Change logs for squid3 source package in Artful

  • squid3 (3.5.23-5ubuntu1.1) artful-security; urgency=medium
    
      * SECURITY UPDATE: denial of service in ESI Response processing
        - debian/patches/CVE-2018-1000024.patch: make sure endofName never
          exceeds tagEnd in src/esi/CustomParser.cc.
        - CVE-2018-1000024
      * SECURITY UPDATE: denial of service in HTTP Message processing
        - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
          transactions without a client connection in
          src/client_side_request.cc.
        - CVE-2018-1000027
    
     -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 10:08:51 -0500
  • squid3 (3.5.23-5ubuntu1) artful; urgency=medium
    
      * Merge with Debian unstable (LP: #1712653). Remaining changes:
        - Add additional dep8 tests.
        - Use snakeoil certificates.
        - Add an example refresh pattern for debs.
        - Add disabled by default AppArmor profile.
        - Enable autoreconf. This is no longer required for the security updates,
          but is needed for the seddery of test-suite/Makefile.am in
          d/t/upstream-test-suite.
        - Correct attribution and add explanatory note in d/NEWS.debian.
        - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
          happened in Xenial, so no upgrade path still requires this code. This
          reduces upgrade ordering difficulty.
        - Adjust seddery for upstream test squid binary location.
        - Revert "Set pidfile for systemd's sysv-generator" from Debian.
        - Drop wrong short-circuiting of various invocations; we always want to
          call the debhelper block.
      * Drop:
        - Add missing Pre-Depends on adduser.
          [Fixed in Debian 3.5.23-2]
      * GCC7 FTBFS fixes (LP: #1712668):
        - d/rules: don't error when hitting the "deprecated" and
          "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
          but one in Format.cc that affects 32bit builds was deemed too intrusive
          for the 3.5 stable series and is only in squid 4.x
        - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
          Thanks to Lubos Uhliarik <email address hidden>.
        - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
          boolean.  Thanks to Amos Jeffries <email address hidden>
    
     -- Andreas Hasenack <email address hidden>  Thu, 24 Aug 2017 16:04:35 -0300
  • squid3 (3.5.23-1ubuntu1) zesty; urgency=medium
    
      * Merge from Debian (LP: #1644538). Remaining changes:
        - Add additional dep8 tests.
        - Use snakeoil certificates.
        - Add an example refresh pattern for debs.
        - Add disabled by default AppArmor profile.
        - Revert "Set pidfile for systemd's sysv-generator" from Debian.
        - Drop wrong short-circuiting of various invocations; we always want to
          call the debhelper block.
        - Add missing Pre-Depends on adduser.
        - Enable autoreconf. This is no longer required for the security updates,
          but is needed for the seddery of test-suite/Makefile.am in
          d/t/upstream-test-suite.
      * Drop changes (adopted in Debian):
        - Run sarg-reports if present before rotating logs.
        - Add lsb-release build dep.
      * Drop changes that no longer make a functional difference in Ubuntu, but may
        still be relevant to send to Debian:
        - d/squid3.postinst: don't try to stop squid3 again.
        - d/squid3.postrm: don't rm -f conffiles in purge.
        - Drop squid3 dependencies on ${shlib:Depends} and lsb-base.
        - Drop creation of /etc/squid.
      * Drop unnecessary changes:
        - Add executable bits to d/squid.preinst.
      * Drop changes relating to the upgrade path from prior to Xenial, so no
        longer required:
        - /var/spool/squid3 upgrade path handling.
        - Conffile upgrade path handling.
        - Remove redundant version-guarded restart code from squid postinst.
        - Clean up apparmor links for usr.sbin.squid3 on upgrade.
        - Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
        - Add Breaks on older ufw to fix upgrade path.
        - Use Breaks instead of Conflicts. Instead, drop the Conflicts/Replaces
          entirely (see below).
      * Drop security fixes: all included in 3.5.23 upstream.
      * Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
        happened in Xenial, so no upgrade path still requires this code. This
        reduces upgrade ordering difficulty.
      * Fix failing autopkgtests:
        - Adjust Python module dependencies.
        - Correctly handle the squid3 -> squid rename.
        - Adjust seddery for upstream test squid binary location.
      * Drop dependency on init-system-helpers. This was introduced in LP 1432683.
        Since we no longer ship an upstart job, it is no longer required.
      * Correct attribution and add explanatory note in d/NEWS.debian.
    
    squid3 (3.5.23-1) unstable; urgency=high
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release (Closes: #793473, #822952)
        - Fixes security issue SQUID-2016:10 (CVE-2016-10003) (Closes: #848491)
        - Fixes security issue SQUID-2016:11 (CVE-2016-10002) (Closes: #848493)
    
      * debian/patches/
        - Remove patch included upstream
    
      * debian/tests/
        - Use package build-deps when testing so the make commands will work
    
    squid3 (3.5.22-1) unstable; urgency=medium
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release
    
      * debian/patches
        - Add upstream patch to fix adaptation crashes
    
      * debian/{control, rules, squid.postinst}
        - Accept patch to remove setuid from pinger (Closes: #822992)
    
      [ Luigi Gangitano ]
      * debian/compat
        - Bump to debhelper compatibility level 10
    
      * debian/{control,tests/}
        - Add DEP-8 autopkgtest for upstream test suite, thanks to
          Santiago Ruano Rincón (Closes: #829141)
    
      * debian/rules
        - Avoid linking with unneeded libraries, thanks to Yuriy M. Kaminskiyi
          (Closes: #822998)
    
    squid3 (3.5.19-1) unstable; urgency=high
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release (Closes: #823968)
        - Fixes security issue SQUID-2016:7 (CVE-2016-4553)
        - Fixes security issue SQUID-2016:8 (CVE-2016-4554)
        - Fixes security issue SQUID-2016:9 (CVE-2016-4555, CVE-2016-4556)
    
      * debian/control
        - Bumped Standards-Version to 3.9.8, no change needed
    
      * debian/rules
        - Send hardening CPPFLAGS to custom build tools
    
    squid3 (3.5.17-1) unstable; urgency=high
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release
        - Fixes security issue SQUID-2016:5 (CVE-2016-4051)
        - Fixes security issue SQUID-2016:6 (CVE-2016-4052, CVE-2016-4053,
          CVE-2016-4054)
    
    squid3 (3.5.16-1) unstable; urgency=high
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release
        - Fixes security issue SQUID-2016:3 (CVE-2016-3947) (Closes: #819783)
        - Fixes security issue SQUID-2016:4 (CVE-2016-3948) (Closes: #819784)
    
      * debian/patches/
        - Remove patch included upstream
    
    squid3 (3.5.15-1) unstable; urgency=high
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release
        - Fixes security issues SQUID-2016:2
          (CVE-2016-2569, CVE-2016-2570, CVE-2016-2571)
          (Closes: #816011)
    
      * debian/patches/03-upstream-bug4447.patch
        - add upstream patch for their bug #4447
    
      [ Robie Basak <email address hidden> ]
      * debian/control
        - Add lsb-release build dep. This is required for the --enable-build-info
          line in debian/rules to work correctly.
    
      * debian/squid.logrotate
        - Run sarg-reports if present before rotating logs.
    
      [ Luigi Gangitano <email address hidden> ]
      * debian/control
        - Bumped Standards-Version to 3.9.7, no change needed
    
    squid3 (3.5.14-1) unstable; urgency=medium
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release (Closes: #812038)
    
      * debian/control
        - add Depends libdbi-perl (Closes: #807512)
        - Fixed lintian complaint about squid3 package description
        - Fixed Vcs-Git Header pointing anonscm.debian.org
    
      * debian/rules
        - build ext_time_quota_acl helper (LP: #1391159)
    
      * debian/squid.install
        - add missing helper man pages
    
     -- Robie Basak <email address hidden>  Tue, 24 Jan 2017 15:47:44 +0000