[ubuntu/groovy-proposed] squid 4.11-5ubuntu1 (Accepted)

Sergio Durigan Junior sergio.durigan at canonical.com
Tue May 19 21:11:12 UTC 2020


squid (4.11-5ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/usr.sbin.squid: Add sections for maas-proxy, squid-deb-proxy,
      squidguard
    - d/p/90-cf.data.ubuntu.patch: Add an example refresh pattern for
      debs.
    - Use snakeoil certificates:
      + d/control: add ssl-cert to dependencies
      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
        default config file
    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead
      of -O2 and that triggers a format-truncation error on pcon.cc. See
      https://bugs.squid-cache.org/show_bug.cgi?id=4875
  * Dropped:
    - d/p/drop-sysctl_h.patch: no longer include sysctl.h as it was
      deprecated in glibc 2.30 (LP #1843325)
      [ In 4.11-4 ]
    - SECURITY UPDATE: multiple ESI issues
      + debian/patches/CVE-2019-12519_12521.patch: convert parse exceptions
        into 500 status response in src/esi/Context.h, src/esi/Esi.cc,
        src/esi/Esi.h, src/esi/Expression.cc.
      + CVE-2019-12519
      [ In 4.11-4 ]
    - SECURITY UPDATE: Digest Authentication nonce replay issue
      + debian/patches/CVE-2020-11945.patch: fix auth digest refcount integer
        overflow in src/auth/digest/Config.cc.
      [ In 4.11-4 ]
  * Added:
    - Don't restart squid by hand on postinst script
      + d/squid.postinst: When installing/upgrading squid, the service
        is being restarted manually in the postinst script, which can
        break installations that have the squid apparmor enabled because
        it will try to restart the service before reloading the apparmor
        profile.  There is no reason to restart squid manually, since the
        restart will be automatically performed later.
    - Drop conffile check for squid < 2.7
      + d/squid.postinst: squid 2.7 is long, long gone, so it should be
        safe to drop the postinst code to make sure that
        /etc/squid/squid.conf was properly upgraded.

squid (4.11-5) unstable; urgency=medium

  [ Sergio Durigan Junior <sergiodj at debian.org> ]
  * Don't install /run/squid (use systemd's RuntimeDirectory instead).
    Debian Policy states that /run is normally cleared at boot time, and
    therefore packages must not install files/directories under /run.
    Init scripts should be taught to dynamically handle /run instead.
    This change uses systemd's RuntimeDirectory and RuntimeDirectoryMode
    directives when starting the squid service in order to guarantee that
    /run/squid/ will be created with the correct permission.  This has the
    added benefit of deleting the directory when the service is stopped.
    (Closes: #960327)
  * Allow /run/system/notify to be accessed by squid.
    When apparmor is enabled and the squid profile is enforced, we must
    make sure that the daemon will be able to access the
    /run/system/notify file (because squid's systemd service file type is
    "notify").

  [ Luigi Gangitano <luigi at debian.org> ]
  * debian/NEWS
    - Fix unknown version of latest entry

squid (4.11-4) unstable; urgency=medium

  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * Fix permissions on /run/squid

squid (4.11-3) unstable; urgency=low

  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * Move PID file into /run/squid (Closes: #932593)

  * Mark squid-common package Multi-Arch:foreign

squid (4.11-2) unstable; urgency=high

  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * Add libsystemd-dev dependency on Linux (Closes: 958708)
    - fixes systemd timeout failure during install

  [ Luigi Gangitano <luigi at debian.org> ]
  * debian/rules
    - Removed --as-needed flag

squid (4.11-1) unstable; urgency=high

  * Urgency high due to security fixes

  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * New Upstream Release (Closes: #957840, #929574, #910337)
    - Fixes security issue SQUID-2019:12 (CVE-2019-12519, CVE-2019-12521)
    - Fixes security issue SQUID-2020:4 (CVE-2020-11945)

  * debian/squid3.{maintscript,postinst,postrm,preinst,rc}
    - Remove unused and obsolete scripts

  * debian/squid.{postrm,preinst}
    - Remove obsolete script logic

  * debian/squid-common.postinst
    - Remove obsolete script

  * debian/changelog
    - Add missing historic CVE references

  * debian/patches/
    - Add upstream fix for missing Debug::Extra in systemd builds

Date: Tue, 19 May 2020 14:43:04 -0400
Changed-By: Sergio Durigan Junior <sergio.durigan at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Andreas Hasenack <andreas at canonical.com>
https://launchpad.net/ubuntu/+source/squid/4.11-5ubuntu1
-------------- next part --------------
Format: 1.8
Source: squid
Architecture: source
Version: 4.11-5ubuntu1
Distribution: groovy
Urgency: high
Closes: 910337 929574 932593 957840 958708 960327
Original-Maintainer: Luigi Gangitano <luigi at debian.org>

