This bug was fixed in the package squid3 - 3.5.27-1ubuntu1

---------------
squid3 (3.5.27-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable (LP: #1751286). Remaining changes:
    - Add additional dep8 tests.
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - Enable autoreconf. This is no longer required for the security updates,
      but is needed for the seddery of test-suite/Makefile.am in
      d/t/upstream-test-suite.
    - Correct attribution and add explanatory note in d/NEWS.debian.
    - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
      happened in Xenial, so no upgrade path still requires this code. This
      reduces upgrade ordering difficulty.
    - Adjust seddery for upstream test squid binary location.
    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
    - Drop wrong short-circuiting of various invocations; we always want to
      call the debhelper block.
    - GCC7 FTBFS fixes (LP #1712668):
      + d/rules: don't error when hitting the "deprecated" and
       "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
       but one in Format.cc that affects 32bit builds was deemed too intrusive
       for the 3.5 stable series and is only in squid 4.x
  * Dropped changes:
    - debian/patches/gcc7-squidpurge-4695.patch: GCC 7 build errors.
      Thanks to Lubos Uhliarik <luhli...@redhat.com>.
      [Already applied upstream]
    - debian/patches/gcc7-assert-wants-boolean.patch: assert() takes a
      boolean.  Thanks to Amos Jeffries <squ...@treenet.co.nz>
      [Already applied upstream]
    - SECURITY UPDATE: denial of service in ESI Response processing
      + debian/patches/CVE-2018-1000024.patch: make sure endofName never
        exceeds tagEnd in src/esi/CustomParser.cc.
      + CVE-2018-1000024
        [Added in 3.5.27-1]
    - SECURITY UPDATE: denial of service in in HTTP Message processing
      + debian/patches/CVE-2018-1000027.patch: fix indirect IP logging for
        transactions without a client connection in
        src/client_side_request.cc.
      + CVE-2018-1000027
        [Included in 3.5.27-1]
  * Added changes:
    - Do not force gcc-6

squid3 (3.5.27-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffr...@squid-cache.org> ]
  * New Upstream Release

  * debian/{control,rules}
    - Add temporary dependency on gcc-6 and g++-6 to workaround FTBFS in
      unstable

  * debian/patches/
    - Fix security issue SQUID-2018:1 (CVE-2016-1000024) (Closes: #888719)
    - Fix security issue SQUID-2018:2 (CVE-2016-1000027) (Closes: #888720)

  [ Luigi Gangitano <lu...@debian.org> ]
  * debian/control
    - Changed priority to optional for squid3 and squid-dbg
    - Removed unneeded Build-Dep on autotools-dev

  * debian/rules
    - Include dpkg-architecture Makefile instead of invoking the binary at
      build time

  * debian/squid.postinst
    - Remove recursive chown calls

 -- Andreas Hasenack <andr...@canonical.com>  Tue, 27 Feb 2018 08:09:21
-0300

** Changed in: squid3 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1000024

** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1000027

** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2018-1000024

** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2018-1000027

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1751286

Title:
  Please merge from debian's 3.5.27

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1751286/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to