Merge ~sergiodj/ubuntu/+source/squid:squid-merge-4.12-1 into ubuntu/+source/squid:debian/sid

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Andreas Hasenack
Approved revision: db0be8a903e911be4fa27b1fe29ad5c57590291b
Merge reported by: Sergio Durigan Junior
Merged at revision: db0be8a903e911be4fa27b1fe29ad5c57590291b
Proposed branch: ~sergiodj/ubuntu/+source/squid:squid-merge-4.12-1
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 802 lines (+688/-2)
7 files modified
debian/changelog (+493/-0)
debian/control (+3/-2)
debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch (+112/-0)
debian/patches/90-cf.data.ubuntu.patch (+22/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/series (+3/-0)
debian/usr.sbin.squid (+33/-0)
Reviewers:
  Andreas Hasenack: Approve
  Canonical Server: Pending
Review via email: mp+389025@code.launchpad.net

Description of the change

This is the merge of squid 4.12.1 from Debian.

We're still keeping some of our existing delta. I'm taking a closer look at the patches we're carrying and checking which ones can be proposed upstream or to Debian.

As for the good news, we can drop a number of local modifications:

- No need to add -Wno-format-truncation to CXXFLAGS anymore; the build works normally on ppc64el on groovy now.

- Dropped 2 patches accepted by Debian which simplify and fix the postinst script.

- Dropped 1 patch accepted by Debian which adjusts the 'test-squid.py' dep8 test.

I'm adding a patch needed to make the build pass on s390x; there's a GCC-10 FTBFS that happens there. This patch has already been proposed and accepted upstream:

  https://github.com/squid-cache/squid/pull/708/

autopkgtest is still happy:

autopkgtest [15:11:15]: @@@@@@@@@@@@@@@@@@@@ summary
upstream-test-suite PASS
squid PASS

Andreas Hasenack (ahasenack) wrote :

grabbing this

Andreas Hasenack (ahasenack) wrote :

Looks good, +1. You said you would still add a DEP3 header to d/p/90-cf.data.ubuntu.patch because you forwarded it to debian, right? Feel free to do that and commit, and then ping here when ready for sponsoring.

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, August 11 2020, Andreas Hasenack wrote:

> Looks good, +1. You said you would still add a DEP3 header to
> d/p/90-cf.data.ubuntu.patch because you forwarded it to debian, right?
> Feel free to do that and commit, and then ping here when ready for
> sponsoring.

Thanks for the review, Andreas.

I have force-pushed the branch with the DEP3 header update now, so it's
ready for sponsorship.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Andreas Hasenack (ahasenack) wrote :

Tagging and uploading db0be8a903e911be4fa27b1fe29ad5c57590291b

$ git push pkg upload/4.12-1ubuntu1
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Delta compression using up to 4 threads
Compressing objects: 100% (32/32), done.
Writing objects: 100% (36/36), 11.59 KiB | 565.00 KiB/s, done.
Total 36 (delta 25), reused 7 (delta 4)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/squid
 * [new tag] upload/4.12-1ubuntu1 -> upload/4.12-1ubuntu1

$ dput ubuntu ../squid_4.12-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../squid_4.12-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../squid_4.12-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading squid_4.12-1ubuntu1.dsc: done.
  Uploading squid_4.12.orig.tar.xz: done.
  Uploading squid_4.12-1ubuntu1.debian.tar.xz: done.
  Uploading squid_4.12-1ubuntu1_source.buildinfo: done.
  Uploading squid_4.12-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Please follow its migration.

Sergio Durigan Junior (sergiodj) wrote :

This has migrated.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 345a140..c1c8b6b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,40 @@
6+squid (4.12-1ubuntu1) groovy; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
10+ squidguard
11+ - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
12+ for debs.
13+ - Use snakeoil certificates:
14+ + d/control: add ssl-cert to dependencies
15+ + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
16+ to the default config file
17+ * Dropped changes, not needed anymore:
18+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround
19+ if building for ppc64el. On that arch, dpkg-buildflags sets -O3
20+ instead of -O2 and that triggers a format-truncation error on
21+ pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875.
22+ [ Dropped because the build now passes on ppc64el ]
23+ * Dropped changes, incorporated by Debian:
24+ - Don't restart squid by hand on postinst script
25+ + d/squid.postinst: When installing/upgrading squid, the service
26+ is being restarted manually in the postinst script, which can
27+ break installations that have the squid apparmor enabled because
28+ it will try to restart the service before reloading the apparmor
29+ profile. There is no reason to restart squid manually, since the
30+ restart will be automatically performed later.
31+ - Drop conffile check for squid < 2.7
32+ + d/squid.postinst: squid 2.7 is long, long gone, so it should be
33+ safe to drop the postinst code to make sure that
34+ /etc/squid/squid.conf was properly upgraded.
35+ - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
36+ that we now store the pidfile under '/run/squid/'.
37+ * Added changes:
38+ - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
39+ Fix GCC-10 build failure due to -Wstringop-truncation warning.
40+
41+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400
42+
43 squid (4.12-1) unstable; urgency=high
44
45 * Urgency high due to security fixes
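Review bot: In the new 4.12-1ubuntu1 entry, the first remaining-changes item reads "maas-proxy, squid-deb-proxy squidguard" with no comma after squid-deb-proxy, unlike the same item in the earlier entries. Add the comma so the three profile sections read as a list.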
46@@ -35,6 +72,63 @@ squid (4.12-1) unstable; urgency=high
47
48 -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200
49
50+squid (4.11-5ubuntu3) groovy; urgency=medium
51+
52+ * No change rebuild against new libnettle8 and libhogweed6 ABI.
53+
54+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100
55+
56+squid (4.11-5ubuntu2) groovy; urgency=medium
57+
58+ * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
59+ that we now store the pidfile under '/run/squid/'.
60+
61+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400
62+
63+squid (4.11-5ubuntu1) groovy; urgency=medium
64+
65+ * Merge with Debian unstable. Remaining changes:
66+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
67+ squidguard
68+ - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for
69+ debs.
70+ - Use snakeoil certificates:
71+ + d/control: add ssl-cert to dependencies
72+ + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
73+ default config file
74+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
75+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead
76+ of -O2 and that triggers a format-truncation error on pcon.cc. See See
77+ https://bugs.squid-cache.org/show_bug.cgi?id=4875
78+ * Dropped:
79+ - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
80+ deprecated in glibc 2.30 (LP #1843325)
81+ [ In 4.11-4 ]
82+ - SECURITY UPDATE: multiple ESI issues
83+ + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
84+ into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
85+ src/esi/Esi.h, src/esi/Expression.cc.
86+ + CVE-2019-12519
87+ [ In 4.11-4 ]
88+ - SECURITY UPDATE: Digest Authentication nonce replay issue
89+ + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
90+ overflow in src/auth/digest/Config.cc.
91+ [ In 4.11-4 ]
92+ * Added:
93+ - Don't restart squid by hand on postinst script
94+ + d/squid.postinst: When installing/upgrading squid, the service
95+ is being restarted manually in the postinst script, which can
96+ break installations that have the squid apparmor enabled because
97+ it will try to restart the service before reloading the apparmor
98+ profile. There is no reason to restart squid manually, since the
99+ restart will be automatically performed later.
100+ - Drop conffile check for squid < 2.7
101+ + d/squid.postinst: squid 2.7 is long, long gone, so it should be
102+ safe to drop the postinst code to make sure that
103+ /etc/squid/squid.conf was properly upgraded.
104+
105+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400
106+
107 squid (4.11-5) unstable; urgency=medium
108
109 [ Sergio Durigan Junior <sergiodj@debian.org> ]
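Review bot: The dropped security items in the 4.11-5ubuntu1 entry do not list every CVE id: the CVE-2019-12519_12521.patch item names only CVE-2019-12519, and the CVE-2020-11945.patch item has no CVE line at all, whereas the 4.10-1ubuntu2 entry lists CVE-2019-12519, CVE-2019-12521 and CVE-2020-11945. Anyone searching the changelog for a CVE id to confirm it is covered will miss these, so list the ids consistently in future merge entries. The d/rules item in the same entry also has a doubled "See See".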
110@@ -113,6 +207,64 @@ squid (4.11-1) unstable; urgency=high
111
112 -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200
113
114+squid (4.10-1ubuntu2) groovy; urgency=medium
115+
116+ * SECURITY UPDATE: multiple ESI issues
117+ - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
118+ into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
119+ src/esi/Esi.h, src/esi/Expression.cc.
120+ - CVE-2019-12519
121+ - CVE-2019-12521
122+ * SECURITY UPDATE: Digest Authentication nonce replay issue
123+ - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
124+ overflow in src/auth/digest/Config.cc.
125+ - CVE-2020-11945
126+
127+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400
128+
129+squid (4.10-1ubuntu1) focal; urgency=medium
130+
131+ * Merge with Debian unstable. Remaining changes:
132+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
133+ squidguard
134+ - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.
135+ - Use snakeoil certificates:
136+ + d/control: add ssl-cert to dependencies
137+ + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
138+ to the default config file
139+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
140+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
141+ -O2 and that triggers a format-truncation error on pcon.cc. See
142+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
143+ - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
144+ deprecated in glibc 2.30 (LP #1843325)
145+ * Dropped:
146+ - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
147+ no longer available in Focal (LP: #1858827)
148+ [In 4.10-1, undocumented]
149+ - d/t/test-squid.py, d/t/squid: switch to python3
150+ [In 4.10-1, undocumented]
151+ - d/t/control: depend on python3-minimal
152+ [In 4.10-1, undocumented]
153+ - SECURITY UPDATE: info disclosure via FTP server
154+ + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
155+ src/clients/FtpGateway.cc.
156+ + CVE-2019-12528
157+ [Fixed upstream]
158+ - SECURITY UPDATE: incorrect input validation and buffer management
159+ + debian/patches/CVE-2020-84xx.patch: fix request URL generation in
160+ reverse proxy configurations in src/client_side.cc.
161+ + CVE-2020-8449
162+ + CVE-2020-8450
163+ [Fixed upstream]
164+ - SECURITY UPDATE: DoS in NTLM authentication
165+ + debian/patches/CVE-2020-8517.patch: improved username handling in
166+ src/acl/external/LM_group/ext_lm_group_acl.cc.
167+ + CVE-2020-8517
168+ [Fixed upstream]
169+
170+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300
171+
172 squid (4.10-1) unstable; urgency=high
173
174 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
175@@ -134,6 +286,70 @@ squid (4.10-1) unstable; urgency=high
176
177 -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100
178
179+squid (4.9-2ubuntu4) focal; urgency=medium
180+
181+ * SECURITY UPDATE: info disclosure via FTP server
182+ - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
183+ src/clients/FtpGateway.cc.
184+ - CVE-2019-12528
185+ * SECURITY UPDATE: incorrect input validation and buffer management
186+ - debian/patches/CVE-2020-84xx.patch: fix request URL generation in
187+ reverse proxy configurations in src/client_side.cc.
188+ - CVE-2020-8449
189+ - CVE-2020-8450
190+ * SECURITY UPDATE: DoS in NTLM authentication
191+ - debian/patches/CVE-2020-8517.patch: improved username handling in
192+ src/acl/external/LM_group/ext_lm_group_acl.cc.
193+ - CVE-2020-8517
194+
195+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500
196+
197+squid (4.9-2ubuntu3) focal; urgency=medium
198+
199+ * No-change rebuild with fixed binutils on arm64.
200+
201+ -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000
202+
203+squid (4.9-2ubuntu2) focal; urgency=medium
204+
205+ * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
206+ no longer available in Focal (LP: #1858827)
207+ * d/t/test-squid.py, d/t/squid: switch to python3
208+ * d/t/control: depend on python3-minimal
209+
210+ -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300
211+
212+squid (4.9-2ubuntu1) focal; urgency=medium
213+
214+ * Merge with Debian unstable. Remaining changes:
215+ - Use snakeoil certificates.
216+ - Add an example refresh pattern for debs.
217+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
218+ squidguard
219+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
220+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
221+ -O2 and that triggers a format-truncation error on pcon.cc. See
222+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
223+ - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
224+ deprecated in glibc 2.30 (LP #1843325)
225+ * Dropped:
226+ - d/rules: Only use -latomic with the intended architectures, instead of
227+ all of them. This matches what was suggested in
228+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
229+ [Fixed upstream]
230+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
231+ dh_installchangelogs can pick it up. dh_installchangelogs handles
232+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
233+ [Fixed upstream]
234+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
235+ lib/smblib/smblib-util.c. (LP #1835831)
236+ [Fixed upstream]
237+ - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
238+ mounted
239+ [Fixed upstream]
240+
241+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300
242+
243 squid (4.9-2) unstable; urgency=medium
244
245 [ Andreas Hasenack <andreas@canonical.com> ]
246@@ -190,6 +406,73 @@ squid (4.9-1) unstable; urgency=high
247
248 -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100
249
250+squid (4.8-1ubuntu3) focal; urgency=medium
251+
252+ * No-change rebuild against libnettle7
253+
254+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000
255+
256+squid (4.8-1ubuntu2) eoan; urgency=medium
257+
258+ * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
259+ deprecated in glibc 2.30 (LP: #1843325)
260+
261+ -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300
262+
263+squid (4.8-1ubuntu1) eoan; urgency=medium
264+
265+ * Merge with Debian unstable. Remaining changes:
266+ - Use snakeoil certificates.
267+ - Add an example refresh pattern for debs.
268+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
269+ squidguard
270+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
271+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
272+ -O2 and that triggers a format-truncation error on pcon.cc. See
273+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
274+ - d/rules: Only use -latomic with the intended architectures, instead of
275+ all of them. This matches what was suggested in
276+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
277+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
278+ dh_installchangelogs can pick it up. dh_installchangelogs handles
279+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
280+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
281+ lib/smblib/smblib-util.c. (LP #1835831)
282+ * Dropped:
283+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
284+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
285+ [Fixed upstream]
286+ - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
287+ patch
288+ [Fixed upstream]
289+ - SECURITY UPDATE: incorrect digest auth parameter parsing
290+ + debian/patches/CVE-2019-12525.patch: check length in
291+ src/auth/digest/Config.cc.
292+ + CVE-2019-12525
293+ [Fixed upstream]
294+ - SECURITY UPDATE: buffer overflow in basic auth decoding
295+ + debian/patches/CVE-2019-12527.patch: switch to SBuf in
296+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
297+ src/clients/FtpGateway.cc.
298+ + CVE-2019-12527
299+ [Fixed upstream]
300+ - SECURITY UPDATE: basic auth uudecode length issue
301+ + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
302+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
303+ include/uudecode.h, lib/uudecode.c.
304+ + CVE-2019-12529
305+ [Fixed upstream]
306+ - SECURITY UPDATE: XSS issues in cachemgr.cgi
307+ + debian/patches/CVE-2019-13345.patch: properly escape values in
308+ tools/cachemgr.cc.
309+ + CVE-2019-13345
310+ [Fixed upstream]
311+ * Added:
312+ - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
313+ mounted
314+
315+ -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300
316+
317 squid (4.8-1) unstable; urgency=high
318
319 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
320@@ -208,6 +491,86 @@ squid (4.8-1) unstable; urgency=high
321
322 -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200
323
324+squid (4.6-2ubuntu4) eoan; urgency=medium
325+
326+ * Fix gcc-9 issues (LP: #1835831)
327+ - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
328+ - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
329+ lib/smblib/smblib-util.c.
330+ * SECURITY UPDATE: incorrect digest auth parameter parsing
331+ - debian/patches/CVE-2019-12525.patch: check length in
332+ src/auth/digest/Config.cc.
333+ - CVE-2019-12525
334+ * SECURITY UPDATE: buffer overflow in basic auth decoding
335+ - debian/patches/CVE-2019-12527.patch: switch to SBuf in
336+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
337+ src/clients/FtpGateway.cc.
338+ - CVE-2019-12527
339+ * SECURITY UPDATE: basic auth uudecode length issue
340+ - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
341+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
342+ include/uudecode.h, lib/uudecode.c.
343+ - CVE-2019-12529
344+ * SECURITY UPDATE: XSS issues in cachemgr.cgi
345+ - debian/patches/CVE-2019-13345.patch: properly escape values in
346+ tools/cachemgr.cc.
347+ - CVE-2019-13345
348+
349+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400
350+
351+squid (4.6-2ubuntu3) eoan; urgency=medium
352+
353+ * Override newly added gcc-9 flags:
354+ -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
355+ NOTE: Overriding those flags is a possible security
356+ asked for info on the gcc-9 issue bug tracker:
357+ https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
358+
359+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200
360+
361+squid (4.6-2ubuntu2) eoan; urgency=medium
362+
363+ * Fix gcc-9 build issues with upstream merged patch
364+
365+ -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200
366+
367+squid (4.6-2ubuntu1) eoan; urgency=medium
368+
369+ * Merge with Debian unstable. Remaining changes:
370+ - Use snakeoil certificates.
371+ - Add an example refresh pattern for debs.
372+ - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
373+ squidguard
374+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
375+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
376+ -O2 and that triggers a format-truncation error on pcon.cc. See
377+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
378+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
379+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
380+ [Added Applied-Upstream header]
381+ - d/rules: Only use -latomic with the intended architectures, instead of
382+ all of them. This matches what was suggested in
383+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
384+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
385+ dh_installchangelogs can pick it up. dh_installchangelogs handles
386+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
387+ * Dropped:
388+ - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
389+ at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006)
390+ [Fixed in 4.5-2]
391+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
392+ error in parse_time_t, triggered on ppc64el due to the build using -O3
393+ in that architecture.
394+ [Fixed upstream]
395+ - Add disabled by default AppArmor profile.
396+ [Added by Debian in 4.6-2]
397+ - d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
398+ + allow net_admin capability
399+ + add attach_disconnected flag
400+ [Fixed in 4.6-2]
401+
402+ -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300
403+
404 squid (4.6-2) unstable; urgency=high
405
406 [ Andreas Hasenack <andreas@canonical.com> ]
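Review bot: The NOTE in the 4.6-2ubuntu3 entry is cut short ("Overriding those flags is a possible security" runs straight into "asked for info on the gcc-9 issue bug tracker"), so the reason for the concern about -Wno-sizeof-pointer-memaccess and -Wno-stringop-truncation is not recorded. Since 4.6-2ubuntu4 removes both flags again, a complete sentence here would make it clear why suppressing them was treated as temporary.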
407@@ -268,6 +631,57 @@ squid (4.5-1) unstable; urgency=medium
408
409 -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100
410
411+squid (4.4-1ubuntu2) disco; urgency=medium
412+
413+ * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
414+ at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006)
415+
416+ -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300
417+
418+squid (4.4-1ubuntu1) disco; urgency=medium
419+
420+ * Merge with Debian unstable. Remaining changes:
421+ - Use snakeoil certificates.
422+ - Add an example refresh pattern for debs.
423+ - Add disabled by default AppArmor profile.
424+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
425+ error in parse_time_t, triggered on ppc64el due to the build using -O3
426+ in that architecture.
427+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
428+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
429+ -O2 and that triggers a format-truncation error on pcon.cc. See
430+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
431+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
432+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
433+ * Drop:
434+ - d/rules: enable cdbs parallel build
435+ [Fixed in 4.2-1]
436+ - d/t/test-squid.py: fix apparmor profile filename
437+ [Fixed in 4.2-1]
438+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
439+ [Fixed in 4.2-1]
440+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
441+ [Fixed in 4.2-1]
442+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
443+ binary from the system, instead of the one from the source tree.
444+ [Fixed in 4.2-1]
445+ - d/t/upstream-test-suite: drop the sed line, since patch
446+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
447+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
448+ [Fixed in 4.2-1]
449+ * Added changes:
450+ - d/rules: Only use -latomic with the intended architectures, instead of
451+ all of them. This matches what was suggested in
452+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
453+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
454+ dh_installchangelogs can pick it up. dh_installchangelogs handles
455+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
456+ - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
457+ + allow net_admin capability
458+ + add attach_disconnected flag
459+
460+ -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200
461+
462 squid (4.4-1) unstable; urgency=high
463
464 * Urgency high due to security fixes
465@@ -332,6 +746,85 @@ squid (4.2-1) unstable; urgency=high
466
467 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
468
469+squid (4.1-1ubuntu3) cosmic; urgency=medium
470+
471+ * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
472+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
473+
474+ -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300
475+
476+squid (4.1-1ubuntu2) cosmic; urgency=medium
477+
478+ * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
479+ binary (LP: #1792728)
480+
481+ -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
482+
483+squid (4.1-1ubuntu1) cosmic; urgency=medium
484+
485+ * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
486+ Remaining changes:
487+ - Use snakeoil certificates.
488+ [Updated to use the correct config setting names]
489+ - Add an example refresh pattern for debs.
490+ [Improved the refresh patterns based on the configuration from
491+ squid-deb-proxy package]
492+ - Add disabled by default AppArmor profile.
493+ [Updated to include the ssl_certs abstraction and suggestions on how to
494+ deal with the snakeoil private key and other keys in /etc/ssl.]
495+ * Dropped changes:
496+ - Add additional dep8 tests.
497+ [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
498+ - Correct attribution and add explanatory note in d/NEWS.debian.
499+ [That particular upgrade path has happened long ago.]
500+ - Drop wrong short-circuiting of various invocations; we always want to
501+ call the debhelper block.
502+ [This was for the transitional squid3 package, and that transition has
503+ already happened.]
504+ - Revert "Set pidfile for systemd's sysv-generator" from Debian.
505+ [Not needed anymore since we have a native systemd service file
506+ and no longer rely on the generator.]
507+ - Enable autoreconf. This is no longer required for the security updates,
508+ but is needed for the seddery of test-suite/Makefile.am in
509+ d/t/upstream-test-suite.
510+ [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
511+ - Adjust seddery for upstream test squid binary location.
512+ [sed no longer necessary since patch,
513+ 0003-installed-binary-for-debian-ci.patch, will be dropped
514+ entirely.]
515+ - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
516+ happened in Xenial, so no upgrade path still requires this code. This
517+ reduces upgrade ordering difficulty.
518+ [Again we have a migration, but this time from squid3 to squid, so we
519+ need this].
520+ - GCC7 FTBFS fixes (LP: #1712668):
521+ + d/rules: don't error when hitting the "deprecated" and
522+ "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
523+ but one in Format.cc that affects 32bit builds was deemed too intrusive
524+ for the 3.5 stable series and is only in squid 4.x
525+ [No longer needed with squid 4.x]
526+ - Do not force gcc-6
527+ [It was a temporary workaround in Debian that got dropped]
528+ * Added changes:
529+ - d/rules: enable cdbs parallel build
530+ - d/t/test-squid.py: fix apparmor profile filename
531+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
532+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
533+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
534+ binary from the system, instead of the one from the source tree.
535+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
536+ error in parse_time_t, triggered on ppc64el due to the build using -O3
537+ in that architecture.
538+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
539+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
540+ -O2 and that triggers a format-truncation error on pcon.cc. See
541+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
542+ - d/t/upstream-test-suite: drop the sed line, since patch
543+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
544+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
545+
546+ -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
547+
548 squid (4.1-1) unstable; urgency=high
549
550 * New Upstream Release (Closes: #896120)
551diff --git a/debian/control b/debian/control
552index 9645a8d..a567c91 100644
553--- a/debian/control
554+++ b/debian/control
555@@ -1,7 +1,8 @@
556 Source: squid
557 Section: web
558 Priority: optional
559-Maintainer: Luigi Gangitano <luigi@debian.org>
560+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
561+XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
562 Uploaders: Santiago Garcia Mantinan <manty@debian.org>
563 Homepage: http://www.squid-cache.org
564 Standards-Version: 4.5.0
565@@ -31,7 +32,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
566 Package: squid
567 Architecture: any
568 Pre-Depends: adduser
569-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
570+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
571 Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
572 Recommends: libcap2-bin [linux-any], ca-certificates
573 Provides: squid3
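Review bot: ssl-cert is added to Depends, a hard dependency, while the changelog describes the accompanying 99-ubuntu-ssl-cert-snakeoil.patch as only adding a note about ssl to the default config file. If nothing in the default configuration actually loads the snakeoil certificate, Recommends would be enough; otherwise state in the changelog why it has to be Depends, since this pulls the package onto every squid install.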
574diff --git a/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch b/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch
575new file mode 100644
576index 0000000..8de4e08
577--- /dev/null
578+++ b/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch
579@@ -0,0 +1,112 @@
580+From: Sergio Durigan Junior <sergiodj@sergiodj.net>
581+Date: Fri, 7 Aug 2020 00:00:30 -0400
582+Subject: WCCP: Fix GCC-10 -Wstringop-truncation failures
583+MIME-Version: 1.0
584+Content-Type: text/plain; charset="utf-8"
585+Content-Transfer-Encoding: 8bit
586+
587+When building squid using GCC10, I'm seeing a few failures related to
588+the -Wstringop-truncation option:
589+
590+In file included from /usr/include/string.h:495,
591+ from ../compat/xstring.h:13,
592+ from ../compat/compat_shared.h:225,
593+ from ../compat/compat.h:87,
594+ from ../include/squid.h:43,
595+ from wccp2.cc:11:
596+In function ‘char* strncpy(char*, const char*, size_t)’,
597+ inlined from ‘void wccp2_add_service_list(int, int, int, int, int, int*, int, char*)’ at wccp2.cc:523:12,
598+ inlined from ‘void parse_wccp2_service(void*)’ at wccp2.cc:2140:27:
599+/usr/include/s390x-linux-gnu/bits/string_fortified.h:106:34: error: ‘char* __builtin_strncpy(char*, const char*, long unsigned int)’ output may be truncated copying 8 bytes from a string of length 8 [-Werror=stringop-truncation]
600+ 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
601+ | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
602+cc1plus: all warnings being treated as errors
603+
604+The curious thing is that I can only trigger these failures when I
605+compile on s390x.
606+
607+The fix here is simple and inspired by
608+02fc37ca9112cd2afd7d9f3acea06c53b900453a: use xstrncpy instead of
609+strncpy. I confirmed that this fixes the problem by recompiling, and
610+doesn't introduce any other issues.
611+
612+Signed-off-by: Sergio Durigan Junior <sergiodj@debian.org>
613+
614+Author: Sergio Durigan Junior <sergiodj@debian.org>
615+Last-Updated: 2020-08-10
616+Forwarded: https://github.com/squid-cache/squid/pull/708/
617+---
618+ src/wccp2.cc | 18 ++++++++----------
619+ 1 file changed, 8 insertions(+), 10 deletions(-)
620+
621+diff --git a/src/wccp2.cc b/src/wccp2.cc
622+index 70a2796..05dfc6e 100644
623+--- a/src/wccp2.cc
624++++ b/src/wccp2.cc
625+@@ -49,7 +49,7 @@ static EVH wccp2AssignBuckets;
626+
627+ /* Useful defines */
628+ #define WCCP2_NUMPORTS 8
629+-#define WCCP2_PASSWORD_LEN 8
630++#define WCCP2_PASSWORD_LEN 8 + 1 /* + 1 for C-string NUL terminator */
631+
632+ /* WCCPv2 Pakcet format structures */
633+ /* Defined in draft-wilson-wccp-v2-12-oct-2001.txt */
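Review bot: the new `WCCP2_PASSWORD_LEN` definition on 630 expands to the bare expression `8 + 1`, so any use inside arithmetic mis-expands (`2 * WCCP2_PASSWORD_LEN` becomes `2 * 8 + 1`). The uses changed in this patch are array bounds and length arguments, where the expansion happens to be safe, but the macro should be written `(8 + 1)`. The name also now denotes a buffer size rather than the 8-byte password length, so every use of the macro that this patch does not touch should be rechecked against the changed value.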
634+@@ -451,7 +451,7 @@ struct wccp2_service_list_t {
635+ size_t wccp_packet_size;
636+
637+ struct wccp2_service_list_t *next;
638+- char wccp_password[WCCP2_PASSWORD_LEN + 1]; /* hold the trailing C-string NUL */
639++ char wccp_password[WCCP2_PASSWORD_LEN]; /* hold the trailing C-string NUL */
640+ uint32_t wccp2_security_type;
641+ };
642+
643+@@ -519,8 +519,8 @@ wccp2_add_service_list(int service, int service_id, int service_priority,
644+ wccp2_update_service(wccp2_service_list_ptr, service, service_id,
645+ service_priority, service_proto, service_flags, ports);
646+ wccp2_service_list_ptr->wccp2_security_type = security_type;
647+- memset(wccp2_service_list_ptr->wccp_password, 0, WCCP2_PASSWORD_LEN + 1);
648+- strncpy(wccp2_service_list_ptr->wccp_password, password, WCCP2_PASSWORD_LEN);
649++ memset(wccp2_service_list_ptr->wccp_password, 0, WCCP2_PASSWORD_LEN);
650++ xstrncpy(wccp2_service_list_ptr->wccp_password, password, WCCP2_PASSWORD_LEN);
651+ /* add to linked list - XXX this should use the Squid dlink* routines! */
652+ wccp2_service_list_ptr->next = wccp2_service_list_head;
653+ wccp2_service_list_head = wccp2_service_list_ptr;
654+@@ -562,8 +562,7 @@ wccp2_update_md5_security(char *password, char *ptr, char *packet, int len)
655+
656+ /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */
657+ memset(pwd, 0, sizeof(pwd));
658+- strncpy(pwd, password, sizeof(pwd));
659+- pwd[sizeof(pwd) - 1] = '\0';
660++ xstrncpy(pwd, password, sizeof(pwd));
661+
662+ ws = (struct wccp2_security_md5_t *) ptr;
663+ assert(ntohs(ws->security_type) == WCCP2_SECURITY_INFO);
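Review bot: `pwd` is declared outside this hunk, and the comment on 656 requires the MD5 password field to be 8 bytes, NUL padded. `xstrncpy(pwd, password, sizeof(pwd))` copies at most `sizeof(pwd) - 1` characters, so all 8 password bytes survive only if `pwd` is 9 bytes, and in that case the length fed to the hash must still be 8 rather than `sizeof(pwd)`. Please confirm the declaration and the length passed to the MD5 update, here and for the matching copy in `wccp2_check_security`, since a 9-byte hash input would not match the field size the comment describes.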
664+@@ -630,8 +629,7 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac
665+
666+ /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */
667+ memset(pwd, 0, sizeof(pwd));
668+- strncpy(pwd, srv->wccp_password, sizeof(pwd));
669+- pwd[sizeof(pwd) - 1] = '\0';
670++ xstrncpy(pwd, srv->wccp_password, sizeof(pwd));
671+
672+ /* Take a copy of the challenge: we need to NUL it before comparing */
673+ memcpy(md5_challenge, ws->security_implementation, sizeof(md5_challenge));
674+@@ -2096,7 +2094,7 @@ parse_wccp2_service(void *)
675+ int service = 0;
676+ int service_id = 0;
677+ int security_type = WCCP2_NO_SECURITY;
678+- char wccp_password[WCCP2_PASSWORD_LEN + 1];
679++ char wccp_password[WCCP2_PASSWORD_LEN];
680+
681+ if (wccp2_connected == 1) {
682+ debugs(80, DBG_IMPORTANT, "WCCPv2: Somehow reparsing the configuration without having shut down WCCP! Try reloading squid again.");
683+@@ -2132,7 +2130,7 @@ parse_wccp2_service(void *)
684+ if ((t = ConfigParser::NextToken()) != NULL) {
685+ if (strncmp(t, "password=", 9) == 0) {
686+ security_type = WCCP2_MD5_SECURITY;
687+- strncpy(wccp_password, t + 9, WCCP2_PASSWORD_LEN);
688++ xstrncpy(wccp_password, t + 9, sizeof(wccp_password));
689+ }
690+ }
691+
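Review bot: `xstrncpy(wccp_password, t + 9, sizeof(wccp_password))` on 688 silently drops everything past the eighth character of the configured `password=` value, so an administrator who sets a longer password gets a different effective secret with no indication. Comparing `strlen(t + 9)` against the limit before the copy and emitting a `debugs()` warning, or rejecting the directive, would make the truncation visible at configuration time.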
692diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
693new file mode 100644
694index 0000000..2c15c53
695--- /dev/null
696+++ b/debian/patches/90-cf.data.ubuntu.patch
697@@ -0,0 +1,22 @@
698+Description: Add an example refresh pattern for .debs
699+
700+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
701+Last-Updated: 2020-08-12
702+Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15
703+
704+--- a/src/cf.data.pre
705++++ b/src/cf.data.pre
706+@@ -5859,6 +5862,12 @@ NOCOMMENT_START
707+ refresh_pattern ^ftp: 1440 20% 10080
708+ refresh_pattern ^gopher: 1440 0% 1440
709+ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
710++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
711++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
712++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
713++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
714++# example pattern for deb packages
715++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
716+ refresh_pattern . 0 20% 4320
717+ NOCOMMENT_END
718+ DOC_END
719+
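Review bot: the `Description:` says the patch adds an example refresh pattern for .debs, but the only .deb line (715) is commented out, while four active `refresh_pattern` rules with `refresh-ims` for Packages/Sources, Release, InRelease and Translation files are added to the default configuration. The header should describe those rules and why they are wanted, and carry an `Author:` or `Origin:` field. The inner hunk header `@@ -5859,6 +5862,12 @@` also has old and new start lines three apart in a patch that contains a single hunk, which suggests it was edited by hand or lost an earlier hunk; refreshing the patch would make it apply cleanly.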
720diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
721new file mode 100644
722index 0000000..40b5306
723--- /dev/null
724+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
725@@ -0,0 +1,22 @@
726+--- a/src/cf.data.pre
727++++ b/src/cf.data.pre
728+@@ -3516,6 +3516,19 @@
729+ reference a PEM file containing both the certificate
730+ and private key.
731+
732++ Notes:
733++
734++ On Debian/Ubuntu systems a default snakeoil certificate is
735++ available in /etc/ssl and users can set:
736++
737++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
738++
739++ and
740++
741++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
742++
743++ for testing.
744++
745+ sslcipher=... The list of valid SSL ciphers to use when connecting
746+ to this peer.
747+
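Review bot: this patch has no DEP-3 header at all (no `Description:`, `Author:` or `Forwarded:`), unlike the other two patches added in this merge, which makes it harder to track whether the delta can be dropped or sent to Debian. Please add one. In the added text, "for testing" on 743 is easy to miss; stating outright that the snakeoil certificate is self-signed and has to be replaced with a properly issued one outside of testing would be clearer.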
748diff --git a/debian/patches/series b/debian/patches/series
749index 6561436..d481df0 100644
750--- a/debian/patches/series
751+++ b/debian/patches/series
752@@ -3,3 +3,6 @@
753 0003-installed-binary-for-debian-ci.patch
754 #0004-upstream-bug5041.patch
755 0005-Use-RuntimeDirectory-to-create-run-squid.patch
756+90-cf.data.ubuntu.patch
757+99-ubuntu-ssl-cert-snakeoil.patch
758+0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch
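Review bot: `0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch` is appended after the `90-` and `99-` entries, so the apply order no longer follows the numbering. 0007 touches src/wccp2.cc while the other two touch src/cf.data.pre, so nothing breaks, but moving the 0007 line up next to 0005 keeps the forwarded fix with the numbered patches and the Ubuntu-only delta last, which makes the next merge easier to read.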
759diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
760index bc1f987..232b59f 100644
761--- a/debian/usr.sbin.squid
762+++ b/debian/usr.sbin.squid
763@@ -50,6 +50,39 @@
764 # squid-langpack
765 /usr/share/squid-langpack/** r,
766
767+ # maas-proxy
768+ /var/lib/maas/maas-proxy.conf r,
769+ /var/log/maas/proxy/** rw,
770+ /var/spool/maas-proxy/ r,
771+ /var/spool/maas-proxy/** rwk,
772+
773+ # squid-deb-proxy
774+ /etc/squid-deb-proxy/** r,
775+ /{,var/}run/squid-deb-proxy.pid rwk,
776+ /var/cache/squid-deb-proxy/ r,
777+ /var/cache/squid-deb-proxy/** rwk,
778+ /var/log/squid-deb-proxy/* rw,
779+
780+ # squidguard
781+ /usr/bin/squidGuard Cx -> squidguard,
782+ profile squidguard {
783+ #include <abstractions/base>
784+
785+ /etc/squid/squidGuard.conf r,
786+ /var/log/squid{,3}/squidGuard.log w,
787+ /var/lib/squidguard/** rw,
788+
789+ # squidguard by default uses /var/log/squid as its logdir, however, we
790+ # don't want it to access squid's logs, only its own. Explicitly deny
791+ # access to squid's files but allow all others since the user may specify
792+ # anything for the squidGurad 'log' directive.
793+ /var/log/squid{,3}/* rw,
794+ audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
795+
796+ # Site-specific additions and overrides. See local/README for details.
797+ #include <local/usr.sbin.squid>
798+ }
799+
800 # Site-specific additions and overrides. See local/README for details.
801 #include <local/usr.sbin.squid>
802 }
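Review bot: the `squidguard` child profile ends with `#include <local/usr.sbin.squid>` (797), the same local file the parent profile includes on 801, so any site-specific rule an administrator adds for squid is also granted to squidGuard. A separate local include for the child profile, or none, keeps the helper confined to what it needs. In the same block, `audit deny` on 794 covers only the `access`, `cache` and `store` logs, while `/var/log/squid{,3}/* rw,` leaves every other file in squid's log directory writable by squidGuard, which matters where `access_log` is given a custom file name. The comment on 792 misspells squidGuard as "squidGurad".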
