Please sync Squid 3.5 latest from Debian

Bug #1644538 reported by Amos Jeffries
This bug affects 3 people
Affects: squid3 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Robie Basak
Milestone: (none listed)

Bug Description

Debian has a newer squid version (3.5.22) than Ubuntu that fixes several of the open bugs.

Amos Jeffries (yadi) wrote :

Pretty sure it fixes bug #1585828. It should also fix bug #1572715 and bug #1589567.

Hans Joachim Desserud (hjd) wrote :

Thanks for taking the time to report this issue and helping to make Ubuntu better.

I briefly looked at this package, and it looks like it has quite a few Ubuntu-specific patches. So most likely this will need to be merged to get the latest version from Debian with the remaining Ubuntu-only changes which still need to be applied.

tags: added: needs-debian-merge upgrade-software-version
Christian Ehrhardt (paelzer) wrote :

Hi,
IIRC there is a merge of latest squid in progress for Zesty by Robie Basak.

Subscribing him here, so he can decide to close this as a dup to whatever merge bug he already has - or to use this one for it if no one exists so far.

Robie Basak (racb) wrote :

Yes, I've been working on this. Thanks.

Changed in squid3 (Ubuntu):
status: New → In Progress
assignee: nobody → Robie Basak (racb)
Amos Jeffries (yadi) wrote :

Any progress? I'm getting pings upstream about newer Ubuntu versions.

Robie Basak (racb) wrote :

You can see my progress at https://git.launchpad.net/~racb/ubuntu/+source/squid3/refs/

The "debian" branch is things I intend to send to Debian. The "merge" branch is the current state of the merge (still untested). I will be rebasing both branches before they are ready, but feel free to pick anything into Debian that you think is appropriate directly - it'll save me sending it up.

The previous delta that I have distilled is at https://git.launchpad.net/~racb/ubuntu/+source/squid3/log/?id=logical/3.5.12-1ubuntu8

Amos, I think we spoke about https://git.launchpad.net/~racb/ubuntu/+source/squid3/commit/?id=873ae5aef1b845eb683b2886c819ed5d4be4c5cf but I can't find any reference to it. Do you recall where it might have been? I think that's a bug that's still outstanding in Debian.

Amos Jeffries (yadi) wrote :

Thanks.

Yes, I recall a discussion about that change in the early 'installation script failure' bug reports, the one where others in the Ubuntu team got involved and the squid.maintscript got added. But I too can't find which one right now.
 - We have not had any reports of similar behaviour from Debian users, but did have several reports about the issue the lack of that init script line caused. So on balance I am procrastinating on taking it until Debian has a documented need/bug. The issue should disappear entirely with the upcoming 4.x package.

I'm pulling in the adduser and Vcs-Browser patches. Though please note there was some discussion in debian-devel recently about these URLs that concluded the /cgit/ path segment should be /git/ so as not to depend on the cgit tool specifically. The web server now handles redirection itself from the generic URL syntax.

I still don't think the snakeoil patch in its current form is correct for squid/3.x packages. The code to use those certs is not even compiled so at the very least a Depends relationship is bogus. The squidclient/3.x could Recommend since it supports HTTPS, but that is a separate package. And the documentation note I suspect has fooled at least some people into thinking they can use the HTTPS config options already.

The rest will need some testing. I hope to have some time for that this week to try to further minimize the diff, but no guarantees.

Robie Basak (racb) wrote :

Thanks for looking into these. Everything you've said sounds reasonable. I'm going to leave the snakeoil patch as-is in Ubuntu for now for the sake of making progress, but I will make a note to look at this again when we next merge.

Robie Basak (racb) wrote :

I think this is ready. Merge proposal in https://code.launchpad.net/~racb/ubuntu/+source/squid3/+git/squid3/+merge/316496. I'll upload in a week if nobody finds the time to review.

Robie Basak (racb)
Changed in squid3 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.5.23-1ubuntu1

---------------
squid3 (3.5.23-1ubuntu1) zesty; urgency=medium

  * Merge from Debian (LP: #1644538). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
    - Add missing Pre-Depends on adduser.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/Makefile.am in
      d/t/upstream-test-suite.
  * Drop changes (adopted in Debian):
    - Run sarg-reports if present before rotating logs.
    - Add lsb-release build dep.
  * Drop changes that no longer make a functional difference in Ubuntu, but may
    still be relevant to send to Debian:
    - d/squid3.postinst: don't try to stop squid3 again.
    - d/squid3.postrm: don't rm -f conffiles in purge.
    - Drop squid3 dependencies on ${shlib:Depends} and lsb-base.
    - Drop creation of /etc/squid.
  * Drop unnecessary changes:
    - Add executable bits to d/squid.preinst.
  * Drop changes relating to the upgrade path from prior to Xenial, so no
    longer required:
    - /var/spool/squid3 upgrade path handling.
    - Conffile upgrade path handling.
    - Remove redundant version-guarded restart code from squid postinst.
    - Clean up apparmor links for usr.sbin.squid3 on upgrade.
    - Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
    - Add Breaks on older ufw to fix upgrade path.
    - Use Breaks instead of Conflicts. Instead, drop the Conflicts/Replaces
      entirely (see below).
  * Drop security fixes: all included in 3.5.23 upstream.
  * Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
    happened in Xenial, so no upgrade path still requires this code. This
    reduces upgrade ordering difficulty.
  * Fix failing autopkgtests:
    - Adjust Python module dependencies.
    - Correctly handle the squid3 -> squid rename.
    - Adjust seddery for upstream test squid binary location.
  * Drop dependency on init-system-helpers. This was introduced in LP 1432683.
    Since we no longer ship an upstart job, it is no longer required.
  * Correct attribution and add explanatory note in d/NEWS.debian.

squid3 (3.5.23-1) unstable; urgency=high

  [ Amos Jeffries <email address hidden> ]
  * New Upstream Release (Closes: #793473, #822952)
    - Fixes security issue SQUID-2016:10 (CVE-2016-10003) (Closes: #848491)
    - Fixes security issue SQUID-2016:11 (CVE-2016-10002) (Closes: #848493)

  * debian/patches/
    - Remove patch included upstream

  * debian/tests/
    - Use package build-deps when testing so the make commands will work

squid3 (3.5.22-1) unstable; urgency=medium

  [ Amos Jeffries <email address hidden> ]
  * New Upstream Release

  * debian/patches
    - Add upstream patch to fix adaptation crashes

  * debian/{control, rules, squid.postinst}
    - Accept patch to remove setuid from pinger (Clo...


Changed in squid3 (Ubuntu):
status: Fix Committed → Fix Released
Erik Berggren (erbe03) wrote :

Hi,
Could you please release Squid 3.5.23-1ubuntu1 to Xenial as well?

Robie Basak (racb) wrote : Re: [Bug 1644538] Re: Please sync Squid 3.5 latest from Debian

On Mon, Feb 13, 2017 at 01:47:12PM -0000, Erik Berggren wrote:
> Could you please release Squid 3.5.23-1ubuntu1 to Xenial as well?

I'm afraid not. Something may be possible though if you can specify why
you need this. Please see https://wiki.ubuntu.com/StableReleaseUpdates
for the policy and rationale, and details of what is acceptable. Please
then file a separate bug with details of what you actually need fixing.

Erik Berggren (erbe03) wrote :

When we used the current 3.5.12 in Xenial, we got very poor upload speeds ranging from 30-50mbit/s; after we upgraded to 3.5.23 we got the full upload speed.
Is this bug sufficient enough to change the 3.5.12 -> 3.5.23 in Xenial?

Best Regards

Robie Basak (racb) wrote :

If the bug is valid it's certainly sufficient for an SRU. Please file it with detailed information. Whether we backport a fix or update wholesale to 3.5.23 depends on whether all the other changes qualify.

Erik Berggren (erbe03) wrote :

Hi Robie, please head over to this new bug report I created: https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1665292
