ubuntu/+source/squid3:ubuntu/xenial-security

Last commit made on 2019-12-04
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/squid3
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/xenial-security
Repository: lp:ubuntu/+source/squid3

Recent commits

4acc1ec... by Marc Deslauriers on 2019-11-20

Import patches-unapplied version 3.5.12-1ubuntu7.9 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 908cd81c957de9461255c18a96521023a08afdf1

New changelog entries:
  * SECURITY UPDATE: Heap Overflow issue in URN processing
    - debian/patches/CVE-2019-12526.patch: fix URN response handling in
      src/urn.cc.
    - CVE-2019-12526
  * SECURITY UPDATE: CSRF issue in HTTP Request processing
    - debian/patches/CVE-2019-18677.patch: prevent truncation for large
      origin-relative domains in src/URL.h, src/internal.cc, src/url.cc.
    - CVE-2019-18677
  * SECURITY UPDATE: HTTP Request Splitting in HTTP message processing
    - debian/patches/CVE-2019-18678.patch: server MUST reject messages with
      BWS after field-name in src/HttpHeader.cc, src/HttpHeader.h.
    - CVE-2019-18678
    - CVE-2019-18679

908cd81... by Marc Deslauriers on 2019-07-16

Import patches-unapplied version 3.5.12-1ubuntu7.8 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 96b6871730d1251c3e4297cea3a56c88a39e24fe

New changelog entries:
  * SECURITY UPDATE: incorrect digest auth parameter parsing
    - debian/patches/CVE-2019-12525.patch: check length in
      src/auth/digest/Config.cc.
    - CVE-2019-12525
  * SECURITY UPDATE: basic auth uudecode length issue
    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
      base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
      include/uudecode.h, lib/uudecode.c.
    - CVE-2019-12529

96b6871... by Marc Deslauriers on 2019-07-11

Import patches-unapplied version 3.5.12-1ubuntu7.7 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 745fc519360964c2ed9e8dd9b0aca7a2a20ec972

New changelog entries:
  * SECURITY UPDATE: DoS via SNMP memory leak
    - debian/patches/CVE-2018-19132.patch: fix leak in src/snmp_core.cc.
    - CVE-2018-19132
  * SECURITY UPDATE: XSS issues in cachemgr.cgi
    - debian/patches/CVE-2019-13345.patch: properly escape values in
      tools/cachemgr.cc.
    - CVE-2019-13345

745fc51... by Andreas Hasenack on 2018-10-31

Import patches-unapplied version 3.5.12-1ubuntu7.6 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Upload parent: 952103bbf339cabc5fbe17214eb6909d2f23652e

952103b... by Andreas Hasenack on 2018-10-31

changelog

aeca44c... by Andreas Hasenack on 2018-10-30

  * d/t/squid: use a shorter shutdown timeout for the tests, so they
    run faster

9e1145b... by Andreas Hasenack on 2018-10-30

  * d/t/control: drop unneeded dependency on python-unit.

a06c85f... by Andreas Hasenack on 2018-10-30

  * d/t/test-squid.py: in xenial, initscript, apparmor profile, pidfile and
    process are named squid, not squid3. Get rid of the multiple distro
    logic since these tests will be only run on xenial.

f6cbea5... by Andreas Hasenack on 2018-10-29

  * d/squid.rc: fix regexp for catching FATAL errors (LP: #1738412)

5dc496f... by Marc Deslauriers on 2018-02-01

Import patches-unapplied version 3.5.12-1ubuntu7.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 1ba3c2f3ef77a1fe4f1e2989052562b19fc9401d

New changelog entries:
  * SECURITY UPDATE: various denial of service issues
    - debian/patches/CVE-2016-25xx-1.patch: better handling of huge
      response headers in src/http.cc.
    - debian/patches/CVE-2016-25xx-2.patch: throw instead of asserting on
      some String overflows in src/SquidString.h, src/StrList.cc,
      src/String.cc, src/clients/Client.cc, src/clients/Client.h,
      src/clients/FtpClient.cc, src/http.cc.
    - debian/patches/CVE-2016-25xx-3.patch: fix assertion in custom ESI
      parser in src/esi/CustomParser.cc, src/esi/CustomParser.h.
    - debian/patches/CVE-2016-25xx-4.patch: fix assertion in
      src/FwdState.cc, src/FwdState.h, src/clients/Client.h, src/comm.cc,
      src/comm.h, src/http.cc.
    - CVE-2016-2569
    - CVE-2016-2570
    - CVE-2016-2571
  * SECURITY UPDATE: denial of service via crafted HTTP response
    - debian/patches/CVE-2016-3948.patch: convert Vary handling to SBuf in
      src/HttpRequest.cc, src/HttpRequest.h, src/MemObject.cc,
      src/MemObject.h, src/MemStore.cc, src/StoreMetaVary.cc,
      src/client_side.cc, src/client_side_reply.cc, src/http.cc,
      src/http.h, src/store.cc, src/store_key_md5.cc,
      src/store_swapmeta.cc, src/tests/stub_MemObject.cc,
      src/tests/stub_http.cc.
    - CVE-2016-3948
  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027