Please merge from debian's 3.5.27
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squid3 (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Bug Description
Please merge debian's 3.5.27 (or higher) into ubuntu.
squid3 (3.5.27-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
* debian/
- Add temporary dependency on gcc-6 and g++-6 to workaround FTBFS in
unstable
* debian/patches/
- Fix security issue SQUID-2018:1 (CVE-2016-1000024) (Closes: #888719)
- Fix security issue SQUID-2018:2 (CVE-2016-1000027) (Closes: #888720)
[ Luigi Gangitano <email address hidden> ]
* debian/control
- Changed priority to optional for squid3 and squid-dbg
- Removed unneeded Build-Dep on autotools-dev
* debian/rules
- Include dpkg-architecture Makefile instead of invoking the binary at
build time
* debian/
- Remove recursive chown calls
-- Luigi Gangitano <email address hidden> Tue, 13 Feb 2018 15:31:24 +0100
CVE References
This bug was fixed in the package squid3 - 3.5.27-1ubuntu1
---------------
squid3 (3.5.27-1ubuntu1) bionic; urgency=medium
* Merge with Debian unstable (LP: #1751286). Remaining changes: Makefile.am in t/upstream-test-suite.
"format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these, patches/gcc7-squidpurge-4695.patch: GCC 7 build errors. patches/gcc7-assert-wants-boolean.patch: assert() takes a patches/CVE-2018-1000024.patch: make sure endofName never CustomParser.cc. patches/CVE-2018-1000027.patch: fix indirect IP logging for
transactions without a client connection in
src/client_side_request.cc.
- Add additional dep8 tests.
- Use snakeoil certificates.
- Add an example refresh pattern for debs.
- Add disabled by default AppArmor profile.
- Enable autoreconf. This is no longer required for the security updates,
but is needed for the seddery of test-suite/
d/
- Correct attribution and add explanatory note in d/NEWS.debian.
- Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
happened in Xenial, so no upgrade path still requires this code. This
reduces upgrade ordering difficulty.
- Adjust seddery for upstream test squid binary location.
- Revert "Set pidfile for systemd's sysv-generator" from Debian.
- Drop wrong short-circuiting of various invocations; we always want to
call the debhelper block.
- GCC7 FTBFS fixes (LP #1712668):
+ d/rules: don't error when hitting the "deprecated" and
but one in Format.cc that affects 32bit builds was deemed too intrusive
for the 3.5 stable series and is only in squid 4.x
* Dropped changes:
- debian/
Thanks to Lubos Uhliarik <email address hidden>.
[Already applied upstream]
- debian/
boolean. Thanks to Amos Jeffries <email address hidden>
[Already applied upstream]
- SECURITY UPDATE: denial of service in ESI Response processing
+ debian/
exceeds tagEnd in src/esi/
+ CVE-2018-1000024
[Added in 3.5.27-1]
- SECURITY UPDATE: denial of service in HTTP Message processing
+ debian/
+ CVE-2018-1000027
[Included in 3.5.27-1]
* Added changes:
- Do not force gcc-6
squid3 (3.5.27-1) unstable; urgency=high
[ Amos Jeffries <email address hidden> ]
* New Upstream Release
* debian/{control, rules}
- Add temporary dependency on gcc-6 and g++-6 to workaround FTBFS in
unstable
* debian/patches/
- Fix security issue SQUID-2018:1 (CVE-2016-1000024) (Closes: #888719)
- Fix security issue SQUID-2018:2 (CVE-2016-1000027) (Closes: #888720)
[ Luigi Gangitano <email address hidden> ]
* debian/control
- Changed priority to optional for squid3 and squid-dbg
- Removed unneeded Build-Dep on autotools-dev
* debian/rules
- Include dpkg-architecture Makefile instead of invoking the binary at
build time
* debian/squid.postinst
- Remove recursive chown calls
-- Andreas Hasenack <email address hidden> Tue, 27 Feb 2018 08:09:21 -0300