enterprise-support team mailing list archive

[Launchpad Bug Tracker <1644538@xxxxxxxxxxxxxxxxxx>]

This bug was fixed in the package squid3 - 3.5.23-1ubuntu1

---------------
squid3 (3.5.23-1ubuntu1) zesty; urgency=medium

  * Merge from Debian (LP: #1644538). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
    - Add missing Pre-Depends on adduser.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/Makefile.am in
      d/t/upstream-test-suite.
  * Drop changes (adopted in Debian):
    - Run sarg-reports if present before rotating logs.
    - Add lsb-release build dep.
  * Drop changes that no longer make a functional difference in Ubuntu, but may
    still be relevant to send to Debian:
    - d/squid3.postinst: don't try to stop squid3 again.
    - d/squid3.postrm: don't rm -f conffiles in purge.
    - Drop squid3 dependencies on ${shlib:Depends} and lsb-base.
    - Drop creation of /etc/squid.
  * Drop unnecessary changes:
    - Add executable bits to d/squid.preinst.
  * Drop changes relating to the upgrade path from prior to Xenial, so no
    longer required:
    - /var/spool/squid3 upgrade path handling.
    - Conffile upgrade path handling.
    - Remove redundant version-guarded restart code from squid postinst.
    - Clean up apparmor links for usr.sbin.squid3 on upgrade.
    - Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
    - Add Breaks on older ufw to fix upgrade path.
    - Use Breaks instead of Conflicts. Instead, drop the Conflicts/Replaces
      entirely (see below).
  * Drop security fixes: all included in 3.5.23 upstream.
  * Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
    happened in Xenial, so no upgrade path still requires this code. This
    reduces upgrade ordering difficulty.
  * Fix failing autopkgtests:
    - Adjust Python module dependencies.
    - Correctly handle the squid3 -> squid rename.
    - Adjust seddery for upstream test squid binary location.
  * Drop dependency on init-system-helpers. This was introduced in LP 1432683.
    Since we no longer ship an upstart job, it is no longer required.
  * Correct attribution and add explanatory note in d/NEWS.debian.

squid3 (3.5.23-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release (Closes: #793473, #822952)
    - Fixes security issue SQUID-2016:10 (CVE-2016-10003) (Closes: #848491)
    - Fixes security issue SQUID-2016:11 (CVE-2016-10002) (Closes: #848493)

  * debian/patches/
    - Remove patch included upstream

  * debian/tests/
    - Use package build-deps when testing so the make commands will work

squid3 (3.5.22-1) unstable; urgency=medium

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release

  * debian/patches
    - Add upstream patch to fix adaptation crashes

  * debian/{control, rules, squid.postinst}
    - Accept patch to remove setuid from pinger (Closes: #822992)

  [ Luigi Gangitano ]
  * debian/compat
    - Bump to debhelper compatibility level 10

  * debian/{control,tests/}
    - Add DEP-8 autopkgtest for upstream test suite, thanks to
      Santiago Ruano Rincan (Closes: #829141)

  * debian/rules
    - Avoid linking with unneeded libraries, thanks to Yuriy M. Kaminskiyi
      (Closes: #822998)

squid3 (3.5.19-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release (Closes: #823968)
    - Fixes security issue SQUID-2016:7 (CVE-2016-4553)
    - Fixes security issue SQUID-2016:8 (CVE-2016-4554)
    - Fixes security issue SQUID-2016:9 (CVE-2016-4555, CVE-2016-4556)

  * debian/control
    - Bumped Standards-Version to 3.9.8, no change needed

  * debian/rules
    - Send hardening CPPFLAGS to custom build tools

squid3 (3.5.17-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release
    - Fixes security issue SQUID-2016:5 (CVE-2016-4051)
    - Fixes security issue SQUID-2016:6 (CVE-2016-4052, CVE-2016-4053,
      CVE-2016-4054)

squid3 (3.5.16-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release
    - Fixes security issue SQUID-2016:3 (CVE-2016-3947) (Closes: #819783)
    - Fixes security issue SQUID-2016:4 (CVE-2016-3948) (Closes: #819784)

  * debian/patches/
    - Remove patch included upstream

squid3 (3.5.15-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release
    - Fixes security issues SQUID-2016:2
      (CVE-2016-2569, CVE-2016-2570, CVE-2016-2571)
      (Closes: #816011)

  * debian/patches/03-upstream-bug4447.patch
    - add upstream patch for their bug #4447

  [ Robie Basak <robie.basak@xxxxxxxxxxxxx> ]
  * debian/control
    - Add lsb-release build dep. This is required for the --enable-build-info
      line in debian/rules to work correctly.

  * debian/squid.logrotate
    - Run sarg-reports if present before rotating logs.

  [ Luigi Gangitano <luigi@xxxxxxxxxx> ]
  * debian/control
    - Bumped Standards-Version to 3.9.7, no change needed

squid3 (3.5.14-1) unstable; urgency=medium

  [ Amos Jeffries <amosjeffries@xxxxxxxxxxxxxxx> ]
  * New Upstream Release (Closes: #812038)

  * debian/control
    - add Depends libdbi-perl (Closes: #807512)
    - Fixed lintian complaint about squid3 package description
    - Fixed Vcs-Git Header pointing anonscm.debian.org

  * debian/rules
    - build ext_time_quota_acl helper (LP: #1391159)

  * debian/squid.install
    - add missing helper man pages

 -- Robie Basak <robie.basak@xxxxxxxxxx>  Tue, 24 Jan 2017 15:47:44
+0000

** Changed in: squid3 (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-10002

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-10003

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2569

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2570

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2571

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3947

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3948

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4051

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4052

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4053

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4054

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4553

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4554

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4555

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4556

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to squid3 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1644538

Title:
  Please sync Squid 3.5 latest from Debian

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1644538/+subscriptions