Ubuntu
squid package

Merge ~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic into ubuntu/+source/squid:debian/sid

Proposed by Sergio Durigan Junior on 2022-08-10

Status:

Merged

Merge reported by:

Sergio Durigan Junior

Merged at revision:

caf7e094d6fb550a059dd6a7656ae819c0246259

Proposed branch:

~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic

Merge into:

ubuntu/+source/squid:debian/sid

Diff against target:

1142 lines (+976/-2)

9 files modified

debian/NEWS (+7/-0)
debian/changelog (+735/-0)
debian/control (+3/-2)
debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0)
debian/patches/90-cf.data.ubuntu.patch (+22/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+24/-0)
debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch (+89/-0)
debian/patches/series (+4/-0)
debian/usr.sbin.squid (+27/-0)

Related bugs:

Bug #1895694: FFe: disable NIS basic auth helper, doesn't build with glibc 2.32	Undecided	Fix Released
Bug #1939352: FTBFS 4.13-10ubuntu3 when building with GCC 11	Undecided	Fix Released
Bug #1946205: squid: Fail to build against OpenSSL 3.0	High	Fix Released
Bug #1971325: Merge squid from Debian unstable for kinetic	Undecided	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Christian Ehrhardt  (community)	2022-08-10	Needs Fixing on 2022-08-11
Canonical Server Reporter	2022-08-10	Pending
Review via email: mp+428123@code.launchpad.net

Description of the change

This is the merge of squid 5.6-1 from Debian unstable.

The merge was relatively easy to perform, and I was able to drop 2 sets of changes from our delta:

1) A fix for CVE 2021-46784, which has been incorporated by upstream.

2) A set of patches that I had backported during the last cycle in order to implement support for OpenSSL 3.

The first drop is trivial, but the second is more involved.

Upstream spent quite a long time discussing the OpenSSL 3 support (for more details, see <https://github.com/squid-cache/squid/pull/694>). The made a bunch of attempts to get the patchset right, and by the time Jammy was being released they still hadn't reached a final version for this change. I was forced to backport and use the commits present in the PR at the time, and then deal with a possible MRE for squid on Jammy after upstream decided on the final version of the patch. This is still the plan, by the way...

A few weeks ago upstream finally merged the final version of the PR. Initially I thought that I'd be able to backport the commit to squid 5.6 (the latest version, also available in Debian) and be done with it, but unfortunately the situation is more complicated than that. The final patch makes use of a lot of new code that has been pushed after 5.6 was released, and the backport proved non-trivial (to say the least). So, my proposed solution here is: let's drop the OpenSSL 3 patches that I had backported for Jammy, let's use the (simpler) OpenSSL 3 patch that Debian has been carrying for a while, and let's postpone the backport of upstream's official commit to next cycle. By then, we may not even have to worry about backporting anything because I believe upstream will release a new version of squid soon.

Finally, I'm adding a minor delta needed to make the package build with GCC 12. I've forwarded the patch upstream as well, so it should be possible to remove it next cycle.

There's a PPA with the proposed changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/squid/+packages

Builds are still happening; I will post the autopkgtest results ASAP.

Revision history for this message

Simon Déziel (sdeziel) wrote on 2022-08-10:

I like your proposed plan.

Tiny nitpick, there is a double "/" in: "d//p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch"

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-10:

On Wednesday, August 10 2022, Simon Déziel wrote:

> I like your proposed plan.

Thanks, Simon.

> Tiny nitpick, there is a double "/" in: "d//p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch"

Ops, good catch. Fixed now.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-08-11:

FYI - Cleared a few bugs linked here not addressed by this MR

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-08-11:

Download full text (4.3 KiB)

One finding so far

Logical LGTM when reading and on comparison
$ git diff sergiodj/logical/5.2-1ubuntu5..pkg/ubuntu/kinetic-devel | diffstat
changelog | 689 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
control | 3
2 files changed, 691 insertions(+), 1 deletion(-)

Comparing changelog to git range-diff sergiodj/old/debian..sergiodj/logical/5.2-1ubuntu5 sergiodj/new/debian..f5afde0918221ef801fed0e08b0731d4bb77a2c6

1: e8aa00ea58 = 1: b61bbdbef6 - d/usr.sbin.squid: Add sections for squid-deb-proxy and squidguard
=> equal and in changelog

2: 37cc10db0e ! 2: 5fcec25f2e - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb packaging
=> just noise in d/p/series and in changelog

3: 7caf6552cf ! 3: 796331ccb0 - Use snakeoil certificates: + d/control: add ssl-cert to dependencies + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to
=> had noise anyway and needed to be refreshed, done so with better quilt config and in changelog

4: 3de0e9ea5f = 4: 9f67994339 - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
=> equal and in changelog

5: de801abcee ! 5: b5a471d3d0 - Fix FTBFS with GCC 11 (LP: #1939352) + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hd
=> partially dropped as it is upstream, correct to do so

xxx
=> But I miss mentioning now dropping d/p/workaround-gcc11-wstringop-overread-bug.patch in changelog (easy to fix for you)
xxx

One finding so far

Logical LGTM when reading and on comparison
$ git diff sergiodj/logical/5.2-1ubuntu5..pkg/ubuntu/kinetic-devel  | diffstat
 changelog |  689 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 control   |    3 
 2 files changed, 691 insertions(+), 1 deletion(-)

Comparing changelog to git range-diff  sergiodj/old/debian..sergiodj/logical/5.2-1ubuntu5 sergiodj/new/debian..f5afde0918221ef801fed0e08b0731d4bb77a2c6

1:  e8aa00ea58 = 1:  b61bbdbef6     - d/usr.sbin.squid: Add sections for squid-deb-proxy and       squidguard
=> equal and in changelog

2:  37cc10db0e ! 2:  5fcec25f2e     - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb       packaging
=> just noise in d/p/series and in changelog

3:  7caf6552cf ! 3:  796331ccb0     - Use snakeoil certificates:       + d/control: add ssl-cert to dependencies       + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl         to
=> had noise anyway and needed to be refreshed, done so with better quilt config and in changelog

4:  3de0e9ea5f = 4:  9f67994339     - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
=> equal and in changelog

5:  de801abcee ! 5:  b5a471d3d0     - Fix FTBFS with GCC 11 (LP: #1939352)       + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand         MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hd
=> partially dropped as it is upstream, correct to do so

xxx
=> But I miss mentioning now dropping d/p/workaround-gcc11-wstringop-overread-bug.patch in changelog (easy to fix for you)
xxx

6:  32bdc5f5d6 < -:  ----------   * Fix FTBFS with OpenSSL 3.0 (LP: #1946205).  The following new     patches have been added:     - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.     - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.     - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.     - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.     - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.     - d/p/openssl3-Remove-stale-TODO-and-comment.patch.     - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.     - d/p/openssl3-Switch-to-BN_rand.patch.     - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.     - d/p/openssl3-Tweak-RSA-key-generator.patch.     - d/p/openssl3-Update-ECDH-key-settings.patch.     - d/p/openssl3-Update-license-disclaimer.patch.
7:  1bbcea11c5 < -:  ----------   * Do not enable openssl as a default. This hinders packaging since we ship     squid in two different flavours (gnutls and openssl). Drop     d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200)
8:  8573392502 < -:  ----------   * SECURITY UPDATE: Denial of Service in Gopher Processing     - debian/patches/CVE-2021-46784.patch: improve handling of Gopher       responses in src/gopher.cc.
-:  ---------- > 6:  91eb5d18f2   * Drop changes:     - Fix FTBFS with OpenSSL 3.0 (LP: #1946205).  The following new       patches have been added:       + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.       + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.       + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.       + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.       + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.       + d/p/openssl3-Remove-stale-TODO-and-comment.patch.       + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.       + d/p/openssl3-Switch-to-BN_rand.patch.       + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.       + d/p/openssl3-Tweak-RSA-key-generator.patch.       + d/p/openssl3-Update-ECDH-key-settings.patch.       + d/p/openssl3-Update-license-disclaimer.patch.       [ Incorporated by Debian. ]
-:  ---------- > 7:  657653cd79     - SECURITY UPDATE: Denial of Service in Gopher Processing       + debian/patches/CVE-2021-46784.patch: improve handling of Gopher         responses in src/gopher.cc.       [ Incorporated by upstream. ]
-:  ---------- > 8:  f5afde0918   * Add changes:     - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:       Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.       [ Forwarded upstream ]

=> all drops seem correct and are mentioned

review: Needs Fixing

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-08-11:

FYI - no autopkgtests ran so far, I've scheduled them now

Running:
    time pkg release arch ppa trigger
    30 squid kinetic s390x sergiodj/squid squid/5.6-1ubuntu1~ppa5
Waiting:
    Q-num pkg release arch ppa trigger
    1 squid kinetic ppc64el sergiodj/squid squid/5.6-1ubuntu1~ppa5
    1 squid kinetic arm64 sergiodj/squid squid/5.6-1ubuntu1~ppa5
    1 squid kinetic armhf sergiodj/squid squid/5.6-1ubuntu1~ppa5
    1 squid kinetic amd64 sergiodj/squid squid/5.6-1ubuntu1~ppa5

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-08-11:

launchpadlibrarian.net was down so I couldn't check the build log.
But the resulting debs seemed ok for me in a quick test.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-08-11:

Summary:
- a little nit pick of a forgotten changelog entry
- waiting for the autopkgtest results

Once both are fixed consider this approved.
If you want explicit re-checking then let me know.

review: Needs Fixing

~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic updated on 2022-08-11

b26282e... by Sergio Durigan Junior on 2022-08-11:     - Fix FTBFS with GCC 11 (LP #1939352)
      + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
        GCC 11 -Wstringop-overread bug.
      [ Not needed anymore. ]
d85920c... by Sergio Durigan Junior on 2022-08-11: merge-changelogs
c8bb7bd... by Sergio Durigan Junior on 2022-08-11: reconstruct-changelog
caf7e09... by Sergio Durigan Junior on 2022-08-11: update-maintainer

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-11:

Thank you for the review, Christian.

I've updated the changelog entry to reflect the dropped patch; thanks for catching this.

I have the autopkgtest results now; only armhf is failing, but that seems like a flaky failure. I've retriggered the test and will upload as soon as it succeeds.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-11:

I just noticed that the armhf dep8 test is already failing against migration-reference/0, so I will go ahead and upload what I have here.

Thanks again.

$ dput squid_5.6-1ubuntu1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/squid/squid_5.6-1ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/squid/squid_5.6-1ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading squid_5.6-1ubuntu1.dsc: done.
  Uploading squid_5.6.orig.tar.xz: done.
  Uploading squid_5.6.orig.tar.xz.asc: done.
  Uploading squid_5.6-1ubuntu1.debian.tar.xz: done.
  Uploading squid_5.6-1ubuntu1_source.buildinfo: done.
  Uploading squid_5.6-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Durigan Junior

git-ubuntu developers

 diff --git a/debian/NEWS b/debian/NEWS
 index 1ac410c..83136fb 100644
 --- a/debian/NEWS
 +++ b/debian/NEWS
@@ -37,6 +37,13 @@ squid (4.13-2) unstable; urgency=high
   -- Santiago Garcia Mantinan <manty@debian.org>  Sun, 07 Feb 2021 01:43:37 +0100
++squid (4.13-1ubuntu2) groovy; urgency=medium
++
++  Disable the NIS basic authentication helper, as it no longer builds with
++  glibc 2.32.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Sep 2020 18:17:53 -0300
++
  squid (4.1-1) unstable; urgency=medium
    Starting from this release support for systemd init has been added to the
 diff --git a/debian/changelog b/debian/changelog
 index 47a68d3..724392b 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,49 @@
++squid (5.6-1ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1971325). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Fix
++        MAX_PKT{4,6}_SZ to account for icmpEchoData padding.
++  * Drop changes:
++    - Fix FTBFS with OpenSSL 3.0 (LP #1946205).  The following new
++      patches have been added:
++      + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
++      + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
++      + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
++      + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
++      + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
++      + d/p/openssl3-Remove-stale-TODO-and-comment.patch.
++      + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
++      + d/p/openssl3-Switch-to-BN_rand.patch.
++      + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
++      + d/p/openssl3-Tweak-RSA-key-generator.patch.
++      + d/p/openssl3-Update-ECDH-key-settings.patch.
++      + d/p/openssl3-Update-license-disclaimer.patch.
++      [ Incorporated by Debian. ]
++    - SECURITY UPDATE: Denial of Service in Gopher Processing
++      + debian/patches/CVE-2021-46784.patch: improve handling of Gopher
++        responses in src/gopher.cc.
++      [ Incorporated by upstream. ]
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
++        GCC 11 -Wstringop-overread bug.
++      [ Not needed anymore. ]
++  * Add changes:
++    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
++      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
++      [ Forwarded upstream ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Thu, 11 Aug 2022 17:13:45 -0400
++
  squid (5.6-1) unstable; urgency=high
    * Urgency high due to security fixes
@@ -38,6 +84,87 @@ squid (5.5-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Fri, 15 Apr 2022 14:39:54 +0200
++squid (5.2-1ubuntu5) kinetic; urgency=medium
++
++  * SECURITY UPDATE: Denial of Service in Gopher Processing
++    - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
++      responses in src/gopher.cc.
++    - CVE-2021-46784
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 21 Jun 2022 13:38:17 -0400
++
++squid (5.2-1ubuntu4) jammy; urgency=medium
++
++  * Do not enable openssl as a default. This hinders packaging since we ship
++    squid in two different flavours (gnutls and openssl). Drop
++    d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200)
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 12 Apr 2022 23:41:41 -0300
++
++squid (5.2-1ubuntu3) jammy; urgency=medium
++
++  * Fix FTBFS with OpenSSL 3.0 (LP: #1946205).  The following new
++    patches have been added:
++    - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
++    - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
++    - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
++    - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
++    - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
++    - d/p/openssl3-Remove-stale-TODO-and-comment.patch.
++    - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
++    - d/p/openssl3-Switch-to-BN_rand.patch.
++    - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
++    - d/p/openssl3-Tweak-RSA-key-generator.patch.
++    - d/p/openssl3-Update-ECDH-key-settings.patch.
++    - d/p/openssl3-Update-license-disclaimer.patch.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 08 Feb 2022 17:15:20 -0500
++
++squid (5.2-1ubuntu2) jammy; urgency=medium
++
++  * No-change rebuild against libssl3
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 09 Dec 2021 00:19:10 +0000
++
++squid (5.2-1ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable (LP: #1946903). Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand
++        MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
++      + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
++        GCC 11 -Wstringop-overread bug.
++  * Dropped changes:
++    - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++      Fix call to free on nonheap-object in snmpCreateOidFromStr
++      [ Incorporated by upstream. ]
++    - Fix failure to build on RISC-V (LP #1934891)
++      [ Incorporated by upstream. ]
++    - SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
++      + debian/patches/CVE-2021-28116.patch: validate packets better in
++        src/wccp2.cc.
++      + CVE-2021-28116
++      [ Incorporated by upstream. ]
++    - Fix FTBFS with GCC 11 (LP #1939352)
++      + d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
++        cbdata::Offset hack with offsetof().
++      + d/p/add-missing-limits-include-connmark.patch: Add missing
++        <limits> include to src/acl/ConnMark.cc.
++      [ Incorporated by upstream.  This is a partial drop; the other
++        two patches that compose this fix are still present in this
++        release. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 01 Nov 2021 18:19:59 -0400
++
  squid (5.2-1) unstable; urgency=medium
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -78,6 +205,58 @@ squid (5.1-2) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Fri, 17 Sep 2021 09:27:54 +0200
++squid (4.13-10ubuntu5) impish; urgency=medium
++
++  * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
++    - debian/patches/CVE-2021-28116.patch: validate packets better in
++      src/wccp2.cc.
++    - CVE-2021-28116
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 04 Oct 2021 08:20:07 -0400
++
++squid (4.13-10ubuntu4) impish; urgency=medium
++
++  * Fix FTBFS with GCC 11 (LP: #1939352)
++    - d/p/add-missing-limits-include-connmark.patch: Add missing
++      <limits> include to src/acl/ConnMark.cc.
++    - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch: Expand
++      MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
++    - d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
++      cbdata::Offset hack with offsetof().
++    - d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
++      GCC 11 -Wstringop-overread bug.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 20 Aug 2021 00:19:41 -0400
++
++squid (4.13-10ubuntu3) impish; urgency=medium
++
++  * Fix failure to build on RISC-V (LP: #1934891)
++
++ -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Wed, 07 Jul 2021 14:11:51 +0200
++
++squid (4.13-10ubuntu2) impish; urgency=medium
++
++  * No-change rebuild due to OpenLDAP soname bump.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 18:09:05 -0400
++
++squid (4.13-10ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
++    - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++      Fix call to free on nonheap-object in snmpCreateOidFromStr
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 04 Jun 2021 12:49:43 -0400
++
  squid (4.13-10) unstable; urgency=medium
    [ Francisco Vilmar Cardoso Ruviaro ]
@@ -96,6 +275,29 @@ squid (4.13-10) unstable; urgency=medium
   -- Santiago Garcia Mantinan <manty@debian.org>  Fri, 28 May 2021 12:28:20 +0200
++squid (4.13-9ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
++      packaging
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
++    - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++      Fix call to free on nonheap-object in snmpCreateOidFromStr
++  * Drop changes:
++    - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
++      rootless or path-noscheme URLs in src/anyp/Uri.cc.
++      [Included in 4.13-8]
++    - d/usr.sbin.squid: Add section for maas-proxy
++      [maas-proxy is no longer shipped as a deb package]
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 18 May 2021 10:51:16 -0300
++
  squid (4.13-9) unstable; urgency=medium
    * Clarify on NEWS and scripts that we no longer remove logs on purge.
@@ -156,6 +358,46 @@ squid (4.13-2) unstable; urgency=high
   -- Santiago Garcia Mantinan <manty@debian.org>  Sun, 07 Feb 2021 01:39:45 +0100
++squid (4.13-1ubuntu4) hirsute; urgency=medium
++
++  * d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
++    Fix FTBFS on Hirsute s390x when compiling with GCC 10.2.0.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 05 Apr 2021 12:00:02 -0400
++
++squid (4.13-1ubuntu3) hirsute; urgency=medium
++
++  * SECURITY UPDATE: HTTP Request Smuggling issue
++    - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
++      rootless or path-noscheme URLs in src/anyp/Uri.cc.
++    - CVE-2020-25097
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Mar 2021 12:38:06 -0400
++
++squid (4.13-1ubuntu2) groovy; urgency=medium
++
++  * d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Sep 2020 18:19:42 -0300
++
++squid (4.13-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
++      for debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++  * Dropped changes:
++    - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
++      Fix GCC-10 build failure due to -Wstringop-truncation warning.
++      [ Accepted upstream. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 25 Aug 2020 15:01:58 -0400
++
  squid (4.13-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -168,6 +410,43 @@ squid (4.13-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Mon, 24 Aug 2020 17:27:54 +0200
++squid (4.12-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
++      for debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++  * Dropped changes, not needed anymore:
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround
++      if building for ppc64el. On that arch, dpkg-buildflags sets -O3
++      instead of -O2 and that triggers a format-truncation error on
++      pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875.
++      [ Dropped because the build now passes on ppc64el ]
++  * Dropped changes, incorporated by Debian:
++    - Don't restart squid by hand on postinst script
++      + d/squid.postinst: When installing/upgrading squid, the service
++        is being restarted manually in the postinst script, which can
++        break installations that have the squid apparmor enabled because
++        it will try to restart the service before reloading the apparmor
++        profile.  There is no reason to restart squid manually, since the
++        restart will be automatically performed later.
++    - Drop conffile check for squid < 2.7
++      + d/squid.postinst: squid 2.7 is long, long gone, so it should be
++        safe to drop the postinst code to make sure that
++        /etc/squid/squid.conf was properly upgraded.
++    - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
++      that we now store the pidfile under '/run/squid/'.
++  * Added changes:
++    - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
++      Fix GCC-10 build failure due to -Wstringop-truncation warning.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 10 Aug 2020 11:20:46 -0400
++
  squid (4.12-1) unstable; urgency=high
    [ Sergio Durigan Junior <sergiodj@debian.org> ]
@@ -203,6 +482,63 @@ squid (4.12-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Wed,  1 Jul 2020 10:52:54 +0200
++squid (4.11-5ubuntu3) groovy; urgency=medium
++
++  * No change rebuild against new libnettle8 and libhogweed6 ABI.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 29 Jun 2020 22:38:13 +0100
++
++squid (4.11-5ubuntu2) groovy; urgency=medium
++
++  * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
++    that we now store the pidfile under '/run/squid/'.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 20 May 2020 10:32:32 -0400
++
++squid (4.11-5ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for
++      debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
++        default config file
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead
++      of -O2 and that triggers a format-truncation error on pcon.cc. See See
++      https://bugs.squid-cache.org/show_bug.cgi?id=4875
++  * Dropped:
++    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++      deprecated in glibc 2.30 (LP #1843325)
++      [ In 4.11-4 ]
++    - SECURITY UPDATE: multiple ESI issues
++      + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
++        into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
++        src/esi/Esi.h, src/esi/Expression.cc.
++      + CVE-2019-12519
++      [ In 4.11-4 ]
++    - SECURITY UPDATE: Digest Authentication nonce replay issue
++      + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
++        overflow in src/auth/digest/Config.cc.
++      [ In 4.11-4 ]
++  * Added:
++    - Don't restart squid by hand on postinst script
++      + d/squid.postinst: When installing/upgrading squid, the service
++        is being restarted manually in the postinst script, which can
++        break installations that have the squid apparmor enabled because
++        it will try to restart the service before reloading the apparmor
++        profile.  There is no reason to restart squid manually, since the
++        restart will be automatically performed later.
++    - Drop conffile check for squid < 2.7
++      + d/squid.postinst: squid 2.7 is long, long gone, so it should be
++        safe to drop the postinst code to make sure that
++        /etc/squid/squid.conf was properly upgraded.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 19 May 2020 14:43:04 -0400
++
  squid (4.11-5) unstable; urgency=medium
    [ Sergio Durigan Junior <sergiodj@debian.org> ]
@@ -281,6 +617,64 @@ squid (4.11-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Thu, 23 Apr 2020 19:34:54 +0200
++squid (4.10-1ubuntu2) groovy; urgency=medium
++
++  * SECURITY UPDATE: multiple ESI issues
++    - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
++      into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
++      src/esi/Esi.h, src/esi/Expression.cc.
++    - CVE-2019-12519
++    - CVE-2019-12521
++  * SECURITY UPDATE: Digest Authentication nonce replay issue
++    - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
++      overflow in src/auth/digest/Config.cc.
++    - CVE-2020-11945
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 13 May 2020 09:51:10 -0400
++
++squid (4.10-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.
++    - Use snakeoil certificates:
++      + d/control: add ssl-cert to dependencies
++      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
++        to the default config file
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++      deprecated in glibc 2.30 (LP #1843325)
++  * Dropped:
++    - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
++      no longer available in Focal (LP: #1858827)
++      [In 4.10-1, undocumented]
++    - d/t/test-squid.py, d/t/squid: switch to python3
++      [In 4.10-1, undocumented]
++    - d/t/control: depend on python3-minimal
++      [In 4.10-1, undocumented]
++    - SECURITY UPDATE: info disclosure via FTP server
++      + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
++        src/clients/FtpGateway.cc.
++      + CVE-2019-12528
++      [Fixed upstream]
++    - SECURITY UPDATE: incorrect input validation and buffer management
++      + debian/patches/CVE-2020-84xx.patch: fix request URL generation in
++        reverse proxy configurations in src/client_side.cc.
++      + CVE-2020-8449
++      + CVE-2020-8450
++      [Fixed upstream]
++    - SECURITY UPDATE: DoS in NTLM authentication
++      + debian/patches/CVE-2020-8517.patch: improved username handling in
++        src/acl/external/LM_group/ext_lm_group_acl.cc.
++      + CVE-2020-8517
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 25 Feb 2020 15:37:55 -0300
++
  squid (4.10-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -302,6 +696,70 @@ squid (4.10-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Tue, 10 Feb 2020 14:12:54 +0100
++squid (4.9-2ubuntu4) focal; urgency=medium
++
++  * SECURITY UPDATE: info disclosure via FTP server
++    - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
++      src/clients/FtpGateway.cc.
++    - CVE-2019-12528
++  * SECURITY UPDATE: incorrect input validation and buffer management
++    - debian/patches/CVE-2020-84xx.patch: fix request URL generation in
++      reverse proxy configurations in src/client_side.cc.
++    - CVE-2020-8449
++    - CVE-2020-8450
++  * SECURITY UPDATE: DoS in NTLM authentication
++    - debian/patches/CVE-2020-8517.patch: improved username handling in
++      src/acl/external/LM_group/ext_lm_group_acl.cc.
++    - CVE-2020-8517
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 19 Feb 2020 12:43:05 -0500
++
++squid (4.9-2ubuntu3) focal; urgency=medium
++
++  * No-change rebuild with fixed binutils on arm64.
++
++ -- Matthias Klose <doko@ubuntu.com>  Sat, 08 Feb 2020 11:20:19 +0000
++
++squid (4.9-2ubuntu2) focal; urgency=medium
++
++  * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
++    no longer available in Focal (LP: #1858827)
++  * d/t/test-squid.py, d/t/squid: switch to python3
++  * d/t/control: depend on python3-minimal
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 08 Jan 2020 15:52:32 -0300
++
++squid (4.9-2ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++      deprecated in glibc 2.30 (LP #1843325)
++  * Dropped:
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++      [Fixed upstream]
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++      [Fixed upstream]
++    - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
++      lib/smblib/smblib-util.c. (LP #1835831)
++      [Fixed upstream]
++    - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
++      mounted
++      [Fixed upstream]
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Thu, 14 Nov 2019 16:33:10 -0300
++
  squid (4.9-2) unstable; urgency=medium
    [ Andreas Hasenack <andreas@canonical.com> ]
@@ -358,6 +816,73 @@ squid (4.9-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Sun, 10 Nov 2019 20:28:15 +0100
++squid (4.8-1ubuntu3) focal; urgency=medium
++
++  * No-change rebuild against libnettle7
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Oct 2019 22:15:39 +0000
++
++squid (4.8-1ubuntu2) eoan; urgency=medium
++
++  * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
++    deprecated in glibc 2.30 (LP: #1843325)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 09 Sep 2019 17:31:45 -0300
++
++squid (4.8-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++    - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
++      lib/smblib/smblib-util.c. (LP #1835831)
++  * Dropped:
++    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++      Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
++      [Fixed upstream]
++    - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
++      patch
++      [Fixed upstream]
++    - SECURITY UPDATE: incorrect digest auth parameter parsing
++      + debian/patches/CVE-2019-12525.patch: check length in
++        src/auth/digest/Config.cc.
++      + CVE-2019-12525
++      [Fixed upstream]
++    - SECURITY UPDATE: buffer overflow in basic auth decoding
++      + debian/patches/CVE-2019-12527.patch: switch to SBuf in
++        src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
++        src/clients/FtpGateway.cc.
++      + CVE-2019-12527
++      [Fixed upstream]
++    - SECURITY UPDATE: basic auth uudecode length issue
++      + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
++        base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
++        include/uudecode.h, lib/uudecode.c.
++      + CVE-2019-12529
++      [Fixed upstream]
++    - SECURITY UPDATE: XSS issues in cachemgr.cgi
++      + debian/patches/CVE-2019-13345.patch: properly escape values in
++        tools/cachemgr.cc.
++      + CVE-2019-13345
++      [Fixed upstream]
++  * Added:
++    - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
++      mounted
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 24 Jul 2019 16:38:59 -0300
++
  squid (4.8-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -376,6 +901,86 @@ squid (4.8-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Thu, 18 Jul 2019 22:28:15 +0200
++squid (4.6-2ubuntu4) eoan; urgency=medium
++
++  * Fix gcc-9 issues (LP: #1835831)
++    - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
++    - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
++      lib/smblib/smblib-util.c.
++  * SECURITY UPDATE: incorrect digest auth parameter parsing
++    - debian/patches/CVE-2019-12525.patch: check length in
++      src/auth/digest/Config.cc.
++    - CVE-2019-12525
++  * SECURITY UPDATE: buffer overflow in basic auth decoding
++    - debian/patches/CVE-2019-12527.patch: switch to SBuf in
++      src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
++      src/clients/FtpGateway.cc.
++    - CVE-2019-12527
++  * SECURITY UPDATE: basic auth uudecode length issue
++    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
++      base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
++      include/uudecode.h, lib/uudecode.c.
++    - CVE-2019-12529
++  * SECURITY UPDATE: XSS issues in cachemgr.cgi
++    - debian/patches/CVE-2019-13345.patch: properly escape values in
++      tools/cachemgr.cc.
++    - CVE-2019-13345
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 19 Jul 2019 08:01:58 -0400
++
++squid (4.6-2ubuntu3) eoan; urgency=medium
++
++  * Override newly added gcc-9 flags:
++    -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
++    NOTE: Overriding those flags is a possible security
++    asked for info on the gcc-9 issue bug tracker:
++    https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 15 Jul 2019 10:21:47 +0200
++
++squid (4.6-2ubuntu2) eoan; urgency=medium
++
++  * Fix gcc-9 build issues with upstream merged patch
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sun, 14 Jul 2019 14:41:16 +0200
++
++squid (4.6-2ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
++      squidguard
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++      Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
++      [Added Applied-Upstream header]
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++  * Dropped:
++    - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
++      at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006)
++      [Fixed in 4.5-2]
++    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
++      error in parse_time_t, triggered on ppc64el due to the build using -O3
++      in that architecture.
++      [Fixed upstream]
++    - Add disabled by default AppArmor profile.
++      [Added by Debian in 4.6-2]
++    - d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
++      + allow net_admin capability
++      + add attach_disconnected flag
++      [Fixed in 4.6-2]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sat, 18 May 2019 14:39:09 -0300
++
  squid (4.6-2) unstable; urgency=high
    [ Andreas Hasenack <andreas@canonical.com> ]
@@ -436,6 +1041,57 @@ squid (4.5-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Wed, 20 Feb 2019 11:57:15 +0100
++squid (4.4-1ubuntu2) disco; urgency=medium
++
++  * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
++    at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 27 Feb 2019 08:54:45 -0300
++
++squid (4.4-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - Add disabled by default AppArmor profile.
++    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
++      error in parse_time_t, triggered on ppc64el due to the build using -O3
++      in that architecture.
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++      Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
++  * Drop:
++    - d/rules: enable cdbs parallel build
++      [Fixed in 4.2-1]
++    - d/t/test-squid.py: fix apparmor profile filename
++      [Fixed in 4.2-1]
++    - d/t/test-squid.py: fix the process name. The PID points at the parent.
++      [Fixed in 4.2-1]
++    - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
++      [Fixed in 4.2-1]
++    - d/t/0003-installed-binary-for-debian-ci.patch:  use the squid
++      binary from the system, instead of the one from the source tree.
++      [Fixed in 4.2-1]
++    - d/t/upstream-test-suite: drop the sed line, since patch
++      0003-installed-binary-for-debian-ci.patch is doing this work now.
++      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
++      [Fixed in 4.2-1]
++  * Added changes:
++    - d/rules: Only use -latomic with the intended architectures, instead of
++      all of them. This matches what was suggested in
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
++    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
++      dh_installchangelogs can pick it up. dh_installchangelogs handles
++      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
++    - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
++      + allow net_admin capability
++      + add attach_disconnected flag
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 19 Nov 2018 10:51:18 -0200
++
  squid (4.4-1) unstable; urgency=high
    * Urgency high due to security fixes
@@ -500,6 +1156,85 @@ squid (4.2-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Wed, 22 Aug 2018 13:57:15 +0200
++squid (4.1-1ubuntu3) cosmic; urgency=medium
++
++  * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
++    Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 09 Oct 2018 14:00:36 -0300
++
++squid (4.1-1ubuntu2) cosmic; urgency=medium
++
++  * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
++    binary (LP: #1792728)
++
++ -- Simon Deziel <simon@sdeziel.info>  Sat, 15 Sep 2018 13:55:32 -0400
++
++squid (4.1-1ubuntu1) cosmic; urgency=medium
++
++  * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
++    Remaining changes:
++    - Use snakeoil certificates.
++      [Updated to use the correct config setting names]
++    - Add an example refresh pattern for debs.
++      [Improved the refresh patterns based on the configuration from
++       squid-deb-proxy package]
++    - Add disabled by default AppArmor profile.
++      [Updated to include the ssl_certs abstraction and suggestions on how to
++       deal with the snakeoil private key and other keys in /etc/ssl.]
++  * Dropped changes:
++    - Add additional dep8 tests.
++      [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
++    - Correct attribution and add explanatory note in d/NEWS.debian.
++      [That particular upgrade path has happened long ago.]
++    - Drop wrong short-circuiting of various invocations; we always want to
++      call the debhelper block.
++      [This was for the transitional squid3 package, and that transition has
++       already happened.]
++    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
++      [Not needed anymore since we have a native systemd service file
++       and no longer rely on the generator.]
++    - Enable autoreconf. This is no longer required for the security updates,
++      but is needed for the seddery of test-suite/Makefile.am in
++      d/t/upstream-test-suite.
++      [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
++    - Adjust seddery for upstream test squid binary location.
++      [sed no longer necessary since patch,
++       0003-installed-binary-for-debian-ci.patch, will be dropped
++       entirely.]
++    - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
++      happened in Xenial, so no upgrade path still requires this code. This
++      reduces upgrade ordering difficulty.
++      [Again we have a migration, but this time from squid3 to squid, so we
++      need this].
++    - GCC7 FTBFS fixes (LP: #1712668):
++      + d/rules: don't error when hitting the "deprecated" and
++      "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
++      but one in Format.cc that affects 32bit builds was deemed too intrusive
++      for the 3.5 stable series and is only in squid 4.x
++      [No longer needed with squid 4.x]
++    - Do not force gcc-6
++      [It was a temporary workaround in Debian that got dropped]
++  * Added changes:
++    - d/rules: enable cdbs parallel build
++    - d/t/test-squid.py: fix apparmor profile filename
++    - d/t/test-squid.py: fix the process name. The PID points at the parent.
++    - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
++    - d/t/0003-installed-binary-for-debian-ci.patch:  use the squid
++      binary from the system, instead of the one from the source tree.
++    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
++      error in parse_time_t, triggered on ppc64el due to the build using -O3
++      in that architecture.
++    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
++      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
++      -O2 and that triggers a format-truncation error on pcon.cc. See
++      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
++    - d/t/upstream-test-suite: drop the sed line, since patch
++      0003-installed-binary-for-debian-ci.patch is doing this work now.
++      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 16 Aug 2018 12:33:17 -0300
++
  squid (4.1-1) unstable; urgency=high
    * New Upstream Release (Closes: #896120)
 diff --git a/debian/control b/debian/control
 index 629cbbe..a5305c0 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: squid
  Section: web
  Priority: optional
--Maintainer: Luigi Gangitano <luigi@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
  Uploaders: Santiago Garcia Mantinan <manty@debian.org>
  Homepage: http://www.squid-cache.org
  Standards-Version: 4.6.0
@@ -32,7 +33,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
  Package: squid
  Architecture: any
  Pre-Depends: ${misc:Pre-Depends}, adduser
--Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
++Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
  Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
  Recommends: libcap2-bin [linux-any], ca-certificates
  Conflicts: squid-openssl
 diff --git a/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
 new file mode 100644
 index 0000000..df677d8
 --- /dev/null
 +++ b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
@@ -0,0 +1,65 @@
++From: Sergio Durigan Junior <sergio.durigan@canonical.com>
++Date: Tue, 9 Aug 2022 17:49:23 -0400
++Subject: Fix -Werror=alloc-size-larger-than on GCC 12
++
++Author: Sergio Durigan Junior <sergiodj@ubuntu.com>
++Forwarded: yes, https://github.com/squid-cache/squid/pull/1118
++---
++ src/SquidConfig.h  | 2 +-
++ src/pconn.cc       | 2 +-
++ src/pconn.h        | 2 +-
++ src/store/Disks.cc | 2 +-
++ 4 files changed, 4 insertions(+), 4 deletions(-)
++
++diff --git a/src/SquidConfig.h b/src/SquidConfig.h
++index feabdf1..6b3cca5 100644
++--- a/src/SquidConfig.h
+++++ b/src/SquidConfig.h
++@@ -61,7 +61,7 @@ public:
++     ~DiskConfig() { delete[] swapDirs; }
++
++     RefCount<SwapDir> *swapDirs = nullptr;
++-    int n_allocated = 0;
+++    unsigned int n_allocated = 0;
++     int n_configured = 0;
++     /// number of disk processes required to support all cache_dirs
++     int n_strands = 0;
++diff --git a/src/pconn.cc b/src/pconn.cc
++index 62e5411..d30726d 100644
++--- a/src/pconn.cc
+++++ b/src/pconn.cc
++@@ -167,7 +167,7 @@ IdleConnList::clearHandlers(const Comm::ConnectionPointer &conn)
++ void
++ IdleConnList::push(const Comm::ConnectionPointer &conn)
++ {
++-    if (size_ == capacity_) {
+++    if ((unsigned int) size_ == capacity_) {
++         debugs(48, 3, HERE << "growing idle Connection array");
++         capacity_ <<= 1;
++         const Comm::ConnectionPointer *oldList = theList_;
++diff --git a/src/pconn.h b/src/pconn.h
++index 85e44e5..b8f07d9 100644
++--- a/src/pconn.h
+++++ b/src/pconn.h
++@@ -80,7 +80,7 @@ private:
++     Comm::ConnectionPointer *theList_;
++
++     /// Number of entries theList can currently hold without re-allocating (capacity).
++-    int capacity_;
+++    unsigned int capacity_;
++     ///< Number of in-use entries in theList
++     int size_;
++
++diff --git a/src/store/Disks.cc b/src/store/Disks.cc
++index 4e8710a..f9c3171 100644
++--- a/src/store/Disks.cc
+++++ b/src/store/Disks.cc
++@@ -685,7 +685,7 @@ allocate_new_swapdir(Store::DiskConfig *swap)
++         swap->swapDirs = new SwapDir::Pointer[swap->n_allocated];
++     }
++
++-    if (swap->n_allocated == swap->n_configured) {
+++    if (swap->n_allocated == (size_t) swap->n_configured) {
++         swap->n_allocated <<= 1;
++         const auto tmp = new SwapDir::Pointer[swap->n_allocated];
++         for (int i = 0; i < swap->n_configured; ++i) {
 diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
 new file mode 100644
 index 0000000..68ef5bc
 --- /dev/null
 +++ b/debian/patches/90-cf.data.ubuntu.patch
@@ -0,0 +1,22 @@
++Description: Add refresh patterns for deb packaging
++
++Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
++Last-Updated: 2021-05-11
++Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15
++
++--- a/src/cf.data.pre
+++++ b/src/cf.data.pre
++@@ -5859,6 +5862,12 @@ NOCOMMENT_START
++ refresh_pattern ^ftp:		1440	20%	10080
++ refresh_pattern ^gopher:	1440	0%	1440
++ refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
+++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
+++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+++# example pattern for deb packages
+++#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
++ refresh_pattern .		0	20%	4320
++ NOCOMMENT_END
++ DOC_END
++
 diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
 new file mode 100644
 index 0000000..adfc2ee
 --- /dev/null
 +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
@@ -0,0 +1,24 @@
++Index: squid/src/cf.data.pre
++===================================================================
++--- squid.orig/src/cf.data.pre	2022-07-18 07:49:02.052257318 -0400
+++++ squid/src/cf.data.pre	2022-07-18 07:51:17.843207049 -0400
++@@ -3742,6 +3742,19 @@
++ 			A client X.509 certificate to use when connecting to
++ 			this peer.
++
+++	Notes:
+++
+++	On Debian/Ubuntu systems a default snakeoil certificate is
+++	available in /etc/ssl and users can set:
+++
+++		sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
+++
+++	and
+++
+++		sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
+++
+++	for testing.
+++
++ 	sslkey=/path/to/ssl/key
++ 			The private key corresponding to sslcert above.
++
 diff --git a/debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch b/debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch
 new file mode 100644
 index 0000000..0480de4
 --- /dev/null
 +++ b/debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch
@@ -0,0 +1,89 @@
++From 78708065e8aa4f882848befe8fa04bf1a04f1c9b Mon Sep 17 00:00:00 2001
++From: Sergio Durigan Junior <sergiodj@sergiodj.net>
++Date: Thu, 19 Aug 2021 18:56:50 -0400
++Subject: [PATCH 1/3] Fix MAX_PKT{4,6}_SZ to account for icmpEchoData padding
++
++The bug was exposed by GCC v11 on Ubuntu Impish:
++
++Icmp4.cc:116:11: error: array subscript icmpEchoData[0] is partly
++    outside array bounds of char[282] [-Werror=array-bounds]
++    echo->opcode = (unsigned char) opcode;
++
++The array the compiler is talking about is the pkt buffer. That buffer
++size (i.e. MAX_PKT4_SZ) was calculated under the faulty assumption that
++a compiler cannot add padding after icmphdr (when doing "icmp+1") and/or
++between icmpEchoData data members. When compiler padded, the old
++MAX_PKT4_SZ math stopped working.
++
++Same for ICMPv6.
++
++Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
++
++Author: Sergio Durigan Junior <sergiodj@sergiodj.net>
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1939352
++Forwarded: yes, https://github.com/squid-cache/squid/pull/887
++---
++ src/icmp/Icmp.h   | 4 ++--
++ src/icmp/Icmp4.cc | 4 +++-
++ src/icmp/Icmp6.cc | 4 +++-
++ 3 files changed, 8 insertions(+), 4 deletions(-)
++
++diff --git a/src/icmp/Icmp.h b/src/icmp/Icmp.h
++index c9cada3..b8cdf77 100644
++--- a/src/icmp/Icmp.h
+++++ b/src/icmp/Icmp.h
++@@ -16,8 +16,8 @@
++ #define PINGER_PAYLOAD_SZ   8192
++
++ #define MAX_PAYLOAD 256 // WAS: SQUIDHOSTNAMELEN
++-#define MAX_PKT4_SZ (MAX_PAYLOAD + sizeof(struct timeval) + sizeof (char) + sizeof(struct icmphdr) + 1)
++-#define MAX_PKT6_SZ (MAX_PAYLOAD + sizeof(struct timeval) + sizeof (char) + sizeof(struct icmp6_hdr) + 1)
+++#define MAX_PKT4_SZ (sizeof(struct icmpEchoData) + sizeof(struct icmphdr) + 1)
+++#define MAX_PKT6_SZ (sizeof(struct icmpEchoData) + sizeof(struct icmp6_hdr) + 1)
++
++ #if USE_ICMP
++
++diff --git a/src/icmp/Icmp4.cc b/src/icmp/Icmp4.cc
++index 9500215..687d8d3 100644
++--- a/src/icmp/Icmp4.cc
+++++ b/src/icmp/Icmp4.cc
++@@ -91,6 +91,8 @@ Icmp4::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
++     size_t icmp_pktsize = sizeof(struct icmphdr);
++     struct addrinfo *S = NULL;
++
+++    static_assert(sizeof(*icmp) + sizeof(*echo) <= sizeof(pkt), "our custom ICMPv4 Echo payload fits the packet buffer");
+++
++     memset(pkt, '\0', MAX_PKT4_SZ);
++
++     icmp = (struct icmphdr *) (void *) pkt;
++@@ -112,7 +114,7 @@ Icmp4::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
++     ++icmp_pkts_sent;
++
++     // Construct ICMP packet data content
++-    echo = (icmpEchoData *) (icmp + 1);
+++    echo = reinterpret_cast<icmpEchoData *>(reinterpret_cast<char *>(pkt) + sizeof(*icmp));
++     echo->opcode = (unsigned char) opcode;
++     memcpy(&echo->tv, &current_time, sizeof(struct timeval));
++
++diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
++index 4bbd47a..a6ea79e 100644
++--- a/src/icmp/Icmp6.cc
+++++ b/src/icmp/Icmp6.cc
++@@ -125,6 +125,8 @@ Icmp6::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
++     struct addrinfo *S = NULL;
++     size_t icmp6_pktsize = 0;
++
+++    static_assert(sizeof(*icmp) + sizeof(*echo) <= sizeof(pkt), "our custom ICMPv6 Echo payload fits the packet buffer");
+++
++     memset(pkt, '\0', MAX_PKT6_SZ);
++     icmp = (struct icmp6_hdr *)pkt;
++
++@@ -147,7 +149,7 @@ Icmp6::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
++     icmp6_pktsize = sizeof(struct icmp6_hdr);
++
++     // Fill Icmp6 ECHO data content
++-    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+++    echo = reinterpret_cast<icmpEchoData *>(reinterpret_cast<char *>(pkt) + sizeof(*icmp));
++     echo->opcode = (unsigned char) opcode;
++     memcpy(&echo->tv, &current_time, sizeof(struct timeval));
++
 diff --git a/debian/patches/series b/debian/patches/series
 index 5438215..95d949e 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -3,3 +3,7 @@
 -installed-binary-for-debian-ci.patch
 -Use-RuntimeDirectory-to-create-run-squid.patch
 -Fix-build-against-OpenSSL-3-0.patch
++90-cf.data.ubuntu.patch
++99-ubuntu-ssl-cert-snakeoil.patch
++fix-max-pkt-sz-for-icmpEchoData-padding.patch
++0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
 diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
 index d01bcd0..a34487a 100644
 --- a/debian/usr.sbin.squid
 +++ b/debian/usr.sbin.squid
@@ -51,6 +51,33 @@
    # squid-langpack
    /usr/share/squid-langpack/** r,
++  # squid-deb-proxy
++  /etc/squid-deb-proxy/** r,
++  /{,var/}run/squid-deb-proxy.pid rwk,
++  /var/cache/squid-deb-proxy/ r,
++  /var/cache/squid-deb-proxy/** rwk,
++  /var/log/squid-deb-proxy/* rw,
++
++  # squidguard
++  /usr/bin/squidGuard Cx -> squidguard,
++  profile squidguard {
++    #include <abstractions/base>
++
++    /etc/squid/squidGuard.conf r,
++    /var/log/squid{,3}/squidGuard.log w,
++    /var/lib/squidguard/** rw,
++
++    # squidguard by default uses /var/log/squid as its logdir, however, we
++    # don't want it to access squid's logs, only its own. Explicitly deny
++    # access to squid's files but allow all others since the user may specify
++    # anything for the squidGurad 'log' directive.
++    /var/log/squid{,3}/* rw,
++    audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
++
++    # Site-specific additions and overrides. See local/README for details.
++    #include <local/usr.sbin.squid>
++  }
++
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.squid>
+ }

Ubuntusquid package

Merge ~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic into ubuntu/+source/squid:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
squid package