UbuntuUpdates.org

Package "squid"

Name: squid

Description:

dummy transitional package from squid to squid3

Latest version: 3.1.19-1ubuntu3.12.04.10
Release: precise (12.04)
Level: security
Repository: universe
Head package: squid3
Homepage: http://www.squid-cache.org

Other versions of "squid" in Precise

Repository                 Area      Version
base                       universe  3.1.19-1ubuntu2
updates                    universe  3.1.19-1ubuntu3.12.04.10
PPA: nathan-renniewaldock  ppa       3.1.23-1~ppa1~precise

Changelog

Version: 3.1.19-1ubuntu3.12.04.10 2021-05-03 15:06:28 UTC

  squid3 (3.1.19-1ubuntu3.12.04.10) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: incorrect digest auth parameter parsing
    - debian/patches/CVE-2019-12525.patch: check length in
      src/auth/digest/auth_digest.cc.
    - CVE-2019-12525
  * SECURITY UPDATE: basic auth uudecode length issue
    - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
      base64 decoder in lib/Makefile.*, src/auth/basic/auth_basic.cc,
      , lib/uudecode.c.
    - CVE-2019-12529

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 18 Jul 2019 15:42:15 -0300

CVE-2019-12525 An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the heade
CVE-2019-12529 An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authenticati

Version: 3.1.19-1ubuntu3.12.04.8 2017-02-06 19:06:43 UTC

  squid3 (3.1.19-1ubuntu3.12.04.8) precise-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/client_side_reply.cc,
      src/client_side_reply.h.
    - CVE-2016-10002

 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2017 10:00:45 -0500


Version: 3.1.19-1ubuntu3.12.04.7 2016-06-09 18:06:29 UTC

  squid3 (3.1.19-1ubuntu3.12.04.7) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_mem.cc,
      tools/Makefile.am, src/tests/STUB.h, src/squid.h.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.

 -- Marc Deslauriers <email address hidden> Wed, 08 Jun 2016 07:50:10 -0400

CVE-2016-3947 Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x before 4.0.8 allows remote serve
CVE-2016-4051 Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or ex
CVE-2016-4052 Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execu
CVE-2016-4053 Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI)
CVE-2016-4054 Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI
CVE-2016-4553 client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remo
CVE-2016-4554 mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attack
CVE-2016-4555 client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge S
CVE-2016-4556 Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a

Version: 3.1.19-1ubuntu3.12.04.6 2016-03-07 14:06:28 UTC

  squid3 (3.1.19-1ubuntu3.12.04.6) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issue that only applies when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 14:57:14 -0500

1547640 proxy tries ipv6 and gets 503 when no ipv6 routes
CVE-2014-6270 Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to caus
CVE-2016-2571 http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remo
CVE-2014-0128 Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via

Version: 3.1.19-1ubuntu3.12.04.3 2014-08-28 04:06:22 UTC

  squid3 (3.1.19-1ubuntu3.12.04.3) precise-security; urgency=medium

  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
    values
    - debian/patches/CVE-2014-3609.patch: adjust src/HttpHdrRange.cc to
      return an error if unable to determine the byte value for ranges
    - CVE-2014-3609

 -- Jamie Strandboge <email address hidden> Tue, 26 Aug 2014 13:55:57 -0500

CVE-2014-3609 Denial of service in request processing


