Debian Package Tracker

general

source: squid (main)
version: 4.6-2
maintainer: Luigi Gangitano [DMD]
uploaders: Santiago Garcia Mantinan [DMD]
arch: all any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 4.6-1
testing: 4.6-1
unstable: 4.6-2

versioned links

4.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

squid (11 bugs: 0, 6, 5, 0)
squid-cgi
squid-common
squid-purge
squid3 (17 bugs: 0, 9, 8, 0)
squidclient

action needed

Debci reports failed tests high

testing: test failures (log)
The tests ran in 0h 7m 54s
Last run: 2019-07-18 04:39:45
Previous status: fail

unstable: test failures (log)
The tests ran in 0h 7m 56s
Last run: 2019-07-06 01:23:32
Previous status: fail

Created: 2019-02-25 Last update: 2019-07-18 16:42

A new upstream version is available: 4.8 high

A new upstream version 4.8 is available, you should consider packaging it.

Created: 2019-05-12 Last update: 2019-07-18 12:16

5 security issues in bullseye high

There are 5 open security issues in bullseye.

5 important issues:

CVE-2019-12854:
CVE-2019-12527: An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
CVE-2019-12525: An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
CVE-2019-13345: The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
CVE-2019-12529: An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

Please fix them.

Created: 2019-07-07 Last update: 2019-07-17 09:08

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2019-12854:
CVE-2019-12527: An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
CVE-2019-12525: An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
CVE-2019-13345: The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
CVE-2019-12529: An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

Please fix them.

Created: 2019-07-05 Last update: 2019-07-17 09:08

5 security issues in buster high

There are 5 open security issues in buster.

5 important issues:

CVE-2019-12854:
CVE-2019-12527: An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
CVE-2019-12525: An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
CVE-2019-13345: The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
CVE-2019-12529: An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

Please fix them.

Created: 2019-07-05 Last update: 2019-07-17 09:08

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-07-18 16:37

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2019-03-18 Last update: 2019-07-18 16:32

Depends on packages which need a new maintainer normal

The packages that squid depends on which need a new maintainer are:

lsb (#924519)
- Depends: lsb-base lsb-base
- Build-Depends: lsb-release
apache2 (#910917)
- Depends: apache2

Created: 2018-10-13 Last update: 2019-07-18 15:36

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 4.8-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit e36148f6798499afa70baf811c6b668ebe072eb4
Author: Amos Jeffries <amosjeffries@squid-cache.org>
Date:   Sat Jul 13 02:47:27 2019 +1200

    Skip Apparmor tests when profile not installed
    
    Fixes DebCI current failure when apparmor-utils not installed before squid package is.
    There is apparently no Pre-Depends in tests/control to ensure autopkgtest environments are correct.

commit ac221442f4f1d6836e018cbe3ecde619be693ac9
Author: Amos Jeffries <amosjeffries@squid-cache.org>
Date:   Sat Jul 13 01:39:30 2019 +1200

    Bump Standards-Version, no changes

commit a19751b15be5ae73fb761bc1e91ddeb36a9feef7
Author: Amos Jeffries <amosjeffries@squid-cache.org>
Date:   Sat Jul 13 01:36:26 2019 +1200

    Update Changelog for new upstream release

commit f6dd94cfc104a1caee58f9ed18d5c8ec20785132
Merge: bd3dd8e1 c37a6765
Author: Amos Jeffries <amosjeffries@squid-cache.org>
Date:   Sat Jul 13 01:12:28 2019 +1200

    Update upstream source from tag 'upstream/4.8'
    
    Update to upstream version '4.8'
    with Debian dir 5f430759b1e5be9527e3ce704c1a713722b5739b

commit c37a6765f78687f477d7e88345681bfb4835d19b
Author: Amos Jeffries <amosjeffries@squid-cache.org>
Date:   Sat Jul 13 01:12:27 2019 +1200

    New upstream version 4.8

commit bcc454e1e51c08523eb5c2d521bbd9d02ea36154
Author: Amos Jeffries <amosjeffries@squid-cache.org>
Date:   Tue Feb 19 18:29:20 2019 +1300

    New upstream version 4.6

Created: 2019-07-12 Last update: 2019-07-18 12:17

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-07-04 Last update: 2018-07-04 08:17

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-07-08 20:09

testing migrations

excuses:
- 132 days old (5 needed)
- Piuparts tested OK - https://piuparts.debian.org/sid/source/s/squid.html
- Not built on buildd: arch amd64 binaries uploaded by luigi
- Not built on buildd: arch all binaries uploaded by luigi
- Not considered

news

[rss feed]

[2019-03-07] Accepted squid 4.6-2 (source amd64 all) into unstable (Luigi Gangitano)
[2019-03-05] squid 4.6-1 MIGRATED to testing (Debian testing watch)
[2019-02-22] Accepted squid 4.6-1 (source amd64 all) into unstable (Luigi Gangitano)
[2019-02-21] Accepted squid 4.5-2 (source amd64 all) into unstable (Luigi Gangitano)
[2018-11-02] squid 4.4-1 MIGRATED to testing (Debian testing watch)
[2018-10-30] Accepted squid 4.4-1 (source amd64 all) into unstable (Luigi Gangitano)
[2018-10-15] squid 4.3-1 MIGRATED to testing (Debian testing watch)
[2018-10-08] Accepted squid 4.3-1 (source amd64 all) into unstable (Luigi Gangitano)
[2018-09-02] squid 4.2-2 MIGRATED to testing (Debian testing watch)
[2018-08-24] Accepted squid 4.2-2 (source amd64 all) into unstable (Luigi Gangitano)
[2018-08-22] Accepted squid 4.2-1 (source amd64 all) into unstable (Luigi Gangitano)
[2018-07-03] Accepted squid 4.1-1 (source amd64 all) into unstable (Luigi Gangitano)
[2018-04-30] Accepted squid 4.0.24-1~exp16 (source amd64 all) into experimental (Luigi Gangitano)
[2018-04-29] Accepted squid 4.0.24-1~exp15 (source amd64 all) into experimental (Luigi Gangitano)
[2018-02-02] Accepted squid 2.7.STABLE9-4.1+deb7u3 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2018-01-23] Accepted squid 4.0.23-1~exp8 (source amd64 all) into experimental (Luigi Gangitano)
[2017-11-21] Accepted squid 4.0.21-1~exp5 (source amd64 all) into experimental, experimental (Santiago Garcia Mantinan)
[2016-07-25] Accepted squid 2.7.STABLE9-4.1+deb7u2 (source all amd64) into oldstable (Santiago Ruano Rincón)
[2015-05-18] Removed 2.7.STABLE9-5 from unstable
[2015-04-30] Accepted squid 2.7.STABLE9-2.1+deb6u1 (source all amd64) into squeeze-lts (Santiago Ruano Rincón)
[2015-01-27] Accepted squid 2.7.STABLE9-5 (source all amd64) into unstable (Luigi Gangitano)
[2015-01-25] Accepted squid 2.7.STABLE9-4.1+deb7u1 (source all amd64) into proposed-updates->stable-new, proposed-updates (Sebastien Delafond)
[2013-12-31] squid REMOVED from testing (Debian testing watch)
[2013-11-29] squid 2.7.STABLE9-4.1 MIGRATED to testing (Debian testing watch)
[2013-11-24] squid REMOVED from testing (Debian testing watch)
[2012-02-15] squid 2.7.STABLE9-4.1 MIGRATED to testing (Debian testing watch)
[2012-02-04] Accepted squid 2.7.STABLE9-4.1 (source all i386) (Christian Perrier)
[2011-04-09] squid 2.7.STABLE9-4 MIGRATED to testing (Debian testing watch)
[2011-03-29] Accepted squid 2.7.STABLE9-4 (source all i386) (Luigi Gangitano)
[2011-03-05] Accepted squid 2.7.STABLE9-3 (source all i386) (Luigi Gangitano)

bugs [bug history graph]

all: 29 31
RC: 0
I&N: 17 18
M&W: 12 13
F&P: 0
patch: 2

links

homepage
lintian
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.6-2ubuntu3
5 bugs