Merge ~sergiodj/ubuntu/+source/squid:squid-merge-4.13-1 into ubuntu/+source/squid:debian/sid
Status: | Merged |
---|---|
Approved by: | Christian Ehrhardt |
Approved revision: | eba831d8fc000becaf3b07bd250d573117d47e78 |
Merge reported by: | Sergio Durigan Junior |
Merged at revision: | eba831d8fc000becaf3b07bd250d573117d47e78 |
Proposed branch: | ~sergiodj/ubuntu/+source/squid:squid-merge-4.13-1 |
Merge into: | ubuntu/+source/squid:debian/sid |
Diff against target: | 708 lines (+593/-2), 6 files modified: debian/changelog (+511/-0), debian/control (+3/-2), debian/patches/90-cf.data.ubuntu.patch (+22/-0), debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0), debian/patches/series (+2/-0), debian/usr.sbin.squid (+33/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Christian Ehrhardt (community) | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+389821@code.launchpad.net
Description of the change
This is the merge of squid 4.13-1 from Debian.
It's a trivial merge. I was able to drop a patch that has been accepted upstream (to fix an FTBFS when building with GCC-10 on s390x). Still waiting to see if Debian will accept https:/
There's a PPA with the proposed update here: https:/
autopkgtest is still happy:
autopkgtest [17:15:11]: @@@@@@@
upstream-test-suite PASS
squid PASS
Christian Ehrhardt (paelzer) wrote : | # |
Dropping the now accepted patch is fine.
Everything else stays the same as it was 15 days ago, which means it still is as ok as it was last time.
Changelog entries look good and I see no good chance to upstream more of our delta except that which you have already started.
http://
I'm slightly unsure on the TLS/1.3 change, but following upstream should be the right choice here.
+1 and let me know if you want me to sponsor it.
Christian Ehrhardt (paelzer) wrote : | # |
Checked with Sergio and he wanted sponsoring as-is.
To ssh://git.
* [new tag] upload/
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Uploading squid_4.
Successfully uploaded packages.
Sergio Durigan Junior (sergiodj) wrote : | # |
This has migrated.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index a4a9ea2..2b95e27 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,21 @@ |
6 | +squid (4.13-1ubuntu1) groovy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
10 | + squidguard |
11 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
12 | + for debs. |
13 | + - Use snakeoil certificates: |
14 | + + d/control: add ssl-cert to dependencies |
15 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
16 | + to the default config file |
17 | + * Dropped changes: |
18 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
19 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
20 | + [ Accepted upstream. ] |
21 | + |
22 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 25 Aug 2020 15:01:58 -0400 |
23 | + |
24 | squid (4.13-1) unstable; urgency=high |
25 | |
26 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
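Review bot: In the new 4.13-1ubuntu1 entry, the d/usr.sbin.squid item lists "maas-proxy, squid-deb-proxy" and then "squidguard" on the continuation line with no comma between the last two names, so it reads as one profile section called "squid-deb-proxy squidguard". The 4.11-5ubuntu1 entry further down has "squid-deb-proxy," at the same place; restore the comma so the list of AppArmor profile sections carried as Ubuntu delta is unambiguous.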
27 | @@ -10,6 +28,43 @@ squid (4.13-1) unstable; urgency=high |
28 | |
29 | -- Luigi Gangitano <luigi@debian.org> Mon, 24 Aug 2020 17:27:54 +0200 |
30 | |
31 | +squid (4.12-1ubuntu1) groovy; urgency=medium |
32 | + |
33 | + * Merge with Debian unstable. Remaining changes: |
34 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy |
35 | + squidguard |
36 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern |
37 | + for debs. |
38 | + - Use snakeoil certificates: |
39 | + + d/control: add ssl-cert to dependencies |
40 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
41 | + to the default config file |
42 | + * Dropped changes, not needed anymore: |
43 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround |
44 | + if building for ppc64el. On that arch, dpkg-buildflags sets -O3 |
45 | + instead of -O2 and that triggers a format-truncation error on |
46 | + pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875. |
47 | + [ Dropped because the build now passes on ppc64el ] |
48 | + * Dropped changes, incorporated by Debian: |
49 | + - Don't restart squid by hand on postinst script |
50 | + + d/squid.postinst: When installing/upgrading squid, the service |
51 | + is being restarted manually in the postinst script, which can |
52 | + break installations that have the squid apparmor enabled because |
53 | + it will try to restart the service before reloading the apparmor |
54 | + profile. There is no reason to restart squid manually, since the |
55 | + restart will be automatically performed later. |
56 | + - Drop conffile check for squid < 2.7 |
57 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
58 | + safe to drop the postinst code to make sure that |
59 | + /etc/squid/squid.conf was properly upgraded. |
60 | + - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
61 | + that we now store the pidfile under '/run/squid/'. |
62 | + * Added changes: |
63 | + - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch: |
64 | + Fix GCC-10 build failure due to -Wstringop-truncation warning. |
65 | + |
66 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400 |
67 | + |
68 | squid (4.12-1) unstable; urgency=high |
69 | |
70 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
71 | @@ -45,6 +100,63 @@ squid (4.12-1) unstable; urgency=high |
72 | |
73 | -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200 |
74 | |
75 | +squid (4.11-5ubuntu3) groovy; urgency=medium |
76 | + |
77 | + * No change rebuild against new libnettle8 and libhogweed6 ABI. |
78 | + |
79 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100 |
80 | + |
81 | +squid (4.11-5ubuntu2) groovy; urgency=medium |
82 | + |
83 | + * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact |
84 | + that we now store the pidfile under '/run/squid/'. |
85 | + |
86 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400 |
87 | + |
88 | +squid (4.11-5ubuntu1) groovy; urgency=medium |
89 | + |
90 | + * Merge with Debian unstable. Remaining changes: |
91 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
92 | + squidguard |
93 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for |
94 | + debs. |
95 | + - Use snakeoil certificates: |
96 | + + d/control: add ssl-cert to dependencies |
97 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the |
98 | + default config file |
99 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
100 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead |
101 | + of -O2 and that triggers a format-truncation error on pcon.cc. See See |
102 | + https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
103 | + * Dropped: |
104 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
105 | + deprecated in glibc 2.30 (LP #1843325) |
106 | + [ In 4.11-4 ] |
107 | + - SECURITY UPDATE: multiple ESI issues |
108 | + + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
109 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
110 | + src/esi/Esi.h, src/esi/Expression.cc. |
111 | + + CVE-2019-12519 |
112 | + [ In 4.11-4 ] |
113 | + - SECURITY UPDATE: Digest Authentication nonce replay issue |
114 | + + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
115 | + overflow in src/auth/digest/Config.cc. |
116 | + [ In 4.11-4 ] |
117 | + * Added: |
118 | + - Don't restart squid by hand on postinst script |
119 | + + d/squid.postinst: When installing/upgrading squid, the service |
120 | + is being restarted manually in the postinst script, which can |
121 | + break installations that have the squid apparmor enabled because |
122 | + it will try to restart the service before reloading the apparmor |
123 | + profile. There is no reason to restart squid manually, since the |
124 | + restart will be automatically performed later. |
125 | + - Drop conffile check for squid < 2.7 |
126 | + + d/squid.postinst: squid 2.7 is long, long gone, so it should be |
127 | + safe to drop the postinst code to make sure that |
128 | + /etc/squid/squid.conf was properly upgraded. |
129 | + |
130 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400 |
131 | + |
132 | squid (4.11-5) unstable; urgency=medium |
133 | |
134 | [ Sergio Durigan Junior <sergiodj@debian.org> ] |
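Review bot: The dropped ESI security item in the 4.11-5ubuntu1 entry names debian/patches/CVE-2019-12519_12521.patch but lists only CVE-2019-12519, and the dropped Digest Authentication item names CVE-2020-11945.patch with no CVE line at all. The 4.10-1ubuntu2 entry that introduced these patches lists CVE-2019-12519, CVE-2019-12521 and CVE-2020-11945, so anyone searching the changelog to confirm the fixes are still present "[ In 4.11-4 ]" will miss two of the three identifiers. List all three under the dropped items.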
135 | @@ -123,6 +235,64 @@ squid (4.11-1) unstable; urgency=high |
136 | |
137 | -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200 |
138 | |
139 | +squid (4.10-1ubuntu2) groovy; urgency=medium |
140 | + |
141 | + * SECURITY UPDATE: multiple ESI issues |
142 | + - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions |
143 | + into 500 status response in src/esi/Context.h, src/esi/Esi.cc, |
144 | + src/esi/Esi.h, src/esi/Expression.cc. |
145 | + - CVE-2019-12519 |
146 | + - CVE-2019-12521 |
147 | + * SECURITY UPDATE: Digest Authentication nonce replay issue |
148 | + - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer |
149 | + overflow in src/auth/digest/Config.cc. |
150 | + - CVE-2020-11945 |
151 | + |
152 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400 |
153 | + |
154 | +squid (4.10-1ubuntu1) focal; urgency=medium |
155 | + |
156 | + * Merge with Debian unstable. Remaining changes: |
157 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
158 | + squidguard |
159 | + - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs. |
160 | + - Use snakeoil certificates: |
161 | + + d/control: add ssl-cert to dependencies |
162 | + + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl |
163 | + to the default config file |
164 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
165 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
166 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
167 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
168 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
169 | + deprecated in glibc 2.30 (LP #1843325) |
170 | + * Dropped: |
171 | + - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
172 | + no longer available in Focal (LP: #1858827) |
173 | + [In 4.10-1, undocumented] |
174 | + - d/t/test-squid.py, d/t/squid: switch to python3 |
175 | + [In 4.10-1, undocumented] |
176 | + - d/t/control: depend on python3-minimal |
177 | + [In 4.10-1, undocumented] |
178 | + - SECURITY UPDATE: info disclosure via FTP server |
179 | + + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
180 | + src/clients/FtpGateway.cc. |
181 | + + CVE-2019-12528 |
182 | + [Fixed upstream] |
183 | + - SECURITY UPDATE: incorrect input validation and buffer management |
184 | + + debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
185 | + reverse proxy configurations in src/client_side.cc. |
186 | + + CVE-2020-8449 |
187 | + + CVE-2020-8450 |
188 | + [Fixed upstream] |
189 | + - SECURITY UPDATE: DoS in NTLM authentication |
190 | + + debian/patches/CVE-2020-8517.patch: improved username handling in |
191 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
192 | + + CVE-2020-8517 |
193 | + [Fixed upstream] |
194 | + |
195 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300 |
196 | + |
197 | squid (4.10-1) unstable; urgency=high |
198 | |
199 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
200 | @@ -144,6 +314,70 @@ squid (4.10-1) unstable; urgency=high |
201 | |
202 | -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100 |
203 | |
204 | +squid (4.9-2ubuntu4) focal; urgency=medium |
205 | + |
206 | + * SECURITY UPDATE: info disclosure via FTP server |
207 | + - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in |
208 | + src/clients/FtpGateway.cc. |
209 | + - CVE-2019-12528 |
210 | + * SECURITY UPDATE: incorrect input validation and buffer management |
211 | + - debian/patches/CVE-2020-84xx.patch: fix request URL generation in |
212 | + reverse proxy configurations in src/client_side.cc. |
213 | + - CVE-2020-8449 |
214 | + - CVE-2020-8450 |
215 | + * SECURITY UPDATE: DoS in NTLM authentication |
216 | + - debian/patches/CVE-2020-8517.patch: improved username handling in |
217 | + src/acl/external/LM_group/ext_lm_group_acl.cc. |
218 | + - CVE-2020-8517 |
219 | + |
220 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500 |
221 | + |
222 | +squid (4.9-2ubuntu3) focal; urgency=medium |
223 | + |
224 | + * No-change rebuild with fixed binutils on arm64. |
225 | + |
226 | + -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000 |
227 | + |
228 | +squid (4.9-2ubuntu2) focal; urgency=medium |
229 | + |
230 | + * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is |
231 | + no longer available in Focal (LP: #1858827) |
232 | + * d/t/test-squid.py, d/t/squid: switch to python3 |
233 | + * d/t/control: depend on python3-minimal |
234 | + |
235 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300 |
236 | + |
237 | +squid (4.9-2ubuntu1) focal; urgency=medium |
238 | + |
239 | + * Merge with Debian unstable. Remaining changes: |
240 | + - Use snakeoil certificates. |
241 | + - Add an example refresh pattern for debs. |
242 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
243 | + squidguard |
244 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
245 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
246 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
247 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
248 | + - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
249 | + deprecated in glibc 2.30 (LP #1843325) |
250 | + * Dropped: |
251 | + - d/rules: Only use -latomic with the intended architectures, instead of |
252 | + all of them. This matches what was suggested in |
253 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
254 | + [Fixed upstream] |
255 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
256 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
257 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
258 | + [Fixed upstream] |
259 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
260 | + lib/smblib/smblib-util.c. (LP #1835831) |
261 | + [Fixed upstream] |
262 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
263 | + mounted |
264 | + [Fixed upstream] |
265 | + |
266 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300 |
267 | + |
268 | squid (4.9-2) unstable; urgency=medium |
269 | |
270 | [ Andreas Hasenack <andreas@canonical.com> ] |
271 | @@ -200,6 +434,73 @@ squid (4.9-1) unstable; urgency=high |
272 | |
273 | -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100 |
274 | |
275 | +squid (4.8-1ubuntu3) focal; urgency=medium |
276 | + |
277 | + * No-change rebuild against libnettle7 |
278 | + |
279 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000 |
280 | + |
281 | +squid (4.8-1ubuntu2) eoan; urgency=medium |
282 | + |
283 | + * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was |
284 | + deprecated in glibc 2.30 (LP: #1843325) |
285 | + |
286 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300 |
287 | + |
288 | +squid (4.8-1ubuntu1) eoan; urgency=medium |
289 | + |
290 | + * Merge with Debian unstable. Remaining changes: |
291 | + - Use snakeoil certificates. |
292 | + - Add an example refresh pattern for debs. |
293 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
294 | + squidguard |
295 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
296 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
297 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
298 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
299 | + - d/rules: Only use -latomic with the intended architectures, instead of |
300 | + all of them. This matches what was suggested in |
301 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
302 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
303 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
304 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
305 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
306 | + lib/smblib/smblib-util.c. (LP #1835831) |
307 | + * Dropped: |
308 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
309 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
310 | + [Fixed upstream] |
311 | + - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged |
312 | + patch |
313 | + [Fixed upstream] |
314 | + - SECURITY UPDATE: incorrect digest auth parameter parsing |
315 | + + debian/patches/CVE-2019-12525.patch: check length in |
316 | + src/auth/digest/Config.cc. |
317 | + + CVE-2019-12525 |
318 | + [Fixed upstream] |
319 | + - SECURITY UPDATE: buffer overflow in basic auth decoding |
320 | + + debian/patches/CVE-2019-12527.patch: switch to SBuf in |
321 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
322 | + src/clients/FtpGateway.cc. |
323 | + + CVE-2019-12527 |
324 | + [Fixed upstream] |
325 | + - SECURITY UPDATE: basic auth uudecode length issue |
326 | + + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
327 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
328 | + include/uudecode.h, lib/uudecode.c. |
329 | + + CVE-2019-12529 |
330 | + [Fixed upstream] |
331 | + - SECURITY UPDATE: XSS issues in cachemgr.cgi |
332 | + + debian/patches/CVE-2019-13345.patch: properly escape values in |
333 | + tools/cachemgr.cc. |
334 | + + CVE-2019-13345 |
335 | + [Fixed upstream] |
336 | + * Added: |
337 | + - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't |
338 | + mounted |
339 | + |
340 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300 |
341 | + |
342 | squid (4.8-1) unstable; urgency=high |
343 | |
344 | [ Amos Jeffries <amosjeffries@squid-cache.org> ] |
345 | @@ -218,6 +519,86 @@ squid (4.8-1) unstable; urgency=high |
346 | |
347 | -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200 |
348 | |
349 | +squid (4.6-2ubuntu4) eoan; urgency=medium |
350 | + |
351 | + * Fix gcc-9 issues (LP: #1835831) |
352 | + - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
353 | + - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in |
354 | + lib/smblib/smblib-util.c. |
355 | + * SECURITY UPDATE: incorrect digest auth parameter parsing |
356 | + - debian/patches/CVE-2019-12525.patch: check length in |
357 | + src/auth/digest/Config.cc. |
358 | + - CVE-2019-12525 |
359 | + * SECURITY UPDATE: buffer overflow in basic auth decoding |
360 | + - debian/patches/CVE-2019-12527.patch: switch to SBuf in |
361 | + src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc, |
362 | + src/clients/FtpGateway.cc. |
363 | + - CVE-2019-12527 |
364 | + * SECURITY UPDATE: basic auth uudecode length issue |
365 | + - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle |
366 | + base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc, |
367 | + include/uudecode.h, lib/uudecode.c. |
368 | + - CVE-2019-12529 |
369 | + * SECURITY UPDATE: XSS issues in cachemgr.cgi |
370 | + - debian/patches/CVE-2019-13345.patch: properly escape values in |
371 | + tools/cachemgr.cc. |
372 | + - CVE-2019-13345 |
373 | + |
374 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400 |
375 | + |
376 | +squid (4.6-2ubuntu3) eoan; urgency=medium |
377 | + |
378 | + * Override newly added gcc-9 flags: |
379 | + -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation |
380 | + NOTE: Overriding those flags is a possible security |
381 | + asked for info on the gcc-9 issue bug tracker: |
382 | + https://github.com/squid-cache/squid/pull/413#issuecomment-511314076 |
383 | + |
384 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200 |
385 | + |
386 | +squid (4.6-2ubuntu2) eoan; urgency=medium |
387 | + |
388 | + * Fix gcc-9 build issues with upstream merged patch |
389 | + |
390 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200 |
391 | + |
392 | +squid (4.6-2ubuntu1) eoan; urgency=medium |
393 | + |
394 | + * Merge with Debian unstable. Remaining changes: |
395 | + - Use snakeoil certificates. |
396 | + - Add an example refresh pattern for debs. |
397 | + - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy, |
398 | + squidguard |
399 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
400 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
401 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
402 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
403 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
404 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
405 | + [Added Applied-Upstream header] |
406 | + - d/rules: Only use -latomic with the intended architectures, instead of |
407 | + all of them. This matches what was suggested in |
408 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
409 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
410 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
411 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
412 | + * Dropped: |
413 | + - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
414 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006) |
415 | + [Fixed in 4.5-2] |
416 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
417 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
418 | + in that architecture. |
419 | + [Fixed upstream] |
420 | + - Add disabled by default AppArmor profile. |
421 | + [Added by Debian in 4.6-2] |
422 | + - d/usr.sbin.squid: fix the apparmor profile (LP #1796189): |
423 | + + allow net_admin capability |
424 | + + add attach_disconnected flag |
425 | + [Fixed in 4.6-2] |
426 | + |
427 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300 |
428 | + |
429 | squid (4.6-2) unstable; urgency=high |
430 | |
431 | [ Andreas Hasenack <andreas@canonical.com> ] |
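Review bot: The NOTE in the 4.6-2ubuntu3 entry breaks off mid-sentence: "Overriding those flags is a possible security" is followed directly by "asked for info on the gcc-9 issue bug tracker:", so the stated concern about building with -Wno-sizeof-pointer-memaccess and -Wno-stringop-truncation is incomplete. Complete the sentence so the entry says what the risk is and who asked upstream. The 4.6-2ubuntu4 entry above it records that both flags were removed again and more-gcc-9-fixes.patch was added, which is worth cross-referencing from the NOTE.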
432 | @@ -278,6 +659,57 @@ squid (4.5-1) unstable; urgency=medium |
433 | |
434 | -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100 |
435 | |
436 | +squid (4.4-1ubuntu2) disco; urgency=medium |
437 | + |
438 | + * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid |
439 | + at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006) |
440 | + |
441 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300 |
442 | + |
443 | +squid (4.4-1ubuntu1) disco; urgency=medium |
444 | + |
445 | + * Merge with Debian unstable. Remaining changes: |
446 | + - Use snakeoil certificates. |
447 | + - Add an example refresh pattern for debs. |
448 | + - Add disabled by default AppArmor profile. |
449 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
450 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
451 | + in that architecture. |
452 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
453 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
454 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
455 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
456 | + - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
457 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553) |
458 | + * Drop: |
459 | + - d/rules: enable cdbs parallel build |
460 | + [Fixed in 4.2-1] |
461 | + - d/t/test-squid.py: fix apparmor profile filename |
462 | + [Fixed in 4.2-1] |
463 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
464 | + [Fixed in 4.2-1] |
465 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
466 | + [Fixed in 4.2-1] |
467 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
468 | + binary from the system, instead of the one from the source tree. |
469 | + [Fixed in 4.2-1] |
470 | + - d/t/upstream-test-suite: drop the sed line, since patch |
471 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
472 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
473 | + [Fixed in 4.2-1] |
474 | + * Added changes: |
475 | + - d/rules: Only use -latomic with the intended architectures, instead of |
476 | + all of them. This matches what was suggested in |
477 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5 |
478 | + - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that |
479 | + dh_installchangelogs can pick it up. dh_installchangelogs handles |
480 | + d/NEWS or d/<package>.NEWS, but not NEWS.debian. |
481 | + - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189): |
482 | + + allow net_admin capability |
483 | + + add attach_disconnected flag |
484 | + |
485 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200 |
486 | + |
487 | squid (4.4-1) unstable; urgency=high |
488 | |
489 | * Urgency high due to security fixes |
490 | @@ -342,6 +774,85 @@ squid (4.2-1) unstable; urgency=high |
491 | |
492 | -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200 |
493 | |
494 | +squid (4.1-1ubuntu3) cosmic; urgency=medium |
495 | + |
496 | + * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs. |
497 | + Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553) |
498 | + |
499 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300 |
500 | + |
501 | +squid (4.1-1ubuntu2) cosmic; urgency=medium |
502 | + |
503 | + * d/usr.sbin.squid: Update apparmor profile to grant read access to squid |
504 | + binary (LP: #1792728) |
505 | + |
506 | + -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400 |
507 | + |
508 | +squid (4.1-1ubuntu1) cosmic; urgency=medium |
509 | + |
510 | + * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669). |
511 | + Remaining changes: |
512 | + - Use snakeoil certificates. |
513 | + [Updated to use the correct config setting names] |
514 | + - Add an example refresh pattern for debs. |
515 | + [Improved the refresh patterns based on the configuration from |
516 | + squid-deb-proxy package] |
517 | + - Add disabled by default AppArmor profile. |
518 | + [Updated to include the ssl_certs abstraction and suggestions on how to |
519 | + deal with the snakeoil private key and other keys in /etc/ssl.] |
520 | + * Dropped changes: |
521 | + - Add additional dep8 tests. |
522 | + [Adopted in 4.0.21-1~exp5, albeit a stripped down version] |
523 | + - Correct attribution and add explanatory note in d/NEWS.debian. |
524 | + [That particular upgrade path has happened long ago.] |
525 | + - Drop wrong short-circuiting of various invocations; we always want to |
526 | + call the debhelper block. |
527 | + [This was for the transitional squid3 package, and that transition has |
528 | + already happened.] |
529 | + - Revert "Set pidfile for systemd's sysv-generator" from Debian. |
530 | + [Not needed anymore since we have a native systemd service file |
531 | + and no longer rely on the generator.] |
532 | + - Enable autoreconf. This is no longer required for the security updates, |
533 | + but is needed for the seddery of test-suite/Makefile.am in |
534 | + d/t/upstream-test-suite. |
535 | + [Replaced by patch 0003-installed-binary-for-debian-ci.patch] |
536 | + - Adjust seddery for upstream test squid binary location. |
537 | + [sed no longer necessary since patch, |
538 | + 0003-installed-binary-for-debian-ci.patch, will be dropped |
539 | + entirely.] |
540 | + - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration |
541 | + happened in Xenial, so no upgrade path still requires this code. This |
542 | + reduces upgrade ordering difficulty. |
543 | + [Again we have a migration, but this time from squid3 to squid, so we |
544 | + need this]. |
545 | + - GCC7 FTBFS fixes (LP: #1712668): |
546 | + + d/rules: don't error when hitting the "deprecated" and |
547 | + "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, |
548 | + but one in Format.cc that affects 32bit builds was deemed too intrusive |
549 | + for the 3.5 stable series and is only in squid 4.x |
550 | + [No longer needed with squid 4.x] |
551 | + - Do not force gcc-6 |
552 | + [It was a temporary workaround in Debian that got dropped] |
553 | + * Added changes: |
554 | + - d/rules: enable cdbs parallel build |
555 | + - d/t/test-squid.py: fix apparmor profile filename |
556 | + - d/t/test-squid.py: fix the process name. The PID points at the parent. |
557 | + - d/t/upstream-test-suite: also make libmem.la, needed by the tests. |
558 | + - d/t/0003-installed-binary-for-debian-ci.patch: use the squid |
559 | + binary from the system, instead of the one from the source tree. |
560 | + - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized |
561 | + error in parse_time_t, triggered on ppc64el due to the build using -O3 |
562 | + in that architecture. |
563 | + - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if |
564 | + building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of |
565 | + -O2 and that triggers a format-truncation error on pcon.cc. See |
566 | + See https://bugs.squid-cache.org/show_bug.cgi?id=4875 |
567 | + - d/t/upstream-test-suite: drop the sed line, since patch |
568 | + 0003-installed-binary-for-debian-ci.patch is doing this work now. |
569 | + (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839) |
570 | + |
571 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300 |
572 | + |
573 | squid (4.1-1) unstable; urgency=high |
574 | |
575 | * New Upstream Release (Closes: #896120) |
576 | diff --git a/debian/control b/debian/control |
577 | index 9645a8d..a567c91 100644 |
578 | --- a/debian/control |
579 | +++ b/debian/control |
580 | @@ -1,7 +1,8 @@ |
581 | Source: squid |
582 | Section: web |
583 | Priority: optional |
584 | -Maintainer: Luigi Gangitano <luigi@debian.org> |
585 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
586 | +XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org> |
587 | Uploaders: Santiago Garcia Mantinan <manty@debian.org> |
588 | Homepage: http://www.squid-cache.org |
589 | Standards-Version: 4.5.0 |
590 | @@ -31,7 +32,7 @@ Build-Depends: ed, libltdl-dev, pkg-config |
591 | Package: squid |
592 | Architecture: any |
593 | Pre-Depends: adduser |
594 | -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl |
595 | +Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert |
596 | Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor |
597 | Recommends: libcap2-bin [linux-any], ca-certificates |
598 | Provides: squid3 |
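Review bot: ssl-cert is added to the hard Depends line of the squid package, yet the only use visible in this merge is the documentation note in 99-ubuntu-ssl-cert-snakeoil.patch, which offers the snakeoil pair "for testing". A Recommends or Suggests would give the same convenience without forcing the package, and the self-signed key pair that comes with it, onto every squid installation. If something outside this diff needs the hard dependency, please state the reason.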
599 | diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch |
600 | new file mode 100644 |
601 | index 0000000..2c15c53 |
602 | --- /dev/null |
603 | +++ b/debian/patches/90-cf.data.ubuntu.patch |
604 | @@ -0,0 +1,22 @@ |
605 | +Description: Add an example refresh pattern for .debs |
606 | + |
607 | +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> |
608 | +Last-Updated: 2020-08-12 |
609 | +Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15 |
610 | + |
611 | +--- a/src/cf.data.pre |
612 | ++++ b/src/cf.data.pre |
613 | +@@ -5859,6 +5862,12 @@ NOCOMMENT_START |
614 | + refresh_pattern ^ftp: 1440 20% 10080 |
615 | + refresh_pattern ^gopher: 1440 0% 1440 |
616 | + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
617 | ++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
618 | ++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims |
619 | ++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims |
620 | ++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims |
621 | ++# example pattern for deb packages |
622 | ++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 |
623 | + refresh_pattern . 0 20% 4320 |
624 | + NOCOMMENT_END |
625 | + DOC_END |
626 | + |
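Review bot: the Description header says only "Add an example refresh pattern for .debs", but the single commented-out example arrives together with four active refresh_pattern rules (Packages/Sources, Release, InRelease, Translation-*) that land in the default configuration block with "0 0% 0 refresh-ims". The description should name those rules and say why they are wanted, since they change the shipped caching defaults rather than just documenting an option. An Author or Origin field in the header would also help whoever carries this delta next.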
627 | diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
628 | new file mode 100644 |
629 | index 0000000..40b5306 |
630 | --- /dev/null |
631 | +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch |
632 | @@ -0,0 +1,22 @@ |
633 | +--- a/src/cf.data.pre |
634 | ++++ b/src/cf.data.pre |
635 | +@@ -3516,6 +3516,19 @@ |
636 | + reference a PEM file containing both the certificate |
637 | + and private key. |
638 | + |
639 | ++ Notes: |
640 | ++ |
641 | ++ On Debian/Ubuntu systems a default snakeoil certificate is |
642 | ++ available in /etc/ssl and users can set: |
643 | ++ |
644 | ++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem |
645 | ++ |
646 | ++ and |
647 | ++ |
648 | ++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key |
649 | ++ |
650 | ++ for testing. |
651 | ++ |
652 | + sslcipher=... The list of valid SSL ciphers to use when connecting |
653 | + to this peer. |
654 | + |
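Review bot: this patch file starts directly at "--- a/src/cf.data.pre" with no DEP-3 header, while 90-cf.data.ubuntu.patch carries Description, Reviewed-By, Last-Updated and Forwarded. Please add at least Description and Forwarded so this part of the delta stays trackable. In the added text itself, "for testing" only appears at the very end of the note. Stating up front that the snakeoil certificate is self-signed and intended for testing only would make it less likely that the two paths get copied into a production peer configuration.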
655 | diff --git a/debian/patches/series b/debian/patches/series |
656 | index 6561436..398816a 100644 |
657 | --- a/debian/patches/series |
658 | +++ b/debian/patches/series |
659 | @@ -3,3 +3,5 @@ |
660 | 0003-installed-binary-for-debian-ci.patch |
661 | #0004-upstream-bug5041.patch |
662 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
663 | +90-cf.data.ubuntu.patch |
664 | +99-ubuntu-ssl-cert-snakeoil.patch |
665 | diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid |
666 | index bc1f987..232b59f 100644 |
667 | --- a/debian/usr.sbin.squid |
668 | +++ b/debian/usr.sbin.squid |
669 | @@ -50,6 +50,39 @@ |
670 | # squid-langpack |
671 | /usr/share/squid-langpack/** r, |
672 | |
673 | + # maas-proxy |
674 | + /var/lib/maas/maas-proxy.conf r, |
675 | + /var/log/maas/proxy/** rw, |
676 | + /var/spool/maas-proxy/ r, |
677 | + /var/spool/maas-proxy/** rwk, |
678 | + |
679 | + # squid-deb-proxy |
680 | + /etc/squid-deb-proxy/** r, |
681 | + /{,var/}run/squid-deb-proxy.pid rwk, |
682 | + /var/cache/squid-deb-proxy/ r, |
683 | + /var/cache/squid-deb-proxy/** rwk, |
684 | + /var/log/squid-deb-proxy/* rw, |
685 | + |
686 | + # squidguard |
687 | + /usr/bin/squidGuard Cx -> squidguard, |
688 | + profile squidguard { |
689 | + #include <abstractions/base> |
690 | + |
691 | + /etc/squid/squidGuard.conf r, |
692 | + /var/log/squid{,3}/squidGuard.log w, |
693 | + /var/lib/squidguard/** rw, |
694 | + |
695 | + # squidguard by default uses /var/log/squid as its logdir, however, we |
696 | + # don't want it to access squid's logs, only its own. Explicitly deny |
697 | + # access to squid's files but allow all others since the user may specify |
698 | + # anything for the squidGurad 'log' directive. |
699 | + /var/log/squid{,3}/* rw, |
700 | + audit deny /var/log/squid{,3}/{access,cache,store}.log* rw, |
701 | + |
702 | + # Site-specific additions and overrides. See local/README for details. |
703 | + #include <local/usr.sbin.squid> |
704 | + } |
705 | + |
706 | # Site-specific additions and overrides. See local/README for details. |
707 | #include <local/usr.sbin.squid> |
708 | } |
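Review bot: the squidguard child profile ends with "#include <local/usr.sbin.squid>", the same local file the parent profile includes right after the child profile closes, so any site-specific rule an administrator adds for squid is also granted to squidGuard. A separate local include for the child profile would keep the two confined independently. Smaller points in the same block: "/var/log/squid{,3}/squidGuard.log w," is already covered by "/var/log/squid{,3}/* rw,", and the comment above it spells the name "squidGurad".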
Just after 4.12-1 merge landed, can't get enough :-) ?