This bug was fixed in the package squid - 6.5-1ubuntu1

---------------
squid (6.5-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2040426). Remaining changes:
    - d/usr.sbin.squid: Add sections for squid-deb-proxy and squidguard
    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb packaging
    - Use snakeoil certificates:
      + d/control: add ssl-cert to dependencies
      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
        default config file
    - d/NEWS: drop the NIS basic auth helper (LP #1895694)
    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: Fix FTBFS
      due to -Werror=alloc-size-larger-than on GCC 12.
    - d/rules: halt build upon test failures.
    - d/rules: do not include additional configuration files during build
      time tests. This would lead to test failures due to missing paths.
    - d/t/upstream-test-suite: use installed squid binary for autopkgtest
      config file checks.
    - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison
      between signed and unsigned values.
    - d/rules: disable LTO related compilation errors for ppc64el builds.
  * Dropped changes:
    - d/t/upstream-test-suite: make missing targets for squid 6.
      [ Fixed in Debian in 6.5-1 ]
    - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in Ftp::Client
      constructor leading to problems in FTP support.
      [ Fixed upstream in 6.2 ]
    - SECURITY UPDATE: DoS against certificate validation
      + debian/patches/CVE-2023-46724.patch: fix validation of certificates
        with CN=* in src/anyp/Uri.cc.
      + CVE-2023-46724
      [ Fixed in Debian in 6.5-1 ]
    - SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
      lenience
      + debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
        compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
        src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
        src/parser/Tokenizer.h.
      + CVE-2023-46846
      [ Fixed in Debian in 6.5-1 ]
    - SECURITY UPDATE: DoS via HTTP Digest Authentication
      + debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
        parsing Digest Authorization in src/auth/digest/Config.cc.
      + CVE-2023-46847
      [ Fixed in Debian in 6.5-1 ]
    - SECURITY UPDATE: DoS via ftp:// URLs
      + debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
        src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
        src/anyp/Uri.cc.
      + CVE-2023-46848
      [ Fixed in Debian in 6.5-1 ]

 -- Athos Ribeiro <athos.ribe...@canonical.com>  Tue, 12 Dec 2023 12:05:40 -0300

** Changed in: squid (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46724

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46846

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46847

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46848

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to squid in Ubuntu.
https://bugs.launchpad.net/bugs/2040426

Title:
  Merge squid from Debian unstable for noble