-
squid3 (3.3.8-1ubuntu16.3) wily-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, added tests to
      src/tests/Stub.list, src/tests/stub_cbdata.cc, src/tests/stub_mem.cc,
      tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.

 -- Marc Deslauriers <email address hidden>  Tue, 07 Jun 2016 10:02:11 -0400
-
squid3 (3.3.8-1ubuntu16.2) wily-security; urgency=medium

  [ Scott Moser ]
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issues that only apply when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
    - debian/patches/CVE-2015-3455.patch: incorrect X509 server certificate
      domain matching.

 -- Marc Deslauriers <email address hidden>  Fri, 04 Mar 2016 14:59:48 -0500
-
squid3 (3.3.8-1ubuntu16) wily; urgency=medium

  [ Tiago Stürmer Daitx ]
  * d/patches/fix-logical-not-parentheses-warning.patch: Fix warning for
    logical-not-parentheses which caused squid to FTBFS. (LP: #1496924)
  * d/patches/netfilter_fix.patch: Backported from Squid Bug #4323.
    (LP: #1496223)
  * d/patches/fix-pod2name-pipe-failure.patch: Add --name parameter to
    pod2man (LP: #1501566)
  * roll back build-dependency to libecap2-dev, this version of squid3 is not
    compatible with libecap3 and libecap3 transition has been rolled back for
    wily.

 -- Steve Langasek <email address hidden>  Fri, 09 Oct 2015 00:29:47 +0000
-
squid3 (3.3.8-1ubuntu15) wily; urgency=medium

  * Build-depend on libecap3-dev instead of libecap2-dev.

 -- Matthias Klose <email address hidden>  Wed, 02 Sep 2015 12:16:29 +0200
-
squid3 (3.3.8-1ubuntu14) vivid; urgency=medium

  * Add versioned dependency on init-system-helpers (>> 1.22ubuntu5) to ensure
    we have the apparmor-profile-load script at boot time. (LP: #1432683)

 -- Serge Hallyn <email address hidden>  Thu, 02 Apr 2015 11:12:27 -0500