[ubuntu/jammy-security] squid 5.7-0ubuntu0.22.04.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Nov 21 15:35:00 UTC 2023 

squid (5.7-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS against certificate validation
    - debian/patches/CVE-2023-46724.patch: fix validation of certificates
      with CN=* in src/anyp/Uri.cc.
    - CVE-2023-46724
  * SECURITY UPDATE: DoS via Gopher gateway
    - debian/patches/CVE-2023-46728.patch: disable gopher support in
      src/FwdState.cc, src/HttpRequest.cc, src/IoStats.h, src/Makefile.am,
      src/adaptation/ecap/Host.cc, src/adaptation/ecap/MessageRep.cc,
      src/anyp/ProtocolType.h, src/anyp/Uri.cc, src/anyp/UriScheme.cc,
      src/client_side_request.cc, src/error/forward.h, src/http/Message.h,
      src/mgr/IoAction.cc, src/mgr/IoAction.h, src/stat.cc,
      src/tests/Stub.am.
    - CVE-2023-46728
  * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
    lenience
    - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
      compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
      src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
      src/parser/Tokenizer.h.
    - CVE-2023-46846
  * SECURITY UPDATE: DoS via HTTP Digest Authentication
    - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
      parsing Digest Authorization in src/auth/digest/Config.cc.
    - CVE-2023-46847
  * SECURITY UPDATE: DoS via ftp:// URLs
    - debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
      src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
      src/anyp/Uri.cc.
    - CVE-2023-46848

squid (5.7-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version. (LP: #2013423):
    - Fix FATAL FwdState::noteDestinationsEnd exception. (LP: #1975399)
    - Fix regression that made the default value for the esi_parser
      configuration directive behave differently from its documented behavior.
      It now correctly uses libxml2 if available and falls back to libexpat
      otherwise.
    - Fix unexpected dispatch of client CA certificates to https_port clients
      when OpenSSL SSL_MODE_NO_AUTO_CHAIN mode is on.
    - Add OpenSSL 3.0 support for features that were already supported by
      squid. No new OpenSSL 3.0 feature support added at this time.
    - The configuration directive ssl_engine is no longer recognized. Since
      this option is not implemented for the OpenSSL 3 used in Ubuntu 22.04
      LTS, this is not a functional regression. Now, instead of failing with
      "FATAL: Your OpenSSL has no SSL engine support", it fails with "FATAL:
      bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0
      or newer".
    - For a comprehensive list of changes, please see
      http://www.squid-cache.org/Versions/v5/ChangeLog.html.
  * d/p/close-tunnel-if-to-server-conn-closes-after-client.patch: remove
    upstreamed patch.
    [ Fixed in 5.4 ]
  * d/p/0004-Change-default-Makefiles-for-debian.patch: remove upstreamed
    patch.
    [ Fixed in 5.5 ]
  * d/p/CVE-2021-46784.patch: remove upstreamed patch.
    [ Fixed in 5.6 ]
  * d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
    [ Fixed in 5.7 ]
  * d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
    [ Fixed in 5.7 ]
  * d/p/openssl3-*.patch: drop downstream OpenSSL 3 support patch.
    [ Fixed in 5.7 ]
  * d/p/99-ubuntu-ssl-cert-snakeoil.patch: refresh patch.

squid (5.2-1ubuntu4.4) jammy; urgency=medium

  * Make builds fail when upstream test suite fails (LP: #2004050):
    - d/p/series: do not rely on installed binaries for build time tests.
    - d/rules: halt build upon test failures.
    - d/rules: do not include additional configuration files during
      build time tests. This would lead to test failures due to missing
      paths.
    - d/t/upstream-test-suite: use installed squid binary for
      autopkgtest config file checks.

squid (5.2-1ubuntu4.3) jammy; urgency=medium

  * d/p/close-tunnel-if-to-server-conn-closes-after-client.patch:
    Close tunnel "job" after to-server client connection closes,
    fixing memory leak. (LP: #1989380)

Date: 2023-11-13 15:56:09.364606+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the jammy-changes mailing list