UbuntuUpdates.org

Package "squid3"

Name: squid3

Description:

Full featured Web Proxy cache (HTTP proxy)

Latest version: 3.3.8-1ubuntu6.11
Release: trusty (14.04)
Level: updates
Repository: main
Homepage: http://www.squid-cache.org

Other versions of "squid3" in Trusty

Repository  Area      Version
base        universe  3.3.8-1ubuntu6
base        main      3.3.8-1ubuntu6
security    universe  3.3.8-1ubuntu6.11
security    main      3.3.8-1ubuntu6.11
updates     universe  3.3.8-1ubuntu6.11

Changelog

Version: 3.3.8-1ubuntu6.11 2018-02-05 21:06:48 UTC

  squid3 (3.3.8-1ubuntu6.11) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 10:11:57 -0500

Version: 3.3.8-1ubuntu6.10 2017-10-30 19:06:35 UTC

  squid3 (3.3.8-1ubuntu6.10) trusty; urgency=medium

  * debian/patches/fix-assertion-ftp-put-empty-file.patch: Fix ftp
    assertion error when uploading empty file. Thanks to Alex Rousskov
    <email address hidden>. Closes LP: #1423498.

 -- Andreas Hasenack <email address hidden> Thu, 28 Sep 2017 12:23:01 -0400

1423498 FTP upload causes squid hang

Version: 3.3.8-1ubuntu6.9 2017-02-06 20:06:50 UTC

  squid3 (3.3.8-1ubuntu6.9) trusty-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/client_side.cc,
      src/client_side_reply.cc, src/client_side_reply.h, src/enums.h,
      src/log/access_log.cc.
    - CVE-2016-10002

 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2017 09:56:36 -0500

Version: 3.3.8-1ubuntu6.8 2016-06-09 19:06:39 UTC

  squid3 (3.3.8-1ubuntu6.8) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/Stub.list,
      src/tests/stub_cbdata.cc, src/tests/stub_mem.cc,
      tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.
  * WARNING: This package does _not_ contain the changes from
    (3.3.8-1ubuntu6.7) in trusty-proposed.

 -- Marc Deslauriers <email address hidden> Wed, 08 Jun 2016 08:07:57 -0400

CVE-2016-3947 Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x before 4.0.8 allows remote serve
CVE-2016-4051 Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or ex
CVE-2016-4052 Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execu
CVE-2016-4053 Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI)
CVE-2016-4054 Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI
CVE-2016-4553 client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remo
CVE-2016-4554 mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attack
CVE-2016-4555 client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge S
CVE-2016-4556 Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a

Version: 3.3.8-1ubuntu6.6 2016-03-07 15:06:28 UTC

  squid3 (3.3.8-1ubuntu6.6) trusty-security; urgency=medium

  [ Scott Moser ]
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issues that only apply when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
    - debian/patches/CVE-2015-3455.patch: incorrect X509 server certificate
      domain matching.

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 14:58:52 -0500

1547640 proxy tries ipv6 and gets 503 when no ipv6 routes
CVE-2014-6270 Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to caus
CVE-2016-2571 http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remo
CVE-2014-0128 Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via
CVE-2015-3455 Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, does not pro
