curious thing is that I can only trigger these failures when I |
605 | +compile on s390x. |
606 | + |
607 | +The fix here is simple and inspired by |
608 | +02fc37ca9112cd2afd7d9f3acea06c53b900453a: use xstrncpy instead of |
609 | +strncpy. I confirmed that this fixes the problem by recompiling, and |
610 | +doesn't introduce any other issues. |
611 | + |
612 | +Signed-off-by: Sergio Durigan Junior <sergiodj@debian.org> |
613 | + |
614 | +Author: Sergio Durigan Junior <sergiodj@debian.org> |
615 | +Last-Updated: 2020-08-10 |
616 | +Forwarded: https://github.com/squid-cache/squid/pull/708/ |
617 | +--- |
618 | + src/wccp2.cc | 18 ++++++++---------- |
619 | + 1 file changed, 8 insertions(+), 10 deletions(-) |
620 | + |
621 | +diff --git a/src/wccp2.cc b/src/wccp2.cc |
622 | +index 70a2796..05dfc6e 100644 |
623 | +--- a/src/wccp2.cc |
624 | ++++ b/src/wccp2.cc |
625 | +@@ -49,7 +49,7 @@ static EVH wccp2AssignBuckets; |
626 | + |
627 | + /* Useful defines */ |
628 | + #define WCCP2_NUMPORTS 8 |
629 | +-#define WCCP2_PASSWORD_LEN 8 |
630 | ++#define WCCP2_PASSWORD_LEN 8 + 1 /* + 1 for C-string NUL terminator */ |
631 | + |
632 | + /* WCCPv2 Pakcet format structures */ |
633 | + /* Defined in draft-wilson-wccp-v2-12-oct-2001.txt */ |
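Review bot: The new definition on line 630, `#define WCCP2_PASSWORD_LEN 8 + 1`, is not parenthesized, so any use inside a larger expression (a multiplication, or a subtraction such as `n - WCCP2_PASSWORD_LEN`) expands with the wrong precedence. Suggest `#define WCCP2_PASSWORD_LEN (8 + 1)`. The macro also changes meaning here, from the 8-byte password length to the 9-byte buffer size, so every user of it in wccp2.cc that is not touched by these hunks should be re-read with the new value in mind.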
634 | +@@ -451,7 +451,7 @@ struct wccp2_service_list_t { |
635 | + size_t wccp_packet_size; |
636 | + |
637 | + struct wccp2_service_list_t *next; |
638 | +- char wccp_password[WCCP2_PASSWORD_LEN + 1]; /* hold the trailing C-string NUL */ |
639 | ++ char wccp_password[WCCP2_PASSWORD_LEN]; /* hold the trailing C-string NUL */ |
640 | + uint32_t wccp2_security_type; |
641 | + }; |
642 | + |
643 | +@@ -519,8 +519,8 @@ wccp2_add_service_list(int service, int service_id, int service_priority, |
644 | + wccp2_update_service(wccp2_service_list_ptr, service, service_id, |
645 | + service_priority, service_proto, service_flags, ports); |
646 | + wccp2_service_list_ptr->wccp2_security_type = security_type; |
647 | +- memset(wccp2_service_list_ptr->wccp_password, 0, WCCP2_PASSWORD_LEN + 1); |
648 | +- strncpy(wccp2_service_list_ptr->wccp_password, password, WCCP2_PASSWORD_LEN); |
649 | ++ memset(wccp2_service_list_ptr->wccp_password, 0, WCCP2_PASSWORD_LEN); |
650 | ++ xstrncpy(wccp2_service_list_ptr->wccp_password, password, WCCP2_PASSWORD_LEN); |
651 | + /* add to linked list - XXX this should use the Squid dlink* routines! */ |
652 | + wccp2_service_list_ptr->next = wccp2_service_list_head; |
653 | + wccp2_service_list_head = wccp2_service_list_ptr; |
654 | +@@ -562,8 +562,7 @@ wccp2_update_md5_security(char *password, char *ptr, char *packet, int len) |
655 | + |
656 | + /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */ |
657 | + memset(pwd, 0, sizeof(pwd)); |
658 | +- strncpy(pwd, password, sizeof(pwd)); |
659 | +- pwd[sizeof(pwd) - 1] = '\0'; |
660 | ++ xstrncpy(pwd, password, sizeof(pwd)); |
661 | + |
662 | + ws = (struct wccp2_security_md5_t *) ptr; |
663 | + assert(ntohs(ws->security_type) == WCCP2_SECURITY_INFO); |
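Review bot: In wccp2_update_md5_security the comment above the copy still says the password field must be 8 bytes and NUL padded, but the declaration of pwd is outside the hunk; if it is sized with WCCP2_PASSWORD_LEN, it grows from 8 to 9 bytes with this patch. Please confirm that the length fed to the MD5 computation after this copy still covers exactly 8 bytes (for example `sizeof(pwd) - 1`), since otherwise the digest would no longer match what the WCCP peer computes. The same check applies to pwd in wccp2_check_security in the next hunk.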
664 | +@@ -630,8 +629,7 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac |
665 | + |
666 | + /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */ |
667 | + memset(pwd, 0, sizeof(pwd)); |
668 | +- strncpy(pwd, srv->wccp_password, sizeof(pwd)); |
669 | +- pwd[sizeof(pwd) - 1] = '\0'; |
670 | ++ xstrncpy(pwd, srv->wccp_password, sizeof(pwd)); |
671 | + |
672 | + /* Take a copy of the challenge: we need to NUL it before comparing */ |
673 | + memcpy(md5_challenge, ws->security_implementation, sizeof(md5_challenge)); |
674 | +@@ -2096,7 +2094,7 @@ parse_wccp2_service(void *) |
675 | + int service = 0; |
676 | + int service_id = 0; |
677 | + int security_type = WCCP2_NO_SECURITY; |
678 | +- char wccp_password[WCCP2_PASSWORD_LEN + 1]; |
679 | ++ char wccp_password[WCCP2_PASSWORD_LEN]; |
680 | + |
681 | + if (wccp2_connected == 1) { |
682 | + debugs(80, DBG_IMPORTANT, "WCCPv2: Somehow reparsing the configuration without having shut down WCCP! Try reloading squid again."); |
683 | +@@ -2132,7 +2130,7 @@ parse_wccp2_service(void *) |
684 | + if ((t = ConfigParser::NextToken()) != NULL) { |
685 | + if (strncmp(t, "password=", 9) == 0) { |
686 | + security_type = WCCP2_MD5_SECURITY; |
687 | +- strncpy(wccp_password, t + 9, WCCP2_PASSWORD_LEN); |
688 | ++ xstrncpy(wccp_password, t + 9, sizeof(wccp_password)); |
689 | + } |
690 | + } |
691 | + |
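Review bot: In parse_wccp2_service, `xstrncpy(wccp_password, t + 9, sizeof(wccp_password))` on line 688 truncates a `password=` value longer than the buffer allows without telling the administrator, so a too-long password in squid.conf fails only later as an authentication mismatch. Suggest comparing strlen(t + 9) against the limit and emitting a debugs() warning or a configuration error at parse time. Using sizeof here is good; the memset/xstrncpy pair in wccp2_add_service_list could use sizeof on the struct member the same way instead of repeating the macro.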
692 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch |
693 | new file mode 100644 |
694 | index 0000000..2c15c53 |
695 | --- /dev/null |
696 | +++ b/debian/patches/90-cf.data.ubuntu.patch |
697 | @@ -0,0 +1,22 @@ |
698 | +Description: Add an example refresh pattern for .debs |
699 | + |
700 | +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> |
701 | +Last-Updated: 2020-08-12 |
702 | +Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15 |
703 | + |
704 | +--- a/src/cf.data.pre |
705 | ++++ b/src/cf.data.pre |
706 | +@@ -5859,6 +5862,12 @@ NOCOMMENT_START |
707 | + refresh_pattern ^ftp: 1440 20% 10080 |
708 | + refresh_pattern ^gopher: 1440 0% 1440 |
709 | + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
710 | ++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
711 | ++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims |
712 | ++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims |
713 | ++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
714 | ++# example pattern for deb packages |
715 | ++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 |
716 | + refresh_pattern . 0 20% 4320 |
717 | + NOCOMMENT_END |
718 | + DOC_END |
719 | + |
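Review bot: The DEP-3 Description on line 698 says the patch adds an example refresh pattern for .debs, but lines 710 to 713 also add four active refresh_pattern rules (Packages/Sources, Release, InRelease, Translation-*) that change the default configuration, while only the .deb rule is commented out. Please reword the Description to cover the active rules and why they use `0 0% 0 refresh-ims`, and add an Author or Origin field, since the header currently carries only Reviewed-By.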
720 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
721 | new file mode 100644 |
722 | index 0000000..40b5306 |
723 | --- /dev/null |
724 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
725 | @@ -0,0 +1,22 @@ |
726 | +--- a/src/cf.data.pre |
727 | ++++ b/src/cf.data.pre |
728 | +@@ -3516,6 +3516,19 @@ |
729 | + reference a PEM file containing both the certificate |
730 | + and private key. |
731 | + |
732 | ++ Notes: |
733 | ++ |
734 | ++ On Debian/Ubuntu systems a default snakeoil certificate is |
735 | ++ available in /etc/ssl and users can set: |
736 | ++ |
737 | ++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem |
738 | ++ |
739 | ++ and |
740 | ++ |
741 | ++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key |
742 | ++ |
743 | ++ for testing. |
744 | ++ |
745 | + sslcipher=... The list of valid SSL ciphers to use when connecting |
746 | + to this peer. |
747 | + |
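Review bot: This patch file starts directly at `--- a/src/cf.data.pre` on line 726 and has no DEP-3 header at all, unlike the other two patches added in this merge. Please add at least Description, Author and Forwarded fields so it is clear whether this documentation note is Ubuntu-only delta or something that can be offered to Debian.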
748 | diff --git a/debian/patches/series b/debian/patches/series |
749 | index 6561436..d481df0 100644 |
750 | --- a/debian/patches/series |
751 | +++ b/debian/patches/series |
752 | @@ -3,3 +3,6 @@ |
753 | 0003-installed-binary-for-debian-ci.patch |
754 | #0004-upstream-bug5041.patch |
755 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
756 | +90-cf.data.ubuntu.patch |
757 | +99-ubuntu-ssl-cert-snakeoil.patch |
758 | +0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch |
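Review bot: 0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch is appended on line 758 after the 90- and 99- patches, so the series order no longer follows the numeric prefixes. Since 0007 is already forwarded upstream and will be dropped on a later merge, listing it with the 000x group and keeping the Ubuntu-specific 90-/99- patches at the end would make the remaining delta easier to see.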
759 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid |
760 | index bc1f987..232b59f 100644 |
761 | --- a/debian/usr.sbin.squid |
762 | +++ b/debian/usr.sbin.squid |
763 | @@ -50,6 +50,39 @@ |
764 | # squid-langpack |
765 | /usr/share/squid-langpack/** r, |
766 | |
767 | + # maas-proxy |
768 | + /var/lib/maas/maas-proxy.conf r, |
769 | + /var/log/maas/proxy/** rw, |
770 | + /var/spool/maas-proxy/ r, |
771 | + /var/spool/maas-proxy/** rwk, |
772 | + |
773 | + # squid-deb-proxy |
774 | + /etc/squid-deb-proxy/** r, |
775 | + /{,var/}run/squid-deb-proxy.pid rwk, |
776 | + /var/cache/squid-deb-proxy/ r, |
777 | + /var/cache/squid-deb-proxy/** rwk, |
778 | + /var/log/squid-deb-proxy/* rw, |
779 | + |
780 | + # squidguard |
781 | + /usr/bin/squidGuard Cx -> squidguard, |
782 | + profile squidguard { |
783 | + #include <abstractions/base> |
784 | + |
785 | + /etc/squid/squidGuard.conf r, |
786 | + /var/log/squid{,3}/squidGuard.log w, |
787 | + /var/lib/squidguard/** rw, |
788 | + |
789 | + # squidguard by default uses /var/log/squid as its logdir, however, we |
790 | + # don't want it to access squid's logs, only its own. Explicitly deny |
791 | + # access to squid's files but allow all others since the user may specify |
792 | + # anything for the squidGurad 'log' directive. |
793 | + /var/log/squid{,3}/* rw, |
794 | + audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, |
795 | + |
796 | + # Site-specific additions and overrides. See local/README for details. |
797 | + #include <local/usr.sbin.squid> |
798 | + } |
799 | + |
800 | # Site-specific additions and overrides. See local/README for details. |
801 | #include <local/usr.sbin.squid> |
802 | } |
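Review bot: The squidguard child profile pulls in `#include <local/usr.sbin.squid>` on line 797, the same local file that the parent squid profile includes on line 801, so any site-specific rule an administrator adds for squid is also granted to squidGuard. Suggest a separate local include for the child profile, or dropping the include from it. The comment on line 792 also has a typo, "squidGurad", and could state explicitly that the `audit deny` rule on line 794 takes precedence over the broader `/var/log/squid{,3}/* rw,` allow on line 793.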
grabbing this