Merge ~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic into ubuntu/+source/squid:debian/sid

Proposed by Sergio Durigan Junior
Status: Merged
Merge reported by: Sergio Durigan Junior
Merged at revision: caf7e094d6fb550a059dd6a7656ae819c0246259
Proposed branch: ~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 1142 lines (+976/-2)
9 files modified
debian/NEWS (+7/-0)
debian/changelog (+735/-0)
debian/control (+3/-2)
debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0)
debian/patches/90-cf.data.ubuntu.patch (+22/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+24/-0)
debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch (+89/-0)
debian/patches/series (+4/-0)
debian/usr.sbin.squid (+27/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Needs Fixing
Canonical Server Reporter Pending
Review via email: mp+428123@code.launchpad.net

Description of the change

This is the merge of squid 5.6-1 from Debian unstable.

The merge was relatively easy to perform, and I was able to drop 2 sets of changes from our delta:

1) A fix for CVE 2021-46784, which has been incorporated by upstream.

2) A set of patches that I had backported during the last cycle in order to implement support for OpenSSL 3.

The first drop is trivial, but the second is more involved.

Upstream spent quite a long time discussing the OpenSSL 3 support (for more details, see <https://github.com/squid-cache/squid/pull/694>). They made a bunch of attempts to get the patchset right, and by the time Jammy was being released they still hadn't reached a final version for this change. I was forced to backport and use the commits present in the PR at the time, and then deal with a possible MRE for squid on Jammy after upstream decided on the final version of the patch. This is still the plan, by the way...

A few weeks ago upstream finally merged the final version of the PR. Initially I thought that I'd be able to backport the commit to squid 5.6 (the latest version, also available in Debian) and be done with it, but unfortunately the situation is more complicated than that. The final patch makes use of a lot of new code that has been pushed after 5.6 was released, and the backport proved non-trivial (to say the least). So, my proposed solution here is: let's drop the OpenSSL 3 patches that I had backported for Jammy, let's use the (simpler) OpenSSL 3 patch that Debian has been carrying for a while, and let's postpone the backport of upstream's official commit to next cycle. By then, we may not even have to worry about backporting anything because I believe upstream will release a new version of squid soon.

Finally, I'm adding a minor delta needed to make the package build with GCC 12. I've forwarded the patch upstream as well, so it should be possible to remove it next cycle.

There's a PPA with the proposed changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/squid/+packages

Builds are still happening; I will post the autopkgtest results ASAP.

Simon Déziel (sdeziel) wrote :

I like your proposed plan.

Tiny nitpick, there is a double "/" in: "d//p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch"

Sergio Durigan Junior (sergiodj) wrote :

On Wednesday, August 10 2022, Simon Déziel wrote:

> I like your proposed plan.

Thanks, Simon.

> Tiny nitpick, there is a double "/" in: "d//p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch"

Oops, good catch. Fixed now.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Christian Ehrhardt  (paelzer) wrote :

FYI - Cleared a few bugs linked here not addressed by this MR

Christian Ehrhardt  (paelzer) wrote :

One finding so far

Logical LGTM when reading and on comparison
$ git diff sergiodj/logical/5.2-1ubuntu5..pkg/ubuntu/kinetic-devel | diffstat
 changelog | 689 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 control | 3
 2 files changed, 691 insertions(+), 1 deletion(-)

Comparing changelog to git range-diff sergiodj/old/debian..sergiodj/logical/5.2-1ubuntu5 sergiodj/new/debian..f5afde0918221ef801fed0e08b0731d4bb77a2c6

1: e8aa00ea58 = 1: b61bbdbef6 - d/usr.sbin.squid: Add sections for squid-deb-proxy and squidguard
=> equal and in changelog

2: 37cc10db0e ! 2: 5fcec25f2e - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb packaging
=> just noise in d/p/series and in changelog

3: 7caf6552cf ! 3: 796331ccb0 - Use snakeoil certificates: + d/control: add ssl-cert to dependencies + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to
=> had noise anyway and needed to be refreshed, done so with better quilt config and in changelog

4: 3de0e9ea5f = 4: 9f67994339 - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
=> equal and in changelog

5: de801abcee ! 5: b5a471d3d0 - Fix FTBFS with GCC 11 (LP: #1939352) + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hd
=> partially dropped as it is upstream, correct to do so

xxx
=> But I miss mentioning now dropping d/p/workaround-gcc11-wstringop-overread-bug.patch in changelog (easy to fix for you)
xxx

6: 32bdc5f5d6 < -: ---------- * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new patches have been added: - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. - d/p/openssl3-Remove-stale-TODO-and-comment.patch. - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. - d/p/openssl3-Switch-to-BN_rand.patch. - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. - d/p/openssl3-Tweak-RSA-key-generator.patch. - d/p/openssl3-Update-ECDH-key-settings.patch. - d/p/openssl3-Update-license-disclaimer.patch.
7: 1bbcea11c5 < -: ---------- * Do not enable openssl as a default. This hinders packaging since we ship squid in two different flavours (gnutls and openssl). Drop d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200)
8: 8573392502 < -: ---------- * SECURITY UPDATE: Denial of Service in Gopher Processing - debian/patches/CVE-2021-46784.patch: improve handling of Gopher responses in src/gopher.cc.
-: ---------- > 6: 91eb5d18f2 * Drop changes: - Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new patches have been added: + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. + d/p/openssl3-Detect-...


review: Needs Fixing
Christian Ehrhardt  (paelzer) wrote :

FYI - no autopkgtests ran so far, I've scheduled them now

Running:
    time pkg release arch ppa trigger
    30 squid kinetic s390x sergiodj/squid squid/5.6-1ubuntu1~ppa5
Waiting:
    Q-num pkg release arch ppa trigger
    1 squid kinetic ppc64el sergiodj/squid squid/5.6-1ubuntu1~ppa5
    1 squid kinetic arm64 sergiodj/squid squid/5.6-1ubuntu1~ppa5
    1 squid kinetic armhf sergiodj/squid squid/5.6-1ubuntu1~ppa5
    1 squid kinetic amd64 sergiodj/squid squid/5.6-1ubuntu1~ppa5

Christian Ehrhardt  (paelzer) wrote :

launchpadlibrarian.net was down so I couldn't check the build log.
But the resulting debs seemed ok for me in a quick test.

Christian Ehrhardt  (paelzer) wrote :

Summary:
- a little nit pick of a forgotten changelog entry
- waiting for the autopkgtest results

Once both are fixed consider this approved.
If you want explicit re-checking then let me know.

review: Needs Fixing
b26282e... by Sergio Durigan Junior

    - Fix FTBFS with GCC 11 (LP #1939352)
      + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
        GCC 11 -Wstringop-overread bug.
      [ Not needed anymore. ]

d85920c... by Sergio Durigan Junior

merge-changelogs

c8bb7bd... by Sergio Durigan Junior

reconstruct-changelog

caf7e09... by Sergio Durigan Junior

update-maintainer

Sergio Durigan Junior (sergiodj) wrote :

Thank you for the review, Christian.

I've updated the changelog entry to reflect the dropped patch; thanks for catching this.

I have the autopkgtest results now; only armhf is failing, but that seems like a flaky failure. I've retriggered the test and will upload as soon as it succeeds.

Sergio Durigan Junior (sergiodj) wrote :

I just noticed that the armhf dep8 test is already failing against migration-reference/0, so I will go ahead and upload what I have here.

Thanks again.

$ dput squid_5.6-1ubuntu1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/squid/squid_5.6-1ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/squid/squid_5.6-1ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading squid_5.6-1ubuntu1.dsc: done.
  Uploading squid_5.6.orig.tar.xz: done.
  Uploading squid_5.6.orig.tar.xz.asc: done.
  Uploading squid_5.6-1ubuntu1.debian.tar.xz: done.
  Uploading squid_5.6-1ubuntu1_source.buildinfo: done.
  Uploading squid_5.6-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

diff --git a/debian/NEWS b/debian/NEWS
index 1ac410c..83136fb 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -37,6 +37,13 @@ squid (4.13-2) unstable; urgency=high
3737
38 -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:43:37 +010038 -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:43:37 +0100
3939
40squid (4.13-1ubuntu2) groovy; urgency=medium
41
42 Disable the NIS basic authentication helper, as it no longer builds with
43 glibc 2.32.
44
45 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Sep 2020 18:17:53 -0300
46
40squid (4.1-1) unstable; urgency=medium47squid (4.1-1) unstable; urgency=medium
4148
42 Starting from this release support for systemd init has been added to the49 Starting from this release support for systemd init has been added to the
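Review bot: The NIS helper delta shows up in this diff only as the d/NEWS entry added here; the file list for the merge has no debian/rules change against debian/sid, yet the new 5.6-1ubuntu1 changelog entry still records the remaining change as "d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)". Please confirm whether d/rules still carries any Ubuntu delta for this, and if it does not, reduce the changelog line to d/NEWS so the recorded delta matches what is actually shipped. The NEWS text would also be easier to act on if it cited the LP bug that the changelog already references.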
diff --git a/debian/changelog b/debian/changelog
index 47a68d3..724392b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,49 @@
1squid (5.6-1ubuntu1) kinetic; urgency=medium
2
3 * Merge with Debian unstable (LP: #1971325). Remaining changes:
4 - d/usr.sbin.squid: Add sections for squid-deb-proxy and
5 squidguard
6 - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
7 packaging
8 - Use snakeoil certificates:
9 + d/control: add ssl-cert to dependencies
10 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
11 to the default config file
12 - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
13 - Fix FTBFS with GCC 11 (LP #1939352)
14 + d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Fix
15 MAX_PKT{4,6}_SZ to account for icmpEchoData padding.
16 * Drop changes:
17 - Fix FTBFS with OpenSSL 3.0 (LP #1946205). The following new
18 patches have been added:
19 + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
20 + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
21 + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
22 + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
23 + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
24 + d/p/openssl3-Remove-stale-TODO-and-comment.patch.
25 + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
26 + d/p/openssl3-Switch-to-BN_rand.patch.
27 + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
28 + d/p/openssl3-Tweak-RSA-key-generator.patch.
29 + d/p/openssl3-Update-ECDH-key-settings.patch.
30 + d/p/openssl3-Update-license-disclaimer.patch.
31 [ Incorporated by Debian. ]
32 - SECURITY UPDATE: Denial of Service in Gopher Processing
33 + debian/patches/CVE-2021-46784.patch: improve handling of Gopher
34 responses in src/gopher.cc.
35 [ Incorporated by upstream. ]
36 - Fix FTBFS with GCC 11 (LP #1939352)
37 + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
38 GCC 11 -Wstringop-overread bug.
39 [ Not needed anymore. ]
40 * Add changes:
41 - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
42 Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
43 [ Forwarded upstream ]
44
45 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 11 Aug 2022 17:13:45 -0400
46
1squid (5.6-1) unstable; urgency=high47squid (5.6-1) unstable; urgency=high
248
3 * Urgency high due to security fixes49 * Urgency high due to security fixes
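Review bot: In the "Drop changes" block of the 5.6-1ubuntu1 entry, the CVE-2021-46784 patch is dropped with only "[ Incorporated by upstream. ]" as justification, so the changelog alone does not let a reader verify which release carries the Gopher fix; older entries in this file use the form "[ In 4.11-4 ]" or "[Included in 4.13-8]", and naming the version here would make the security drop auditable. In the same block, the OpenSSL 3 list still names d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch, which the 5.2-1ubuntu4 entry already records as dropped, and it keeps the wording "The following new patches have been added" under a drop heading; listing only the patches that were still in the delta and rewording the sentence would avoid both confusions.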
@@ -38,6 +84,87 @@ squid (5.5-1) unstable; urgency=medium
3884
39 -- Luigi Gangitano <luigi@debian.org> Fri, 15 Apr 2022 14:39:54 +020085 -- Luigi Gangitano <luigi@debian.org> Fri, 15 Apr 2022 14:39:54 +0200
4086
87squid (5.2-1ubuntu5) kinetic; urgency=medium
88
89 * SECURITY UPDATE: Denial of Service in Gopher Processing
90 - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
91 responses in src/gopher.cc.
92 - CVE-2021-46784
93
94 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 21 Jun 2022 13:38:17 -0400
95
96squid (5.2-1ubuntu4) jammy; urgency=medium
97
98 * Do not enable openssl as a default. This hinders packaging since we ship
99 squid in two different flavours (gnutls and openssl). Drop
100 d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200)
101
102 -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 12 Apr 2022 23:41:41 -0300
103
104squid (5.2-1ubuntu3) jammy; urgency=medium
105
106 * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new
107 patches have been added:
108 - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
109 - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
110 - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
111 - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
112 - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
113 - d/p/openssl3-Remove-stale-TODO-and-comment.patch.
114 - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
115 - d/p/openssl3-Switch-to-BN_rand.patch.
116 - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
117 - d/p/openssl3-Tweak-RSA-key-generator.patch.
118 - d/p/openssl3-Update-ECDH-key-settings.patch.
119 - d/p/openssl3-Update-license-disclaimer.patch.
120
121 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 08 Feb 2022 17:15:20 -0500
122
123squid (5.2-1ubuntu2) jammy; urgency=medium
124
125 * No-change rebuild against libssl3
126
127 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:10 +0000
128
129squid (5.2-1ubuntu1) jammy; urgency=medium
130
131 * Merge with Debian unstable (LP: #1946903). Remaining changes:
132 - d/usr.sbin.squid: Add sections for squid-deb-proxy and
133 squidguard
134 - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
135 packaging
136 - Use snakeoil certificates:
137 + d/control: add ssl-cert to dependencies
138 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
139 to the default config file
140 - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
141 - Fix FTBFS with GCC 11 (LP #1939352)
142 + d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand
143 MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
144 + d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
145 GCC 11 -Wstringop-overread bug.
146 * Dropped changes:
147 - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
148 Fix call to free on nonheap-object in snmpCreateOidFromStr
149 [ Incorporated by upstream. ]
150 - Fix failure to build on RISC-V (LP #1934891)
151 [ Incorporated by upstream. ]
152 - SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
153 + debian/patches/CVE-2021-28116.patch: validate packets better in
154 src/wccp2.cc.
155 + CVE-2021-28116
156 [ Incorporated by upstream. ]
157 - Fix FTBFS with GCC 11 (LP #1939352)
158 + d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
159 cbdata::Offset hack with offsetof().
160 + d/p/add-missing-limits-include-connmark.patch: Add missing
161 <limits> include to src/acl/ConnMark.cc.
162 [ Incorporated by upstream. This is a partial drop; the other
163 two patches that compose this fix are still present in this
164 release. ]
165
166 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 01 Nov 2021 18:19:59 -0400
167
41squid (5.2-1) unstable; urgency=medium168squid (5.2-1) unstable; urgency=medium
42169
43 [ Amos Jeffries <amosjeffries@squid-cache.org> ]170 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -78,6 +205,58 @@ squid (5.1-2) unstable; urgency=medium
78205
79 -- Luigi Gangitano <luigi@debian.org> Fri, 17 Sep 2021 09:27:54 +0200206 -- Luigi Gangitano <luigi@debian.org> Fri, 17 Sep 2021 09:27:54 +0200
80207
208squid (4.13-10ubuntu5) impish; urgency=medium
209
210 * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
211 - debian/patches/CVE-2021-28116.patch: validate packets better in
212 src/wccp2.cc.
213 - CVE-2021-28116
214
215 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 04 Oct 2021 08:20:07 -0400
216
217squid (4.13-10ubuntu4) impish; urgency=medium
218
219 * Fix FTBFS with GCC 11 (LP: #1939352)
220 - d/p/add-missing-limits-include-connmark.patch: Add missing
221 <limits> include to src/acl/ConnMark.cc.
222 - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch: Expand
223 MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
224 - d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
225 cbdata::Offset hack with offsetof().
226 - d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
227 GCC 11 -Wstringop-overread bug.
228
229 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 20 Aug 2021 00:19:41 -0400
230
231squid (4.13-10ubuntu3) impish; urgency=medium
232
233 * Fix failure to build on RISC-V (LP: #1934891)
234
235 -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Wed, 07 Jul 2021 14:11:51 +0200
236
237squid (4.13-10ubuntu2) impish; urgency=medium
238
239 * No-change rebuild due to OpenLDAP soname bump.
240
241 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:05 -0400
242
243squid (4.13-10ubuntu1) impish; urgency=medium
244
245 * Merge with Debian unstable. Remaining changes:
246 - d/usr.sbin.squid: Add sections for squid-deb-proxy and
247 squidguard
248 - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
249 packaging
250 - Use snakeoil certificates:
251 + d/control: add ssl-cert to dependencies
252 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
253 to the default config file
254 - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
255 - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
256 Fix call to free on nonheap-object in snmpCreateOidFromStr
257
258 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 04 Jun 2021 12:49:43 -0400
259
81squid (4.13-10) unstable; urgency=medium260squid (4.13-10) unstable; urgency=medium
82261
83 [ Francisco Vilmar Cardoso Ruviaro ]262 [ Francisco Vilmar Cardoso Ruviaro ]
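Review bot: The 4.13-10ubuntu4 entry names d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch.patch, with a doubled ".patch" suffix, while its description still reads "Expand MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr" and the later 5.2-1ubuntu1 entry refers to the same fix as d/p/expand-max-pkt-sz-accomodate-icmphdr.patch. This looks like a rename applied to an already published changelog entry. Historical entries should be reconstructed verbatim from the previous Ubuntu upload, with the rename to fix-max-pkt-sz-for-icmpEchoData-padding.patch recorded only in the new 5.6-1ubuntu1 entry.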
@@ -96,6 +275,29 @@ squid (4.13-10) unstable; urgency=medium
96275
97 -- Santiago Garcia Mantinan <manty@debian.org> Fri, 28 May 2021 12:28:20 +0200276 -- Santiago Garcia Mantinan <manty@debian.org> Fri, 28 May 2021 12:28:20 +0200
98277
278squid (4.13-9ubuntu1) impish; urgency=medium
279
280 * Merge with Debian unstable. Remaining changes:
281 - d/usr.sbin.squid: Add sections for squid-deb-proxy and
282 squidguard
283 - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
284 packaging
285 - Use snakeoil certificates:
286 + d/control: add ssl-cert to dependencies
287 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
288 to the default config file
289 - d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
290 - d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
291 Fix call to free on nonheap-object in snmpCreateOidFromStr
292 * Drop changes:
293 - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
294 rootless or path-noscheme URLs in src/anyp/Uri.cc.
295 [Included in 4.13-8]
296 - d/usr.sbin.squid: Add section for maas-proxy
297 [maas-proxy is no longer shipped as a deb package]
298
299 -- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 18 May 2021 10:51:16 -0300
300
99squid (4.13-9) unstable; urgency=medium301squid (4.13-9) unstable; urgency=medium
100302
101 * Clarify on NEWS and scripts that we no longer remove logs on purge.303 * Clarify on NEWS and scripts that we no longer remove logs on purge.
@@ -156,6 +358,46 @@ squid (4.13-2) unstable; urgency=high
156358
157 -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:39:45 +0100359 -- Santiago Garcia Mantinan <manty@debian.org> Sun, 07 Feb 2021 01:39:45 +0100
158360
361squid (4.13-1ubuntu4) hirsute; urgency=medium
362
363 * d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
364 Fix FTBFS on Hirsute s390x when compiling with GCC 10.2.0.
365
366 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 05 Apr 2021 12:00:02 -0400
367
368squid (4.13-1ubuntu3) hirsute; urgency=medium
369
370 * SECURITY UPDATE: HTTP Request Smuggling issue
371 - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
372 rootless or path-noscheme URLs in src/anyp/Uri.cc.
373 - CVE-2020-25097
374
375 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 25 Mar 2021 12:38:06 -0400
376
377squid (4.13-1ubuntu2) groovy; urgency=medium
378
379 * d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)
380
381 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Sep 2020 18:19:42 -0300
382
383squid (4.13-1ubuntu1) groovy; urgency=medium
384
385 * Merge with Debian unstable. Remaining changes:
386 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
387 squidguard
388 - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
389 for debs.
390 - Use snakeoil certificates:
391 + d/control: add ssl-cert to dependencies
392 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
393 to the default config file
394 * Dropped changes:
395 - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
396 Fix GCC-10 build failure due to -Wstringop-truncation warning.
397 [ Accepted upstream. ]
398
399 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 25 Aug 2020 15:01:58 -0400
400
159squid (4.13-1) unstable; urgency=high401squid (4.13-1) unstable; urgency=high
160402
161 [ Amos Jeffries <amosjeffries@squid-cache.org> ]403 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -168,6 +410,43 @@ squid (4.13-1) unstable; urgency=high
168410
169 -- Luigi Gangitano <luigi@debian.org> Mon, 24 Aug 2020 17:27:54 +0200411 -- Luigi Gangitano <luigi@debian.org> Mon, 24 Aug 2020 17:27:54 +0200
170412
413squid (4.12-1ubuntu1) groovy; urgency=medium
414
415 * Merge with Debian unstable. Remaining changes:
416 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy
417 squidguard
418 - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern
419 for debs.
420 - Use snakeoil certificates:
421 + d/control: add ssl-cert to dependencies
422 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
423 to the default config file
424 * Dropped changes, not needed anymore:
425 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround
426 if building for ppc64el. On that arch, dpkg-buildflags sets -O3
427 instead of -O2 and that triggers a format-truncation error on
428 pcon.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875.
429 [ Dropped because the build now passes on ppc64el ]
430 * Dropped changes, incorporated by Debian:
431 - Don't restart squid by hand on postinst script
432 + d/squid.postinst: When installing/upgrading squid, the service
433 is being restarted manually in the postinst script, which can
434 break installations that have the squid apparmor enabled because
435 it will try to restart the service before reloading the apparmor
436 profile. There is no reason to restart squid manually, since the
437 restart will be automatically performed later.
438 - Drop conffile check for squid < 2.7
439 + d/squid.postinst: squid 2.7 is long, long gone, so it should be
440 safe to drop the postinst code to make sure that
441 /etc/squid/squid.conf was properly upgraded.
442 - d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
443 that we now store the pidfile under '/run/squid/'.
444 * Added changes:
445 - d/p/0007-WCCP-Fix-GCC-10-Wstringop-truncation-failures.patch:
446 Fix GCC-10 build failure due to -Wstringop-truncation warning.
447
448 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 10 Aug 2020 11:20:46 -0400
449
171squid (4.12-1) unstable; urgency=high450squid (4.12-1) unstable; urgency=high
172451
173 [ Sergio Durigan Junior <sergiodj@debian.org> ]452 [ Sergio Durigan Junior <sergiodj@debian.org> ]
@@ -203,6 +482,63 @@ squid (4.12-1) unstable; urgency=high
203482
204 -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200483 -- Luigi Gangitano <luigi@debian.org> Wed, 1 Jul 2020 10:52:54 +0200
205484
485squid (4.11-5ubuntu3) groovy; urgency=medium
486
487 * No change rebuild against new libnettle8 and libhogweed6 ABI.
488
489 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:38:13 +0100
490
491squid (4.11-5ubuntu2) groovy; urgency=medium
492
493 * d/tests/test-squid.py: Adjust 'pidfile' variable to reflect fact
494 that we now store the pidfile under '/run/squid/'.
495
496 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 May 2020 10:32:32 -0400
497
498squid (4.11-5ubuntu1) groovy; urgency=medium
499
500 * Merge with Debian unstable. Remaining changes:
501 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
502 squidguard
503 - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for
504 debs.
505 - Use snakeoil certificates:
506 + d/control: add ssl-cert to dependencies
507 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
508 default config file
509 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
510 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead
511 of -O2 and that triggers a format-truncation error on pcon.cc. See See
512 https://bugs.squid-cache.org/show_bug.cgi?id=4875
513 * Dropped:
514 - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
515 deprecated in glibc 2.30 (LP #1843325)
516 [ In 4.11-4 ]
517 - SECURITY UPDATE: multiple ESI issues
518 + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
519 into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
520 src/esi/Esi.h, src/esi/Expression.cc.
521 + CVE-2019-12519
522 [ In 4.11-4 ]
523 - SECURITY UPDATE: Digest Authentication nonce replay issue
524 + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
525 overflow in src/auth/digest/Config.cc.
526 [ In 4.11-4 ]
527 * Added:
528 - Don't restart squid by hand on postinst script
529 + d/squid.postinst: When installing/upgrading squid, the service
530 is being restarted manually in the postinst script, which can
531 break installations that have the squid apparmor enabled because
532 it will try to restart the service before reloading the apparmor
533 profile. There is no reason to restart squid manually, since the
534 restart will be automatically performed later.
535 - Drop conffile check for squid < 2.7
536 + d/squid.postinst: squid 2.7 is long, long gone, so it should be
537 safe to drop the postinst code to make sure that
538 /etc/squid/squid.conf was properly upgraded.
539
540 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 19 May 2020 14:43:04 -0400
541
206squid (4.11-5) unstable; urgency=medium542squid (4.11-5) unstable; urgency=medium
207543
208 [ Sergio Durigan Junior <sergiodj@debian.org> ]544 [ Sergio Durigan Junior <sergiodj@debian.org> ]
@@ -281,6 +617,64 @@ squid (4.11-1) unstable; urgency=high
281617
282 -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200618 -- Luigi Gangitano <luigi@debian.org> Thu, 23 Apr 2020 19:34:54 +0200
283619
620squid (4.10-1ubuntu2) groovy; urgency=medium
621
622 * SECURITY UPDATE: multiple ESI issues
623 - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
624 into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
625 src/esi/Esi.h, src/esi/Expression.cc.
626 - CVE-2019-12519
627 - CVE-2019-12521
628 * SECURITY UPDATE: Digest Authentication nonce replay issue
629 - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
630 overflow in src/auth/digest/Config.cc.
631 - CVE-2020-11945
632
633 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2020 09:51:10 -0400
634
635squid (4.10-1ubuntu1) focal; urgency=medium
636
637 * Merge with Debian unstable. Remaining changes:
638 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
639 squidguard
640 - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for debs.
641 - Use snakeoil certificates:
642 + d/control: add ssl-cert to dependencies
643 + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
644 to the default config file
645 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
646 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
647 -O2 and that triggers a format-truncation error on pcon.cc. See
648 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
649 - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
650 deprecated in glibc 2.30 (LP #1843325)
651 * Dropped:
652 - d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
653 no longer available in Focal (LP: #1858827)
654 [In 4.10-1, undocumented]
655 - d/t/test-squid.py, d/t/squid: switch to python3
656 [In 4.10-1, undocumented]
657 - d/t/control: depend on python3-minimal
658 [In 4.10-1, undocumented]
659 - SECURITY UPDATE: info disclosure via FTP server
660 + debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
661 src/clients/FtpGateway.cc.
662 + CVE-2019-12528
663 [Fixed upstream]
664 - SECURITY UPDATE: incorrect input validation and buffer management
665 + debian/patches/CVE-2020-84xx.patch: fix request URL generation in
666 reverse proxy configurations in src/client_side.cc.
667 + CVE-2020-8449
668 + CVE-2020-8450
669 [Fixed upstream]
670 - SECURITY UPDATE: DoS in NTLM authentication
671 + debian/patches/CVE-2020-8517.patch: improved username handling in
672 src/acl/external/LM_group/ext_lm_group_acl.cc.
673 + CVE-2020-8517
674 [Fixed upstream]
675
676 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Feb 2020 15:37:55 -0300
677
284squid (4.10-1) unstable; urgency=high678squid (4.10-1) unstable; urgency=high
285679
286 [ Amos Jeffries <amosjeffries@squid-cache.org> ]680 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -302,6 +696,70 @@ squid (4.10-1) unstable; urgency=high
302696
303 -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100697 -- Luigi Gangitano <luigi@debian.org> Tue, 10 Feb 2020 14:12:54 +0100
304698
699squid (4.9-2ubuntu4) focal; urgency=medium
700
701 * SECURITY UPDATE: info disclosure via FTP server
702 - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
703 src/clients/FtpGateway.cc.
704 - CVE-2019-12528
705 * SECURITY UPDATE: incorrect input validation and buffer management
706 - debian/patches/CVE-2020-84xx.patch: fix request URL generation in
707 reverse proxy configurations in src/client_side.cc.
708 - CVE-2020-8449
709 - CVE-2020-8450
710 * SECURITY UPDATE: DoS in NTLM authentication
711 - debian/patches/CVE-2020-8517.patch: improved username handling in
712 src/acl/external/LM_group/ext_lm_group_acl.cc.
713 - CVE-2020-8517
714
715 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 19 Feb 2020 12:43:05 -0500
716
717squid (4.9-2ubuntu3) focal; urgency=medium
718
719 * No-change rebuild with fixed binutils on arm64.
720
721 -- Matthias Klose <doko@ubuntu.com> Sat, 08 Feb 2020 11:20:19 +0000
722
723squid (4.9-2ubuntu2) focal; urgency=medium
724
725 * d/t/control, d/t/test-squid.py: remove gopher tests, as pygopherd is
726 no longer available in Focal (LP: #1858827)
727 * d/t/test-squid.py, d/t/squid: switch to python3
728 * d/t/control: depend on python3-minimal
729
730 -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jan 2020 15:52:32 -0300
731
732squid (4.9-2ubuntu1) focal; urgency=medium
733
734 * Merge with Debian unstable. Remaining changes:
735 - Use snakeoil certificates.
736 - Add an example refresh pattern for debs.
737 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
738 squidguard
739 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
740 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
741 -O2 and that triggers a format-truncation error on pcon.cc. See
742 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
743 - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
744 deprecated in glibc 2.30 (LP #1843325)
745 * Dropped:
746 - d/rules: Only use -latomic with the intended architectures, instead of
747 all of them. This matches what was suggested in
748 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
749 [Fixed upstream]
750 - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
751 dh_installchangelogs can pick it up. dh_installchangelogs handles
752 d/NEWS or d/<package>.NEWS, but not NEWS.debian.
753 [Fixed upstream]
754 - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
755 lib/smblib/smblib-util.c. (LP #1835831)
756 [Fixed upstream]
757 - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
758 mounted
759 [Fixed upstream]
760
761 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 14 Nov 2019 16:33:10 -0300
762
305squid (4.9-2) unstable; urgency=medium763squid (4.9-2) unstable; urgency=medium
306764
307 [ Andreas Hasenack <andreas@canonical.com> ]765 [ Andreas Hasenack <andreas@canonical.com> ]
@@ -358,6 +816,73 @@ squid (4.9-1) unstable; urgency=high
358816
359 -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100817 -- Luigi Gangitano <luigi@debian.org> Sun, 10 Nov 2019 20:28:15 +0100
360818
819squid (4.8-1ubuntu3) focal; urgency=medium
820
821 * No-change rebuild against libnettle7
822
823 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:15:39 +0000
824
825squid (4.8-1ubuntu2) eoan; urgency=medium
826
827 * d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
828 deprecated in glibc 2.30 (LP: #1843325)
829
830 -- Andreas Hasenack <andreas@canonical.com> Mon, 09 Sep 2019 17:31:45 -0300
831
832squid (4.8-1ubuntu1) eoan; urgency=medium
833
834 * Merge with Debian unstable. Remaining changes:
835 - Use snakeoil certificates.
836 - Add an example refresh pattern for debs.
837 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
838 squidguard
839 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
840 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
841 -O2 and that triggers a format-truncation error on pcon.cc. See
842 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
843 - d/rules: Only use -latomic with the intended architectures, instead of
844 all of them. This matches what was suggested in
845 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
846 - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
847 dh_installchangelogs can pick it up. dh_installchangelogs handles
848 d/NEWS or d/<package>.NEWS, but not NEWS.debian.
849 - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
850 lib/smblib/smblib-util.c. (LP #1835831)
851 * Dropped:
852 - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
853 Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
854 [Fixed upstream]
855 - debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
856 patch
857 [Fixed upstream]
858 - SECURITY UPDATE: incorrect digest auth parameter parsing
859 + debian/patches/CVE-2019-12525.patch: check length in
860 src/auth/digest/Config.cc.
861 + CVE-2019-12525
862 [Fixed upstream]
863 - SECURITY UPDATE: buffer overflow in basic auth decoding
864 + debian/patches/CVE-2019-12527.patch: switch to SBuf in
865 src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
866 src/clients/FtpGateway.cc.
867 + CVE-2019-12527
868 [Fixed upstream]
869 - SECURITY UPDATE: basic auth uudecode length issue
870 + debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
871 base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
872 include/uudecode.h, lib/uudecode.c.
873 + CVE-2019-12529
874 [Fixed upstream]
875 - SECURITY UPDATE: XSS issues in cachemgr.cgi
876 + debian/patches/CVE-2019-13345.patch: properly escape values in
877 tools/cachemgr.cc.
878 + CVE-2019-13345
879 [Fixed upstream]
880 * Added:
881 - d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
882 mounted
883
884 -- Andreas Hasenack <andreas@canonical.com> Wed, 24 Jul 2019 16:38:59 -0300
885
361squid (4.8-1) unstable; urgency=high886squid (4.8-1) unstable; urgency=high
362887
363 [ Amos Jeffries <amosjeffries@squid-cache.org> ]888 [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -376,6 +901,86 @@ squid (4.8-1) unstable; urgency=high
376901
377 -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200902 -- Luigi Gangitano <luigi@debian.org> Thu, 18 Jul 2019 22:28:15 +0200
378903
904squid (4.6-2ubuntu4) eoan; urgency=medium
905
906 * Fix gcc-9 issues (LP: #1835831)
907 - Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
908 - debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
909 lib/smblib/smblib-util.c.
910 * SECURITY UPDATE: incorrect digest auth parameter parsing
911 - debian/patches/CVE-2019-12525.patch: check length in
912 src/auth/digest/Config.cc.
913 - CVE-2019-12525
914 * SECURITY UPDATE: buffer overflow in basic auth decoding
915 - debian/patches/CVE-2019-12527.patch: switch to SBuf in
916 src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
917 src/clients/FtpGateway.cc.
918 - CVE-2019-12527
919 * SECURITY UPDATE: basic auth uudecode length issue
920 - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
921 base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
922 include/uudecode.h, lib/uudecode.c.
923 - CVE-2019-12529
924 * SECURITY UPDATE: XSS issues in cachemgr.cgi
925 - debian/patches/CVE-2019-13345.patch: properly escape values in
926 tools/cachemgr.cc.
927 - CVE-2019-13345
928
929 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 19 Jul 2019 08:01:58 -0400
930
931squid (4.6-2ubuntu3) eoan; urgency=medium
932
933 * Override newly added gcc-9 flags:
934 -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
935 NOTE: Overriding those flags is a possible security
936 asked for info on the gcc-9 issue bug tracker:
937 https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
938
939 -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 15 Jul 2019 10:21:47 +0200
940
941squid (4.6-2ubuntu2) eoan; urgency=medium
942
943 * Fix gcc-9 build issues with upstream merged patch
944
945 -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 14 Jul 2019 14:41:16 +0200
946
947squid (4.6-2ubuntu1) eoan; urgency=medium
948
949 * Merge with Debian unstable. Remaining changes:
950 - Use snakeoil certificates.
951 - Add an example refresh pattern for debs.
952 - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
953 squidguard
954 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
955 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
956 -O2 and that triggers a format-truncation error on pcon.cc. See
957 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
958 - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
959 Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
960 [Added Applied-Upstream header]
961 - d/rules: Only use -latomic with the intended architectures, instead of
962 all of them. This matches what was suggested in
963 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
964 - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
965 dh_installchangelogs can pick it up. dh_installchangelogs handles
966 d/NEWS or d/<package>.NEWS, but not NEWS.debian.
967 * Dropped:
968 - d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
969 at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP #1816006)
970 [Fixed in 4.5-2]
971 - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
972 error in parse_time_t, triggered on ppc64el due to the build using -O3
973 in that architecture.
974 [Fixed upstream]
975 - Add disabled by default AppArmor profile.
976 [Added by Debian in 4.6-2]
977 - d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
978 + allow net_admin capability
979 + add attach_disconnected flag
980 [Fixed in 4.6-2]
981
982 -- Andreas Hasenack <andreas@canonical.com> Sat, 18 May 2019 14:39:09 -0300
983
379squid (4.6-2) unstable; urgency=high984squid (4.6-2) unstable; urgency=high
380985
381 [ Andreas Hasenack <andreas@canonical.com> ]986 [ Andreas Hasenack <andreas@canonical.com> ]
@@ -436,6 +1041,57 @@ squid (4.5-1) unstable; urgency=medium
4361041
437 -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +01001042 -- Luigi Gangitano <luigi@debian.org> Wed, 20 Feb 2019 11:57:15 +0100
4381043
1044squid (4.4-1ubuntu2) disco; urgency=medium
1045
1046 * d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
1047 at boot. Thanks to Luigi Gangitano <luigi@debian.org> (LP: #1816006)
1048
1049 -- Andreas Hasenack <andreas@canonical.com> Wed, 27 Feb 2019 08:54:45 -0300
1050
1051squid (4.4-1ubuntu1) disco; urgency=medium
1052
1053 * Merge with Debian unstable. Remaining changes:
1054 - Use snakeoil certificates.
1055 - Add an example refresh pattern for debs.
1056 - Add disabled by default AppArmor profile.
1057 - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
1058 error in parse_time_t, triggered on ppc64el due to the build using -O3
1059 in that architecture.
1060 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
1061 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
1062 -O2 and that triggers a format-truncation error on pcon.cc. See
1063 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
1064 - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
1065 Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
1066 * Drop:
1067 - d/rules: enable cdbs parallel build
1068 [Fixed in 4.2-1]
1069 - d/t/test-squid.py: fix apparmor profile filename
1070 [Fixed in 4.2-1]
1071 - d/t/test-squid.py: fix the process name. The PID points at the parent.
1072 [Fixed in 4.2-1]
1073 - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
1074 [Fixed in 4.2-1]
1075 - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
1076 binary from the system, instead of the one from the source tree.
1077 [Fixed in 4.2-1]
1078 - d/t/upstream-test-suite: drop the sed line, since patch
1079 0003-installed-binary-for-debian-ci.patch is doing this work now.
1080 (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
1081 [Fixed in 4.2-1]
1082 * Added changes:
1083 - d/rules: Only use -latomic with the intended architectures, instead of
1084 all of them. This matches what was suggested in
1085 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
1086 - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
1087 dh_installchangelogs can pick it up. dh_installchangelogs handles
1088 d/NEWS or d/<package>.NEWS, but not NEWS.debian.
1089 - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
1090 + allow net_admin capability
1091 + add attach_disconnected flag
1092
1093 -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200
1094
439squid (4.4-1) unstable; urgency=high1095squid (4.4-1) unstable; urgency=high
4401096
441 * Urgency high due to security fixes1097 * Urgency high due to security fixes
@@ -500,6 +1156,85 @@ squid (4.2-1) unstable; urgency=high
5001156
501 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +02001157 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
5021158
1159squid (4.1-1ubuntu3) cosmic; urgency=medium
1160
1161 * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
1162 Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
1163
1164 -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300
1165
1166squid (4.1-1ubuntu2) cosmic; urgency=medium
1167
1168 * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
1169 binary (LP: #1792728)
1170
1171 -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
1172
1173squid (4.1-1ubuntu1) cosmic; urgency=medium
1174
1175 * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
1176 Remaining changes:
1177 - Use snakeoil certificates.
1178 [Updated to use the correct config setting names]
1179 - Add an example refresh pattern for debs.
1180 [Improved the refresh patterns based on the configuration from
1181 squid-deb-proxy package]
1182 - Add disabled by default AppArmor profile.
1183 [Updated to include the ssl_certs abstraction and suggestions on how to
1184 deal with the snakeoil private key and other keys in /etc/ssl.]
1185 * Dropped changes:
1186 - Add additional dep8 tests.
1187 [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
1188 - Correct attribution and add explanatory note in d/NEWS.debian.
1189 [That particular upgrade path has happened long ago.]
1190 - Drop wrong short-circuiting of various invocations; we always want to
1191 call the debhelper block.
1192 [This was for the transitional squid3 package, and that transition has
1193 already happened.]
1194 - Revert "Set pidfile for systemd's sysv-generator" from Debian.
1195 [Not needed anymore since we have a native systemd service file
1196 and no longer rely on the generator.]
1197 - Enable autoreconf. This is no longer required for the security updates,
1198 but is needed for the seddery of test-suite/Makefile.am in
1199 d/t/upstream-test-suite.
1200 [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
1201 - Adjust seddery for upstream test squid binary location.
1202 [sed no longer necessary since patch,
1203 0003-installed-binary-for-debian-ci.patch, will be dropped
1204 entirely.]
1205 - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
1206 happened in Xenial, so no upgrade path still requires this code. This
1207 reduces upgrade ordering difficulty.
1208 [Again we have a migration, but this time from squid3 to squid, so we
1209 need this].
1210 - GCC7 FTBFS fixes (LP: #1712668):
1211 + d/rules: don't error when hitting the "deprecated" and
1212 "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
1213 but one in Format.cc that affects 32bit builds was deemed too intrusive
1214 for the 3.5 stable series and is only in squid 4.x
1215 [No longer needed with squid 4.x]
1216 - Do not force gcc-6
1217 [It was a temporary workaround in Debian that got dropped]
1218 * Added changes:
1219 - d/rules: enable cdbs parallel build
1220 - d/t/test-squid.py: fix apparmor profile filename
1221 - d/t/test-squid.py: fix the process name. The PID points at the parent.
1222 - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
1223 - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
1224 binary from the system, instead of the one from the source tree.
1225 - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
1226 error in parse_time_t, triggered on ppc64el due to the build using -O3
1227 in that architecture.
1228 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
1229 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
1230 -O2 and that triggers a format-truncation error on pcon.cc. See
1231 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
1232 - d/t/upstream-test-suite: drop the sed line, since patch
1233 0003-installed-binary-for-debian-ci.patch is doing this work now.
1234 (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
1235
1236 -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
1237
503squid (4.1-1) unstable; urgency=high1238squid (4.1-1) unstable; urgency=high
5041239
505 * New Upstream Release (Closes: #896120)1240 * New Upstream Release (Closes: #896120)
diff --git a/debian/control b/debian/control
index 629cbbe..a5305c0 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: squid1Source: squid
2Section: web2Section: web
3Priority: optional3Priority: optional
4Maintainer: Luigi Gangitano <luigi@debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
5Uploaders: Santiago Garcia Mantinan <manty@debian.org>6Uploaders: Santiago Garcia Mantinan <manty@debian.org>
6Homepage: http://www.squid-cache.org7Homepage: http://www.squid-cache.org
7Standards-Version: 4.6.08Standards-Version: 4.6.0
@@ -32,7 +33,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
32Package: squid33Package: squid
33Architecture: any34Architecture: any
34Pre-Depends: ${misc:Pre-Depends}, adduser35Pre-Depends: ${misc:Pre-Depends}, adduser
35Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl36Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
36Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor37Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
37Recommends: libcap2-bin [linux-any], ca-certificates38Recommends: libcap2-bin [linux-any], ca-certificates
38Conflicts: squid-openssl39Conflicts: squid-openssl
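Review bot: `ssl-cert` is added as a hard `Depends`, yet the only use of the snakeoil certificate visible in this diff is the documentation note in 99-ubuntu-ssl-cert-snakeoil.patch, which describes it as being "for testing". If nothing in the default configuration reads those files, `Recommends` or `Suggests` would avoid pulling the package in on every squid install; otherwise please say in the changelog why the hard dependency is needed.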
diff --git a/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
39new file mode 10064440new file mode 100644
index 0000000..df677d8
--- /dev/null
+++ b/debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
@@ -0,0 +1,65 @@
1From: Sergio Durigan Junior <sergio.durigan@canonical.com>
2Date: Tue, 9 Aug 2022 17:49:23 -0400
3Subject: Fix -Werror=alloc-size-larger-than on GCC 12
4
5Author: Sergio Durigan Junior <sergiodj@ubuntu.com>
6Forwarded: yes, https://github.com/squid-cache/squid/pull/1118
7---
8 src/SquidConfig.h | 2 +-
9 src/pconn.cc | 2 +-
10 src/pconn.h | 2 +-
11 src/store/Disks.cc | 2 +-
12 4 files changed, 4 insertions(+), 4 deletions(-)
13
14diff --git a/src/SquidConfig.h b/src/SquidConfig.h
15index feabdf1..6b3cca5 100644
16--- a/src/SquidConfig.h
17+++ b/src/SquidConfig.h
18@@ -61,7 +61,7 @@ public:
19 ~DiskConfig() { delete[] swapDirs; }
20
21 RefCount<SwapDir> *swapDirs = nullptr;
22- int n_allocated = 0;
23+ unsigned int n_allocated = 0;
24 int n_configured = 0;
25 /// number of disk processes required to support all cache_dirs
26 int n_strands = 0;
27diff --git a/src/pconn.cc b/src/pconn.cc
28index 62e5411..d30726d 100644
29--- a/src/pconn.cc
30+++ b/src/pconn.cc
31@@ -167,7 +167,7 @@ IdleConnList::clearHandlers(const Comm::ConnectionPointer &conn)
32 void
33 IdleConnList::push(const Comm::ConnectionPointer &conn)
34 {
35- if (size_ == capacity_) {
36+ if ((unsigned int) size_ == capacity_) {
37 debugs(48, 3, HERE << "growing idle Connection array");
38 capacity_ <<= 1;
39 const Comm::ConnectionPointer *oldList = theList_;
40diff --git a/src/pconn.h b/src/pconn.h
41index 85e44e5..b8f07d9 100644
42--- a/src/pconn.h
43+++ b/src/pconn.h
44@@ -80,7 +80,7 @@ private:
45 Comm::ConnectionPointer *theList_;
46
47 /// Number of entries theList can currently hold without re-allocating (capacity).
48- int capacity_;
49+ unsigned int capacity_;
50 ///< Number of in-use entries in theList
51 int size_;
52
53diff --git a/src/store/Disks.cc b/src/store/Disks.cc
54index 4e8710a..f9c3171 100644
55--- a/src/store/Disks.cc
56+++ b/src/store/Disks.cc
57@@ -685,7 +685,7 @@ allocate_new_swapdir(Store::DiskConfig *swap)
58 swap->swapDirs = new SwapDir::Pointer[swap->n_allocated];
59 }
60
61- if (swap->n_allocated == swap->n_configured) {
62+ if (swap->n_allocated == (size_t) swap->n_configured) {
63 swap->n_allocated <<= 1;
64 const auto tmp = new SwapDir::Pointer[swap->n_allocated];
65 for (int i = 0; i < swap->n_configured; ++i) {
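Review bot: In the src/store/Disks.cc part, the comparison casts with `(size_t) swap->n_configured` although `n_allocated` was changed to `unsigned int` in src/SquidConfig.h, while src/pconn.cc uses `(unsigned int) size_` for the same kind of comparison; pick one type so both sides of each comparison really match. Both casts also convert a counter that stays a signed `int` (`n_configured`, `size_`), and the loop `for (int i = 0; i < swap->n_configured; ++i)` is still signed, so a negative value would silently become a very large unsigned one in the comparison. Making the counters unsigned as well, or asserting that they are non-negative before comparing, would remove the need for the casts.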
diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
0new file mode 10064466new file mode 100644
index 0000000..68ef5bc
--- /dev/null
+++ b/debian/patches/90-cf.data.ubuntu.patch
@@ -0,0 +1,22 @@
1Description: Add refresh patterns for deb packaging
2
3Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
4Last-Updated: 2021-05-11
5Forwarded: https://salsa.debian.org/squid-team/squid/-/merge_requests/15
6
7--- a/src/cf.data.pre
8+++ b/src/cf.data.pre
9@@ -5859,6 +5862,12 @@ NOCOMMENT_START
10 refresh_pattern ^ftp: 1440 20% 10080
11 refresh_pattern ^gopher: 1440 0% 1440
12 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
13+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
14+refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
15+refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
16+refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
17+# example pattern for deb packages
18+#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
19 refresh_pattern . 0 20% 4320
20 NOCOMMENT_END
21 DOC_END
22
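Review bot: The hunk header `@@ -5859,6 +5862,12 @@` starts at different old and new line numbers even though it is the only hunk in this patch, which suggests it is left over from an earlier multi-hunk version; please refresh the patch so the offsets match the current src/cf.data.pre. The DEP-3 header also has no Author or Origin field next to `Reviewed-By`.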
diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
0new file mode 10064423new file mode 100644
index 0000000..adfc2ee
--- /dev/null
+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
@@ -0,0 +1,24 @@
1Index: squid/src/cf.data.pre
2===================================================================
3--- squid.orig/src/cf.data.pre 2022-07-18 07:49:02.052257318 -0400
4+++ squid/src/cf.data.pre 2022-07-18 07:51:17.843207049 -0400
5@@ -3742,6 +3742,19 @@
6 A client X.509 certificate to use when connecting to
7 this peer.
8
9+ Notes:
10+
11+ On Debian/Ubuntu systems a default snakeoil certificate is
12+ available in /etc/ssl and users can set:
13+
14+ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
15+
16+ and
17+
18+ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
19+
20+ for testing.
21+
22 sslkey=/path/to/ssl/key
23 The private key corresponding to sslcert above.
24
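Review bot: This patch has no DEP-3 header at all: it opens directly with `Index: squid/src/cf.data.pre`, whereas the other patches added in this merge carry at least a Description or Subject and a `Forwarded:` field. Please add a Description, an Author and a `Forwarded:` status, and consider dropping the timestamps from the `---`/`+++` lines so that a refresh does not produce noise.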
diff --git a/debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch b/debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch
0new file mode 10064425new file mode 100644
index 0000000..0480de4
--- /dev/null
+++ b/debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch
@@ -0,0 +1,89 @@
1From 78708065e8aa4f882848befe8fa04bf1a04f1c9b Mon Sep 17 00:00:00 2001
2From: Sergio Durigan Junior <sergiodj@sergiodj.net>
3Date: Thu, 19 Aug 2021 18:56:50 -0400
4Subject: [PATCH 1/3] Fix MAX_PKT{4,6}_SZ to account for icmpEchoData padding
5
6The bug was exposed by GCC v11 on Ubuntu Impish:
7
8Icmp4.cc:116:11: error: array subscript icmpEchoData[0] is partly
9 outside array bounds of char[282] [-Werror=array-bounds]
10 echo->opcode = (unsigned char) opcode;
11
12The array the compiler is talking about is the pkt buffer. That buffer
13size (i.e. MAX_PKT4_SZ) was calculated under the faulty assumption that
14a compiler cannot add padding after icmphdr (when doing "icmp+1") and/or
15between icmpEchoData data members. When compiler padded, the old
16MAX_PKT4_SZ math stopped working.
17
18Same for ICMPv6.
19
20Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
21
22Author: Sergio Durigan Junior <sergiodj@sergiodj.net>
23Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1939352
24Forwarded: yes, https://github.com/squid-cache/squid/pull/887
25---
26 src/icmp/Icmp.h | 4 ++--
27 src/icmp/Icmp4.cc | 4 +++-
28 src/icmp/Icmp6.cc | 4 +++-
29 3 files changed, 8 insertions(+), 4 deletions(-)
30
31diff --git a/src/icmp/Icmp.h b/src/icmp/Icmp.h
32index c9cada3..b8cdf77 100644
33--- a/src/icmp/Icmp.h
34+++ b/src/icmp/Icmp.h
35@@ -16,8 +16,8 @@
36 #define PINGER_PAYLOAD_SZ 8192
37
38 #define MAX_PAYLOAD 256 // WAS: SQUIDHOSTNAMELEN
39-#define MAX_PKT4_SZ (MAX_PAYLOAD + sizeof(struct timeval) + sizeof (char) + sizeof(struct icmphdr) + 1)
40-#define MAX_PKT6_SZ (MAX_PAYLOAD + sizeof(struct timeval) + sizeof (char) + sizeof(struct icmp6_hdr) + 1)
41+#define MAX_PKT4_SZ (sizeof(struct icmpEchoData) + sizeof(struct icmphdr) + 1)
42+#define MAX_PKT6_SZ (sizeof(struct icmpEchoData) + sizeof(struct icmp6_hdr) + 1)
43
44 #if USE_ICMP
45
46diff --git a/src/icmp/Icmp4.cc b/src/icmp/Icmp4.cc
47index 9500215..687d8d3 100644
48--- a/src/icmp/Icmp4.cc
49+++ b/src/icmp/Icmp4.cc
50@@ -91,6 +91,8 @@ Icmp4::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
51 size_t icmp_pktsize = sizeof(struct icmphdr);
52 struct addrinfo *S = NULL;
53
54+ static_assert(sizeof(*icmp) + sizeof(*echo) <= sizeof(pkt), "our custom ICMPv4 Echo payload fits the packet buffer");
55+
56 memset(pkt, '\0', MAX_PKT4_SZ);
57
58 icmp = (struct icmphdr *) (void *) pkt;
59@@ -112,7 +114,7 @@ Icmp4::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
60 ++icmp_pkts_sent;
61
62 // Construct ICMP packet data content
63- echo = (icmpEchoData *) (icmp + 1);
64+ echo = reinterpret_cast<icmpEchoData *>(reinterpret_cast<char *>(pkt) + sizeof(*icmp));
65 echo->opcode = (unsigned char) opcode;
66 memcpy(&echo->tv, &current_time, sizeof(struct timeval));
67
68diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
69index 4bbd47a..a6ea79e 100644
70--- a/src/icmp/Icmp6.cc
71+++ b/src/icmp/Icmp6.cc
72@@ -125,6 +125,8 @@ Icmp6::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
73 struct addrinfo *S = NULL;
74 size_t icmp6_pktsize = 0;
75
76+ static_assert(sizeof(*icmp) + sizeof(*echo) <= sizeof(pkt), "our custom ICMPv6 Echo payload fits the packet buffer");
77+
78 memset(pkt, '\0', MAX_PKT6_SZ);
79 icmp = (struct icmp6_hdr *)pkt;
80
81@@ -147,7 +149,7 @@ Icmp6::SendEcho(Ip::Address &to, int opcode, const char *payload, int len)
82 icmp6_pktsize = sizeof(struct icmp6_hdr);
83
84 // Fill Icmp6 ECHO data content
85- echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
86+ echo = reinterpret_cast<icmpEchoData *>(reinterpret_cast<char *>(pkt) + sizeof(*icmp));
87 echo->opcode = (unsigned char) opcode;
88 memcpy(&echo->tv, &current_time, sizeof(struct timeval));
89
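Review bot: The header still reads `Subject: [PATCH 1/3]`, but debian/patches/series lists only fix-max-pkt-sz-for-icmpEchoData-padding.patch from that set; please state in the patch header whether parts 2/3 and 3/3 are unnecessary here, so the next merger does not have to rediscover it. In the code itself, the new `static_assert` bounds the header plus `icmpEchoData` against `sizeof(pkt)`, while the adjacent `memset(pkt, '\0', MAX_PKT4_SZ)` (and the `MAX_PKT6_SZ` one) still uses the macro; using `sizeof(pkt)` there too would keep the clear and the assertion tied to the same quantity.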
diff --git a/debian/patches/series b/debian/patches/series
index 5438215..95d949e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,7 @@
30003-installed-binary-for-debian-ci.patch30003-installed-binary-for-debian-ci.patch
40005-Use-RuntimeDirectory-to-create-run-squid.patch40005-Use-RuntimeDirectory-to-create-run-squid.patch
50006-Fix-build-against-OpenSSL-3-0.patch50006-Fix-build-against-OpenSSL-3-0.patch
690-cf.data.ubuntu.patch
799-ubuntu-ssl-cert-snakeoil.patch
8fix-max-pkt-sz-for-icmpEchoData-padding.patch
90009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
index d01bcd0..a34487a 100644
--- a/debian/usr.sbin.squid
+++ b/debian/usr.sbin.squid
@@ -51,6 +51,33 @@
51 # squid-langpack51 # squid-langpack
52 /usr/share/squid-langpack/** r,52 /usr/share/squid-langpack/** r,
5353
54 # squid-deb-proxy
55 /etc/squid-deb-proxy/** r,
56 /{,var/}run/squid-deb-proxy.pid rwk,
57 /var/cache/squid-deb-proxy/ r,
58 /var/cache/squid-deb-proxy/** rwk,
59 /var/log/squid-deb-proxy/* rw,
60
61 # squidguard
62 /usr/bin/squidGuard Cx -> squidguard,
63 profile squidguard {
64 #include <abstractions/base>
65
66 /etc/squid/squidGuard.conf r,
67 /var/log/squid{,3}/squidGuard.log w,
68 /var/lib/squidguard/** rw,
69
70 # squidguard by default uses /var/log/squid as its logdir, however, we
71 # don't want it to access squid's logs, only its own. Explicitly deny
72 # access to squid's files but allow all others since the user may specify
73 # anything for the squidGurad 'log' directive.
74 /var/log/squid{,3}/* rw,
75 audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
76
77 # Site-specific additions and overrides. See local/README for details.
78 #include <local/usr.sbin.squid>
79 }
80
54 # Site-specific additions and overrides. See local/README for details.81 # Site-specific additions and overrides. See local/README for details.
55 #include <local/usr.sbin.squid>82 #include <local/usr.sbin.squid>
56}83}
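Review bot: The `squidguard` child profile ends with `#include <local/usr.sbin.squid>`, the same local override file that the parent squid profile includes a few lines further down, so any site-specific rule an admin adds for squid is also granted to squidGuard. A separate local include for the child would keep its confinement as tight as the comment above the `audit deny` rule intends. Minor: that comment has a typo (`squidGurad`), and `/var/log/squid{,3}/squidGuard.log w,` is already covered by the later `/var/log/squid{,3}/* rw,`.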
