Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package squid3 Version 3.4.8-6 includes upstream fixes for 4 critical bugs (two high CPU/memory usage and two minor security issues) and a major usability issue in squidclient on default installation with localhost linked to both IPv4 and IPv6 addresses. Debdiff follows.
diff -Nru squid3-3.4.8/debian/changelog squid3-3.4.8/debian/changelog
--- squid3-3.4.8/debian/changelog 2014-12-16 14:33:14.000000000 +0100
+++ squid3-3.4.8/debian/changelog 2015-01-28 12:59:07.000000000 +0100
@@ -1,3 +1,27 @@
+squid3 (3.4.8-6) unstable; urgency=medium
+
+ [ Luigi Gangitano <lu...@debian.org> ]
+ * debian/patches/31-squid-3.4-13199.patch
+ - Added upstream patch fixing excessive CPU usage (Closes: #776461)
+
+ * debian/patches/32-squid-3.4-13210.patch
+ - Added upstream patch fixing excessive CPU and memory usage in
+ NTLM and Negotiate authentication helpers (Closes: #776463)
+
+ * debian/patches/33-squid-3.4-13211.patch
+ - Added upstream patch fixing a possible replay vulnerability on Digest
+ authentication (Closes: #776464)
+
+ * debian/patches/34-squid-3.4-13213.patch
+ - Added upstream patch fixing incorrect security permissions for
+ TOS/DiffServ packet marking (Closes: #776468)
+
+ * debian/patches/35-squid-3.4-13203.patch
+ - Added upstream patch fixing squidclient unable to connect to host with
+ both IPv4 and IPv6 addresses (Closes: #742425)
+
+ -- Luigi Gangitano <lu...@debian.org> Wed, 28 Jan 2015 12:34:42 +0100
+
 squid3 (3.4.8-5) unstable; urgency=medium
 
 [ Luigi Gangitano <lu...@debian.org> ]
diff -Nru squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch
--- squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,28 @@
+From: Luigi Gangitano <lu...@debian.org>
+Date: Wed, 28 Jan 2015 12:27:49 +0100
+Subject: 31-squid-3.4-13199.patch Deleting first fs left psstate->servers
+ pointing to uninitialized memory, fixing excessive use of CPU
+
+---
+ src/peer_select.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/peer_select.cc b/src/peer_select.cc
+index 19e3371..9c26a20 100644
+--- a/src/peer_select.cc
++++ b/src/peer_select.cc
+@@ -271,11 +271,12 @@ peerSelectDnsPaths(ps_state *psstate)
+ // due to the allocation method of fs, we must deallocate each manually.
+ // TODO: use a std::list so we can get the size and abort adding whenever the selection loops reach Config.forward_max_tries
+ if (fs && psstate->paths->size() >= (unsigned int)Config.forward_max_tries) {
++ assert(fs == psstate->servers);
+ while (fs) {
+- FwdServer *next = fs->next;
++ psstate->servers = fs->next;
+ cbdataReferenceDone(fs->_peer);
+ memFree(fs, MEM_FWD_SERVER);
+- fs = next;
++ fs = psstate->servers;
+ }
+ }
+
diff -Nru squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch
--- squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch 2015-01-28 12:59:07.000000000 +0100
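Review bot: The added `assert(fs == psstate->servers);` in peerSelectDnsPaths() turns a broken list invariant into a process abort, and nothing in the hunk says why `fs` must still be the list head at this point (the code that advances `fs` is outside the hunk). The loop now moves `psstate->servers` forward before each `memFree()`, so the member never refers to a freed FwdServer; that reasoning should be recorded above the loop, e.g. `// advance psstate->servers before freeing so later cleanup never walks freed nodes`. If `fs` can legitimately be part-way down the list here, walking from `psstate->servers` instead of asserting would avoid the abort. The function body starts and ends outside the hunk.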
@@ -0,0 +1,94 @@
+From: Luigi Gangitano <lu...@debian.org>
+Date: Wed, 28 Jan 2015 12:28:51 +0100
+Subject: squid-3.4-13210.patch Fixes excessive NTLM or Negotiate auth helper
+ annotations, which lead to excessive CPU and memory use
+
+---
+ src/Notes.cc | 15 +++++++++++++++
+ src/Notes.h | 5 +++++
+ src/auth/digest/UserRequest.cc | 2 ++
+ src/auth/negotiate/UserRequest.cc | 2 ++
+ src/auth/ntlm/UserRequest.cc | 2 ++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/src/Notes.cc b/src/Notes.cc
+index 0003956..13d530e 100644
+--- a/src/Notes.cc
++++ b/src/Notes.cc
+@@ -189,6 +189,21 @@ NotePairs::add(const char *key, const char *note)
+ }
+
+ void
++NotePairs::remove(const char *key)
++{
++ Vector<NotePairs::Entry *>::iterator i = entries.begin();
++ while (i != entries.end()) {
++ if ((*i)->name.cmp(key) == 0) {
++ NotePairs::Entry *e = (*i);
++ entries.prune(e);
++ delete e;
++ i = entries.begin(); // vector changed underneath us
++ } else
++ ++i;
++ }
++}
++
++void
+ NotePairs::addStrList(const char *key, const char *values)
+ {
+ String strValues(values);
+diff --git a/src/Notes.h b/src/Notes.h
+index 47950d4..401c8b9 100644
+--- a/src/Notes.h
++++ b/src/Notes.h
+@@ -155,6 +155,11 @@ public:
+ void add(const char *key, const char *value);
+
+ /**
++ * Remove all notes with a given key.
++ */
++ void remove(const char *key);
++
++ /**
+ * Adds a note key and values strList to the notes list.
+ * If the key name already exists in list, add the new values to its set
+ * of values.
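Review bot: NotePairs::remove() restarts from `entries.begin()` after every `entries.prune(e)`, so removing k matching entries rescans the vector k times; in a patch aimed at excessive CPU use by auth helpers that cost should be avoided or at least stated in the comment. `key` is also passed straight to `name.cmp(key)` with no guard, and whether cmp() tolerates a null pointer is not visible here, so an early `if (!key) return;` would make the contract explicit. The doc comment added in src/Notes.h could say that matching is by exact name as compared with `cmp()`.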
+diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc
+index f625bd8..9107d73 100644
+--- a/src/auth/digest/UserRequest.cc
++++ b/src/auth/digest/UserRequest.cc
+@@ -298,6 +298,8 @@ Auth::Digest::UserRequest::HandleReply(void *data, const HelperReply &reply)
+ // add new helper kv-pair notes to the credentials object
+ // so that any transaction using those credentials can access them
+ auth_user_request->user()->notes.appendNewOnly(&reply.notes);
++ // remove any private credentials detail which got added.
++ auth_user_request->user()->notes.remove("ha1");
+
+ static bool oldHelperWarningDone = false;
+ switch (reply.result) {
+diff --git a/src/auth/negotiate/UserRequest.cc b/src/auth/negotiate/UserRequest.cc
+index 086da9f..64cffc9 100644
+--- a/src/auth/negotiate/UserRequest.cc
++++ b/src/auth/negotiate/UserRequest.cc
+@@ -229,6 +229,8 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply)
+ // add new helper kv-pair notes to the credentials object
+ // so that any transaction using those credentials can access them
+ auth_user_request->user()->notes.appendNewOnly(&reply.notes);
++ // remove any private credentials detail which got added.
++ auth_user_request->user()->notes.remove("token");
+
+ Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
+ assert(lm_request != NULL);
+diff --git a/src/auth/ntlm/UserRequest.cc b/src/auth/ntlm/UserRequest.cc
+index 4ce04eb..ebfe895 100644
+--- a/src/auth/ntlm/UserRequest.cc
++++ b/src/auth/ntlm/UserRequest.cc
+@@ -223,6 +223,8 @@ Auth::Ntlm::UserRequest::HandleReply(void *data, const HelperReply &reply)
+ // add new helper kv-pair notes to the credentials object
+ // so that any transaction using those credentials can access them
+ auth_user_request->user()->notes.appendNewOnly(&reply.notes);
++ // remove any private credentials detail which got added.
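Review bot: In Auth::Digest::UserRequest::HandleReply() the `ha1` note is stripped only after `appendNewOnly(&reply.notes)` has already copied it onto the shared credentials object, and the Negotiate and NTLM HandleReply() hunks repeat the same copy-then-delete pattern for `token`. This is a per-scheme denylist spread over three files, so any other secret-bearing key a helper returns would still be kept on the user notes. Filtering the private keys before the append, in one shared helper, would keep the three call sites in agreement. At minimum the comment should name what is removed and why, e.g. `// HA1 is a password equivalent; never keep it on the cached user notes`. Each HandleReply() body continues outside its hunk.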
++ auth_user_request->user()->notes.remove("token");
+
+ Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
+ assert(lm_request != NULL);
diff -Nru squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch
--- squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,51 @@
+From: Luigi Gangitano <lu...@debian.org>
+Date: Wed, 28 Jan 2015 12:30:04 +0100
+Subject: squid-3.4-13211.patch Fixes minor security issue in digest
+ authentication nonce indefinite rollover
+
+---
+ src/auth/digest/UserRequest.cc | 12 ++++++++----
+ src/auth/digest/auth_digest.cc | 7 +------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc
+index 9107d73..011f109 100644
+--- a/src/auth/digest/UserRequest.cc
++++ b/src/auth/digest/UserRequest.cc
+@@ -152,10 +152,14 @@ Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData * c
+ }
+
+ /* check for stale nonce */
+- if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
+- debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
+- auth_user->credentials(Auth::Handshake);
+- digest_request->setDenyMessage("Stale nonce");
++ /* check Auth::Pending to avoid loop */
++
++ if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
++ debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
++ /* Pending prevent banner and makes a ldap control */
++ auth_user->credentials(Auth::Pending);
++ nonce->flags.valid = false;
++ authDigestNoncePurge(nonce);
+ return;
+ }
+
+diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
+index 7cc3276..610f547 100644
+--- a/src/auth/digest/auth_digest.cc
++++ b/src/auth/digest/auth_digest.cc
+@@ -1038,12 +1038,7 @@ Auth::Digest::Config::decode(char const *proxy_auth)
+ debugs(29, 2, "Username for the nonce does not equal the username for the request");
+ nonce = NULL;
+ }
+- /* check for stale nonce */
+- if (authDigestNonceIsStale(nonce)) {
+- debugs(29, 3, "The received nonce is stale from " << username);
+- digest_request->setDenyMessage("Stale nonce");
+- nonce = NULL;
+- }
++
+ if (!nonce) {
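Review bot: With `&& user()->credentials() != Auth::Pending` added to the stale-nonce test in authenticate(), a request whose nonce fails authDigestNonceIsValid() while the user is already Pending skips this branch and falls through to code outside the hunk; since this is the replay check, please confirm that path cannot end with the credentials accepted. The same patch deletes the authDigestNonceIsStale() test from Auth::Digest::Config::decode(), so this branch appears to be the only stale-nonce rejection left in the visible code. In the branch itself, the debugs() line lost its `"user '"` prefix and now logs an unbalanced quote, and the `setDenyMessage("Stale nonce")` call was dropped with no replacement message. The condition reads `digest_request->nonce` while the body uses bare `nonce` in `nonce->flags.valid = false;`; one spelling should be used throughout so it is clear both name the same object.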
+ /* we couldn't find a matching nonce! */
+ debugs(29, 2, "Unexpected or invalid nonce received from " << username);
diff -Nru squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch
--- squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,25 @@
+From: Luigi Gangitano <lu...@debian.org>
+Date: Wed, 28 Jan 2015 12:31:10 +0100
+Subject: squid-3.4-13213.patch Adds corrects capabilities to set TOS/DiffServ
+ marks on output packages
+
+---
+ src/tools.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools.cc b/src/tools.cc
+index 076446e..21923a0 100644
+--- a/src/tools.cc
++++ b/src/tools.cc
+@@ -1319,7 +1319,10 @@ restoreCapabilities(int keep)
+ cap_value_t cap_list[10];
+ cap_list[ncaps] = CAP_NET_BIND_SERVICE;
+ ++ncaps;
+- if (Ip::Interceptor.TransparentActive() || Ip::Qos::TheConfig.isHitNfmarkActive() || Ip::Qos::TheConfig.isAclNfmarkActive()) {
++ if (Ip::Interceptor.TransparentActive() ||
++ Ip::Qos::TheConfig.isHitNfmarkActive() ||
++ Ip::Qos::TheConfig.isAclNfmarkActive() ||
++ Ip::Qos::TheConfig.isAclTosActive()) {
+ cap_list[ncaps] = CAP_NET_ADMIN;
+ ++ncaps;
+ }
diff -Nru squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch
--- squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch 2015-01-28 12:59:07.000000000 +0100
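Review bot: Adding `Ip::Qos::TheConfig.isAclTosActive()` to the condition in restoreCapabilities() puts CAP_NET_ADMIN in the retained set for any configuration with a TOS ACL, and that capability covers far more than packet marking. The condition should carry a comment naming the operations that need it, e.g. `// CAP_NET_ADMIN: TPROXY, netfilter marks, and TOS values the kernel restricts to privileged sockets`, so a later reader does not widen it further without thought. How `cap_list` is applied is outside the hunk, so whether the capability is held for the whole process lifetime cannot be confirmed from here.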
@@ -0,0 +1,43 @@
+From: Luigi Gangitano <lu...@debian.org>
+Date: Wed, 28 Jan 2015 12:31:49 +0100
+Subject: squid-3.4-13203.patch Fixes squidclient issue with hosts with both
+ IPv4 and IPv6 addresses
+
+---
+ src/ip/Address.cc | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/ip/Address.cc b/src/ip/Address.cc
+index ba3cff5..da40267 100644
+--- a/src/ip/Address.cc
++++ b/src/ip/Address.cc
+@@ -382,6 +382,20 @@ Ip::Address::lookupHostIP(const char *s, bool nodns)
+ return false;
+ }
+
++ struct addrinfo *resHead = res; // we need to free the whole list later
++ if (!Ip::EnableIpv6) {
++ // if we are IPv6-disabled, use first-IPv4 instead of first-IP.
++ struct addrinfo *maybeIpv4 = res;
++ while (maybeIpv4) {
++ if (maybeIpv4->ai_family == AF_INET)
++ break;
++ maybeIpv4 = maybeIpv4->ai_next;
++ }
++ if (maybeIpv4 != NULL)
++ res = maybeIpv4;
++ // else IPv6-only host, let the caller deal with first-IP anyway.
++ }
++
+ /*
+ * NP: =(sockaddr_*) may alter the port. we don't want that.
+ * all we have been given as input was an IPA.
+@@ -391,7 +405,7 @@ Ip::Address::lookupHostIP(const char *s, bool nodns)
+ port(portSaved);
+
+ /* free the memory getaddrinfo() dynamically allocated. */
+- freeaddrinfo(res);
++ freeaddrinfo(resHead);
+ return true;
+ }
+
diff -Nru squid3-3.4.8/debian/patches/series squid3-3.4.8/debian/patches/series
--- squid3-3.4.8/debian/patches/series 2014-12-16 14:33:14.000000000 +0100
+++ squid3-3.4.8/debian/patches/series 2015-01-28 12:59:07.000000000 +0100
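Review bot: Reassigning `res` to a node in the middle of the getaddrinfo() list in lookupHostIP() makes the original name easy to misuse, because any path between this block and the final `freeaddrinfo(resHead)` that still frees through `res` would release only the tail of the list. Keeping `res` as the owner and selecting through a separate pointer, e.g. `const struct addrinfo *pick = res;`, would remove the need for `resHead`; the statement that consumes the address lies between the two hunks and would then read `pick`. The IPv6-only fallback also hands an AF_INET6 result to a build where `Ip::EnableIpv6` is false, and the comment's claim that the caller copes with that is worth confirming against the callers.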
@@ -4,3 +4,8 @@
 16-ipc-statedir.patch
 21-squid-3.4-13176-memoryleak.patch
 30-cert_tool.patch
+31-squid-3.4-13199.patch
+32-squid-3.4-13210.patch
+33-squid-3.4-13211.patch
+34-squid-3.4-13213.patch
+35-squid-3.4-13203.patch
unblock squid3/3.4.8-6 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org