UbuntuUpdates.org

Package "squid3"

Name: squid3

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Full featured Web Proxy cache (HTTP proxy) - control CGI
  • Full featured Web Proxy cache (HTTP proxy) - control utility
  • Full featured Web Proxy cache (HTTP proxy) - control utility

Latest version: 3.5.12-1ubuntu7.11
Release: xenial (16.04)
Level: updates
Repository: universe

Links

Save this URL for the latest version of "squid3": https://www.ubuntuupdates.org/squid3



Other versions of "squid3" in Xenial

Repository Area Version
base main 3.5.12-1ubuntu7
base universe 3.5.12-1ubuntu7
security main 3.5.12-1ubuntu7.11
security universe 3.5.12-1ubuntu7.11
updates main 3.5.12-1ubuntu7.11

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.5.12-1ubuntu7.6 2018-11-13 17:07:29 UTC

  squid3 (3.5.12-1ubuntu7.6) xenial; urgency=medium

  * d/squid.rc: fix regexp for catching FATAL errors (LP: #1738412)
  * d/t/test-squid.py: in xenial, initscript, apparmor profile, pidfile and
    process are named squid, not squid3. Get rid of the multiple distro
    logic since these tests will be only run on xenial.
  * d/t/control: drop uneeded dependency on python-unit.
  * d/t/squid: use a shorter shutdown timeout for the tests, so they
    run faster

 -- Andreas Hasenack <email address hidden> Wed, 31 Oct 2018 09:22:14 -0300

Source diff to previous version
1738412 Init script fails test on reload/restart because of faulty regex

Version: 3.5.12-1ubuntu7.5 2018-02-05 21:06:51 UTC

  squid3 (3.5.12-1ubuntu7.5) xenial-security; urgency=medium

  * SECURITY UPDATE: various denial of service issues
    - debian/patches/CVE-2016-25xx-1.patch: better handling of huge
      response headers in src/http.cc.
    - debian/patches/CVE-2016-25xx-2.patch: throw instead of asserting on
      some String overflows in src/SquidString.h, src/StrList.cc,
      src/String.cc, src/clients/Client.cc, src/clients/Client.h,
      src/clients/FtpClient.cc, src/http.cc.
    - debian/patches/CVE-2016-25xx-3.patch: fix assertion in custom ESI
      parser in src/esi/CustomParser.cc, src/esi/CustomParser.h.
    - debian/patches/CVE-2016-25xx-4.patch: fix assertion in
      src/FwdState.cc, src/FwdState.h, src/clients/Client.h, src/comm.cc,
      src/comm.h, src/http.cc.
    - CVE-2016-2569
    - CVE-2016-2570
    - CVE-2016-2571
  * SECURITY UPDATE: denial of service via crafted HTTP response
    - debian/patches/CVE-2016-3948.patch: convert Vary handling to SBuf in
      src/HttpRequest.cc, src/HttpRequest.h, src/MemObject.cc,
      src/MemObject.h, src/MemStore.cc, src/StoreMetaVary.cc,
      src/client_side.cc, src/client_side_reply.cc, src/http.cc,
      src/http.h, src/store.cc, src/store_key_md5.cc,
      src/store_swapmeta.cc, src/tests/stub_MemObject.cc,
      src/tests/stub_http.cc.
    - CVE-2016-3948
  * SECURITY UPDATE: denial of service in ESI Response processing
    - debian/patches/CVE-2018-1000024.patch: make sure endofName never
      exceeds tagEnd in src/esi/CustomParser.cc.
    - CVE-2018-1000024
  * SECURITY UPDATE: denial of service in in HTTP Message processing
    - debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
      transactions without a client connection in
      src/client_side_request.cc.
    - CVE-2018-1000027

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 09:56:31 -0500

Source diff to previous version
CVE-2016-2569 Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of servic
CVE-2016-2570 The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows rem
CVE-2016-2571 http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remo
CVE-2016-3948 Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a cra

Version: 3.5.12-1ubuntu7.4 2017-08-03 17:06:50 UTC

  squid3 (3.5.12-1ubuntu7.4) xenial; urgency=medium

  * debian/patches/passive-ftp-segfault-1560429.patch: Fix for segfault
    when ftp passive mode is not available. Closes: #793473, LP:
    #1560429.

 -- Andreas Hasenack <email address hidden> Fri, 07 Jul 2017 09:39:40 -0300

Source diff to previous version
793473 squid3: segfault when ftp passive mode is not available - Debian Bug report logs

Version: 3.5.12-1ubuntu7.3 2017-02-06 20:06:53 UTC

  squid3 (3.5.12-1ubuntu7.3) xenial-security; urgency=medium

  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of
      If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
      src/client_side_reply.cc, src/client_side_reply.h.
    - CVE-2016-10002
  * SECURITY UPDATE: incorrect HTTP Request header comparison
    - debian/patches/CVE-2016-10003.patch: don't share private responses
      with collapsed client in src/client_side_reply.cc.
    - CVE-2016-10003

 -- Marc Deslauriers <email address hidden> Fri, 03 Feb 2017 14:09:18 -0500

Source diff to previous version
CVE-2016-1000 Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.

Version: 3.5.12-1ubuntu7.2 2016-06-09 19:06:49 UTC

  squid3 (3.5.12-1ubuntu7.2) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
      src/tests/stub_mem.cc, tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.

 -- Marc Deslauriers <email address hidden> Wed, 08 Jun 2016 08:06:59 -0400

CVE-2016-3947 Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x before 4.0.8 allows remote serve
CVE-2016-4051 Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or ex
CVE-2016-4052 Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execu
CVE-2016-4053 Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI)
CVE-2016-4054 Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI
CVE-2016-4553 client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remo
CVE-2016-4554 mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attack
CVE-2016-4555 client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge S
CVE-2016-4556 Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a



About   -   Send Feedback to @ubuntu_updates