squid (4.8-1ubuntu2.3) eoan-security; urgency=medium
* SECURITY UPDATE: multiple ESI issues
- debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
src/esi/Esi.h, src/esi/Expression.cc.
- CVE-2019-12519
- CVE-2019-12521
* SECURITY UPDATE: hostname parameter mishandling in cachemgr.cgi
- debian/patches/CVE-2019-18860.patch: add validation for hostname
parameter in src/base/CharacterSet.cc, tools/Makefile.am,
tools/cachemgr.cc.
- CVE-2019-18860
* SECURITY UPDATE: Digest Authentication nonce replay issue
- debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
overflow in src/auth/digest/Config.cc.
- CVE-2020-11945
-- Marc Deslauriers <email address hidden> Thu, 07 May 2020 09:25:08 -0400
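The eoan-security entries in this changelog each name the CVEs an upload fixes, so the practical check on a host is whether the installed squid version is at or above the first version carrying each fix. The script below is an added example, not part of the squid package or its changelog: the fixed-in table is copied from the entries on this page (the four 2019 auth/cachemgr CVEs first appear in 4.6-2ubuntu4 and are only marked "Fixed upstream" in 4.8-1ubuntu1; CVE-2019-12824 arrives with the 4.8-1 merge), and the comparator is a reimplementation of dpkg's version ordering written for this example (epoch, then upstream, then Debian revision; `~` sorts before everything, including the end of the string). On a real machine read the version with `dpkg-query -W -f='${Version}' squid` and prefer `dpkg --compare-versions` for the comparison; the table is specific to the eoan 4.8-1ubuntu2.x lineage and says nothing about versions from other series.

```python
"""Report which squid CVEs from the eoan-security changelog entries are not
yet fixed in a given installed package version (added example)."""
import sys

# Fixed-in versions taken from the changelog entries on this page.
FIXED_IN = {
    "4.8-1ubuntu2.3": ["CVE-2019-12519", "CVE-2019-12521",
                       "CVE-2019-18860", "CVE-2020-11945"],
    "4.8-1ubuntu2.2": ["CVE-2019-12528", "CVE-2020-8449",
                       "CVE-2020-8450", "CVE-2020-8517"],
    "4.8-1ubuntu2.1": ["CVE-2019-12523", "CVE-2019-18676", "CVE-2019-12526",
                       "CVE-2019-18677", "CVE-2019-18678", "CVE-2019-18679"],
    "4.8-1ubuntu1":   ["CVE-2019-12824"],   # via the 4.8-1 upstream release
    "4.6-2ubuntu4":   ["CVE-2019-12525", "CVE-2019-12527",
                       "CVE-2019-12529", "CVE-2019-13345"],
}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # dpkg's character ordering: '~' < end-of-string < letters < other symbols.
    if c == "":
        return 0
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does:
    alternate non-digit runs (char order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _parse(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive, ordered as dpkg --compare-versions would."""
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def unfixed_cves(installed):
    """CVEs from the table whose fixing upload is newer than `installed`."""
    missing = []
    for fixed_version, cves in FIXED_IN.items():
        if compare_versions(installed, fixed_version) < 0:
            missing.extend(cves)
    return sorted(missing)


if __name__ == "__main__":
    # Version string is an argument so the script runs offline; on a host,
    # feed it the output of: dpkg-query -W -f='${Version}' squid
    ver = sys.argv[1] if len(sys.argv) > 1 else "4.8-1ubuntu2.2"
    print(ver, "is missing:", ", ".join(unfixed_cves(ver)) or "nothing")
```

Two things worth keeping in mind when using a table like this: a `~` suffix (a PPA or pre-release build such as `4.8-1ubuntu2.3~ppa1`) sorts below the release it is named after, so it is correctly reported as unpatched, and an epoch in the installed version outranks everything else, which is why epoch is compared first.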
squid (4.8-1ubuntu2.2) eoan-security; urgency=medium
* SECURITY UPDATE: info disclosure via FTP server
- debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
src/clients/FtpGateway.cc.
- CVE-2019-12528
* SECURITY UPDATE: incorrect input validation and buffer management
- debian/patches/CVE-2020-84xx-1.patch: ignore malformed Host header in
intercept and reverse proxy mode in src/client_side.cc,
src/http/one/Parser.cc, src/http/one/Parser.h.
- debian/patches/CVE-2020-84xx-2.patch: fix request URL generation in
reverse proxy configurations in src/client_side.cc.
- CVE-2020-8449
- CVE-2020-8450
* SECURITY UPDATE: DoS in NTLM authentication
- debian/patches/CVE-2020-8517.patch: improved username handling in
src/acl/external/LM_group/ext_lm_group_acl.cc.
- CVE-2020-8517
-- Marc Deslauriers <email address hidden> Wed, 19 Feb 2020 12:47:31 -0500
squid (4.8-1ubuntu2.1) eoan-security; urgency=medium
* SECURITY UPDATE: Multiple issues in URI processing
- debian/patches/CVE-2019-12523.patch: Update URI parser to use SBuf
parsing APIs in src/Downloader.cc, src/HttpRequest.cc,
src/HttpRequest.h, src/Makefile.am, src/acl/Asn.cc,
src/adaptation/ecap/MessageRep.cc, src/anyp/ProtocolType.h,
src/anyp/Uri.cc, src/anyp/Uri.h, src/anyp/UriScheme.cc,
src/anyp/UriScheme.h, src/client_side_request.cc, src/htcp.cc,
src/icmp/net_db.cc, src/icp_v2.cc, src/mgr/Inquirer.cc,
src/mime.cc, src/neighbors.cc, src/peer_digest.cc,
src/servers/FtpServer.cc, src/servers/Http1Server.cc,
src/store_digest.cc, src/tests/stub_HttpRequest.cc,
src/tests/stub_libanyp.cc, src/tests/testHttpRequest.cc,
src/urn.cc.
- CVE-2019-12523
- CVE-2019-18676
* SECURITY UPDATE: Heap Overflow issue in URN processing
- debian/patches/CVE-2019-12526.patch: fix URN response handling in
src/urn.cc.
- CVE-2019-12526
* SECURITY UPDATE: CSRF issue in HTTP Request processing
- debian/patches/CVE-2019-18677.patch: prevent truncation for large
origin-relative domains in src/anyp/Uri.cc, src/anyp/Uri.h,
src/internal.cc.
- CVE-2019-18677
* SECURITY UPDATE: HTTP Request Splitting in HTTP message processing
- debian/patches/CVE-2019-18678.patch: server MUST reject messages with
BWS after field-name in src/HttpHeader.cc, src/HttpHeader.h.
- CVE-2019-18678
- CVE-2019-18679
-- Marc Deslauriers <email address hidden> Tue, 19 Nov 2019 13:18:30 -0500
squid (4.8-1ubuntu2) eoan; urgency=medium
* d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
deprecated in glibc 2.30 (LP: #1843325)
-- Andreas Hasenack <email address hidden> Mon, 09 Sep 2019 17:31:45 -0300
squid (4.8-1ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Use snakeoil certificates.
- Add an example refresh pattern for debs.
- d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
squidguard
- d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
-O2 and that triggers a format-truncation error on pcon.cc. See
https://bugs.squid-cache.org/show_bug.cgi?id=4875
- d/rules: Only use -latomic with the intended architectures, instead of
all of them. This matches what was suggested in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
- d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
dh_installchangelogs can pick it up. dh_installchangelogs handles
d/NEWS or d/<package>.NEWS, but not NEWS.debian.
- debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
lib/smblib/smblib-util.c. (LP #1835831)
* Dropped:
- d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
Thanks to Vitaly Lavrov <email address hidden>. (LP #1794553)
[Fixed upstream]
- debian/patches/413.patch: Fix gcc-9 build issues with upstream merged
patch
[Fixed upstream]
- SECURITY UPDATE: incorrect digest auth parameter parsing
+ debian/patches/CVE-2019-12525.patch: check length in
src/auth/digest/Config.cc.
+ CVE-2019-12525
[Fixed upstream]
- SECURITY UPDATE: buffer overflow in basic auth decoding
+ debian/patches/CVE-2019-12527.patch: switch to SBuf in
src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
src/clients/FtpGateway.cc.
+ CVE-2019-12527
[Fixed upstream]
- SECURITY UPDATE: basic auth uudecode length issue
+ debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
include/uudecode.h, lib/uudecode.c.
+ CVE-2019-12529
[Fixed upstream]
- SECURITY UPDATE: XSS issues in cachemgr.cgi
+ debian/patches/CVE-2019-13345.patch: properly escape values in
tools/cachemgr.cc.
+ CVE-2019-13345
[Fixed upstream]
* Added:
- d/t/test-squid.py: test_zz_apparmor(): bail early if securityfs isn't
mounted
squid (4.8-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
- Fixes security issue SQUID-2019:1 (CVE-2019-12824)
- Fixes security issue SQUID-2019:2 (CVE-2019-12529)
- Fixes security issue SQUID-2019:3 (CVE-2019-12525)
- Fixes security issue SQUID-2019:5 (CVE-2019-12527)
- Fixes security issue SQUID-2019:6 (CVE-2019-13345) (Closes: #931478)
* debian/control
- Bumped Standards-Version to 4.4.0, no change needed
* debian/tests/test-squid.py
- Skip Apparmor tests when profile not installed
-- Andreas Hasenack <email address hidden> Wed, 24 Jul 2019 16:38:59 -0300
squid (4.6-2ubuntu4) eoan; urgency=medium
* Fix gcc-9 issues (LP: #1835831)
- Remove -Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
- debian/patches/more-gcc-9-fixes.patch: switch to xstrncpy in
lib/smblib/smblib-util.c.
* SECURITY UPDATE: incorrect digest auth parameter parsing
- debian/patches/CVE-2019-12525.patch: check length in
src/auth/digest/Config.cc.
- CVE-2019-12525
* SECURITY UPDATE: buffer overflow in basic auth decoding
- debian/patches/CVE-2019-12527.patch: switch to SBuf in
src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
src/clients/FtpGateway.cc.
- CVE-2019-12527
* SECURITY UPDATE: basic auth uudecode length issue
- debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
include/uudecode.h, lib/uudecode.c.
- CVE-2019-12529
* SECURITY UPDATE: XSS issues in cachemgr.cgi
- debian/patches/CVE-2019-13345.patch: properly escape values in
tools/cachemgr.cc.
- CVE-2019-13345
-- Marc Deslauriers <email address hidden> Fri, 19 Jul 2019 08:01:58 -0400
squid (4.6-2ubuntu3) eoan; urgency=medium
* Override newly added gcc-9 flags:
-Wno-sizeof-pointer-memaccess -Wno-stringop-truncation
NOTE: Overriding those flags is a possible security
asked for info on the gcc-9 issue bug tracker:
https://github.com/squid-cache/squid/pull/413#issuecomment-511314076
-- Gianfranco Costamagna <email address hidden> Mon, 15 Jul 2019 10:21:47 +0200
squid (4.6-2ubuntu2) eoan; urgency=medium
* Fix gcc-9 build issues with upstream merged patch
-- Gianfranco Costamagna <email address hidden> Sun, 14 Jul 2019 14:41:16 +0200
squid (4.6-2ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Use snakeoil certificates.
- Add an example refresh pattern for debs.
- d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
squidguard
- d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
-O2 and that triggers a format-truncation error on pcon.cc. See
https://bugs.squid-cache.org/show_bug.cgi?id=4875
- d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
Thanks to Vitaly Lavrov <email address hidden>. (LP #1794553)
[Added Applied-Upstream header]
- d/rules: Only use -latomic with the intended architectures, instead of
all of them. This matches what was suggested in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
- d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
dh_installchangelogs can pick it up. dh_installchangelogs handles
d/NEWS or d/<package>.NEWS, but not NEWS.debian.
* Dropped:
- d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
at boot. Thanks to Luigi Gangitano <email address hidden> (LP #1816006)
[Fixed in 4.5-2]
- d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-uninitialized
error in parse_time_t, triggered on ppc64el due to the build using -O3
in that architecture.
[Fixed upstream]
- Add disabled by default AppArmor profile.
[Added by Debian in 4.6-2]
- d/usr.sbin.squid: fix the apparmor profile (LP #1796189):
+ allow net_admin capability
+ add attach_disconnected flag
[Fixed in 4.6-2]
squid (4.6-2) unstable; urgency=high
[ Andreas Hasenack <email address hidden> ]
* Add disabled by default AppArmor profile (Closes: #923213)
squid (4.6-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
- Fix multiple memory leak and data corruption issues
- Detect IPv6 loopback binding errors
- Do not call setsid() in --foreground mode
- Exit on fork() failures
- Fix OpenSSL builds that define OPENSSL_NO_ENGINE
- Fix multiple GCC-8 compile errors
squid (4.5-2) unstable; urgency=medium
[ Luigi Gangitano <email address hidden> ]
* debian/{rules,squid.tmpfile}
- Add tmpfiles configuration to handle /var/run/squid at boot
* debian/squid.lintian-overrides
- Removed unused override file
squid (4.5-1) unstable; urgency=medium
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
* debian/control
- Bumped Standards-Version to 4.3.0, no change needed
* debian/rules
- Add /var/run/squid directory for SMP workers and helpers
[ Helmut Grohne <email address hidden> ]
* debian/rules
- Pass BUILDCXX to ./configure on cross-builds
- use --with-build-environment=default to avoid arm64 flag issues
* debian/control
- Add cross-compile annotations to restrict GCC/LLVM dependency
(Closes: #916536)
[ Luigi Gangitano <email address hidden> ]
* debian/control
- Fixed dependency on winbind instead of winbindd
* debian/squid{,3}.{postinst,postrm,preinst,maintscript}
- Moved dpkg-maintscript-helper commands to proper DH file
-- Andreas Hasenack <email address hidden> Sat, 18 May 2019 14:39:09 -0300
squid (4.4-1ubuntu2) disco; urgency=medium
* d/squid.tmpfile: add tmpfiles configuration to handle /var/run/squid
at boot. Thanks to Luigi Gangitano <email address hidden> (LP: #1816006)
-- Andreas Hasenack <email address hidden> Wed, 27 Feb 2019 08:54:45 -0300