squid (5.9-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in ESI processing using multi-byte characters
    - debian/patches/CVE-2024-37894.patch: fix variable datatype to handle
      variable names outside standard ASCII characters
    - CVE-2024-37894

 -- Vyom Yadav <vyom.yadav@canonical.com>  Tue, 09 Jul 2024 15:49:37 +0530

squid (5.9-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version 5.9 (LP: #2040470):
    - mgr:index URL do not produce MGR_INDEX template
    - Block all non-localhost requests by default
    - Block to-localhost, to-link-local requests by default
    - ext_kerberos_ldap_group_acl: Support -b with -D
    - For a comprehensive list of changes, please see
      http://www.squid-cache.org/Versions/v5/ChangeLog.html.
  * Refresh patches:
    - d/p/0001-Default-configuration-file-for-debian.patch
    - d/p/CVE-{2023-5824-1,2024-25111}.patch
  * d/p/0001-Default-configuration-file-for-debian.patch: Comment
    disruptive upstream changes introduced because of upstream bug
    #5241.
  * d/NEWS: Write news entry regarding the decision to comment out the
    more strict defaults for connection to localhost and link-local
    networks.

 -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 03 Apr 2024 12:31:46 -0400

squid (5.7-0ubuntu0.22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via Cache Manager error responses
    - debian/patches/CVE-2024-23638.patch: just close after a write(2)
      response sending error in src/servers/Server.cc.
    - CVE-2024-23638
  * SECURITY UPDATE: DoS in HTTP header parsing
    - debian/patches/CVE-2024-25617.patch: improve handling of expanding
      HTTP header values in src/SquidString.h, src/cache_cf.cc,
      src/cf.data.pre, src/http.cc.
    - CVE-2024-25617
  * SECURITY UPDATE: DoS via chunked decoder uncontrolled recursion bug
    - debian/patches/CVE-2024-25111.patch: fix infinite recursion in
      src/SquidMath.h, src/http.cc, src/http.h.
    - CVE-2024-25111
  * SECURITY UPDATE: DoS via Improper Handling of Structural Elements bug
    - debian/patches/CVE-2023-5824-pre1.patch: break long store_client call
      chains with async calls.
    - debian/patches/CVE-2023-5824-pre2.patch: add Assure() as a
      replacement for problematic Must().
    - debian/patches/CVE-2023-5824-pre3.patch: fix compiler errors.
    - debian/patches/CVE-2023-5824-1.patch: remove serialized HTTP headers
      from storeClientCopy().
    - debian/patches/CVE-2023-5824-2.patch: fix frequent assertion.
    - debian/patches/CVE-2023-5824-3.patch: remove mem_hdr::freeDataUpto()
      assertion.
    - debian/patches/CVE-2023-5824-4.patch: fix Bug 5318.
    - CVE-2023-5824

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 14 Mar 2024 10:47:38 -0400

squid (5.7-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service in HTTP message processing
    - debian/patches/CVE-2023-49285.patch: additional parsing checks added to
      fix buffer overread in lib/rfc1123.c.
    - CVE-2023-49285
  * SECURITY UPDATE: denial of service in helper process management
    - debian/patches/CVE-2023-49286.patch: improved error handling included
      for helper process initialisation in src/ipc.cc.
    - CVE-2023-49286
  * SECURITY UPDATE: denial of service in HTTP request parsing
    - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log
      limit as error when exceeded in src/ClientRequestContext.h,
      src/client_side_request.cc.
    - CVE-2023-50269

 -- Evan Caville <evan.caville@canonical.com>  Wed, 17 Jan 2024 14:01:57 +1000

squid (5.7-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS against certificate validation
    - debian/patches/CVE-2023-46724.patch: fix validation of certificates
      with CN=* in src/anyp/Uri.cc.
    - CVE-2023-46724
  * SECURITY UPDATE: DoS via Gopher gateway
    - debian/patches/CVE-2023-46728.patch: disable gopher support in
      src/FwdState.cc, src/HttpRequest.cc, src/IoStats.h, src/Makefile.am,
      src/adaptation/ecap/Host.cc, src/adaptation/ecap/MessageRep.cc,
      src/anyp/ProtocolType.h, src/anyp/Uri.cc, src/anyp/UriScheme.cc,
      src/client_side_request.cc, src/error/forward.h, src/http/Message.h,
      src/mgr/IoAction.cc, src/mgr/IoAction.h, src/stat.cc,
      src/tests/Stub.am.
    - CVE-2023-46728
  * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
    lenience
    - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
      compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
      src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
      src/parser/Tokenizer.h.
    - CVE-2023-46846
  * SECURITY UPDATE: DoS via HTTP Digest Authentication
    - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
      parsing Digest Authorization in src/auth/digest/Config.cc.
    - CVE-2023-46847
  * SECURITY UPDATE: DoS via ftp:// URLs
    - debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
      src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
      src/anyp/Uri.cc.
    - CVE-2023-46848

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 13 Nov 2023 09:20:05 -0500

squid (5.7-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version. (LP: #2013423):
    - Fix FATAL FwdState::noteDestinationsEnd exception. (LP: #1975399)
    - Fix regression that made the default value for the esi_parser
      configuration directive behave differently from its documented behavior.
      It now correctly uses libxml2 if available and falls back to libexpat
      otherwise.
    - Fix unexpected dispatch of client CA certificates to https_port clients
      when OpenSSL SSL_MODE_NO_AUTO_CHAIN mode is on.
    - Add OpenSSL 3.0 support for features that were already supported by
      squid. No new OpenSSL 3.0 feature support added at this time.
    - The configuration directive ssl_engine is no longer recognized. Since
      this option is not implemented for the OpenSSL 3 used in Ubuntu 22.04
      LTS, this is not a functional regression. Now, instead of failing with
      "FATAL: Your OpenSSL has no SSL engine support", it fails with "FATAL:
      bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0
      or newer".
    - For a comprehensive list of changes, please see
      http://www.squid-cache.org/Versions/v5/ChangeLog.html.
  * d/p/close-tunnel-if-to-server-conn-closes-after-client.patch: remove
    upstreamed patch.
    [ Fixed in 5.4 ]
  * d/p/0004-Change-default-Makefiles-for-debian.patch: remove upstreamed
    patch.
    [ Fixed in 5.5 ]
  * d/p/CVE-2021-46784.patch: remove upstreamed patch.
    [ Fixed in 5.6 ]
  * d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
    [ Fixed in 5.7 ]
  * d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
    [ Fixed in 5.7 ]
  * d/p/openssl3-*.patch: drop downstream OpenSSL 3 support patch.
    [ Fixed in 5.7 ]
  * d/p/99-ubuntu-ssl-cert-snakeoil.patch: refresh patch.

 -- Athos Ribeiro <athos.ribeiro@canonical.com>  Thu, 30 Mar 2023 17:06:59 -0300

squid (5.2-1ubuntu4.4) jammy; urgency=medium

  * Make builds fail when upstream test suite fails (LP: #2004050):
    - d/p/series: do not rely on installed binaries for build time tests.
    - d/rules: halt build upon test failures.
    - d/rules: do not include additional configuration files during
      build time tests. This would lead to test failures due to missing
      paths.
    - d/t/upstream-test-suite: use installed squid binary for
      autopkgtest config file checks.

 -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 31 Jan 2023 09:42:58 -0300

squid (5.2-1ubuntu4.3) jammy; urgency=medium

  * d/p/close-tunnel-if-to-server-conn-closes-after-client.patch:
    Close tunnel "job" after to-server client connection closes,
    fixing memory leak. (LP: #1989380)

 -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Thu, 05 Jan 2023 15:50:48 -0500

squid (5.2-1ubuntu4.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager
    - debian/patches/CVE-2022-41317.patch: fix typo in ACL in
      src/cf.data.pre.
    - CVE-2022-41317
  * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
    - debian/patches/CVE-2022-41318.patch: improve checks in
      lib/ntlmauth/ntlmauth.cc.
    - CVE-2022-41318

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 23 Sep 2022 08:06:42 -0400

squid (5.2-1ubuntu4.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of Service in Gopher Processing
    - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
      responses in src/gopher.cc.
    - CVE-2021-46784

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 21 Jun 2022 13:38:17 -0400

# For older changelog entries, run 'apt-get changelog squid-common'