[ubuntu/yakkety-proposed] squid3 3.5.12-1ubuntu8 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Wed Jun 8 13:25:16 UTC 2016


squid3 (3.5.12-1ubuntu8) yakkety; urgency=medium

  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
    - CVE-2016-3947
  * SECURITY UPDATE: denial of service and possible code execution via
    seeding manager reporter with crafted data
    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
      content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
      src/tests/stub_mem.cc, tools/Makefile.am.
    - CVE-2016-4051
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    crafted ESI responses
    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
      remove asserts in src/esi/Esi.cc.
    - CVE-2016-4052
    - CVE-2016-4053
    - CVE-2016-4054
  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
    absolute-URI
    - debian/patches/CVE-2016-4553.patch: properly handle condition in
      src/client_side.cc
    - CVE-2016-4553
  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
    crafted HTTP host header
    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
      src/mime_header.cc.
    - CVE-2016-4554
  * SECURITY UPDATE: denial of service via ESI responses
    - debian/patches/CVE-2016-4555.patch: fix segfaults in
      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
    - CVE-2016-4555
    - CVE-2016-4556
  * debian/rules: include autoreconf.mk.
  * debian/control: add dh-autoreconf to BuildDepends.

Date: Wed, 08 Jun 2016 08:05:32 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu8
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Jun 2016 08:05:32 -0400
Source: squid3
Binary: squid3 squid squid-dbg squid-common squidclient squid-cgi squid-purge
Architecture: source
Version: 3.5.12-1ubuntu8
Distribution: yakkety
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
 squid      - Full featured Web Proxy cache (HTTP proxy)
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid-dbg  - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Dummy transitional package.
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Changes:
 squid3 (3.5.12-1ubuntu8) yakkety; urgency=medium
 .
   * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
     - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
     - CVE-2016-3947
   * SECURITY UPDATE: denial of service and possible code execution via
     seeding manager reporter with crafted data
     - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
       content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
       src/tests/stub_mem.cc, tools/Makefile.am.
     - CVE-2016-4051
   * SECURITY UPDATE: denial of service or arbitrary code execution via
     crafted ESI responses
     - debian/patches/CVE-2016-4052.patch: perform bounds checking and
       remove asserts in src/esi/Esi.cc.
     - CVE-2016-4052
     - CVE-2016-4053
     - CVE-2016-4054
   * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
     absolute-URI
     - debian/patches/CVE-2016-4553.patch: properly handle condition in
       src/client_side.cc
     - CVE-2016-4553
   * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
     crafted HTTP host header
     - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
       src/mime_header.cc.
     - CVE-2016-4554
   * SECURITY UPDATE: denial of service via ESI responses
     - debian/patches/CVE-2016-4555.patch: fix segfaults in
       src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
     - CVE-2016-4555
     - CVE-2016-4556
   * debian/rules: include autoreconf.mk.
   * debian/control: add dh-autoreconf to BuildDepends.
Checksums-Sha1:
 d77db36739b4dd15b6e024520548ef0a8f177736 2520 squid3_3.5.12-1ubuntu8.dsc
 d2357756cf1619765fe648475196db74096cfd98 49640 squid3_3.5.12-1ubuntu8.debian.tar.xz
Checksums-Sha256:
 8469ff4c962654f36f8ea392208d027d95bc6a15214ae09afbddb0e6b8ce7be9 2520 squid3_3.5.12-1ubuntu8.dsc
 1858d8ba9299cfc40c969b774869f9546dd4d6ab3a76a24d3c5c506a6174d582 49640 squid3_3.5.12-1ubuntu8.debian.tar.xz
Files:
 a0ff613fbe9a1a1aea8c6741cdb4480d 2520 web optional squid3_3.5.12-1ubuntu8.dsc
 49d6573a4696ffb1a4acc9f5a3789d61 49640 web optional squid3_3.5.12-1ubuntu8.debian.tar.xz
Original-Maintainer: Luigi Gangitano <luigi at debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

