Change logs for squid3 source package in Bionic

  • squid3 (3.5.27-1ubuntu1.14) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
        - debian/patches/CVE-2022-41318.patch: improve checks in
          lib/ntlmauth/ntlmauth.cc.
        - CVE-2022-41318
    
     -- Marc Deslauriers <email address hidden>  Fri, 23 Sep 2022 08:08:17 -0400
  • squid3 (3.5.27-1ubuntu1.13) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Denial of Service in Gopher Processing
        - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
          responses in src/gopher.cc.
        - CVE-2021-46784
    
     -- Marc Deslauriers <email address hidden>  Tue, 21 Jun 2022 13:45:17 -0400
  • squid3 (3.5.27-1ubuntu1.12) bionic-security; urgency=medium
    
      * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
        - debian/patches/CVE-2021-28116.patch: validate packets better in
          src/wccp2.cc.
        - CVE-2021-28116
    
     -- Marc Deslauriers <email address hidden>  Mon, 04 Oct 2021 08:32:25 -0400
  • squid3 (3.5.27-1ubuntu1.11) bionic-security; urgency=medium
    
      * SECURITY UPDATE: DoS via buffer-management bug
        - debian/patches/CVE-2021-28651.patch: fix memory leak in src/urn.cc.
        - CVE-2021-28651
      * SECURITY UPDATE: DoS via HTTP Range request
        - debian/patches/CVE-2021-3180x.patch: handle more Range requests in
          src/HttpHdrRange.cc, src/HttpHeaderRange.h, src/client_side.cc,
          src/client_side_request.cc, src/client_side_request.h.
        - CVE-2021-31806
        - CVE-2021-31807
        - CVE-2021-31808
      * SECURITY UPDATE: DoS via HTTP response
        - debian/patches/CVE-2021-33620.patch: handle more partial responses in
          src/HttpHdrContRange.cc, src/HttpHeaderRange.h,
          src/clients/Client.cc, src/client_side.cc.
        - CVE-2021-33620
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Jun 2021 13:03:13 -0400
  • squid3 (3.5.27-1ubuntu1.10) bionic-security; urgency=medium
    
      * SECURITY UPDATE: HTTP Request Smuggling issue
        - debian/patches/CVE-2020-25097.patch: Add slash prefix to path-
          rootless or path-noscheme URLs in src/url.cc.
        - CVE-2020-25097
    
     -- Marc Deslauriers <email address hidden>  Thu, 25 Mar 2021 12:45:30 -0400
  • squid3 (3.5.27-1ubuntu1.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Request Smuggling and Poisoning issue
        - debian/patches/CVE-2020-15049.patch: validate Content-Length value
          prefix in src/http/ContentLengthInterpreter.cc,
          src/http/ContentLengthInterpreter.h.
        - CVE-2020-15049
      * SECURITY UPDATE: HTTP Request Smuggling issue
        - debian/patches/CVE-2020-15810.patch: enforce token characters for
          field-name in src/HttpHeader.cc.
        - CVE-2020-15810
      * SECURITY UPDATE: HTTP Request Splitting issue
        - debian/patches/CVE-2020-15811-pre.patch: validate Content-Length
          header values in src/HttpHeader.cc, src/HttpHeaderTools.cc,
          src/HttpHeaderTools.h, src/http/ContentLengthInterpreter.cc,
          src/http/ContentLengthInterpreter.h, src/http/Makefile.am.
        - debian/patches/CVE-2020-15811.patch: Improve Transfer-Encoding
          handling in src/HttpHeader.cc, src/HttpHeader.h, src/client_side.cc,
          src/http.cc.
        - CVE-2020-15811
      * SECURITY UPDATE: DoS via peer crafted Cache Digest response message
        - debian/patches/CVE-2020-24606.patch: fix livelocking in
          peerDigestHandleReply in src/peer_digest.cc.
        - CVE-2020-24606
      * Enable the test suite
        - debian/rules: enable test suite
        - debian/patches/enable-the-test-suite.patch: fix FTBFS.
        - debian/patches/fix-cppunit-detection.patch: don't use cppunit-config
          which is no longer available in bionic.
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Sep 2020 11:35:51 -0400
  • squid3 (3.5.27-1ubuntu1.8) bionic-security; urgency=medium
    
      * SECURITY REGRESSION: regression when parsing icap and ecap protocols
        (LP: #1890265)
        - debian/patches/CVE-2019-12523-bug965012.patch
      * Thanks to Markus Koschany for the regression fix!
    
     -- Marc Deslauriers <email address hidden>  Tue, 25 Aug 2020 13:12:13 -0400
  • squid3 (3.5.27-1ubuntu1.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Multiple Issues in HTTP Request processing
        - debian/patches/CVE-2019-12520.patch: properly handle userinfo in
          src/url.cc.
        - CVE-2019-12520
        - CVE-2019-12524
      * SECURITY UPDATE: Multiple issues in URI processing
        - debian/patches/CVE-2019-12526.patch: replace patch with the one from
          Debian to get backported functions.
        - debian/patches/CVE-2019-12523.patch: update URI parser to use SBuf
          parsing APIs.
        - CVE-2019-12523
        - CVE-2019-18676
      * Thanks to Markus Koschany for the backports this update is based on.
    
     -- Marc Deslauriers <email address hidden>  Tue, 28 Jul 2020 12:38:51 -0400
  • squid3 (3.5.27-1ubuntu1.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: multiple ESI issues
        - debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
          into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
          src/esi/Esi.h, src/esi/Expression.cc.
        - CVE-2019-12519
        - CVE-2019-12521
      * SECURITY UPDATE: hostname parameter mishandling in cachemgr.cgi
        - debian/patches/CVE-2019-18860.patch: add validation for hostname
          parameter in src/base/CharacterSet.cc, tools/Makefile.am,
          tools/cachemgr.cc.
        - CVE-2019-18860
      * SECURITY UPDATE: Digest Authentication nonce replay issue
        - debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
          overflow in src/auth/digest/Config.cc.
        - CVE-2020-11945
    
     -- Marc Deslauriers <email address hidden>  Thu, 07 May 2020 10:03:32 -0400
  • squid3 (3.5.27-1ubuntu1.5) bionic-security; urgency=medium
    
      * SECURITY UPDATE: info disclosure via FTP server
        - debian/patches/CVE-2019-12528.patch: fix FTP buffers handling in
          src/clients/FtpGateway.cc.
        - CVE-2019-12528
      * SECURITY UPDATE: incorrect input validation and buffer management
        - debian/patches/CVE-2020-84xx-1.patch: ignore malformed Host header in
          intercept and reverse proxy mode in src/client_side.cc.
        - debian/patches/CVE-2020-84xx-2.patch: fix request URL generation in
          reverse proxy configurations in src/client_side.cc.
        - debian/patches/CVE-2020-84xx-3.patch: fix security patch in
          src/client_side.cc.
        - CVE-2020-8449
        - CVE-2020-8450
      * SECURITY UPDATE: DoS in NTLM authentication
        - debian/patches/CVE-2020-8517.patch: improved username handling in
          helpers/external_acl/LM_group/ext_lm_group_acl.cc.
        - CVE-2020-8517
    
     -- Marc Deslauriers <email address hidden>  Wed, 19 Feb 2020 12:50:27 -0500
  • squid3 (3.5.27-1ubuntu1.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Heap Overflow issue in URN processing
        - debian/patches/CVE-2019-12526.patch: fix URN response handling in
          src/urn.cc.
        - CVE-2019-12526
      * SECURITY UPDATE: CSRF issue in HTTP Request processing
        - debian/patches/CVE-2019-18677.patch: prevent truncation for large
          origin-relative domains in src/URL.h, src/internal.cc, src/url.cc.
        - CVE-2019-18677
      * SECURITY UPDATE: HTTP Request Splitting in HTTP message processing
        - debian/patches/CVE-2019-18678.patch: server MUST reject messages with
          BWS after field-name in src/HttpHeader.cc, src/HttpHeader.h.
        - CVE-2019-18678
        - CVE-2019-18679
    
     -- Marc Deslauriers <email address hidden>  Tue, 19 Nov 2019 14:59:43 -0500
  • squid3 (3.5.27-1ubuntu1.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: incorrect digest auth parameter parsing
        - debian/patches/CVE-2019-12525.patch: check length in
          src/auth/digest/Config.cc.
        - CVE-2019-12525
      * SECURITY UPDATE: basic auth uudecode length issue
        - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
          base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
          include/uudecode.h, lib/uudecode.c.
        - CVE-2019-12529
    
     -- Marc Deslauriers <email address hidden>  Tue, 16 Jul 2019 11:49:31 -0400
  • squid3 (3.5.27-1ubuntu1.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: DoS via SNMP memory leak
        - debian/patches/CVE-2018-19132.patch: fix leak in src/snmp_core.cc.
        - CVE-2018-19132
      * SECURITY UPDATE: XSS issues in cachemgr.cgi
        - debian/patches/CVE-2019-13345.patch: properly escape values in
          tools/cachemgr.cc.
        - CVE-2019-13345
    
     -- Marc Deslauriers <email address hidden>  Thu, 11 Jul 2019 12:59:25 -0400
  • squid3 (3.5.27-1ubuntu1.1) bionic; urgency=medium
    
      [ Simon Deziel ]
      * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
        binary (LP: #1792728)
    
     -- Christian Ehrhardt <email address hidden>  Fri, 28 Sep 2018 09:09:50 +0200
  • squid3 (3.5.27-1ubuntu1) bionic; urgency=medium
    
      * Merge with Debian unstable (LP: #1751286). Remaining changes:
        - Add additional dep8 tests.
        - Use snakeoil certificates.
        - Add an example refresh pattern for debs.
        - Add disabled by default AppArmor profile.
        - Enable autoreconf. This is no longer required for the security updates,
          but is needed for the seddery of test-suite/Makefile.am in
          d/t/upstream-test-suite.
        - Correct attribution and add explanatory note in d/NEWS.debian.
        - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
          happened in Xenial, so no upgrade path still requires this code. This
          reduces upgrade ordering difficulty.
        - Adjust seddery for upstream test squid binary location.
        - Revert "Set pidfile for systemd's sysv-generator" from Debian.
        - Drop wrong short-circuiting of various invocations; we always want to
          call the debhelper block.
        - GCC7 FTBFS fixes (LP: #1712668):
          + d/rules: don't error when hitting the "deprecated" and
            "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
            but one in Format.cc that affects 32bit builds was deemed too intrusive
            for the 3.5 stable series and is only in squid 4.x
      * Dropped changes:
        - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
          Thanks to Lubos Uhliarik <email address hidden>.
          [Already applied upstream]
        - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
          boolean.  Thanks to Amos Jeffries <email address hidden>
          [Already applied upstream]
        - SECURITY UPDATE: denial of service in ESI Response processing
          + debian/patches/CVE-2018-1000024.patch: make sure endofName never
            exceeds tagEnd in src/esi/CustomParser.cc.
          + CVE-2018-1000024
            [Added in 3.5.27-1]
        - SECURITY UPDATE: denial of service in HTTP Message processing
          + debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
            transactions without a client connection in
            src/client_side_request.cc.
          + CVE-2018-1000027
            [Included in 3.5.27-1]
      * Added changes:
        - Do not force gcc-6
    
    squid3 (3.5.27-1) unstable; urgency=high
    
      [ Amos Jeffries <email address hidden> ]
      * New Upstream Release
    
      * debian/{control,rules}
        - Add temporary dependency on gcc-6 and g++-6 to workaround FTBFS in
          unstable
    
      * debian/patches/
        - Fix security issue SQUID-2018:1 (CVE-2016-1000024) (Closes: #888719)
        - Fix security issue SQUID-2018:2 (CVE-2016-1000027) (Closes: #888720)
    
      [ Luigi Gangitano <email address hidden> ]
      * debian/control
        - Changed priority to optional for squid3 and squid-dbg
        - Removed unneeded Build-Dep on autotools-dev
    
      * debian/rules
        - Include dpkg-architecture Makefile instead of invoking the binary at
          build time
    
      * debian/squid.postinst
        - Remove recursive chown calls
    
     -- Andreas Hasenack <email address hidden>  Tue, 27 Feb 2018 08:09:21 -0300
  • squid3 (3.5.23-5ubuntu2) bionic; urgency=medium
    
      * SECURITY UPDATE: denial of service in ESI Response processing
        - debian/patches/CVE-2018-1000024.patch: make sure endofName never
          exceeds tagEnd in src/esi/CustomParser.cc.
        - CVE-2018-1000024
      * SECURITY UPDATE: denial of service in HTTP Message processing
        - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
          transactions without a client connection in
          src/client_side_request.cc.
        - CVE-2018-1000027
    
     -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 10:08:51 -0500
  • squid3 (3.5.23-5ubuntu1) artful; urgency=medium
    
      * Merge with Debian unstable (LP: #1712653). Remaining changes:
        - Add additional dep8 tests.
        - Use snakeoil certificates.
        - Add an example refresh pattern for debs.
        - Add disabled by default AppArmor profile.
        - Enable autoreconf. This is no longer required for the security updates,
          but is needed for the seddery of test-suite/Makefile.am in
          d/t/upstream-test-suite.
        - Correct attribution and add explanatory note in d/NEWS.debian.
        - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
          happened in Xenial, so no upgrade path still requires this code. This
          reduces upgrade ordering difficulty.
        - Adjust seddery for upstream test squid binary location.
        - Revert "Set pidfile for systemd's sysv-generator" from Debian.
        - Drop wrong short-circuiting of various invocations; we always want to
          call the debhelper block.
      * Drop:
        - Add missing Pre-Depends on adduser.
          [Fixed in Debian 3.5.23-2]
      * GCC7 FTBFS fixes (LP: #1712668):
        - d/rules: don't error when hitting the "deprecated" and
          "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
          but one in Format.cc that affects 32bit builds was deemed too intrusive
          for the 3.5 stable series and is only in squid 4.x
        - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
          Thanks to Lubos Uhliarik <email address hidden>.
        - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
          boolean.  Thanks to Amos Jeffries <email address hidden>
    
     -- Andreas Hasenack <email address hidden>  Thu, 24 Aug 2017 16:04:35 -0300