UbuntuUpdates.org

Package "squid"

Name: squid

Description:

dummy transitional package from squid to squid3

Latest version: 3.1.19-1ubuntu3.12.04.8
Release: precise (12.04)
Level: updates
Repository: universe
Head package: squid3
Homepage: http://www.squid-cache.org

Other versions of "squid" in Precise

Repository Area Version
base universe 3.1.19-1ubuntu2
security universe 3.1.19-1ubuntu3.12.04.8
PPA: nathan-renniewaldock ppa 3.1.23-1~ppa1~precise

Changelog

Version: 3.1.19-1ubuntu3.12.04.8 2017-02-06 20:06:48 UTC

  squid3 (3.1.19-1ubuntu3.12.04.8) precise-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/client_side_reply.cc,
      src/client_side_reply.h.
    - CVE-2016-10002

 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2017 10:00:45 -0500

CVE-2016-1000 Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.

Version: 3.1.19-1ubuntu3.12.04.7 2016-06-09 19:06:35 UTC

  squid3 (3.1.19-1ubuntu3.12.04.7) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_mem.cc,
      tools/Makefile.am, src/tests/STUB.h, src/squid.h.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.
  * debian/patches/02-makefile-defaults.patch: also patch src/Makefile.am.

 -- Marc Deslauriers <email address hidden> Wed, 08 Jun 2016 07:50:10 -0400

CVE-2016-3947 Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x before 4.0.8 allows remote serve
CVE-2016-4051 Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or ex
CVE-2016-4052 Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execu
CVE-2016-4053 Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI)
CVE-2016-4054 Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI
CVE-2016-4553 client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remo
CVE-2016-4554 mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attack
CVE-2016-4555 client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge S
CVE-2016-4556 Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a

Version: 3.1.19-1ubuntu3.12.04.6 2016-03-07 15:06:26 UTC

  squid3 (3.1.19-1ubuntu3.12.04.6) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issue that only applies when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 14:57:14 -0500

1547640 proxy tries ipv6 and gets 503 when no ipv6 routes
CVE-2014-6270 Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to caus
CVE-2016-2571 http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remo
CVE-2014-0128 Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via

Version: 3.1.19-1ubuntu3.12.04.4 2015-10-28 17:07:45 UTC

  squid3 (3.1.19-1ubuntu3.12.04.4) precise-proposed; urgency=low

  * d/squid3.upstart: Use SIGINT to terminate squid and wait at most 40
    seconds for it to finish. (LP: #1073478)

 -- Tiago Stürmer Daitx Wed, 14 Oct 2015 02:54:20 +0000

1073478 [SRU] Update squid3 upstart script to kill it with SIGINT and wait longer

Version: 3.1.19-1ubuntu3.12.04.3 2014-08-28 06:06:24 UTC

  squid3 (3.1.19-1ubuntu3.12.04.3) precise-security; urgency=medium

  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
    values
    - debian/patches/CVE-2014-3609.patch: adjust src/HttpHdrRange.cc to
      return an error if unable to determine the byte value for ranges
    - CVE-2014-3609

 -- Jamie Strandboge <email address hidden> Tue, 26 Aug 2014 13:55:57 -0500

CVE-2014-3609 Denial of service in request processing


