[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
Thanks for the further investigation, amk. And thanks for following up with upstream.

We will track the progress of their bug and act accordingly (likely backporting a patch to fix the issue).

** Also affects: squid via
   http://bugs.squid-cache.org/show_bug.cgi?id=5179
   Importance: Unknown
       Status: Unknown

** Also affects: squid (Ubuntu Jammy)
   Importance: Undecided
       Status: Invalid

** Also affects: squid3 (Ubuntu Jammy)
   Importance: Undecided
       Status: Confirmed

** Also affects: squid (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: squid3 (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Changed in: squid (Ubuntu Impish)
       Status: New => Invalid

** Changed in: squid (Ubuntu Impish)
       Status: Invalid => Confirmed

** Changed in: squid (Ubuntu Jammy)
       Status: Invalid => Confirmed

** Changed in: squid3 (Ubuntu Impish)
       Status: New => Invalid

** Changed in: squid3 (Ubuntu Jammy)
       Status: Confirmed => Invalid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1952158

Title:
  squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12

To manage notifications about this bug go to:
https://bugs.launchpad.net/squid/+bug/1952158/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
** Changed in: squid3 (Ubuntu Bionic)
       Status: Incomplete => Confirmed

** Changed in: squid3 (Ubuntu)
       Status: Invalid => Confirmed
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
Upstream bug https://bugs.squid-cache.org/show_bug.cgi?id=5179

** Bug watch added: Squid Bugzilla #5179
   http://bugs.squid-cache.org/show_bug.cgi?id=5179
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
4.13-10ubuntu5 in 21.10 and 5.2-1ubuntu1 in jammy are failing as well, with debug log different when compared to version 3 involved here:

    2021/12/05 19:58:41.705 kid1| 80,6| wccp2.cc(1580) wccp2HereIam: wccp2HereIam: Called
    2021/12/05 19:58:41.705 kid1| 80,5| wccp2.cc(1599) wccp2HereIam: wccp2HereIam: sending to service id 0
    2021/12/05 19:58:41.705 kid1| 80,3| wccp2.cc(1630) wccp2HereIam: Sending HereIam packet size 144
    2021/12/05 19:58:41.707 kid1| 80,6| wccp2.cc(1202) wccp2HandleUdp: wccp2HandleUdp: Called.
    2021/12/05 19:58:41.707 kid1| 80,3| wccp2.cc(1226) wccp2HandleUdp: Incoming WCCPv2 I_SEE_YOU length 128.
    2021/12/05 19:58:41.707 kid1| ERROR: Ignoring WCCPv2 message: duplicate security definition
        exception location: wccp2.cc(1249) wccp2HandleUdp

This looks like a problem with squid itself, the packet does not have a duplicate security definition.

In the code at http://www.squid-cache.org/Doc/code/wccp2_8cc_source.html I miss some debug output in the loop processing the packet

    /* Go through the data structure */

so would need to rebuild the package or to involve a debugger.

I was not able to find any documentation of squid listing supported/tested wccp servers but at this point this looks like an issue to be reported upstream. There is no reason to consider wccp packets from IOS 15.8(3)M2 invalid.
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
Hi,

The patch was backported from Squid 4 as no patch for Squid 3 was available. The code in wccp2.cpp is almost identical.

The resulting code in wccp2.cpp is almost identical to the code in 4.13 in impish, so I suspect you'll hit the same regression with current versions of Squid.

The only two commits that are different are the two following commits, which I don't believe could be causing the regression you are seeing:

https://github.com/squid-cache/squid/commit/7f7b4fd3f9af404d5bc528f7a73320f3ed1cc7d4
https://github.com/squid-cache/squid/commit/43b6575c9823248357a1eca8a55db76fd6c848ca

It would help to be able to test your environment with current versions of Squid to determine if this is caused by the upstream fix or not.

Thanks!
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
Thank you for looking into the issue.

Let me first test current versions of squid against my router. If that works I shall dig into the ubuntu code. Already tried to enable wccp debug in squid but it did not help much. Ended up running a standalone wccp client as a workaround.

Where is the patch coming from? Official patches for the issue I could find are for squid 4 and 5 only.
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
Thank you for taking the time to file a bug report.

I noticed that the latest update of the squid3 package on Bionic was a security fix that touched exactly the WCCP code:

    squid3 (3.5.27-1ubuntu1.12) bionic-security; urgency=medium

      * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
        - debian/patches/CVE-2021-28116.patch: validate packets better in
          src/wccp2.cc.
        - CVE-2021-28116

     -- Marc Deslauriers  Mon, 04 Oct 2021 08:32:25 -0400

I'm trying to understand here how to reproduce this bug. I don't have access to Cisco hardware, and I'm not an expert on WCCP (far from it). Given the description of the changelog entry above, I would double check to see if your Cisco hardware is properly configured and running the latest version of its firmware/software.

Based on the logs you posted, the following is one of the assertions that is failing on squid:

    Must(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU);

This means that the packet received by squid doesn't have the expected type, apparently. This check wasn't here before the patch.

This is another assertion that is failing:

    case WCCP2_SECURITY_INFO:
        Must(!security_info);  // <- THIS ASSERTION HERE
        SetField(security_info, itemHeader, itemHeader, itemSize,
                 "security definition truncated");
        break;

This case statement has been rewritten, and the assertion is now in place there. In fact, this whole function has been overhauled and is quite different than what it was before this latest squid3 version.

I am not sure if what you're seeing is in fact a bug in squid, or is actually squid being more careful regarding what it accepts as WCCP packets. Either way, I would need a way to reproduce this error locally in order to further investigate it. Could you please provide some help in this regard?

It would also be great if you could try squid from newer Ubuntu releases to see if you can reproduce this problem.

I am setting this as Incomplete for now.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-28116

** Changed in: squid3 (Ubuntu Bionic)
       Status: New => Incomplete
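Added example, not part of the bug report and not Squid's code: a stand-alone C walker over a WCCPv2 I_SEE_YOU payload that prints each item header and applies bounds and duplicate-security checks of the kind discussed in this thread, so a captured packet can be inspected without rebuilding the package. The numeric constants and the header layout are assumptions taken from the WCCPv2 draft; `wccp2_walk`, the `WALK_*` codes and both payloads are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names as in the thread; numeric values assumed from the WCCPv2 draft. */
#define WCCP2_I_SEE_YOU     11
#define WCCP2_SECURITY_INFO 0

enum walk_result { WALK_OK, WALK_SHORT_HEADER, WALK_WRONG_TYPE,
                   WALK_BAD_LENGTH, WALK_ITEM_TRUNCATED, WALK_DUP_SECURITY };

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Hypothetical helper. Assumed layout: 8-byte header (32-bit type, 16-bit version,
 * 16-bit body length), then items of 16-bit type + 16-bit length + body. */
enum walk_result wccp2_walk(const uint8_t *buf, size_t len, int verbose)
{
    if (len < 8) return WALK_SHORT_HEADER;
    if (buf[0] || buf[1] || be16(buf + 2) != WCCP2_I_SEE_YOU) return WALK_WRONG_TYPE;
    size_t body = be16(buf + 6);
    if (body > len - 8) return WALK_BAD_LENGTH;           /* claims more than received */
    int seen_security = 0;
    for (size_t off = 0; off < body; ) {
        if (body - off < 4) return WALK_ITEM_TRUNCATED;   /* no room for item header */
        unsigned type = be16(buf + 8 + off), ilen = be16(buf + 8 + off + 2);
        if (verbose)
            printf("offset %zu: item type %u, length %u\n", 8 + off, type, ilen);
        if (ilen > body - off - 4) return WALK_ITEM_TRUNCATED;
        if (type == WCCP2_SECURITY_INFO && seen_security++)
            return WALK_DUP_SECURITY;                     /* second security item */
        off += 4 + ilen;
    }
    return WALK_OK;
}

/* Constructed payloads, not captures from the reporter's router. */
static const uint8_t pkt_ok[] = {
    0,0,0,11, 2,0, 0,16,       /* I_SEE_YOU, version 0x200, 16 body bytes */
    0,0, 0,4, 0,0,0,0,         /* security item, 4-byte body */
    0,2, 0,4, 192,0,2,1 };     /* type-2 item, constructed body */
static const uint8_t pkt_dup[] = {
    0,0,0,11, 2,0, 0,16,
    0,0, 0,4, 0,0,0,0,
    0,0, 0,4, 0,0,0,0 };       /* security item repeated */
int main(void) {
    printf("ok: %d\n", wccp2_walk(pkt_ok, sizeof pkt_ok, 1));
    printf("dup: %d\n", wccp2_walk(pkt_dup, sizeof pkt_dup, 1));
    return 0;
}
```

Fed the UDP payload of a real I_SEE_YOU capture, the verbose listing shows which item types arrive and in what order, which is the per-item output the reporter found missing from the debug log.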
[Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
** Also affects: squid3 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: squid (Ubuntu)
       Status: New => Invalid

** Also affects: squid (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: squid3 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: squid (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: squid3 (Ubuntu)
       Status: New => Invalid