Format: 1.8
Date: Wed, 02 Sep 2020 11:35:51 -0400
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source
Version: 3.5.27-1ubuntu1.9
Distribution: bionic-security
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 squid - Full featured Web Proxy cache (HTTP proxy)
 squid-cgi - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3 - Transitional package
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.5.27-1ubuntu1.9) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: Request Smuggling and Poisoning issue
     - debian/patches/CVE-2020-15049.patch: validate Content-Length value
       prefix in src/http/ContentLengthInterpreter.cc,
       src/http/ContentLengthInterpreter.h.
     - CVE-2020-15049
   * SECURITY UPDATE: HTTP Request Smuggling issue
     - debian/patches/CVE-2020-15810.patch: enforce token characters for
       field-name in src/HttpHeader.cc.
     - CVE-2020-15810
   * SECURITY UPDATE: HTTP Request Splitting issue
     - debian/patches/CVE-2020-15811-pre.patch: validate Content-Length
       header values in src/HttpHeader.cc, src/HttpHeaderTools.cc,
       src/HttpHeaderTools.h, src/http/ContentLengthInterpreter.cc,
       src/http/ContentLengthInterpreter.h, src/http/Makefile.am.
     - debian/patches/CVE-2020-15811.patch: Improve Transfer-Encoding
       handling in src/HttpHeader.cc, src/HttpHeader.h, src/client_side.cc,
       src/http.cc.
     - CVE-2020-15811
   * SECURITY UPDATE: DoS via peer crafted Cache Digest response message
     - debian/patches/CVE-2020-24606.patch: fix livelocking in
       peerDigestHandleReply in src/peer_digest.cc.
     - CVE-2020-24606
   * Enable the test suite
     - debian/rules: enable test suite
     - debian/patches/enable-the-test-suite.patch: fix FTBFS.
     - debian/patches/fix-cppunit-detection.patch: don't use cppunit-config
       which is no longer available in bionic.
Checksums-Sha1:
 5eed81ae403ddc943986ff7588bcb5d33d8526b1 2739 squid3_3.5.27-1ubuntu1.9.dsc
 be140f053c75be83cfa4874ab8925a07aafa67dd 83412 squid3_3.5.27-1ubuntu1.9.debian.tar.xz
 7d9a0527a2c889150f0f61344f16c46b433cd4d3 11094 squid3_3.5.27-1ubuntu1.9_source.buildinfo
Checksums-Sha256:
 c15c7ef7dcef1cec20419a0835edd1389045e54a430f5123ecc5ff10b868e404 2739 squid3_3.5.27-1ubuntu1.9.dsc
 6b898fe4a20a03cc41ea9ae3863d0780d3219fd588ee512a6dca23902a57fb43 83412 squid3_3.5.27-1ubuntu1.9.debian.tar.xz
 162c3f37fe334e80a1d9e9a11b4c324d615d0b0c2db0fa4d884bd777e465a550 11094 squid3_3.5.27-1ubuntu1.9_source.buildinfo
Files:
 1b3ea066c7a5890d1e7dcf0b5900fa3e 2739 web optional squid3_3.5.27-1ubuntu1.9.dsc
 abddf3d883c1efc0cc7e3d6ea18793c6 83412 web optional squid3_3.5.27-1ubuntu1.9.debian.tar.xz
 268858077d928ec8db3f4e57d0f581df 11094 web optional squid3_3.5.27-1ubuntu1.9_source.buildinfo
Original-Maintainer: Luigi Gangitano