-
squid (5.7-0ubuntu0.22.04.1) jammy; urgency=medium
* New upstream version. (LP: #2013423):
- Fix FATAL FwdState::noteDestinationsEnd exception. (LP: #1975399)
- Fix regression that made the default value for the esi_parser
configuration directive behave differently from its documented behavior.
It now correctly uses libxml2 if available and falls back to libexpat
otherwise.
- Fix unexpected dispatch of client CA certificates to https_port clients
when OpenSSL SSL_MODE_NO_AUTO_CHAIN mode is on.
- Add OpenSSL 3.0 support for features that were already supported by
squid. No new OpenSSL 3.0 feature support added at this time.
- The configuration directive ssl_engine is no longer recognized. Since
this option is not implemented for the OpenSSL 3 used in Ubuntu 22.04
LTS, this is not a functional regression. Now, instead of failing with
"FATAL: Your OpenSSL has no SSL engine support", it fails with "FATAL:
bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0
or newer".
- For a comprehensive list of changes, please see
http://www.squid-cache.org/Versions/v5/ChangeLog.html.
* d/p/close-tunnel-if-to-server-conn-closes-after-client.patch: remove
upstreamed patch.
[ Fixed in 5.4 ]
* d/p/0004-Change-default-Makefiles-for-debian.patch: remove upstreamed
patch.
[ Fixed in 5.5 ]
* d/p/CVE-2021-46784.patch: remove upstreamed patch.
[ Fixed in 5.6 ]
* d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
[ Fixed in 5.7 ]
* d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
[ Fixed in 5.7 ]
* d/p/openssl3-*.patch: drop downstream OpenSSL 3 support patch.
[ Fixed in 5.7 ]
* d/p/99-ubuntu-ssl-cert-snakeoil.patch: refresh patch.
squid (5.2-1ubuntu4.4) jammy; urgency=medium
* Make builds fail when upstream test suite fails (LP: #2004050):
- d/p/series: do not rely on installed binaries for build time tests.
- d/rules: halt build upon test failures.
- d/rules: do not include additional configuration files during
build time tests. This would lead to test failures due to missing
paths.
- d/t/upstream-test-suite: use installed squid binary for
autopkgtest config file checks.
-- Athos Ribeiro <email address hidden> Thu, 30 Mar 2023 17:06:59 -0300
-
squid (5.2-1ubuntu4.4) jammy; urgency=medium
* Make builds fail when upstream test suite fails (LP: #2004050):
- d/p/series: do not rely on installed binaries for build time tests.
- d/rules: halt build upon test failures.
- d/rules: do not include additional configuration files during
build time tests. This would lead to test failures due to missing
paths.
- d/t/upstream-test-suite: use installed squid binary for
autopkgtest config file checks.
-- Athos Ribeiro <email address hidden> Tue, 31 Jan 2023 09:42:58 -0300
-
squid (5.2-1ubuntu4.3) jammy; urgency=medium
* d/p/close-tunnel-if-to-server-conn-closes-after-client.patch:
Close tunnel "job" after to-server client connection closes,
fixing memory leak. (LP: #1989380)
-- Sergio Durigan Junior <email address hidden> Thu, 05 Jan 2023 15:50:48 -0500
-
squid (5.2-1ubuntu4.2) jammy-security; urgency=medium
* SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager
- debian/patches/CVE-2022-41317.patch: fix typo in ACL in
src/cf.data.pre.
- CVE-2022-41317
* SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
- debian/patches/CVE-2022-41318.patch: improve checks in
lib/ntlmauth/ntlmauth.cc.
- CVE-2022-41318
-- Marc Deslauriers <email address hidden> Fri, 23 Sep 2022 08:06:42 -0400
-
squid (5.2-1ubuntu4.1) jammy-security; urgency=medium
* SECURITY UPDATE: Denial of Service in Gopher Processing
- debian/patches/CVE-2021-46784.patch: improve handling of Gopher
responses in src/gopher.cc.
- CVE-2021-46784
-- Marc Deslauriers <email address hidden> Tue, 21 Jun 2022 13:38:17 -0400
-
squid (5.2-1ubuntu4) jammy; urgency=medium
* Do not enable openssl as a default. This hinders packaging since we ship
squid in two different flavours (gnutls and openssl). Drop
d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200)
-- Athos Ribeiro <email address hidden> Tue, 12 Apr 2022 23:41:41 -0300
-
squid (5.2-1ubuntu3) jammy; urgency=medium
* Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new
patches have been added:
- d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
- d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
- d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
- d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
- d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
- d/p/openssl3-Remove-stale-TODO-and-comment.patch.
- d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
- d/p/openssl3-Switch-to-BN_rand.patch.
- d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
- d/p/openssl3-Tweak-RSA-key-generator.patch.
- d/p/openssl3-Update-ECDH-key-settings.patch.
- d/p/openssl3-Update-license-disclaimer.patch.
-- Sergio Durigan Junior <email address hidden> Tue, 08 Feb 2022 17:15:20 -0500
-
squid (5.2-1ubuntu2) jammy; urgency=medium
* No-change rebuild against libssl3
-- Steve Langasek <email address hidden> Thu, 09 Dec 2021 00:19:10 +0000
-
squid (5.2-1ubuntu1) jammy; urgency=medium
* Merge with Debian unstable (LP: #1946903). Remaining changes:
- d/usr.sbin.squid: Add sections for squid-deb-proxy and
squidguard
- d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
packaging
- Use snakeoil certificates:
+ d/control: add ssl-cert to dependencies
+ d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
to the default config file
- d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694)
- Fix FTBFS with GCC 11 (LP #1939352)
+ d/p/expand-max-pkt-sz-accomodate-icmphdr.patch: Expand
MAX_PKT{4,6}_SZ to accomodate for icmp{,6_}hdr.
+ d/p/workaround-gcc11-wstringop-overread-bug.patch: Workaround
GCC 11 -Wstringop-overread bug.
* Dropped changes:
- d/p/0008-Fix-free-nonheap-object-warning-error-on-snmp_core.c.patch:
Fix call to free on nonheap-object in snmpCreateOidFromStr
[ Incorporated by upstream. ]
- Fix failure to build on RISC-V (LP #1934891)
[ Incorporated by upstream. ]
- SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
+ debian/patches/CVE-2021-28116.patch: validate packets better in
src/wccp2.cc.
+ CVE-2021-28116
[ Incorporated by upstream. ]
- Fix FTBFS with GCC 11 (LP #1939352)
+ d/p/replace-cbdata-offset-hack-with-offsetof.patch: Replace
cbdata::Offset hack with offsetof().
+ d/p/add-missing-limits-include-connmark.patch: Add missing
<limits> include to src/acl/ConnMark.cc.
[ Incorporated by upstream. This is a partial drop; the other
two patches that compose this fix are still present in this
release. ]
-- Sergio Durigan Junior <email address hidden> Mon, 01 Nov 2021 18:19:59 -0400
-
squid (4.13-10ubuntu5) impish; urgency=medium
* SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
- debian/patches/CVE-2021-28116.patch: validate packets better in
src/wccp2.cc.
- CVE-2021-28116
-- Marc Deslauriers <email address hidden> Mon, 04 Oct 2021 08:20:07 -0400