enterprise-support team mailing list archive

[Bug 2040426] Re: Merge squid from Debian unstable for noble

 

This bug was fixed in the package squid - 6.5-1ubuntu1

---------------
squid (6.5-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2040426). Remaining changes:
    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
      squidguard
    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
      packaging
    - Use snakeoil certificates:
      + d/control: add ssl-cert to dependencies
      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
        to the default config file
    - d/NEWS: drop the NIS basic auth helper (LP #1895694)
    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
    - d/rules: halt build upon test failures.
    - d/rules: do not include additional configuration files during
      build time tests. This would lead to test failures due to missing
      paths.
    - d/t/upstream-test-suite: use installed squid binary for
      autopkgtest config file checks.
    - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison
      between signed and unsigned values.
    - d/rules: disable LTO related compilation errors for ppc64el builds.
  * Dropped changes:
    - d/t/upstream-test-suite: make missing targets for squid 6.
      [ Fixed in Debian in 6.5-1 ]
    - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in
      Ftp::Client constructor leading to problems in FTP support.
      [ Fixed upstream in 6.2 ]
    - SECURITY UPDATE: DoS against certificate validation
      + debian/patches/CVE-2023-46724.patch: fix validation of certificates
        with CN=* in src/anyp/Uri.cc.
      + CVE-2023-46724
      [ Fixed in Debian in 6.5-1 ]
    - SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
      lenience
      + debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
        compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
        src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
        src/parser/Tokenizer.h.
      + CVE-2023-46846
      [ Fixed in Debian in 6.5-1 ]
    - SECURITY UPDATE: DoS via HTTP Digest Authentication
      + debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
        parsing Digest Authorization in src/auth/digest/Config.cc.
      + CVE-2023-46847
      [ Fixed in Debian in 6.5-1 ]
    - SECURITY UPDATE: DoS via ftp:// URLs
      + debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
        src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
        src/anyp/Uri.cc.
      + CVE-2023-46848
      [ Fixed in Debian in 6.5-1 ]

 -- Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>  Tue, 12 Dec 2023 12:05:40 -0300

** Changed in: squid (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46724

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46846

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46847

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46848

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to squid in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2040426

Title:
  Merge squid from Debian unstable for noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2040426/+subscriptions
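The check a reader of this notification usually wants is whether a noble host already carries 6.5-1ubuntu1. The script below is an added example and is not code from the bug report, from squid, or from dpkg: it reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision; '~' sorts before everything including the end of the string, letters before non-letters, digit runs compared numerically) so the comparison can run on a machine without dpkg, and applies it to a constructed, made-up dpkg-query listing. On a real host the installed version comes from `dpkg-query -W -f='${Package}\t${Version}\n' 'squid*'`, and `dpkg --compare-versions` remains the authoritative comparison. The threshold 6.5-1ubuntu1 is the noble upload named in this changelog; it says nothing about other Ubuntu series, which received these CVE fixes in their own package versions that this notification does not list.

```python
"""Added example: is the installed squid at or past the noble upload
6.5-1ubuntu1?  Not code from the bug report, squid or dpkg; the ordering
below follows the algorithm dpkg uses for `dpkg --compare-versions`."""

FIXED_NOBLE = "6.5-1ubuntu1"   # version named in this notification (noble only)

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n' 'squid*'`
# output.  The versions are made up for the example, not a real package state.
SAMPLE_DPKG_QUERY = (
    "squid\t6.1-2ubuntu2\n"
    "squid-common\t6.1-2ubuntu2\n"
    "squid-langpack\t20230530-1\n"
)


def _is_digit(ch: str) -> bool:
    return "0" <= ch <= "9"


def _order(ch: str) -> int:
    """dpkg's weight for a non-digit character; "" means end of string."""
    if ch == "" or _is_digit(ch):
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version part (upstream or revision) the way dpkg does.
    Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one position at a time.
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, remember the first differing digit,
        # and let the longer run win (so 10 > 9).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no Debian revision (native package)
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lt, eq or gt b in dpkg ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _cmp_fragment(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def installed_versions(dpkg_query_output: str) -> dict:
    """Parse package<TAB>version lines, ignoring blank lines."""
    result = {}
    for line in dpkg_query_output.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            result[name] = version
    return result


def squid_is_fixed(dpkg_query_output: str, fixed: str = FIXED_NOBLE) -> bool:
    """True if the installed 'squid' binary package is at or past `fixed`.
    A host without the package is reported as not fixed, so it is not
    silently skipped; treat that result as 'nothing to assess'."""
    version = installed_versions(dpkg_query_output).get("squid")
    return version is not None and compare_versions(version, fixed) >= 0


if __name__ == "__main__":
    for pkg, ver in installed_versions(SAMPLE_DPKG_QUERY).items():
        print(f"{pkg}\t{ver}")
    print("squid at or past", FIXED_NOBLE + ":", squid_is_fixed(SAMPLE_DPKG_QUERY))
```

The revision comparison is what makes "6.5-1ubuntu1" sort after Debian's "6.5-1" and a hypothetical "6.5-1ubuntu1~bpo1" sort before it, which is why a plain string or float comparison of package versions is unreliable for this kind of check.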


