Version in base suite: 4.6-1+deb10u4 Base version: squid_4.6-1+deb10u4 Target version: squid_4.6-1+deb10u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/squid/squid_4.6-1+deb10u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/squid/squid_4.6-1+deb10u5.dsc changelog | 6 ++++++ patches/0028-SQUID-2020_11.patch | 26 ++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 33 insertions(+)
diff -Nru squid-4.6/debian/changelog squid-4.6/debian/changelog
--- squid-4.6/debian/changelog 2020-08-26 10:35:13.000000000 +0000
+++ squid-4.6/debian/changelog 2021-03-22 09:37:24.000000000 +0000
@@ -1,3 +1,9 @@
+squid (4.6-1+deb10u5) buster-security; urgency=medium
+
+ * SQUID-2020:11 HTTP Request Smuggling (CVE-2020-25097) (Closes: #985068)
+
+ -- Santiago García Mantiñán Mon, 22 Mar 2021 10:37:24 +0100
+
 squid (4.6-1+deb10u4) buster-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru squid-4.6/debian/patches/0028-SQUID-2020_11.patch squid-4.6/debian/patches/0028-SQUID-2020_11.patch
--- squid-4.6/debian/patches/0028-SQUID-2020_11.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-4.6/debian/patches/0028-SQUID-2020_11.patch 2021-03-22 09:37:24.000000000 +0000
@@ -0,0 +1,26 @@
+--- a/src/anyp/Uri.cc
++++ b/src/anyp/Uri.cc
+@@ -283,8 +283,9 @@
+ return false;
+ *dst = '\0';
+
+- // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/'
+- if (*src == '?' || *src == '#' || *src == '\0') {
++ // We are looking at path-abempty.
++ if (*src != '/') {
++ // path-empty, including the end of the `src` c-string cases
+ urlpath[0] = '/';
+ dst = &urlpath[1];
+ } else {
+@@ -298,11 +299,6 @@
+ /* We -could- be at the end of the buffer here */
+ if (i > l)
+ return false;
+- /* If the URL path is empty we set it to be "/" */
+- if (dst == urlpath) {
+- *dst = '/';
+- ++dst;
+- }
+ *dst = '\0';
+
+ foundPort = scheme.defaultPort(); // may be reset later
diff -Nru squid-4.6/debian/patches/series squid-4.6/debian/patches/series
--- squid-4.6/debian/patches/series 2020-08-26 10:35:13.000000000 +0000
+++ squid-4.6/debian/patches/series 2021-03-22 09:37:24.000000000 +0000
@@ -22,3 +22,4 @@
 0025-SQUID-2020_8.patch
 0026-SQUID-2020_9.patch
 0027-SQUID-2020_10.patch
+0028-SQUID-2020_11.patch
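Review bot: The added file `debian/patches/0028-SQUID-2020_11.patch` begins directly at `--- a/src/anyp/Uri.cc` with no DEP-3 header, so the patch itself carries no link to the advisory, the CVE, the Debian bug or the upstream commit it was taken from; for a security fix that provenance is what later audits and rebases rely on. I would put a header above the first `---` line, e.g. `Description: SQUID-2020:11 HTTP Request Smuggling (CVE-2020-25097)`, `Origin: upstream, <upstream-commit-url>` and `Bug-Debian: https://bugs.debian.org/985068`. Inside the patch, the condition widens from three specific bytes (`?`, `#`, NUL) to `*src != '/'`, so every other first byte now gets a `/` prepended; the new comment could say that explicitly, because the removed `bug 3074` reference is not replaced by any pointer to the advisory. The enclosing function in Uri.cc starts and ends outside both inner hunks, so the code that consumes `dst` after this branch is not visible here.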