Ubuntu Pastebin

Paste from robie at Thu, 9 Feb 2017 16:36:47 +0000

diff --git a/debian/NEWS.debian b/debian/NEWS.debian
index e6a7005..7a738d5 100644
--- a/debian/NEWS.debian
+++ b/debian/NEWS.debian
@@ -20,6 +20,18 @@ squid3 (3.5.6-1) unstable; urgency=medium
   or helper locations, the migrated squid.conf should be manually checked and
   path to helper programs fixed.
 
+  Data in /var/spool/squid3 is not moved automatically. If the cache store has
+  to be retained, the local administrator should move it over (usually to
+  /var/spool/squid) and change the cache_dir setting accordingly. Please note
+  that cache store format changed from squid 2.x and cannot be reused with
+  squid 3.x
+
+  [ Robie Basak ]
+  In Ubuntu, data in /var/spool/squid3 *was* moved automatically on upgrade to
+  Xenial (3.5.12-1ubuntu7). Upgrades from before Xenial to after Xenial are not
+  supported; you must upgrade through Xenial. Details of the historic migration
+  path are in Steve's note below.
+
   [ Steve Langasek ]
   An attempt will be made to move the data in /var/spool/squid3 automatically.
   If this is a mountpoint, the move will fail and you will need to migrate
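
Review bot: The first added paragraph ("Data in /var/spool/squid3 is not moved automatically") has no [ Name ] attribution, unlike the two notes after it, and it states the opposite of the Robie Basak note directly below. Attribute it or say which distribution's behaviour it describes, so an administrator checking whether cache data is still in /var/spool/squid3 does not have to reconcile two contradictory statements. The same paragraph ends at "squid 3.x" without a full stop, and "to after Xenial" would read more clearly as "to a release after Xenial".
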
diff --git a/debian/changelog b/debian/changelog
index 608bd2b..776ec61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,7 +43,7 @@ squid3 (3.5.23-1ubuntu1) zesty; urgency=medium
     - Adjust seddery for upstream test squid binary location.
   * Drop dependency on init-system-helpers. This was introduced in LP 1432683.
     Since we no longer ship an upstart job, it is no longer required.
-  * Correct attribution in d/NEWS.debian.
+  * Correct attribution and add explanatory note in d/NEWS.debian.
 
  -- Robie Basak <robie.basak@ubuntu.com>  Tue, 24 Jan 2017 15:47:44 +0000
 
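
Review bot: If 3.5.23-1ubuntu1 has already been uploaded, the reworded "Correct attribution" bullet needs a new changelog entry with its own version instead of an in-place edit; the trailer still reads Tue, 24 Jan 2017 15:47:44 +0000, so nothing in the entry records that it changed afterwards. If the entry is still unreleased, refreshing the trailer timestamp is enough.
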
@@ -168,6 +168,20 @@ squid3 (3.5.14-1) unstable; urgency=medium
 
  -- Luigi Gangitano <luigi@debian.org>  Tue, 16 Feb 2016 23:14:00 +0100
 
+squid3 (3.5.12-1ubuntu9) zesty; urgency=medium
+
+  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
+    - debian/patches/CVE-2016-10002.patch: properly handle combination of
+      If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
+      src/client_side_reply.cc, src/client_side_reply.h.
+    - CVE-2016-10002
+  * SECURITY UPDATE: incorrect HTTP Request header comparison
+    - debian/patches/CVE-2016-10003.patch: don't share private responses
+      with collapsed client in src/client_side_reply.cc.
+    - CVE-2016-10003
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 03 Feb 2017 13:07:31 -0500
+
 squid3 (3.5.12-1ubuntu8) yakkety; urgency=medium
 
   * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
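
Review bot: Nothing in this diff shows what became of the two security patches named in the merged 3.5.12-1ubuntu9 entry (debian/patches/CVE-2016-10002.patch and debian/patches/CVE-2016-10003.patch); only debian/NEWS.debian and debian/changelog are touched. Please confirm that 3.5.23 already contains both fixes and record that in the 3.5.23-1ubuntu1 entry, for example as a bullet naming CVE-2016-10002 and CVE-2016-10003, so the changelog shows the patches were superseded and not lost in the merge.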