This bug was fixed in the package squid3 - 3.3.8-1ubuntu6.6
---
squid3 (3.3.8-1ubuntu6.6) trusty-security; urgency=medium
[ Scott Moser ]
* debian/patches/increase-default-forward-max-tries.patch:
change the default setting of 'forward_max_tries' from 10
to 25. (LP: #15476
This bug was fixed in the package squid3 - 3.3.8-1ubuntu16.2
---
squid3 (3.3.8-1ubuntu16.2) wily-security; urgency=medium
[ Scott Moser ]
* debian/patches/increase-default-forward-max-tries.patch:
change the default setting of 'forward_max_tries' from 10
to 25. (LP: #15476
This bug was fixed in the package squid3 - 3.1.19-1ubuntu3.12.04.6
---
squid3 (3.1.19-1ubuntu3.12.04.6) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via crafted UDP SNMP request
- debian/patches/CVE-2014-6270.patch: fix off-by-one in
src/snmp_core.
@yadi: link-local only was the proposal by @andreserl (not RFC1918, or
its IPv6 equivalent, ULA), and that is completely doable. So is
detection of an isolated, but not link-local-only network. It's simple
- if there's no route in the local routing table to the destination, it
should be excluded
Andres,
Because there is no way to distinguish between a local-only network and one
using NAT without actually trying to connect to the IPs (which is exactly what
Squid is doing - up to the limit of forward_max_tries). The problem is
identical and far more widespread in IPv4. Disabling IPv4 whe
** Also affects: squid3 (Ubuntu Precise)
Importance: Undecided
Status: New
** Changed in: squid3 (Ubuntu Precise)
Status: New => Triaged
** Changed in: squid3 (Ubuntu Precise)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubu
Why wouldn't an appropriate fix be to prevent squid from using IPv6 if
the system only has link-local addresses and not global addresses?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/
** Description changed:
== Begin SRU Information ==
[Impact]
Users of squid3 as a proxy on a host without ipv6 connectivity will see http
'503' errors if they attempt to access a url through that proxy that has
greater than 9 ipv6 addresses associated with it.
The failure case is that
** Description changed:
+ == Begin SRU Information ==
+ [Impact]
+ Users of squid3 as a proxy on a host without ipv6 connectivity will see http
'503' errors if they attempt to access a url through that proxy that has
greater than 9 ipv6 addresses associated with it.
+
+ The failure case is that
@paul,
I suspect the '25' is 25 ipv6 addresses. Thats based on our debugging and fix
we put into place. We started seeing the bug when a 10th ipv6 address was
added to archive.ubuntu.com (and security.ubuntu.com). The workaround we put
in place was to remove a single ipv6 address, resulting
@yadi Won't changing the limit from 10 to 25 just put off the problem
until later? As I understand it, the main reason this issue caused
problems is that squid attempts IPv6 connections from hosts without
global IPv6 connectivity.
--
You received this bug notification because you are a member of
And for the record. No Squid does not use libc getaddrinfo(). That API
provides speed restrictions several orders of magnitude too slow for
even small Squid installations.
** Description changed:
Many people run squid (squid-deb-proxy, or maas-proxy) to provide ubuntu
archive mirror caching a
The upstream fix was http://www.squid-
cache.org/Versions/v3/3.5/changesets/squid-3-12982.patch - which is to
increase the number of IPs attempted to 25 instead of just 10.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubunt
It appears this bug is fixed in 3.5.1, which Robie Basak is syncing from debian.
I've tried to reproduce but have not been able. When robie fixes bug 1473691,
the fix should come into xenial (16.04).
We can look upstream to find what fix this actually was and cherry pick
back to 14.04.
** No
I've marked 16.04 task as triaged.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets 503 when no ipv6 routes
To manage notifications about this
** Attachment added: "test case that sets up a system to show this failure"
https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1547640/+attachment/4578153/+files/lp-1547640.sh
** Attachment removed: "test case that sets up a system to show this failure"
https://bugs.launchpad.n
** Attachment added: "test case that sets up a system to show this failure"
https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1547640/+attachment/4578121/+files/lp-1547640.sh
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed
** No longer affects: maas
** No longer affects: maas/1.10
** No longer affects: maas/1.9
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid-deb-proxy in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 an
I think the MAAS tasks can be removed or marked as invalid here.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets 503 when no ipv6 routes
To m
There is a work around for this issue currently in place.
The change was to remove one of the 10 ipv6 addresses that were returned in a
query for security.ubuntu.com or archive.ubuntu.com. Now there are only 9 ipv6
addresses in place.
This works around the issue and users should not see this er
I tried downgrading libc6 and restarting squid (heck, even rebooting the
container), but it still happened. Scott IIRC also tried that.
Still, it's a heck of a coincidence.
Squid in debug mode shows it's getting 10 IPv4 and 10 IPv6 addresses back for
the archive, and trying each one in turn. But
I'm unfamiliar with the squid codebase but if it does use the normal
socket library, it would be doing a getaddrinfo, then iterate over the
results, those results would begin with IPv6 records as IPv6 is
always to be preferred over IPv4 when available, but any attempt to
connect would result i
** Package changed: squid (Ubuntu) => squid3 (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets 503 when no ipv6 routes
To manage notif
Does someone know yet what happened?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets 503 when no ipv6 routes
To manage notifications about thi
On my 14.04 LTS system the workaround was to add 'dns_v4_first on' to
/etc/maas/maas-proxy.conf
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets
** Tags added: cloud-installer
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets 503 when no ipv6 routes
To manage notifications about this bug
** Changed in: maas
Assignee: (unassigned) => Andres Rodriguez (andreserl)
** Changed in: maas/1.10
Assignee: (unassigned) => Andres Rodriguez (andreserl)
** Changed in: maas/1.9
Assignee: (unassigned) => Andres Rodriguez (andreserl)
--
You received this bug notification because
** Changed in: maas
Status: New => Triaged
** Changed in: maas
Importance: Undecided => High
** Also affects: maas/1.10
Importance: Undecided
Status: New
** Also affects: maas/1.9
Importance: Undecided
Status: New
** Changed in: maas/1.10
Status: New => Tria
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: squid-deb-proxy (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid-deb-proxy in Ubuntu.
https://bugs.launc
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: squid (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid-deb-proxy in Ubuntu.
https://bugs.launchpad.net/b
Adding dns_v4_first on to my 14.04 LTS /etc/squid-deb-proxy/squid-deb-
proxy.conf solved this for me.
My personal best guess is that something happened during machine reboots
in the Canonical datacenter to address the glibc updates.
My failures were to both security.ubuntu.com and archive.ubuntu.
31 matches
Mail list logo