Merge ~sergiodj/ubuntu/+source/squid:squid-merge-4.12-1 into ubuntu/+source/squid:debian/sid
Status: | Merged |
---|---|
Approved by: | Andreas Hasenack |
Approved revision: | db0be8a903e911be4fa27b1fe29ad5c57590291b |
Merge reported by: | Sergio Durigan Junior |
Merged at revision: | db0be8a903e911be4fa27b1fe29ad5c57590291b |
Proposed branch: | ~sergiodj/ubuntu/+source/squid:squid-merge-4.12-1 |
Merge into: | ubuntu/+source/squid:debian/sid |
Diff against target: | 802 lines (+688/-2), 7 files modified: debian/changelog (+493/-0), debian/control (+3/-2), debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch (+112/-0), debian/patches/90-cf.data.ubuntu.patch (+22/-0), debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0), debian/patches/series (+3/-0), debian/usr.sbin.squid (+33/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+389025@code.launchpad.net |
Commit message
Description of the change
This is the merge of squid 4.12.1 from Debian.
We're still keeping some of our existing delta. I'm taking a closer look at the patches we're carrying and checking which ones can be proposed upstream or to Debian.
As for the good news, we can drop a number of local modifications:
- No need to add -Wno-format-
- Dropped 2 patches accepted by Debian which simplify and fix the postinst script.
- Dropped 1 patch accepted by Debian which adjusts the 'test-squid.py' dep8 test.
I'm adding a patch needed to make the build pass on s390x; there's a GCC-10 FTBFS that happens there. This patch has already been proposed and accepted upstream:
https:/
autopkgtest is still happy:
autopkgtest [15:11:15]: @@@@@@@
upstream-test-suite PASS
squid PASS
Andreas Hasenack (ahasenack) wrote : | # |
Looks good, +1. You said you would still add a DEP3 header to d/p/90-
Sergio Durigan Junior (sergiodj) wrote : | # |
On Tuesday, August 11 2020, Andreas Hasenack wrote:
> Looks good, +1. You said you would still add a DEP3 header to
> d/p/90-
> Feel free to do that and commit, and then ping here when ready for
> sponsoring.
Thanks for the review, Andreas.
I have force-pushed the branch with the DEP3 header update now, so it's
ready for sponsorship.
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
Andreas Hasenack (ahasenack) wrote : | # |
Tagging and uploading db0be8a903e911b
$ git push pkg upload/
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Delta compression using up to 4 threads
Compressing objects: 100% (32/32), done.
Writing objects: 100% (36/36), 11.59 KiB | 565.00 KiB/s, done.
Total 36 (delta 25), reused 7 (delta 4)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../squid_
Checking signature on .changes
gpg: ../squid_
Checking signature on .dsc
gpg: ../squid_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Successfully uploaded packages.
Please follow its migration.
Sergio Durigan Junior (sergiodj) wrote : | # |
This has migrated.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index 345a140..c1c8b6b 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,40 @@ | |||
6 | 1 | squid (4.12-1ubuntu1) groovy; urgency=medium | ||
7 | 2 | |||
8 | 3 | * Merge with Debian unstable. Remaining changes: | ||
9 | 4 | - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy | ||
10 | 5 | squidguard | ||
11 | 6 | - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern | ||
12 | 7 | for debs. | ||
13 | 8 | - Use snakeoil certificates: | ||
14 | 9 | + d/control: add ssl-cert to dependencies | ||
15 | 10 | + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl | ||
16 | 11 | to the default config file | ||
17 | 12 | * Dropped changes, not needed anymore: | ||
18 | 13 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround | ||
19 | 14 | if building for ppc64el. On that arch, dpkg-buildflags sets -O3 | ||
20 | 15 | instead of -O2 and that triggers a format-truncation error on | ||
21 | 16 | pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875. | ||
22 | 17 | [ Dropped because the build now passes on ppc64el ] | ||
23 | 18 | * Dropped changes, incorporated by Debian: | ||
24 | 19 | - Don't restart squid by hand on postinst script | ||
25 | 20 | + d/squid.postinst: When installing/upgrading squid, the service | ||
26 | 21 | is being restarted manually in the postinst script, which can | ||
27 | 22 | break installations that have the squid apparmor enabled because | ||
28 | 23 | it will try to restart the service before reloading the apparmor | ||
29 | 24 | profile. There is no reason to restart squid manually, since the | ||
30 | 25 | restart will be automatically performed later. | ||
31 | 26 | - Drop conffile check for squid < 2.7 | ||
32 | 27 | + d/squid.postinst: squid 2.7 is long, long gone, so it should be | ||
33 | 28 | safe to drop the postinst code to make sure that | ||
34 | 29 | /etc/squid/squid.conf was properly upgraded. | ||
35 | 30 | - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact | ||
36 | 31 | that we now store the pidfile under '/run/squid/'. | ||
37 | 32 | * Added changes: | ||
38 | 33 | - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: | ||
39 | 34 | Fix GCC-10 build failure due to -Wstringop-truncation warning. | ||
40 | 35 | |||
41 | 36 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400 | ||
42 | 37 | |||
43 | 1 | squid (4.12-1) unstable; urgency=high | 38 | squid (4.12-1) unstable; urgency=high |
44 | 2 | 39 | ||
45 | 3 | * Urgency high due to security fixes | 40 | * Urgency high due to security fixes |
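Review bot: In the new 4.12-1ubuntu1 entry, the first remaining-changes item reads "maas-proxy, squid-deb-proxy" and then continues with "squidguard" on the next line, so the comma that the 4.11-5ubuntu1 entry has after "squid-deb-proxy" is lost and the last two sections read as one name. Please restore the comma. The entry is also marked urgency=medium while the Debian 4.12-1 upload being merged is urgency=high "due to security fixes"; a line in the Ubuntu entry saying that the merge picks up those fixes would help anyone auditing the changelog for security-relevant uploads.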
46 | @@ -35,6 +72,63 @@ squid (4.12-1) unstable; urgency=high | |||
47 | 35 | 72 | ||
48 | 36 | -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200 | 73 | -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200 |
49 | 37 | 74 | ||
50 | 75 | squid (4.11-5ubuntu3) groovy; urgency=medium | ||
51 | 76 | |||
52 | 77 | * No change rebuild against new libnettle8 and libhogweed6 ABI. | ||
53 | 78 | |||
54 | 79 | -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100 | ||
55 | 80 | |||
56 | 81 | squid (4.11-5ubuntu2) groovy; urgency=medium | ||
57 | 82 | |||
58 | 83 | * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact | ||
59 | 84 | that we now store the pidfile under '/run/squid/'. | ||
60 | 85 | |||
61 | 86 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400 | ||
62 | 87 | |||
63 | 88 | squid (4.11-5ubuntu1) groovy; urgency=medium | ||
64 | 89 | |||
65 | 90 | * Merge with Debian unstable. Remaining changes: | ||
66 | 91 | - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, | ||
67 | 92 | squidguard | ||
68 | 93 | - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for | ||
69 | 94 | debs. | ||
70 | 95 | - Use snakeoil certificates: | ||
71 | 96 | + d/control: add ssl-cert to dependencies | ||
72 | 97 | + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the | ||
73 | 98 | default config file | ||
74 | 99 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
75 | 100 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead | ||
76 | 101 | of -O2 and that triggers a format-truncation error on pcon.cc. See See | ||
77 | 102 | https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
78 | 103 | * Dropped: | ||
79 | 104 | - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was | ||
80 | 105 | deprecated in glibc 2.30 (LP #1843325) | ||
81 | 106 | [ In 4.11-4 ] | ||
82 | 107 | - SECURITY UPDATE: multiple ESI issues | ||
83 | 108 | + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions | ||
84 | 109 | into 500 status response in src/esi/Context.h, src/esi/Esi.cc, | ||
85 | 110 | src/esi/Esi.h, src/esi/Expression.cc. | ||
86 | 111 | + CVE-2019-12519 | ||
87 | 112 | [ In 4.11-4 ] | ||
88 | 113 | - SECURITY UPDATE: Digest Authentication nonce replay issue | ||
89 | 114 | + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer | ||
90 | 115 | overflow in src/auth/digest/Config.cc. | ||
91 | 116 | [ In 4.11-4 ] | ||
92 | 117 | * Added: | ||
93 | 118 | - Don't restart squid by hand on postinst script | ||
94 | 119 | + d/squid.postinst: When installing/upgrading squid, the service | ||
95 | 120 | is being restarted manually in the postinst script, which can | ||
96 | 121 | break installations that have the squid apparmor enabled because | ||
97 | 122 | it will try to restart the service before reloading the apparmor | ||
98 | 123 | profile. There is no reason to restart squid manually, since the | ||
99 | 124 | restart will be automatically performed later. | ||
100 | 125 | - Drop conffile check for squid < 2.7 | ||
101 | 126 | + d/squid.postinst: squid 2.7 is long, long gone, so it should be | ||
102 | 127 | safe to drop the postinst code to make sure that | ||
103 | 128 | /etc/squid/squid.conf was properly upgraded. | ||
104 | 129 | |||
105 | 130 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400 | ||
106 | 131 | |||
107 | 38 | squid (4.11-5) unstable; urgency=medium | 132 | squid (4.11-5) unstable; urgency=medium |
108 | 39 | 133 | ||
109 | 40 | [ Sergio Durigan Junior <sergiodj@debian.org> ] | 134 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
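Review bot: The "Dropped" list of the 4.11-5ubuntu1 entry loses CVE ids: the ESI item names the patch CVE-2019-12519_12521.patch but lists only "+ CVE-2019-12519", and the Digest Authentication item has no "+ CVE-2020-11945" line, whereas the 4.10-1ubuntu2 entry lists CVE-2019-12519, CVE-2019-12521 and CVE-2020-11945. Anyone searching this entry for a CVE id will not find that the fixes for CVE-2019-12521 and CVE-2020-11945 are recorded as being in 4.11-4, so both ids should be added to the dropped items. Minor: the d/rules item in the same entry has a doubled "See See" before the bug URL.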
110 | @@ -113,6 +207,64 @@ squid (4.11-1) unstable; urgency=high | |||
111 | 113 | 207 | ||
112 | 114 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 | 208 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 |
113 | 115 | 209 | ||
114 | 210 | squid (4.10-1ubuntu2) groovy; urgency=medium | ||
115 | 211 | |||
116 | 212 | * SECURITY UPDATE: multiple ESI issues | ||
117 | 213 | - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions | ||
118 | 214 | into 500 status response in src/esi/Context.h, src/esi/Esi.cc, | ||
119 | 215 | src/esi/Esi.h, src/esi/Expression.cc. | ||
120 | 216 | - CVE-2019-12519 | ||
121 | 217 | - CVE-2019-12521 | ||
122 | 218 | * SECURITY UPDATE: Digest Authentication nonce replay issue | ||
123 | 219 | - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer | ||
124 | 220 | overflow in src/auth/digest/Config.cc. | ||
125 | 221 | - CVE-2020-11945 | ||
126 | 222 | |||
127 | 223 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400 | ||
128 | 224 | |||
129 | 225 | squid (4.10-1ubuntu1) focal; urgency=medium | ||
130 | 226 | |||
131 | 227 | * Merge with Debian unstable. Remaining changes: | ||
132 | 228 | - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, | ||
133 | 229 | squidguard | ||
134 | 230 | - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. | ||
135 | 231 | - Use snakeoil certificates: | ||
136 | 232 | + d/control: add ssl-cert to dependencies | ||
137 | 233 | + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl | ||
138 | 234 | to the default config file | ||
139 | 235 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
140 | 236 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of | ||
141 | 237 | -O2 and that triggers a format-truncation error on pcon.cc. See | ||
142 | 238 | See https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
143 | 239 | - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was | ||
144 | 240 | deprecated in glibc 2.30 (LP #1843325) | ||
145 | 241 | * Dropped: | ||
146 | 242 | - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is | ||
147 | 243 | no longer available in Focal (LP: #1858827) | ||
148 | 244 | [In 4.10-1, undocumented] | ||
149 | 245 | - d/t/test-squid.py, d/t/squid: switch to python3 | ||
150 | 246 | [In 4.10-1, undocumented] | ||
151 | 247 | - d/t/control: depend on python3-minimal | ||
152 | 248 | [In 4.10-1, undocumented] | ||
153 | 249 | - SECURITY UPDATE: info disclosure via FTP server | ||
154 | 250 | + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in | ||
155 | 251 | src/clients/FtpGateway.cc. | ||
156 | 252 | + CVE-2019-12528 | ||
157 | 253 | [Fixed upstream] | ||
158 | 254 | - SECURITY UPDATE: incorrect input validation and buffer management | ||
159 | 255 | + debian/patches/CVE-2020-84xx.patch: fix request URL generation in | ||
160 | 256 | reverse proxy configurations in src/client_side.cc. | ||
161 | 257 | + CVE-2020-8449 | ||
162 | 258 | + CVE-2020-8450 | ||
163 | 259 | [Fixed upstream] | ||
164 | 260 | - SECURITY UPDATE: DoS in NTLM authentication | ||
165 | 261 | + debian/patches/CVE-2020-8517.patch: improved username handling in | ||
166 | 262 | src/acl/external/LM_group/ext_lm_group_acl.cc. | ||
167 | 263 | + CVE-2020-8517 | ||
168 | 264 | [Fixed upstream] | ||
169 | 265 | |||
170 | 266 | -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300 | ||
171 | 267 | |||
172 | 116 | squid (4.10-1) unstable; urgency=high | 268 | squid (4.10-1) unstable; urgency=high |
173 | 117 | 269 | ||
174 | 118 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] | 270 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
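Review bot: In the 4.10-1ubuntu1 entry the d/rules item ends one line with "See" and starts the next with "See https://bugs.squid-cache.org/show_bug.cgi?id=4875", so the word is doubled; drop one of them. The same entry also mixes "(LP #1843325)" with "(LP: #1858827)"; since the latter sits in the Dropped list and refers to a change that is no longer carried, the colon-less form used on the other line would be the consistent choice.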
175 | @@ -134,6 +286,70 @@ squid (4.10-1) unstable; urgency=high | |||
176 | 134 | 286 | ||
177 | 135 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 | 287 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 |
178 | 136 | 288 | ||
179 | 289 | squid (4.9-2ubuntu4) focal; urgency=medium | ||
180 | 290 | |||
181 | 291 | * SECURITY UPDATE: info disclosure via FTP server | ||
182 | 292 | - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in | ||
183 | 293 | src/clients/FtpGateway.cc. | ||
184 | 294 | - CVE-2019-12528 | ||
185 | 295 | * SECURITY UPDATE: incorrect input validation and buffer management | ||
186 | 296 | - debian/patches/CVE-2020-84xx.patch: fix request URL generation in | ||
187 | 297 | reverse proxy configurations in src/client_side.cc. | ||
188 | 298 | - CVE-2020-8449 | ||
189 | 299 | - CVE-2020-8450 | ||
190 | 300 | * SECURITY UPDATE: DoS in NTLM authentication | ||
191 | 301 | - debian/patches/CVE-2020-8517.patch: improved username handling in | ||
192 | 302 | src/acl/external/LM_group/ext_lm_group_acl.cc. | ||
193 | 303 | - CVE-2020-8517 | ||
194 | 304 | |||
195 | 305 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500 | ||
196 | 306 | |||
197 | 307 | squid (4.9-2ubuntu3) focal; urgency=medium | ||
198 | 308 | |||
199 | 309 | * No-change rebuild with fixed binutils on arm64. | ||
200 | 310 | |||
201 | 311 | -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000 | ||
202 | 312 | |||
203 | 313 | squid (4.9-2ubuntu2) focal; urgency=medium | ||
204 | 314 | |||
205 | 315 | * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is | ||
206 | 316 | no longer available in Focal (LP: #1858827) | ||
207 | 317 | * d/t/test-squid.py, d/t/squid: switch to python3 | ||
208 | 318 | * d/t/control: depend on python3-minimal | ||
209 | 319 | |||
210 | 320 | -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300 | ||
211 | 321 | |||
212 | 322 | squid (4.9-2ubuntu1) focal; urgency=medium | ||
213 | 323 | |||
214 | 324 | * Merge with Debian unstable. Remaining changes: | ||
215 | 325 | - Use snakeoil certificates. | ||
216 | 326 | - Add an example refresh pattern for debs. | ||
217 | 327 | - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, | ||
218 | 328 | squidguard | ||
219 | 329 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
220 | 330 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of | ||
221 | 331 | -O2 and that triggers a format-truncation error on pcon.cc. See | ||
222 | 332 | See https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
223 | 333 | - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was | ||
224 | 334 | deprecated in glibc 2.30 (LP #1843325) | ||
225 | 335 | * Dropped: | ||
226 | 336 | - d/rules: Only use -latomic with the intended architectures, instead of | ||
227 | 337 | all of them. This matches what was suggested in | ||
228 | 338 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 | ||
229 | 339 | [Fixed upstream] | ||
230 | 340 | - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that | ||
231 | 341 | dh_installchangelogs can pick it up. dh_installchangelogs handles | ||
232 | 342 | d/NEWS or d/<package>.NEWS, but not NEWS.debian. | ||
233 | 343 | [Fixed upstream] | ||
234 | 344 | - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in | ||
235 | 345 | lib/smblib/smblib-util.c. (LP #1835831) | ||
236 | 346 | [Fixed upstream] | ||
237 | 347 | - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't | ||
238 | 348 | mounted | ||
239 | 349 | [Fixed upstream] | ||
240 | 350 | |||
241 | 351 | -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300 | ||
242 | 352 | |||
243 | 137 | squid (4.9-2) unstable; urgency=medium | 353 | squid (4.9-2) unstable; urgency=medium |
244 | 138 | 354 | ||
245 | 139 | [ Andreas Hasenack <andreas@canonical.com> ] | 355 | [ Andreas Hasenack <andreas@canonical.com> ] |
246 | @@ -190,6 +406,73 @@ squid (4.9-1) unstable; urgency=high | |||
247 | 190 | 406 | ||
248 | 191 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 | 407 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 |
249 | 192 | 408 | ||
250 | 409 | squid (4.8-1ubuntu3) focal; urgency=medium | ||
251 | 410 | |||
252 | 411 | * No-change rebuild against libnettle7 | ||
253 | 412 | |||
254 | 413 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000 | ||
255 | 414 | |||
256 | 415 | squid (4.8-1ubuntu2) eoan; urgency=medium | ||
257 | 416 | |||
258 | 417 | * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was | ||
259 | 418 | deprecated in glibc 2.30 (LP: #1843325) | ||
260 | 419 | |||
261 | 420 | -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300 | ||
262 | 421 | |||
263 | 422 | squid (4.8-1ubuntu1) eoan; urgency=medium | ||
264 | 423 | |||
265 | 424 | * Merge with Debian unstable. Remaining changes: | ||
266 | 425 | - Use snakeoil certificates. | ||
267 | 426 | - Add an example refresh pattern for debs. | ||
268 | 427 | - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, | ||
269 | 428 | squidguard | ||
270 | 429 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
271 | 430 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of | ||
272 | 431 | -O2 and that triggers a format-truncation error on pcon.cc. See | ||
273 | 432 | See https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
274 | 433 | - d/rules: Only use -latomic with the intended architectures, instead of | ||
275 | 434 | all of them. This matches what was suggested in | ||
276 | 435 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 | ||
277 | 436 | - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that | ||
278 | 437 | dh_installchangelogs can pick it up. dh_installchangelogs handles | ||
279 | 438 | d/NEWS or d/<package>.NEWS, but not NEWS.debian. | ||
280 | 439 | - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in | ||
281 | 440 | lib/smblib/smblib-util.c. (LP #1835831) | ||
282 | 441 | * Dropped: | ||
283 | 442 | - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. | ||
284 | 443 | Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) | ||
285 | 444 | [Fixed upstream] | ||
286 | 445 | - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged | ||
287 | 446 | patch | ||
288 | 447 | [Fixed upstream] | ||
289 | 448 | - SECURITY UPDATE: incorrect digest auth parameter parsing | ||
290 | 449 | + debian/patches/CVE-2019-12525.patch: check length in | ||
291 | 450 | src/auth/digest/Config.cc. | ||
292 | 451 | + CVE-2019-12525 | ||
293 | 452 | [Fixed upstream] | ||
294 | 453 | - SECURITY UPDATE: buffer overflow in basic auth decoding | ||
295 | 454 | + debian/patches/CVE-2019-12527.patch: switch to SBuf in | ||
296 | 455 | src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, | ||
297 | 456 | src/clients/FtpGateway.cc. | ||
298 | 457 | + CVE-2019-12527 | ||
299 | 458 | [Fixed upstream] | ||
300 | 459 | - SECURITY UPDATE: basic auth uudecode length issue | ||
301 | 460 | + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle | ||
302 | 461 | base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, | ||
303 | 462 | include/uudecode.h, lib/uudecode.c. | ||
304 | 463 | + CVE-2019-12529 | ||
305 | 464 | [Fixed upstream] | ||
306 | 465 | - SECURITY UPDATE: XSS issues in cachemgr.cgi | ||
307 | 466 | + debian/patches/CVE-2019-13345.patch: properly escape values in | ||
308 | 467 | tools/cachemgr.cc. | ||
309 | 468 | + CVE-2019-13345 | ||
310 | 469 | [Fixed upstream] | ||
311 | 470 | * Added: | ||
312 | 471 | - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't | ||
313 | 472 | mounted | ||
314 | 473 | |||
315 | 474 | -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 | ||
316 | 475 | |||
317 | 193 | squid (4.8-1) unstable; urgency=high | 476 | squid (4.8-1) unstable; urgency=high |
318 | 194 | 477 | ||
319 | 195 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] | 478 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
320 | @@ -208,6 +491,86 @@ squid (4.8-1) unstable; urgency=high | |||
321 | 208 | 491 | ||
322 | 209 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 | 492 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
323 | 210 | 493 | ||
324 | 494 | squid (4.6-2ubuntu4) eoan; urgency=medium | ||
325 | 495 | |||
326 | 496 | * Fix gcc-9 issues (LP: #1835831) | ||
327 | 497 | - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation | ||
328 | 498 | - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in | ||
329 | 499 | lib/smblib/smblib-util.c. | ||
330 | 500 | * SECURITY UPDATE: incorrect digest auth parameter parsing | ||
331 | 501 | - debian/patches/CVE-2019-12525.patch: check length in | ||
332 | 502 | src/auth/digest/Config.cc. | ||
333 | 503 | - CVE-2019-12525 | ||
334 | 504 | * SECURITY UPDATE: buffer overflow in basic auth decoding | ||
335 | 505 | - debian/patches/CVE-2019-12527.patch: switch to SBuf in | ||
336 | 506 | src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, | ||
337 | 507 | src/clients/FtpGateway.cc. | ||
338 | 508 | - CVE-2019-12527 | ||
339 | 509 | * SECURITY UPDATE: basic auth uudecode length issue | ||
340 | 510 | - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle | ||
341 | 511 | base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, | ||
342 | 512 | include/uudecode.h, lib/uudecode.c. | ||
343 | 513 | - CVE-2019-12529 | ||
344 | 514 | * SECURITY UPDATE: XSS issues in cachemgr.cgi | ||
345 | 515 | - debian/patches/CVE-2019-13345.patch: properly escape values in | ||
346 | 516 | tools/cachemgr.cc. | ||
347 | 517 | - CVE-2019-13345 | ||
348 | 518 | |||
349 | 519 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 | ||
350 | 520 | |||
351 | 521 | squid (4.6-2ubuntu3) eoan; urgency=medium | ||
352 | 522 | |||
353 | 523 | * Override newly added gcc-9 flags: | ||
354 | 524 | -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation | ||
355 | 525 | NOTE: Overriding those flags is a possible security | ||
356 | 526 | asked for info on the gcc-9 issue bug tracker: | ||
357 | 527 | https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 | ||
358 | 528 | |||
359 | 529 | -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 | ||
360 | 530 | |||
361 | 531 | squid (4.6-2ubuntu2) eoan; urgency=medium | ||
362 | 532 | |||
363 | 533 | * Fix gcc-9 build issues with upstream merged patch | ||
364 | 534 | |||
365 | 535 | -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 | ||
366 | 536 | |||
367 | 537 | squid (4.6-2ubuntu1) eoan; urgency=medium | ||
368 | 538 | |||
369 | 539 | * Merge with Debian unstable. Remaining changes: | ||
370 | 540 | - Use snakeoil certificates. | ||
371 | 541 | - Add an example refresh pattern for debs. | ||
372 | 542 | - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, | ||
373 | 543 | squidguard | ||
374 | 544 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
375 | 545 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of | ||
376 | 546 | -O2 and that triggers a format-truncation error on pcon.cc. See | ||
377 | 547 | See https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
378 | 548 | - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. | ||
379 | 549 | Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) | ||
380 | 550 | [Added Applied-Upstream header] | ||
381 | 551 | - d/rules: Only use -latomic with the intended architectures, instead of | ||
382 | 552 | all of them. This matches what was suggested in | ||
383 | 553 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 | ||
384 | 554 | - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that | ||
385 | 555 | dh_installchangelogs can pick it up. dh_installchangelogs handles | ||
386 | 556 | d/NEWS or d/<package>.NEWS, but not NEWS.debian. | ||
387 | 557 | * Dropped: | ||
388 | 558 | - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid | ||
389 | 559 | at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) | ||
390 | 560 | [Fixed in 4.5-2] | ||
391 | 561 | - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized | ||
392 | 562 | error in parse_time_t, triggered on ppc64el due to the build using -O3 | ||
393 | 563 | in that architecture. | ||
394 | 564 | [Fixed upstream] | ||
395 | 565 | - Add disabled by default AppArmor profile. | ||
396 | 566 | [Added by Debian in 4.6-2] | ||
397 | 567 | - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): | ||
398 | 568 | + allow net_admin capability | ||
399 | 569 | + add attach_disconnected flag | ||
400 | 570 | [Fixed in 4.6-2] | ||
401 | 571 | |||
402 | 572 | -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 | ||
403 | 573 | |||
404 | 211 | squid (4.6-2) unstable; urgency=high | 574 | squid (4.6-2) unstable; urgency=high |
405 | 212 | 575 | ||
406 | 213 | [ Andreas Hasenack <andreas@canonical.com> ] | 576 | [ Andreas Hasenack <andreas@canonical.com> ] |
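Review bot: The NOTE in the 4.6-2ubuntu3 entry breaks off mid-sentence: "Overriding those flags is a possible security" is followed directly by "asked for info on the gcc-9 issue bug tracker:", so the entry that records adding -Wno-sizeof-pointer-memaccess and -Wno-stringop-truncation never says what the concern was. Please complete the sentence so the caveat is readable; the 4.6-2ubuntu4 entry above it, which removes both flags and switches to xstrncpy in lib/smblib/smblib-util.c, depends on this one for context. Also, "maybe-unitialized" in the d/p/fix-uninitialized-var.patch item of the 4.6-2ubuntu1 entry should read "maybe-uninitialized".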
407 | @@ -268,6 +631,57 @@ squid (4.5-1) unstable; urgency=medium | |||
408 | 268 | 631 | ||
409 | 269 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 | 632 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
410 | 270 | 633 | ||
411 | 634 | squid (4.4-1ubuntu2) disco; urgency=medium | ||
412 | 635 | |||
413 | 636 | * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid | ||
414 | 637 | at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) | ||
415 | 638 | |||
416 | 639 | -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 | ||
417 | 640 | |||
418 | 641 | squid (4.4-1ubuntu1) disco; urgency=medium | ||
419 | 642 | |||
420 | 643 | * Merge with Debian unstable. Remaining changes: | ||
421 | 644 | - Use snakeoil certificates. | ||
422 | 645 | - Add an example refresh pattern for debs. | ||
423 | 646 | - Add disabled by default AppArmor profile. | ||
424 | 647 | - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized | ||
425 | 648 | error in parse_time_t, triggered on ppc64el due to the build using -O3 | ||
426 | 649 | in that architecture. | ||
427 | 650 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
428 | 651 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of | ||
429 | 652 | -O2 and that triggers a format-truncation error on pcon.cc. See | ||
430 | 653 | See https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
431 | 654 | - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. | ||
432 | 655 | Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) | ||
433 | 656 | * Drop: | ||
434 | 657 | - d/rules: enable cdbs parallel build | ||
435 | 658 | [Fixed in 4.2-1] | ||
436 | 659 | - d/t/test-squid.py: fix apparmor profile filename | ||
437 | 660 | [Fixed in 4.2-1] | ||
438 | 661 | - d/t/test-squid.py: fix the process name. The PID points at the parent. | ||
439 | 662 | [Fixed in 4.2-1] | ||
440 | 663 | - d/t/upstream-test-suite: also make libmem.la, needed by the tests. | ||
441 | 664 | [Fixed in 4.2-1] | ||
442 | 665 | - d/t/0003-installed-binary-for-debian-ci.patch: use the squid | ||
443 | 666 | binary from the system, instead of the one from the source tree. | ||
444 | 667 | [Fixed in 4.2-1] | ||
445 | 668 | - d/t/upstream-test-suite: drop the sed line, since patch | ||
446 | 669 | 0003-installed-binary-for-debian-ci.patch is doing this work now. | ||
447 | 670 | (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) | ||
448 | 671 | [Fixed in 4.2-1] | ||
449 | 672 | * Added changes: | ||
450 | 673 | - d/rules: Only use -latomic with the intended architectures, instead of | ||
451 | 674 | all of them. This matches what was suggested in | ||
452 | 675 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 | ||
453 | 676 | - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that | ||
454 | 677 | dh_installchangelogs can pick it up. dh_installchangelogs handles | ||
455 | 678 | d/NEWS or d/<package>.NEWS, but not NEWS.debian. | ||
456 | 679 | - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): | ||
457 | 680 | + allow net_admin capability | ||
458 | 681 | + add attach_disconnected flag | ||
459 | 682 | |||
460 | 683 | -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 | ||
461 | 684 | |||
462 | 271 | squid (4.4-1) unstable; urgency=high | 685 | squid (4.4-1) unstable; urgency=high |
463 | 272 | 686 | ||
464 | 273 | * Urgency high due to security fixes | 687 | * Urgency high due to security fixes |
465 | @@ -332,6 +746,85 @@ squid (4.2-1) unstable; urgency=high | |||
466 | 332 | 746 | ||
467 | 333 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 | 747 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
468 | 334 | 748 | ||
469 | 749 | squid (4.1-1ubuntu3) cosmic; urgency=medium | ||
470 | 750 | |||
471 | 751 | * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. | ||
472 | 752 | Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) | ||
473 | 753 | |||
474 | 754 | -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 | ||
475 | 755 | |||
476 | 756 | squid (4.1-1ubuntu2) cosmic; urgency=medium | ||
477 | 757 | |||
478 | 758 | * d/usr.sbin.squid: Update apparmor profile to grant read access to squid | ||
479 | 759 | binary (LP: #1792728) | ||
480 | 760 | |||
481 | 761 | -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 | ||
482 | 762 | |||
483 | 763 | squid (4.1-1ubuntu1) cosmic; urgency=medium | ||
484 | 764 | |||
485 | 765 | * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). | ||
486 | 766 | Remaining changes: | ||
487 | 767 | - Use snakeoil certificates. | ||
488 | 768 | [Updated to use the correct config setting names] | ||
489 | 769 | - Add an example refresh pattern for debs. | ||
490 | 770 | [Improved the refresh patterns based on the configuration from | ||
491 | 771 | squid-deb-proxy package] | ||
492 | 772 | - Add disabled by default AppArmor profile. | ||
493 | 773 | [Updated to include the ssl_certs abstraction and suggestions on how to | ||
494 | 774 | deal with the snakeoil private key and other keys in /etc/ssl.] | ||
495 | 775 | * Dropped changes: | ||
496 | 776 | - Add additional dep8 tests. | ||
497 | 777 | [Adopted in 4.0.21-1~exp5, albeit a stripped down version] | ||
498 | 778 | - Correct attribution and add explanatory note in d/NEWS.debian. | ||
499 | 779 | [That particular upgrade path has happened long ago.] | ||
500 | 780 | - Drop wrong short-circuiting of various invocations; we always want to | ||
501 | 781 | call the debhelper block. | ||
502 | 782 | [This was for the transitional squid3 package, and that transition has | ||
503 | 783 | already happened.] | ||
504 | 784 | - Revert "Set pidfile for systemd's sysv-generator" from Debian. | ||
505 | 785 | [Not needed anymore since we have a native systemd service file | ||
506 | 786 | and no longer rely on the generator.] | ||
507 | 787 | - Enable autoreconf. This is no longer required for the security updates, | ||
508 | 788 | but is needed for the seddery of test-suite/Makefile.am in | ||
509 | 789 | d/t/upstream-test-suite. | ||
510 | 790 | [Replaced by patch 0003-installed-binary-for-debian-ci.patch] | ||
511 | 791 | - Adjust seddery for upstream test squid binary location. | ||
512 | 792 | [sed no longer necessary since patch, | ||
513 | 793 | 0003-installed-binary-for-debian-ci.patch, will be dropped | ||
514 | 794 | entirely.] | ||
515 | 795 | - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration | ||
516 | 796 | happened in Xenial, so no upgrade path still requires this code. This | ||
517 | 797 | reduces upgrade ordering difficulty. | ||
518 | 798 | [Again we have a migration, but this time from squid3 to squid, so we | ||
519 | 799 | need this]. | ||
520 | 800 | - GCC7 FTBFS fixes (LP: #1712668): | ||
521 | 801 | + d/rules: don't error when hitting the "deprecated" and | ||
522 | 802 | "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, | ||
523 | 803 | but one in Format.cc that affects 32bit builds was deemed too intrusive | ||
524 | 804 | for the 3.5 stable series and is only in squid 4.x | ||
525 | 805 | [No longer needed with squid 4.x] | ||
526 | 806 | - Do not force gcc-6 | ||
527 | 807 | [It was a temporary workaround in Debian that got dropped] | ||
528 | 808 | * Added changes: | ||
529 | 809 | - d/rules: enable cdbs parallel build | ||
530 | 810 | - d/t/test-squid.py: fix apparmor profile filename | ||
531 | 811 | - d/t/test-squid.py: fix the process name. The PID points at the parent. | ||
532 | 812 | - d/t/upstream-test-suite: also make libmem.la, needed by the tests. | ||
533 | 813 | - d/t/0003-installed-binary-for-debian-ci.patch: use the squid | ||
534 | 814 | binary from the system, instead of the one from the source tree. | ||
535 | 815 | - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized | ||
536 | 816 | error in parse_time_t, triggered on ppc64el due to the build using -O3 | ||
537 | 817 | in that architecture. | ||
538 | 818 | - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if | ||
539 | 819 | building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of | ||
540 | 820 | -O2 and that triggers a format-truncation error on pcon.cc. See | ||
541 | 821 | See https://bugs.squid-cache.org/show_bug.cgi?id=4875 | ||
542 | 822 | - d/t/upstream-test-suite: drop the sed line, since patch | ||
543 | 823 | 0003-installed-binary-for-debian-ci.patch is doing this work now. | ||
544 | 824 | (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) | ||
545 | 825 | |||
546 | 826 | -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 | ||
547 | 827 | |||
548 | 335 | squid (4.1-1) unstable; urgency=high | 828 | squid (4.1-1) unstable; urgency=high |
549 | 336 | 829 | ||
550 | 337 | * New Upstream Release (Closes: #896120) | 830 | * New Upstream Release (Closes: #896120) |
551 | diff --git a/debian/control b/debian/control | |||
552 | index 9645a8d..a567c91 100644 | |||
553 | --- a/debian/control | |||
554 | +++ b/debian/control | |||
555 | @@ -1,7 +1,8 @@ | |||
556 | 1 | Source: squid | 1 | Source: squid |
557 | 2 | Section: web | 2 | Section: web |
558 | 3 | Priority: optional | 3 | Priority: optional |
560 | 4 | Maintainer: Luigi Gangitano <luigi@debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
561 | 5 | XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> | ||
562 | 5 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> | 6 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
563 | 6 | Homepage: http://www.squid-cache.org | 7 | Homepage: http://www.squid-cache.org |
564 | 7 | Standards-Version: 4.5.0 | 8 | Standards-Version: 4.5.0 |
565 | @@ -31,7 +32,7 @@ Build-Depends: ed, libltdl-dev, pkg-config | |||
566 | 31 | Package: squid | 32 | Package: squid |
567 | 32 | Architecture: any | 33 | Architecture: any |
568 | 33 | Pre-Depends: adduser | 34 | Pre-Depends: adduser |
570 | 34 | Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl | 35 | Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
571 | 35 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor | 36 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
572 | 36 | Recommends: libcap2-bin [linux-any], ca-certificates | 37 | Recommends: libcap2-bin [linux-any], ca-certificates |
573 | 37 | Provides: squid3 | 38 | Provides: squid3 |
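Review bot: `ssl-cert` is added to the hard `Depends` of the `squid` package, but the only consumer visible in this merge is the documentation note in 99-ubuntu-ssl-cert-snakeoil.patch, which offers the snakeoil paths "for testing". Would `Recommends` or `Suggests` be enough, so that a proxy host is not forced to carry a generated self-signed key pair it never uses? If the hard dependency is intentional, a short justification in the changelog's "Remaining changes" entry would help the next merger.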
574 | diff --git a/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch b/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch | |||
575 | 38 | new file mode 100644 | 39 | new file mode 100644 |
576 | index 0000000..8de4e08 | |||
577 | --- /dev/null | |||
578 | +++ b/debian/patches/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch | |||
579 | @@ -0,0 +1,112 @@ | |||
580 | 1 | From: Sergio Durigan Junior <sergiodj@sergiodj.net> | ||
581 | 2 | Date: Fri, 7 Aug 2020 00:00:30 -0400 | ||
582 | 3 | Subject: WCCP: Fix GCC-10 -Wstringop-truncation failures | ||
583 | 4 | MIME-Version: 1.0 | ||
584 | 5 | Content-Type: text/plain; charset="utf-8" | ||
585 | 6 | Content-Transfer-Encoding: 8bit | ||
586 | 7 | |||
587 | 8 | When building squid using GCC10, I'm seeing a few failures related to | ||
588 | 9 | the -Wstringop-truncation option: | ||
589 | 10 | |||
590 | 11 | In file included from /usr/include/string.h:495, | ||
591 | 12 | from ../compat/xstring.h:13, | ||
592 | 13 | from ../compat/compat_shared.h:225, | ||
593 | 14 | from ../compat/compat.h:87, | ||
594 | 15 | from ../include/squid.h:43, | ||
595 | 16 | from wccp2.cc:11: | ||
596 | 17 | In function ‘char* strncpy(char*, const char*, size_t)’, | ||
597 | 18 | inlined from ‘void wccp2_add_service_list(int, int, int, int, int, int*, int, char*)’ at wccp2.cc:523:12, | ||
598 | 19 | inlined from ‘void parse_wccp2_service(void*)’ at wccp2.cc:2140:27: | ||
599 | 20 | /usr/include/s390x-linux-gnu/bits/string_fortified.h:106:34: error: ‘char* __builtin_strncpy(char*, const char*, long unsigned int)’ output may be truncated copying 8 bytes from a string of length 8 [-Werror=stringop-truncation] | ||
600 | 21 | 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ||
601 | 22 | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
602 | 23 | cc1plus: all warnings being treated as errors | ||
603 | 24 | |||
604 | 25 | The curious thing is that I can only trigger these failures when I | ||
605 | 26 | compile on s390x. | ||
606 | 27 | |||
607 | 28 | The fix here is simple and inspired by | ||
608 | 29 | 02fc37ca9112cd2afd7d9f3acea06c53b900453a: use xstrncpy instead of | ||
609 | 30 | strncpy. I confirmed that this fixes the problem by recompiling, and | ||
610 | 31 | doesn't introduce any other issues. | ||
611 | 32 | |||
612 | 33 | Signed-off-by: Sergio Durigan Junior <sergiodj@debian.org> | ||
613 | 34 | |||
614 | 35 | Author: Sergio Durigan Junior <sergiodj@debian.org> | ||
615 | 36 | Last-Updated: 2020-08-10 | ||
616 | 37 | Forwarded: https://github.com/squid-cache/squid/pull/708/ | ||
617 | 38 | --- | ||
618 | 39 | src/wccp2.cc | 18 ++++++++---------- | ||
619 | 40 | 1 file changed, 8 insertions(+), 10 deletions(-) | ||
620 | 41 | |||
621 | 42 | diff --git a/src/wccp2.cc b/src/wccp2.cc | ||
622 | 43 | index 70a2796..05dfc6e 100644 | ||
623 | 44 | --- a/src/wccp2.cc | ||
624 | 45 | +++ b/src/wccp2.cc | ||
625 | 46 | @@ -49,7 +49,7 @@ static EVH wccp2AssignBuckets; | ||
626 | 47 | |||
627 | 48 | /* Useful defines */ | ||
628 | 49 | #define WCCP2_NUMPORTS 8 | ||
629 | 50 | -#define WCCP2_PASSWORD_LEN 8 | ||
630 | 51 | +#define WCCP2_PASSWORD_LEN 8 + 1 /* + 1 for C-string NUL terminator */ | ||
631 | 52 | |||
632 | 53 | /* WCCPv2 Pakcet format structures */ | ||
633 | 54 | /* Defined in draft-wilson-wccp-v2-12-oct-2001.txt */ | ||
634 | 55 | @@ -451,7 +451,7 @@ struct wccp2_service_list_t { | ||
635 | 56 | size_t wccp_packet_size; | ||
636 | 57 | |||
637 | 58 | struct wccp2_service_list_t *next; | ||
638 | 59 | - char wccp_password[WCCP2_PASSWORD_LEN + 1]; /* hold the trailing C-string NUL */ | ||
639 | 60 | + char wccp_password[WCCP2_PASSWORD_LEN]; /* hold the trailing C-string NUL */ | ||
640 | 61 | uint32_t wccp2_security_type; | ||
641 | 62 | }; | ||
642 | 63 | |||
643 | 64 | @@ -519,8 +519,8 @@ wccp2_add_service_list(int service, int service_id, int service_priority, | ||
644 | 65 | wccp2_update_service(wccp2_service_list_ptr, service, service_id, | ||
645 | 66 | service_priority, service_proto, service_flags, ports); | ||
646 | 67 | wccp2_service_list_ptr->wccp2_security_type = security_type; | ||
647 | 68 | - memset(wccp2_service_list_ptr->wccp_password, 0, WCCP2_PASSWORD_LEN + 1); | ||
648 | 69 | - strncpy(wccp2_service_list_ptr->wccp_password, password, WCCP2_PASSWORD_LEN); | ||
649 | 70 | + memset(wccp2_service_list_ptr->wccp_password, 0, WCCP2_PASSWORD_LEN); | ||
650 | 71 | + xstrncpy(wccp2_service_list_ptr->wccp_password, password, WCCP2_PASSWORD_LEN); | ||
651 | 72 | /* add to linked list - XXX this should use the Squid dlink* routines! */ | ||
652 | 73 | wccp2_service_list_ptr->next = wccp2_service_list_head; | ||
653 | 74 | wccp2_service_list_head = wccp2_service_list_ptr; | ||
654 | 75 | @@ -562,8 +562,7 @@ wccp2_update_md5_security(char *password, char *ptr, char *packet, int len) | ||
655 | 76 | |||
656 | 77 | /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */ | ||
657 | 78 | memset(pwd, 0, sizeof(pwd)); | ||
658 | 79 | - strncpy(pwd, password, sizeof(pwd)); | ||
659 | 80 | - pwd[sizeof(pwd) - 1] = '\0'; | ||
660 | 81 | + xstrncpy(pwd, password, sizeof(pwd)); | ||
661 | 82 | |||
662 | 83 | ws = (struct wccp2_security_md5_t *) ptr; | ||
663 | 84 | assert(ntohs(ws->security_type) == WCCP2_SECURITY_INFO); | ||
664 | 85 | @@ -630,8 +629,7 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac | ||
665 | 86 | |||
666 | 87 | /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */ | ||
667 | 88 | memset(pwd, 0, sizeof(pwd)); | ||
668 | 89 | - strncpy(pwd, srv->wccp_password, sizeof(pwd)); | ||
669 | 90 | - pwd[sizeof(pwd) - 1] = '\0'; | ||
670 | 91 | + xstrncpy(pwd, srv->wccp_password, sizeof(pwd)); | ||
671 | 92 | |||
672 | 93 | /* Take a copy of the challenge: we need to NUL it before comparing */ | ||
673 | 94 | memcpy(md5_challenge, ws->security_implementation, sizeof(md5_challenge)); | ||
674 | 95 | @@ -2096,7 +2094,7 @@ parse_wccp2_service(void *) | ||
675 | 96 | int service = 0; | ||
676 | 97 | int service_id = 0; | ||
677 | 98 | int security_type = WCCP2_NO_SECURITY; | ||
678 | 99 | - char wccp_password[WCCP2_PASSWORD_LEN + 1]; | ||
679 | 100 | + char wccp_password[WCCP2_PASSWORD_LEN]; | ||
680 | 101 | |||
681 | 102 | if (wccp2_connected == 1) { | ||
682 | 103 | debugs(80, DBG_IMPORTANT, "WCCPv2: Somehow reparsing the configuration without having shut down WCCP! Try reloading squid again."); | ||
683 | 104 | @@ -2132,7 +2130,7 @@ parse_wccp2_service(void *) | ||
684 | 105 | if ((t = ConfigParser::NextToken()) != NULL) { | ||
685 | 106 | if (strncmp(t, "password=", 9) == 0) { | ||
686 | 107 | security_type = WCCP2_MD5_SECURITY; | ||
687 | 108 | - strncpy(wccp_password, t + 9, WCCP2_PASSWORD_LEN); | ||
688 | 109 | + xstrncpy(wccp_password, t + 9, sizeof(wccp_password)); | ||
689 | 110 | } | ||
690 | 111 | } | ||
691 | 112 | |||
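Review bot: `#define WCCP2_PASSWORD_LEN 8 + 1` in the first src/wccp2.cc hunk should be parenthesized as `(8 + 1)`. The uses visible here are array sizes and length arguments, which expand correctly, but any later use inside a multiplication or division would silently evaluate to the wrong value. The macro also changes meaning from the 8-byte field width to the 9-byte buffer size. The `pwd` buffers in wccp2_update_md5_security and wccp2_check_security are declared outside the visible context, and the retained comment says the MD5 password field "needs to be 8 bytes and NUL padded". If `pwd` is sized with WCCP2_PASSWORD_LEN, please confirm the hash still covers exactly 8 bytes rather than `sizeof(pwd)`. Finally, the comment "hold the trailing C-string NUL" on `char wccp_password[WCCP2_PASSWORD_LEN];` no longer describes that line now that the `+ 1` lives in the macro.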
692 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch | |||
693 | 0 | new file mode 100644 | 113 | new file mode 100644 |
694 | index 0000000..2c15c53 | |||
695 | --- /dev/null | |||
696 | +++ b/debian/patches/90-cf.data.ubuntu.patch | |||
697 | @@ -0,0 +1,22 @@ | |||
698 | 1 | Description: Add an example refresh pattern for .debs | ||
699 | 2 | |||
700 | 3 | Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> | ||
701 | 4 | Last-Updated: 2020-08-12 | ||
702 | 5 | Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15 | ||
703 | 6 | |||
704 | 7 | --- a/src/cf.data.pre | ||
705 | 8 | +++ b/src/cf.data.pre | ||
706 | 9 | @@ -5859,6 +5862,12 @@ NOCOMMENT_START | ||
707 | 10 | refresh_pattern ^ftp: 1440 20% 10080 | ||
708 | 11 | refresh_pattern ^gopher: 1440 0% 1440 | ||
709 | 12 | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
710 | 13 | +refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims | ||
711 | 14 | +refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims | ||
712 | 15 | +refresh_pattern \/InRelease$ 0 0% 0 refresh-ims | ||
713 | 16 | +refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims | ||
714 | 17 | +# example pattern for deb packages | ||
715 | 18 | +#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 | ||
716 | 19 | refresh_pattern . 0 20% 4320 | ||
717 | 20 | NOCOMMENT_END | ||
718 | 21 | DOC_END | ||
719 | 22 | |||
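Review bot: the DEP-3 header carries Description, Reviewed-By, Last-Updated and Forwarded but neither `Author` nor `Origin`, and DEP-3 requires `Origin` unless `Author` is present, so one of them should be added. The inner hunk header `@@ -5859,6 +5862,12 @@` has old and new start lines three apart even though it is the only hunk in the file, which suggests it was cut from a larger patch; refreshing the patch would regenerate a consistent header. On the content, keeping the `.deb` pattern commented out while the index files (`Packages`, `Sources`, `Release`, `InRelease`, `Translation-*`) get `0 0% 0 refresh-ims` is the safe default, since those files are always revalidated.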
720 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch | |||
721 | 0 | new file mode 100644 | 23 | new file mode 100644 |
722 | index 0000000..40b5306 | |||
723 | --- /dev/null | |||
724 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch | |||
725 | @@ -0,0 +1,22 @@ | |||
726 | 1 | --- a/src/cf.data.pre | ||
727 | 2 | +++ b/src/cf.data.pre | ||
728 | 3 | @@ -3516,6 +3516,19 @@ | ||
729 | 4 | reference a PEM file containing both the certificate | ||
730 | 5 | and private key. | ||
731 | 6 | |||
732 | 7 | + Notes: | ||
733 | 8 | + | ||
734 | 9 | + On Debian/Ubuntu systems a default snakeoil certificate is | ||
735 | 10 | + available in /etc/ssl and users can set: | ||
736 | 11 | + | ||
737 | 12 | + sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem | ||
738 | 13 | + | ||
739 | 14 | + and | ||
740 | 15 | + | ||
741 | 16 | + sslkey=/etc/ssl/private/ssl-cert-snakeoil.key | ||
742 | 17 | + | ||
743 | 18 | + for testing. | ||
744 | 19 | + | ||
745 | 20 | sslcipher=... The list of valid SSL ciphers to use when connecting | ||
746 | 21 | to this peer. | ||
747 | 22 | |||
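Review bot: this patch has no DEP-3 header at all; it starts directly at `--- a/src/cf.data.pre`, unlike 90-cf.data.ubuntu.patch and 0007 in the same merge. Please add at least Description, Author or Origin, and Forwarded. On the added text, "for testing" is the only hint that the snakeoil pair is unsuitable for real deployments. Saying outright that it is a locally generated self-signed certificate, to be replaced before production use, would make the intent harder to miss.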
748 | diff --git a/debian/patches/series b/debian/patches/series | |||
749 | index 6561436..d481df0 100644 | |||
750 | --- a/debian/patches/series | |||
751 | +++ b/debian/patches/series | |||
752 | @@ -3,3 +3,6 @@ | |||
753 | 3 | 0003-installed-binary-for-debian-ci.patch | 3 | 0003-installed-binary-for-debian-ci.patch |
754 | 4 | #0004-upstream-bug5041.patch | 4 | #0004-upstream-bug5041.patch |
755 | 5 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch | 5 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
756 | 6 | 90-cf.data.ubuntu.patch | ||
757 | 7 | 99-ubuntu-ssl-cert-snakeoil.patch | ||
758 | 8 | 0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch | ||
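Review bot: `0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch` is appended after the `90-` and `99-` entries, so the series is out of numeric order and the upstream-forwarded fix is applied after the Ubuntu-only documentation patches. The three patches touch different regions, so application is unaffected. Listing 0007 directly after `0005-Use-RuntimeDirectory-to-create-run-squid.patch` would keep the distro-specific delta at the end, where the next merge can rebase or drop it without reordering.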
759 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid | |||
760 | index bc1f987..232b59f 100644 | |||
761 | --- a/debian/usr.sbin.squid | |||
762 | +++ b/debian/usr.sbin.squid | |||
763 | @@ -50,6 +50,39 @@ | |||
764 | 50 | # squid-langpack | 50 | # squid-langpack |
765 | 51 | /usr/share/squid-langpack/** r, | 51 | /usr/share/squid-langpack/** r, |
766 | 52 | 52 | ||
767 | 53 | # maas-proxy | ||
768 | 54 | /var/lib/maas/maas-proxy.conf r, | ||
769 | 55 | /var/log/maas/proxy/** rw, | ||
770 | 56 | /var/spool/maas-proxy/ r, | ||
771 | 57 | /var/spool/maas-proxy/** rwk, | ||
772 | 58 | |||
773 | 59 | # squid-deb-proxy | ||
774 | 60 | /etc/squid-deb-proxy/** r, | ||
775 | 61 | /{,var/}run/squid-deb-proxy.pid rwk, | ||
776 | 62 | /var/cache/squid-deb-proxy/ r, | ||
777 | 63 | /var/cache/squid-deb-proxy/** rwk, | ||
778 | 64 | /var/log/squid-deb-proxy/* rw, | ||
779 | 65 | |||
780 | 66 | # squidguard | ||
781 | 67 | /usr/bin/squidGuard Cx -> squidguard, | ||
782 | 68 | profile squidguard { | ||
783 | 69 | #include <abstractions/base> | ||
784 | 70 | |||
785 | 71 | /etc/squid/squidGuard.conf r, | ||
786 | 72 | /var/log/squid{,3}/squidGuard.log w, | ||
787 | 73 | /var/lib/squidguard/** rw, | ||
788 | 74 | |||
789 | 75 | # squidguard by default uses /var/log/squid as its logdir, however, we | ||
790 | 76 | # don't want it to access squid's logs, only its own. Explicitly deny | ||
791 | 77 | # access to squid's files but allow all others since the user may specify | ||
792 | 78 | # anything for the squidGurad 'log' directive. | ||
793 | 79 | /var/log/squid{,3}/* rw, | ||
794 | 80 | audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, | ||
795 | 81 | |||
796 | 82 | # Site-specific additions and overrides. See local/README for details. | ||
797 | 83 | #include <local/usr.sbin.squid> | ||
798 | 84 | } | ||
799 | 85 | |||
800 | 53 | # Site-specific additions and overrides. See local/README for details. | 86 | # Site-specific additions and overrides. See local/README for details. |
801 | 54 | #include <local/usr.sbin.squid> | 87 | #include <local/usr.sbin.squid> |
802 | 55 | } | 88 | } |
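Review bot: the `squidguard` child profile ends with `#include <local/usr.sbin.squid>`, the same local include the parent profile uses, so any site-specific rule an administrator adds for squid is also granted to squidGuard; the child should have its own local include or none. The pair `/var/log/squid{,3}/* rw,` and `audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,` is a denylist that protects only those three default names, so a squid log configured under another filename in that directory stays readable and writable by squidGuard. The same broad rule makes the earlier `/var/log/squid{,3}/squidGuard.log w,` line redundant. The comment also misspells squidGuard as "squidGurad".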
grabbing this