Change log for squid3 package in Ubuntu

Published in bionic-updates
Published in bionic-security
squid3 (3.5.27-1ubuntu1.14) bionic-security; urgency=medium

  * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
    - debian/patches/CVE-2022-41318.patch: improve checks in
      lib/ntlmauth/ntlmauth.cc.
    - CVE-2022-41318

 -- Marc Deslauriers <email address hidden>  Fri, 23 Sep 2022 08:08:17 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.13) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial of Service in Gopher Processing
    - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
      responses in src/gopher.cc.
    - CVE-2021-46784

 -- Marc Deslauriers <email address hidden>  Tue, 21 Jun 2022 13:45:17 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.12) bionic-security; urgency=medium

  * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
    - debian/patches/CVE-2021-28116.patch: validate packets better in
      src/wccp2.cc.
    - CVE-2021-28116

 -- Marc Deslauriers <email address hidden>  Mon, 04 Oct 2021 08:32:25 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.11) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via buffer-management bug
    - debian/patches/CVE-2021-28651.patch: fix memory leak in src/urn.cc.
    - CVE-2021-28651
  * SECURITY UPDATE: DoS via HTTP Range request
    - debian/patches/CVE-2021-3180x.patch: handle more Range requests in
      src/HttpHdrRange.cc, src/HttpHeaderRange.h, src/client_side.cc,
      src/client_side_request.cc, src/client_side_request.h.
    - CVE-2021-31806
    - CVE-2021-31807
    - CVE-2021-31808
  * SECURITY UPDATE: DoS via HTTP response
    - debian/patches/CVE-2021-33620.patch: handle more partial responses in
      src/HttpHdrContRange.cc, src/HttpHeaderRange.h,
      src/clients/Client.cc, src/client_side.cc.
    - CVE-2021-33620

 -- Marc Deslauriers <email address hidden>  Wed, 02 Jun 2021 13:03:13 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling issue
    - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
      rootless or path-noscheme URLs in src/url.cc.
    - CVE-2020-25097

 -- Marc Deslauriers <email address hidden>  Thu, 25 Mar 2021 12:45:30 -0400
Published in xenial-updates
Published in xenial-security
squid3 (3.5.12-1ubuntu7.16) xenial-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling issue
    - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
      rootless or path-noscheme URLs in src/url.cc.
    - CVE-2020-25097

 -- Marc Deslauriers <email address hidden>  Thu, 25 Mar 2021 12:46:49 -0400
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Request Smuggling and Poisoning issue
    - debian/patches/CVE-2020-15049.patch: validate Content-Length value
      prefix in src/http/ContentLengthInterpreter.cc,
      src/http/ContentLengthInterpreter.h.
    - CVE-2020-15049
  * SECURITY UPDATE: HTTP Request Smuggling issue
    - debian/patches/CVE-2020-15810.patch: enforce token characters for
      field-name in src/HttpHeader.cc.
    - CVE-2020-15810
  * SECURITY UPDATE: HTTP Request Splitting issue
    - debian/patches/CVE-2020-15811-pre.patch: validate Content-Length
      header values in src/HttpHeader.cc, src/HttpHeaderTools.cc,
      src/HttpHeaderTools.h, src/http/ContentLengthInterpreter.cc,
      src/http/ContentLengthInterpreter.h, src/http/Makefile.am.
    - debian/patches/CVE-2020-15811.patch: Improve Transfer-Encoding
      handling in src/HttpHeader.cc, src/HttpHeader.h, src/client_side.cc,
      src/http.cc.
    - CVE-2020-15811
  * SECURITY UPDATE: DoS via peer crafted Cache Digest response message
    - debian/patches/CVE-2020-24606.patch: fix livelocking in
      peerDigestHandleReply in src/peer_digest.cc.
    - CVE-2020-24606
  * Enable the test suite
    - debian/rules: enable test suite
    - debian/patches/enable-the-test-suite.patch: fix FTBFS.
    - debian/patches/fix-stub-comm-test.patch: fix FTBFS.

 -- Marc Deslauriers <email address hidden>  Wed, 16 Sep 2020 11:34:11 -0400
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
squid3 (3.5.12-1ubuntu7.14) xenial; urgency=medium

  * d/squid.resolvconf: Invoke "systemctl reload --no-block" if we are
    using systemd.  This prevents squid from blocking if the reload
    action is being issued indirectly because of another
    service (e.g., because dnsmasq has been restarted), which may
    cause a deadlock and prevent the whole transaction from
    completing. (LP: #1761096)

 -- Sergio Durigan Junior <email address hidden>  Fri, 04 Sep 2020 08:31:36 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: Request Smuggling and Poisoning issue
    - debian/patches/CVE-2020-15049.patch: validate Content-Length value
      prefix in src/http/ContentLengthInterpreter.cc,
      src/http/ContentLengthInterpreter.h.
    - CVE-2020-15049
  * SECURITY UPDATE: HTTP Request Smuggling issue
    - debian/patches/CVE-2020-15810.patch: enforce token characters for
      field-name in src/HttpHeader.cc.
    - CVE-2020-15810
  * SECURITY UPDATE: HTTP Request Splitting issue
    - debian/patches/CVE-2020-15811-pre.patch: validate Content-Length
      header values in src/HttpHeader.cc, src/HttpHeaderTools.cc,
      src/HttpHeaderTools.h, src/http/ContentLengthInterpreter.cc,
      src/http/ContentLengthInterpreter.h, src/http/Makefile.am.
    - debian/patches/CVE-2020-15811.patch: Improve Transfer-Encoding
      handling in src/HttpHeader.cc, src/HttpHeader.h, src/client_side.cc,
      src/http.cc.
    - CVE-2020-15811
  * SECURITY UPDATE: DoS via peer crafted Cache Digest response message
    - debian/patches/CVE-2020-24606.patch: fix livelocking in
      peerDigestHandleReply in src/peer_digest.cc.
    - CVE-2020-24606
  * Enable the test suite
    - debian/rules: enable test suite
    - debian/patches/enable-the-test-suite.patch: fix FTBFS.
    - debian/patches/fix-cppunit-detection.patch: don't use cppunit-config
      which is no longer available in bionic.

 -- Marc Deslauriers <email address hidden>  Wed, 02 Sep 2020 11:35:51 -0400
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.13) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression when parsing icap and ecap protocols
    (LP: #1890265)
    - debian/patches/CVE-2019-12523-bug965012.patch
  * Thanks to Markus Koschany for the regression fix!

 -- Marc Deslauriers <email address hidden>  Wed, 26 Aug 2020 06:46:39 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY REGRESSION: regression when parsing icap and ecap protocols
    (LP: #1890265)
    - debian/patches/CVE-2019-12523-bug965012.patch
  * Thanks to Markus Koschany for the regression fix!

 -- Marc Deslauriers <email address hidden>  Tue, 25 Aug 2020 13:12:13 -0400
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.12) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple Issues in HTTP Request processing
    - debian/patches/CVE-2019-12520.patch: properly handle userinfo in
      src/url.cc.
    - CVE-2019-12520
    - CVE-2019-12524
  * SECURITY UPDATE: Multiple issues in URI processing
    - debian/patches/CVE-2019-12526.patch: replace patch with the one from
      Debian to get backported functions.
    - debian/patches/CVE-2019-12523.patch: update URI parser to use SBuf
      parsing APIs.
    - CVE-2019-12523
    - CVE-2019-18676
  * Thanks to Markus Koschany for the backports this update is based on.

 -- Marc Deslauriers <email address hidden>  Thu, 30 Jul 2020 07:01:11 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.7) bionic-security; urgency=medium

  * SECURITY UPDATE: Multiple Issues in HTTP Request processing
    - debian/patches/CVE-2019-12520.patch: properly handle userinfo in
      src/url.cc.
    - CVE-2019-12520
    - CVE-2019-12524
  * SECURITY UPDATE: Multiple issues in URI processing
    - debian/patches/CVE-2019-12526.patch: replace patch with the one from
      Debian to get backported functions.
    - debian/patches/CVE-2019-12523.patch: update URI parser to use SBuf
      parsing APIs.
    - CVE-2019-12523
    - CVE-2019-18676
  * Thanks to Markus Koschany for the backports this update is based on.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Jul 2020 12:38:51 -0400
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.11) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple ESI issues
    - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
      into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
      src/esi/Esi.h, src/esi/Expression.cc.
    - CVE-2019-12519
    - CVE-2019-12521
  * SECURITY UPDATE: hostname parameter mishandling in cachemgr.cgi
    - debian/patches/CVE-2019-18860.patch: add validation for hostname
      parameter in src/base/CharacterSet.cc, tools/Makefile.am,
      tools/cachemgr.cc.
    - CVE-2019-18860
  * SECURITY UPDATE: Digest Authentication nonce replay issue
    - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
      overflow in src/auth/digest/Config.cc.
    - CVE-2020-11945

 -- Marc Deslauriers <email address hidden>  Thu, 07 May 2020 10:05:12 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: multiple ESI issues
    - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
      into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
      src/esi/Esi.h, src/esi/Expression.cc.
    - CVE-2019-12519
    - CVE-2019-12521
  * SECURITY UPDATE: hostname parameter mishandling in cachemgr.cgi
    - debian/patches/CVE-2019-18860.patch: add validation for hostname
      parameter in src/base/CharacterSet.cc, tools/Makefile.am,
      tools/cachemgr.cc.
    - CVE-2019-18860
  * SECURITY UPDATE: Digest Authentication nonce replay issue
    - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
      overflow in src/auth/digest/Config.cc.
    - CVE-2020-11945

 -- Marc Deslauriers <email address hidden>  Thu, 07 May 2020 10:03:32 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: info disclosure via FTP server
    - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
      src/clients/FtpGateway.cc.
    - CVE-2019-12528
  * SECURITY UPDATE: incorrect input validation and buffer management
    - debian/patches/CVE-2020-84xx-1.patch: ignore malformed Host header in
      intercept and reverse proxy mode in src/client_side.cc.
    - debian/patches/CVE-2020-84xx-2.patch: fix request URL generation in
      reverse proxy configurations in src/client_side.cc.
    - debian/patches/CVE-2020-84xx-3.patch: fix security patch in
      src/client_side.cc.
    - CVE-2020-8449
    - CVE-2020-8450
  * SECURITY UPDATE: DoS in NTLM authentication
    - debian/patches/CVE-2020-8517.patch: improved username handling in
      helpers/external_acl/LM_group/ext_lm_group_acl.cc.
    - CVE-2020-8517

 -- Marc Deslauriers <email address hidden>  Wed, 19 Feb 2020 12:50:27 -0500
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.10) xenial-security; urgency=medium

  * SECURITY UPDATE: info disclosure via FTP server
    - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
      src/clients/FtpGateway.cc.
    - CVE-2019-12528
  * SECURITY UPDATE: incorrect input validation and buffer management
    - debian/patches/CVE-2020-84xx-1.patch: ignore malformed Host header in
      intercept and reverse proxy mode in src/client_side.cc.
    - debian/patches/CVE-2020-84xx-2.patch: fix request URL generation in
      reverse proxy configurations in src/client_side.cc.
    - debian/patches/CVE-2020-84xx-3.patch: fix security patch in
      src/client_side.cc.
    - CVE-2020-8449
    - CVE-2020-8450
  * SECURITY UPDATE: DoS in NTLM authentication
    - debian/patches/CVE-2020-8517.patch: improved username handling in
      helpers/external_acl/LM_group/ext_lm_group_acl.cc.
    - CVE-2020-8517

 -- Marc Deslauriers <email address hidden>  Wed, 19 Feb 2020 13:06:13 -0500
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Heap Overflow issue in URN processing
    - debian/patches/CVE-2019-12526.patch: fix URN response handling in
      src/urn.cc.
    - CVE-2019-12526
  * SECURITY UPDATE: CSRF issue in HTTP Request processing
    - debian/patches/CVE-2019-18677.patch: prevent truncation for large
      origin-relative domains in src/URL.h, src/internal.cc, src/url.cc.
    - CVE-2019-18677
  * SECURITY UPDATE: HTTP Request Splitting in HTTP message processing
    - debian/patches/CVE-2019-18678.patch: server MUST reject messages with
      BWS after field-name in src/HttpHeader.cc, src/HttpHeader.h.
    - CVE-2019-18678
    - CVE-2019-18679

 -- Marc Deslauriers <email address hidden>  Wed, 20 Nov 2019 07:11:17 -0500
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.4) bionic-security; urgency=medium

  * SECURITY UPDATE: Heap Overflow issue in URN processing
    - debian/patches/CVE-2019-12526.patch: fix URN response handling in
      src/urn.cc.
    - CVE-2019-12526
  * SECURITY UPDATE: CSRF issue in HTTP Request processing
    - debian/patches/CVE-2019-18677.patch: prevent truncation for large
      origin-relative domains in src/URL.h, src/internal.cc, src/url.cc.
    - CVE-2019-18677
  * SECURITY UPDATE: HTTP Request Splitting in HTTP message processing
    - debian/patches/CVE-2019-18678.patch: server MUST reject messages with
      BWS after field-name in src/HttpHeader.cc, src/HttpHeader.h.
    - CVE-2019-18678
    - CVE-2019-18679

 -- Marc Deslauriers <email address hidden>  Tue, 19 Nov 2019 14:59:43 -0500
Published in precise-updates
Published in precise-security
squid3 (3.1.19-1ubuntu3.12.04.10) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: incorrect digest auth parameter parsing
    - debian/patches/CVE-2019-12525.patch: check length in
      src/auth/digest/auth_digest.cc.
    - CVE-2019-12525
  * SECURITY UPDATE: basic auth uudecode length issue
    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
      base64 decoder in lib/Makefile.*, src/auth/basic/auth_basic.cc,
      lib/uudecode.c.
    - CVE-2019-12529

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 18 Jul 2019 15:42:15 -0300
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.8) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect digest auth parameter parsing
    - debian/patches/CVE-2019-12525.patch: check length in
      src/auth/digest/Config.cc.
    - CVE-2019-12525
  * SECURITY UPDATE: basic auth uudecode length issue
    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
      base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
      include/uudecode.h, lib/uudecode.c.
    - CVE-2019-12529

 -- Marc Deslauriers <email address hidden>  Tue, 16 Jul 2019 14:49:40 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: incorrect digest auth parameter parsing
    - debian/patches/CVE-2019-12525.patch: check length in
      src/auth/digest/Config.cc.
    - CVE-2019-12525
  * SECURITY UPDATE: basic auth uudecode length issue
    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
      base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
      include/uudecode.h, lib/uudecode.c.
    - CVE-2019-12529

 -- Marc Deslauriers <email address hidden>  Tue, 16 Jul 2019 11:49:31 -0400
Superseded in bionic-updates
Superseded in bionic-security
squid3 (3.5.27-1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via SNMP memory leak
    - debian/patches/CVE-2018-19132.patch: fix leak in src/snmp_core.cc.
    - CVE-2018-19132
  * SECURITY UPDATE: XSS issues in cachemgr.cgi
    - debian/patches/CVE-2019-13345.patch: properly escape values in
      tools/cachemgr.cc.
    - CVE-2019-13345

 -- Marc Deslauriers <email address hidden>  Thu, 11 Jul 2019 12:59:25 -0400
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via SNMP memory leak
    - debian/patches/CVE-2018-19132.patch: fix leak in src/snmp_core.cc.
    - CVE-2018-19132
  * SECURITY UPDATE: XSS issues in cachemgr.cgi
    - debian/patches/CVE-2019-13345.patch: properly escape values in
      tools/cachemgr.cc.
    - CVE-2019-13345

 -- Marc Deslauriers <email address hidden>  Thu, 11 Jul 2019 13:03:44 -0400
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
squid3 (3.5.12-1ubuntu7.6) xenial; urgency=medium

  * d/squid.rc: fix regexp for catching FATAL errors (LP: #1738412)
  * d/t/test-squid.py: in xenial, initscript, apparmor profile, pidfile and
    process are named squid, not squid3. Get rid of the multiple distro
    logic since these tests will be only run on xenial.
  * d/t/control: drop unneeded dependency on python-unit.
  * d/t/squid: use a shorter shutdown timeout for the tests, so they
    run faster

 -- Andreas Hasenack <email address hidden>  Wed, 31 Oct 2018 09:22:14 -0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
squid3 (3.5.27-1ubuntu1.1) bionic; urgency=medium

  [ Simon Deziel ]
  * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
    binary (LP: #1792728)

 -- Christian Ehrhardt <email address hidden>  Fri, 28 Sep 2018 09:09:50 +0200
Deleted in cosmic-proposed (Reason: Removed per uploader request; obsoleted by squid 4.x)
squid3 (3.5.27-1ubuntu2) cosmic; urgency=medium

  * Update apparmor profile to grant read access to squid binary (LP: #1792728)

 -- Simon Deziel <email address hidden>  Sat, 15 Sep 2018 13:55:32 -0400

Deleted in cosmic-release (Reason: Superseded by squid)
Superseded in cosmic-release
Published in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
squid3 (3.5.27-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable (LP: #1751286). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/Makefile.am in
      d/t/upstream-test-suite.
    - Correct attribution and add explanatory note in d/NEWS.debian.
    - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
      happened in Xenial, so no upgrade path still requires this code. This
      reduces upgrade ordering difficulty.
    - Adjust seddery for upstream test squid binary location.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
    - GCC7 FTBFS fixes (LP #1712668):
      + d/rules: don't error when hitting the "deprecated" and
       "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
       but one in Format.cc that affects 32bit builds was deemed too intrusive
       for the 3.5 stable series and is only in squid 4.x
  * Dropped changes:
    - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
      Thanks to Lubos Uhliarik <email address hidden>.
      [Already applied upstream]
    - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
      boolean.  Thanks to Amos Jeffries <email address hidden>
      [Already applied upstream]
    - SECURITY UPDATE: denial of service in ESI Response processing
      + debian/patches/CVE-2018-1000024.patch: make sure endofName never
        exceeds tagEnd in src/esi/CustomParser.cc.
      + CVE-2018-1000024
        [Added in 3.5.27-1]
    - SECURITY UPDATE: denial of service in HTTP Message processing
      + debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
        transactions without a client connection in
        src/client_side_request.cc.
      + CVE-2018-1000027
        [Included in 3.5.27-1]
  * Added changes:
    - Do not force gcc-6

Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
squid3 (3.5.23-5ubuntu2) bionic; urgency=medium

  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 10:08:51 -0500
Obsolete in artful-updates
Obsolete in artful-security
squid3 (3.5.23-5ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 10:08:51 -0500
Published in trusty-updates
Published in trusty-security
squid3 (3.3.8-1ubuntu6.11) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 10:11:57 -0500
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.5) xenial-security; urgency=medium

  * SECURITY UPDATE: various denial of service issues
    - debian/patches/CVE-2016-25xx-1.patch: better handling of huge
      response headers in src/http.cc.
    - debian/patches/CVE-2016-25xx-2.patch: throw instead of asserting on
      some String overflows in src/SquidString.h, src/StrList.cc,
      src/String.cc, src/clients/Client.cc, src/clients/Client.h,
      src/clients/FtpClient.cc, src/http.cc.
    - debian/patches/CVE-2016-25xx-3.patch: fix assertion in custom ESI
      parser in src/esi/CustomParser.cc, src/esi/CustomParser.h.
    - debian/patches/CVE-2016-25xx-4.patch: fix assertion in
      src/FwdState.cc, src/FwdState.h, src/clients/Client.h, src/comm.cc,
      src/comm.h, src/http.cc.
    - CVE-2016-2569
    - CVE-2016-2570
    - CVE-2016-2571
  * SECURITY UPDATE: denial of service via crafted HTTP response
    - debian/patches/CVE-2016-3948.patch: convert Vary handling to SBuf in
      src/HttpRequest.cc, src/HttpRequest.h, src/MemObject.cc,
      src/MemObject.h, src/MemStore.cc, src/StoreMetaVary.cc,
      src/client_side.cc, src/client_side_reply.cc, src/http.cc,
      src/http.h, src/store.cc, src/store_key_md5.cc,
      src/store_swapmeta.cc, src/tests/stub_MemObject.cc,
      src/tests/stub_http.cc.
    - CVE-2016-3948
  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 09:56:31 -0500
Superseded in trusty-updates
Deleted in trusty-proposed (Reason: moved to -updates)
squid3 (3.3.8-1ubuntu6.10) trusty; urgency=medium

  * debian/patches/fix-assertion-ftp-put-empty-file.patch: Fix ftp
    assertion error when uploading empty file.  Thanks to Alex Rousskov
    <email address hidden>.  Closes LP: #1423498.

 -- Andreas Hasenack <email address hidden>  Thu, 28 Sep 2017 12:23:01 -0400
Superseded in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
squid3 (3.5.23-5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1712653). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/Makefile.am in
      d/t/upstream-test-suite.
    - Correct attribution and add explanatory note in d/NEWS.debian.
    - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
      happened in Xenial, so no upgrade path still requires this code. This
      reduces upgrade ordering difficulty.
    - Adjust seddery for upstream test squid binary location.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
  * Drop:
    - Add missing Pre-Depends on adduser.
      [Fixed in Debian 3.5.23-2]
  * GCC7 FTBFS fixes (LP: #1712668):
    - d/rules: don't error when hitting the "deprecated" and
      "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
      but one in Format.cc that affects 32bit builds was deemed too intrusive
      for the 3.5 stable series and is only in squid 4.x
    - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
      Thanks to Lubos Uhliarik <email address hidden>.
    - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
      boolean.  Thanks to Amos Jeffries <email address hidden>

 -- Andreas Hasenack <email address hidden>  Thu, 24 Aug 2017 16:04:35 -0300
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
squid3 (3.5.12-1ubuntu7.4) xenial; urgency=medium

  * debian/patches/passive-ftp-segfault-1560429.patch: Fix for segfault
    when ftp passive mode is not available.  Closes: #793473, LP:
    #1560429.

 -- Andreas Hasenack <email address hidden>  Fri, 07 Jul 2017 09:39:40 -0300
Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
squid3 (3.5.23-1ubuntu1) zesty; urgency=medium

  * Merge from Debian (LP: #1644538). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
    - Add missing Pre-Depends on adduser.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/Makefile.am in
      d/t/upstream-test-suite.
  * Drop changes (adopted in Debian):
    - Run sarg-reports if present before rotating logs.
    - Add lsb-release build dep.
  * Drop changes that no longer make a functional difference in Ubuntu, but may
    still be relevant to send to Debian:
    - d/squid3.postinst: don't try to stop squid3 again.
    - d/squid3.postrm: don't rm -f conffiles in purge.
    - Drop squid3 dependencies on ${shlib:Depends} and lsb-base.
    - Drop creation of /etc/squid.
  * Drop unnecessary changes:
    - Add executable bits to d/squid.preinst.
  * Drop changes relating to the upgrade path from prior to Xenial, so no
    longer required:
    - /var/spool/squid3 upgrade path handling.
    - Conffile upgrade path handling.
    - Remove redundant version-guarded restart code from squid postinst.
    - Clean up apparmor links for usr.sbin.squid3 on upgrade.
    - Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
    - Add Breaks on older ufw to fix upgrade path.
    - Use Breaks instead of Conflicts. Instead, drop the Conflicts/Replaces
      entirely (see below).
  * Drop security fixes: all included in 3.5.23 upstream.
  * Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
    happened in Xenial, so no upgrade path still requires this code. This
    reduces upgrade ordering difficulty.
  * Fix failing autopkgtests:
    - Adjust Python module dependencies.
    - Correctly handle the squid3 -> squid rename.
    - Adjust seddery for upstream test squid binary location.
  * Drop dependency on init-system-helpers. This was introduced in LP 1432683.
    Since we no longer ship an upstart job, it is no longer required.
  * Correct attribution and add explanatory note in d/NEWS.debian.

Superseded in precise-updates
Superseded in precise-security
squid3 (3.1.19-1ubuntu3.12.04.8) precise-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/client_side_reply.cc,
      src/client_side_reply.h.
    - CVE-2016-10002

 -- Marc Deslauriers <email address hidden>  Mon, 06 Feb 2017 10:00:45 -0500
Superseded in trusty-updates
Superseded in trusty-security
squid3 (3.3.8-1ubuntu6.9) trusty-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/client_side.cc,
      src/client_side_reply.cc, src/client_side_reply.h, src/enums.h,
      src/log/access_log.cc.
    - CVE-2016-10002

 -- Marc Deslauriers <email address hidden>  Mon, 06 Feb 2017 09:56:36 -0500
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.3) xenial-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
      src/client_side_reply.cc, src/client_side_reply.h.
    - CVE-2016-10002
  * SECURITY UPDATE: incorrect HTTP Request header comparison
    - debian/patches/CVE-2016-10003.patch: don't share private responses
      with collapsed client in src/client_side_reply.cc.
    - CVE-2016-10003

 -- Marc Deslauriers <email address hidden>  Fri, 03 Feb 2017 14:09:18 -0500
Obsolete in yakkety-updates
Obsolete in yakkety-security
squid3 (3.5.12-1ubuntu8.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
      src/client_side_reply.cc, src/client_side_reply.h.
    - CVE-2016-10002
  * SECURITY UPDATE: incorrect HTTP Request header comparison
    - debian/patches/CVE-2016-10003.patch: don't share private responses
      with collapsed client in src/client_side_reply.cc.
    - CVE-2016-10003

 -- Marc Deslauriers <email address hidden>  Fri, 03 Feb 2017 14:08:07 -0500
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
squid3 (3.5.12-1ubuntu9) zesty; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
      src/client_side_reply.cc, src/client_side_reply.h.
    - CVE-2016-10002
  * SECURITY UPDATE: incorrect HTTP Request header comparison
    - debian/patches/CVE-2016-10003.patch: don't share private responses
      with collapsed client in src/client_side_reply.cc.
    - CVE-2016-10003

 -- Marc Deslauriers <email address hidden>  Fri, 03 Feb 2017 13:07:31 -0500
Superseded in trusty-updates
Superseded in trusty-security
squid3 (3.3.8-1ubuntu6.8) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/Stub.list,
      src/tests/stub_cbdata.cc, src/tests/stub_mem.cc,
      tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.
  * WARNING: This package does _not_ contain the changes from
    (3.3.8-1ubuntu6.7) in trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Wed, 08 Jun 2016 08:07:57 -0400
Superseded in precise-updates
Superseded in precise-security
squid3 (3.1.19-1ubuntu3.12.04.7) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_mem.cc,
      tools/Makefile.am, src/tests/STUB.h, src/squid.h.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.

 -- Marc Deslauriers <email address hidden>  Wed, 08 Jun 2016 07:50:10 -0400
Obsolete in wily-updates
Obsolete in wily-security
squid3 (3.3.8-1ubuntu16.3) wily-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, added tests to
      src/tests/Stub.list, src/tests/stub_cbdata.cc, src/tests/stub_mem.cc,
      tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.

 -- Marc Deslauriers <email address hidden>  Tue, 07 Jun 2016 10:02:11 -0400
Superseded in xenial-updates
Superseded in xenial-security
squid3 (3.5.12-1ubuntu7.2) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
      src/tests/stub_mem.cc, tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.

 -- Marc Deslauriers <email address hidden>  Wed, 08 Jun 2016 08:06:59 -0400
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
squid3 (3.5.12-1ubuntu8) yakkety; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
      src/tests/stub_mem.cc, tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.

 -- Marc Deslauriers <email address hidden>  Wed, 08 Jun 2016 08:05:32 -0400
Superseded in xenial-updates
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
Deleted in xenial-proposed (Reason: moved to -updates)
squid3 (3.5.12-1ubuntu7.1) xenial; urgency=medium

  * Add Breaks on older ufw to fix upgrade path (LP: #1571174).

 -- Robie Basak <email address hidden>  Thu, 12 May 2016 11:03:06 +0000
Deleted in trusty-proposed (Reason: moved to -updates)
squid3 (3.3.8-1ubuntu6.7) trusty; urgency=medium

  [ Stanislav German-Evtushenko ]
  * debian/squid3.upstart:
    - Don't daemonize squid3 when it's setting up directories
      (LP: #1405351)

 -- Michael Terry <email address hidden>  Thu, 14 Apr 2016 12:04:53 -0400
Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
squid3 (3.5.12-1ubuntu7) xenial; urgency=medium

  * Update apparmor profile to be correct for maas-proxy.

 -- LaMont Jones <email address hidden>  Tue, 12 Apr 2016 13:05:00 -0600

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
squid3 (3.5.12-1ubuntu6) xenial; urgency=medium

  * Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
  * Update apparmor profile for s/squid3/squid/ and /dev/shm access.

 -- Adam Conrad <email address hidden>  Sun, 03 Apr 2016 21:34:50 -0600
Superseded in xenial-proposed
squid3 (3.5.12-1ubuntu5) xenial; urgency=medium

  * Use versioned Breaks/Replaces instead of an unversioned Conflicts, to
    further clean up the upgrade ordering.

 -- Steve Langasek <email address hidden>  Fri, 01 Apr 2016 21:05:38 +0000

Superseded in xenial-proposed
squid3 (3.5.12-1ubuntu4) xenial; urgency=medium

  * Remove redundant version-guarded restart code from squid postinst, which
    doesn't do the right thing on Ubuntu upgrades.
  * Remove duplicated conffile handling from the squid3 dummy package with
    extreme prejudice.  The conffile moving absolutely *must* be done
    exclusively in the squid package; trying to do it in the squid3 package
    causes pristine conffiles to be silently overwritten with any
    locally-modified version from the squid3 package, with hilarious effect.
  * Adjust squid.{pre,post}inst to trick dpkg-maintscript-helper into
    believing we had a previously installed version of this package even if
    we did not, which appears to be a requirement for mv_conffile to DTRT.
    This is certainly a dpkg bug that needs to be filed.
  * Move all Ubuntu-specific dpkg-maintscript-helper delta into
    debian/squid.maintscript for clarity/sanity.  Among other things,
    this uncovers a bug where we're trying to call both mv_conffile and
    rm_conffile for /etc/init.d/squid3.
  * debian/squid3.{pre,post}inst: drop wrong short-circuiting of various
    invocations; we always want to call the debhelper block.
  * debian/squid3.postinst: don't try to stop squid3 again, this is
    redundant.
  * debian/squid3.postrm: don't rm -f conffiles in purge when dpkg already
    handles these.
  * Add missing pre-depends on adduser
  * Anchor the Conflicts/Replaces to the version of the package that
    introduced the name change in Ubuntu, to avoid upgrade ordering problems
    later.
  * Include upgrade migration handling for /var/spool/squid3 ->
    /var/spool/squid.  This won't work if /var/spool/squid3 is a mount point,
    so fail gracefully, but leaving two full squid cache directories around
    after upgrade is a nuisance.
  * Remove empty /etc/squid3 dir on upgrade.
  * Clean up apparmor links for usr.sbin.squid3 on upgrade.  We don't migrate
    these apparmor settings over, so at least don't leave stale links behind.

 -- Steve Langasek <email address hidden>  Thu, 31 Mar 2016 19:01:47 -0700
Superseded in xenial-proposed
squid3 (3.5.12-1ubuntu3) xenial; urgency=medium

  * Revert last postinst change as it's buggy.
  * Remove /etc/init.d/squid3 from preinst on upgrade.

 -- Stéphane Graber <email address hidden>  Tue, 29 Mar 2016 22:46:16 -0400

Superseded in xenial-proposed
squid3 (3.5.12-1ubuntu2) xenial; urgency=medium

  * debian/squid.postinst: Fix dist-upgrade of squid by detecting service
    name (/etc/init.d/squid vs. squid3).

Superseded in wily-updates
Superseded in wily-security
squid3 (3.3.8-1ubuntu16.2) wily-security; urgency=medium

  [ Scott Moser ]
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issues that only apply when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
    - debian/patches/CVE-2015-3455.patch: incorrect X509 server certificate
      domain matching.

 -- Marc Deslauriers <email address hidden>  Fri, 04 Mar 2016 14:59:48 -0500
Superseded in trusty-updates
Superseded in trusty-security
squid3 (3.3.8-1ubuntu6.6) trusty-security; urgency=medium

  [ Scott Moser ]
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issues that only apply when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
    - debian/patches/CVE-2015-3455.patch: incorrect X509 server certificate
      domain matching.

 -- Marc Deslauriers <email address hidden>  Fri, 04 Mar 2016 14:58:52 -0500
Superseded in precise-updates
Superseded in precise-security
squid3 (3.1.19-1ubuntu3.12.04.6) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issue that only applies when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

 -- Marc Deslauriers <email address hidden>  Fri, 04 Mar 2016 14:57:14 -0500
Superseded in xenial-proposed
squid3 (3.5.12-1ubuntu1) xenial; urgency=medium

  * Merge from Debian (LP: #1473691). Remaining changes:
    - Add dep8 tests.
    - Use snakeoil certificates.
    - Run sarg-reports if present before rotating logs
    - debian/patches/90-cf.data.ubuntu.dpatch: add an example refresh
      pattern for debs.
    - Add disabled by default AppArmor profile. Versioned dependency on
      init-system-helpers (>> 1.22ubuntu5) to ensure we have the
      apparmor-profile-load script at boot time.
  * Drop changes:
    - No longer needed:
      + Upstart job.
      + Dependency package for squid -> squid3: deprecated; the transitional package now runs the other way.
      + Fix perl & pod2man config.tests.
      + fix-logical-not-parentheses-warning.patch.
      + fix-pod2name-pipe-failure.patch.
      + --disable-strict-error-checking to fix FTBFS.
    - NEWS.Debian: no longer relevant.
    - Hardening options: deprecated.
    - Add patch to show distribution: fixed in Debian (but see
      lsb-release B-D).
    - Enable parallel build: makes no difference to build time.
    - Force -O2 to work around build failure with -O3: presumed no
      longer needed.
    - Fixed upstream:
      + CVE-2014-3609.patch: confirmed fixed since 3.4.7 from upstream
        advisory.
      + Fix various ICMP handling issues in Squid pinger: confirmed
        fixed since 3.4.7 from upstream advisory.
      + fix-caching-vary-header.patch.
      + netfilter_fix.patch.
  * Drop Testsuite: header from dep8 tests: no longer required since
    dpkg-source >= 1.17.11 does it.
  * Revert "Set pidfile for systemd's sysv-generator" from Debian.
    systemd races the squid daemon for pidfile creation, causing systemd
    to consider the service start to have failed. Work around for now by
    not telling systemd to use the pidfile.
  * Add lsb-release build dep. This is required for the
    --enable-build-info line in debian/rules to work correctly.
  * Correctly rename conffiles migrated by Debian from squid3 to squid.
  * Remove conffile for old upstart job Ubuntu delta.
  * Rename Apparmor profile conffile.
  * Drop old transitional Apparmor code no longer required.
  * Adjust AppArmor profile for squid3->squid rename.
  * Drop versioned AppArmor dependency (transitional; no longer
    required).

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu17) xenial; urgency=medium

  * --disable-strict-error-checking to fix FTBFS due to auto_ptr defined
    in unique pointer headers. (LP: #1521234).

 -- Dimitri John Ledkov <email address hidden>  Mon, 30 Nov 2015 15:32:14 +0000

Superseded in trusty-updates
Deleted in trusty-proposed (Reason: moved to -updates)
squid3 (3.3.8-1ubuntu6.4) trusty-proposed; urgency=low

  * d/squid3.upstart: Use SIGINT to terminate squid and wait at most 40
    seconds for it to finish. (LP: #1073478)

 -- Tiago Stürmer Daitx <email address hidden>  Wed, 14 Oct 2015 02:54:20 +0000
Superseded in precise-updates
Deleted in precise-proposed (Reason: moved to -updates)
squid3 (3.1.19-1ubuntu3.12.04.4) precise-proposed; urgency=low

  * d/squid3.upstart: Use SIGINT to terminate squid and wait at most 40
    seconds for it to finish. (LP: #1073478)

 -- Tiago Stürmer Daitx <email address hidden>  Wed, 14 Oct 2015 02:54:20 +0000
Superseded in xenial-release
Obsolete in wily-release
Deleted in wily-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu16) wily; urgency=medium

  [ Tiago Stürmer Daitx ]
  * d/patches/fix-logical-not-parentheses-warning.patch: Fix warning for
    logical-not-parentheses which caused squid to FTBFS. (LP: #1496924)
  * d/patches/netfilter_fix.patch: Backported from Squid Bug #4323.
    (LP: #1496223)
  * d/patches/fix-pod2name-pipe-failure.patch: Add --name parameter to
    pod2man (LP: #1501566)
  * roll back build-dependency to libecap2-dev, this version of squid3 is not
    compatible with libecap3 and libecap3 transition has been rolled back for
    wily.

 -- Steve Langasek <email address hidden>  Fri, 09 Oct 2015 00:29:47 +0000
Superseded in wily-proposed
squid3 (3.3.8-1ubuntu15) wily; urgency=medium

  * Build-depend on libecap3-dev instead of libecap2-dev.

 -- Matthias Klose <email address hidden>  Wed, 02 Sep 2015 12:16:29 +0200
Superseded in trusty-updates
Deleted in trusty-proposed (Reason: moved to -updates)
squid3 (3.3.8-1ubuntu6.3) trusty-proposed; urgency=low

  * d/patches/fix-caching-vary-header.patch: Added upstream patch
    for the bug which prevented squid from caching responses with
    Vary header. (LP: #1336742) Based on work by Oleg Strikov.

 -- Rolf Leggewie <email address hidden>  Wed, 01 Jul 2015 15:25:59 -0700
Superseded in wily-release
Obsolete in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu14) vivid; urgency=medium

  * Add versioned dependency on init-system-helpers (>> 1.22ubuntu5) to ensure
    we have the apparmor-profile-load script at boot time. (LP: #1432683)
 -- Serge Hallyn <email address hidden>   Thu, 02 Apr 2015 11:12:27 -0500

Superseded in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu13) vivid; urgency=medium

  * d/squid3.prerm: Removed redundant upstart-only code. Equivalent
    operations are carried out by debhelper-generated code in a more
    generic manner. (LP: #1424508)
 -- Oleg Strikov <email address hidden>   Thu, 05 Mar 2015 14:24:33 +0300

Superseded in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu12) vivid; urgency=medium

  * debian/tests/testlib_httpd.py: Use "service" command instead of upstart
    specific ones, and simplify the logic.
  * debian/tests/testlib.py, check_exe(): Check /proc/pid/exe symlink instead
    of parsing cmdline; the latter has "(squid-1)" with the init.d script, and
    it's not really what we are interested in.
 -- Martin Pitt <email address hidden>   Fri, 06 Mar 2015 12:10:59 +0100
Superseded in vivid-proposed
squid3 (3.3.8-1ubuntu11) vivid; urgency=medium

  * d/patches/fix-caching-vary-header.patch: Added upstream patch
    for the bug which prevented squid from caching responses with
    Vary header. (LP: #1336742)
 -- Oleg Strikov <email address hidden>   Wed, 04 Mar 2015 15:08:54 +0300
Superseded in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu10) vivid; urgency=medium

  [Jacek Nykis]
  * d/usr.sbin.squid3: Apparmor profile has been changed to allow child
    processes to run execvp(argv[0], [kidname, ...]). (LP: #1416039)
 -- Oleg Strikov <email address hidden>   Tue, 03 Mar 2015 18:18:20 +0300

Obsolete in utopic-updates
Obsolete in utopic-security
squid3 (3.3.8-1ubuntu8.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Fix various ICMP handling issues in Squid pinger.
    (LP: #1384943)
    - CVE-2014-7141
    - CVE-2014-7142
 -- Jorge Niedbalski <email address hidden>   Tue, 18 Nov 2014 14:47:33 -0300
Superseded in trusty-updates
Superseded in trusty-security
squid3 (3.3.8-1ubuntu6.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix various ICMP handling issues in Squid pinger.
    (LP: #1384943)
    - CVE-2014-7141
    - CVE-2014-7142
 -- Jorge Niedbalski <email address hidden>   Tue, 18 Nov 2014 15:03:54 -0300
Superseded in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu9) vivid; urgency=medium

  * Fix various ICMP handling issues in Squid pinger. (LP: #1384943)
 -- Jorge Niedbalski <email address hidden>   Tue, 18 Nov 2014 14:47:33 -0300
Superseded in vivid-release
Obsolete in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
squid3 (3.3.8-1ubuntu8) utopic; urgency=medium

  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
    values
    - debian/patches/CVE-2014-3609.patch: adjust src/HttpHdrRange.cc to
      return an error if unable to determine the byte value for ranges
    - CVE-2014-3609
 -- Jamie Strandboge <email address hidden>   Tue, 26 Aug 2014 13:51:07 -0500
Superseded in precise-updates
Superseded in precise-security
squid3 (3.1.19-1ubuntu3.12.04.3) precise-security; urgency=medium

  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
    values
    - debian/patches/CVE-2014-3609.patch: adjust src/HttpHdrRange.cc to
      return an error if unable to determine the byte value for ranges
    - CVE-2014-3609
 -- Jamie Strandboge <email address hidden>   Tue, 26 Aug 2014 13:55:57 -0500
Superseded in trusty-updates
Superseded in trusty-security
squid3 (3.3.8-1ubuntu6.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
    values
    - debian/patches/CVE-2014-3609.patch: adjust src/HttpHdrRange.cc to
      return an error if unable to determine the byte value for ranges
    - CVE-2014-3609
 -- Jamie Strandboge <email address hidden>   Tue, 26 Aug 2014 13:54:02 -0500