This bug was fixed in the package squid3 - 3.5.27-1ubuntu1

squid3 (3.5.27-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable (LP: #1751286). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/ in
    - Correct attribution and add explanatory note in d/NEWS.debian.
    - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
      happened in Xenial, so no upgrade path still requires this code. This
      reduces upgrade ordering difficulty.
    - Adjust seddery for upstream test squid binary location.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
    - GCC7 FTBFS fixes (LP #1712668):
      + d/rules: don't error when hitting the "deprecated" and
       "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
       but one in that affects 32bit builds was deemed too intrusive
       for the 3.5 stable series and is only in squid 4.x
  * Dropped changes:
    - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
      Thanks to Lubos Uhliarik <>.
      [Already applied upstream]
    - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
      boolean.  Thanks to Amos Jeffries <>
      [Already applied upstream]
    - SECURITY UPDATE: denial of service in ESI Response processing
      + debian/patches/CVE-2018-1000024.patch: make sure endofName never
        exceeds tagEnd in src/esi/
      + CVE-2018-1000024
        [Added in 3.5.27-1]
    - SECURITY UPDATE: denial of service in HTTP Message processing
      + debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
        transactions without a client connection in
      + CVE-2018-1000027
        [Included in 3.5.27-1]
  * Added changes:
    - Do not force gcc-6

squid3 (3.5.27-1) unstable; urgency=high

  [ Amos Jeffries <> ]
  * New Upstream Release

  * debian/{control,rules}
    - Add temporary dependency on gcc-6 and g++-6 to workaround FTBFS in

  * debian/patches/
    - Fix security issue SQUID-2018:1 (CVE-2016-1000024) (Closes: #888719)
    - Fix security issue SQUID-2018:2 (CVE-2016-1000027) (Closes: #888720)

  [ Luigi Gangitano <> ]
  * debian/control
    - Changed priority to optional for squid3 and squid-dbg
    - Removed unneeded Build-Dep on autotools-dev

  * debian/rules
    - Include dpkg-architecture Makefile instead of invoking the binary at
      build time

  * debian/squid.postinst
    - Remove recursive chown calls

 -- Andreas Hasenack <>  Tue, 27 Feb 2018 08:09:21

** Changed in: squid3 (Ubuntu)
       Status: In Progress => Fix Released


  Please merge from debian's 3.5.27
