Package: squid3
Version: 3.4.8-5
Severity: grave
Tags: patch upstream

Upstream fixed an issue with missing capabilities while squid sets TOS/DiffServ marks on outgoing packets, which can lead to missing marks and unwanted behavior in security devices handling those packets.
-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages squid3 depends on:
ii  adduser                   3.113+nmu3
ii  libc6                     2.19-13
ii  libcap2                   1:2.24-6
ii  libcomerr2                1.42.12-1
ii  libdb5.3                  5.3.28-9
ii  libecap2                  0.2.0-3
ii  libexpat1                 2.1.0-6+b3
ii  libgcc1                   1:4.9.2-10
ii  libgssapi-krb5-2          1.12.1+dfsg-16
ii  libk5crypto3              1.12.1+dfsg-16
ii  libkrb5-3                 1.12.1+dfsg-16
ii  libldap-2.4-2             2.4.40-3
ii  libltdl7                  2.4.2-1.11
ii  libnetfilter-conntrack3   1.0.4-1
ii  libnettle4                2.7.1-5
ii  libpam0g                  1.1.8-3.1
ii  libsasl2-2                2.1.26.dfsg1-12
ii  libstdc++6                4.9.2-10
ii  libxml2                   2.9.2+dfsg1-1+b1
ii  logrotate                 3.8.7-1+b1
ii  lsb-base                  4.1+Debian13+nmu1
ii  netbase                   5.3
ii  squid3-common             3.4.8-5

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf                <none>
ii  smbclient                 2:4.1.13+dfsg-4
pn  squid-cgi                 <none>
pn  squid-purge               <none>
pn  squidclient               <none>
pn  ufw                       <none>
pn  winbindd                  <none>

-- no debconf information
------------------------------------------------------------
revno: 13213
revision-id: squ...@treenet.co.nz-20150124050858-go67ro2e85kaus1s
parent: squ...@treenet.co.nz-20150124050758-iynm037xhk6k8kx0
author: Christos Tsantilas <chtsa...@users.sourceforge.net>
committer: Amos Jeffries <squ...@treenet.co.nz>
branch nick: 3.4
timestamp: Fri 2015-01-23 21:08:58 -0800
message:
  Set cap_net_admin capability when Squid sets TOS/Diffserv packet values.

  In capabilities-capable environments (e.g., Linux with libcap), CAP_NET_ADMIN capability is required to honor clientside_tos and tcp_outgoing_tos directives. The code was setting that capability when Netfilter marks or tproxy was enabled, but missed the clientside_tos and tcp_outgoing_tos cases.

  This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squ...@treenet.co.nz-20150124050858-go67ro2e85kaus1s
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: 13004a32b4579593437ff48c84593c3cab5113f7
# timestamp: 2015-01-24 05:14:34 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squ...@treenet.co.nz-20150124050758-\
# iynm037xhk6k8kx0
#
# Begin patch
=== modified file 'src/tools.cc' --- src/tools.cc 2014-03-04 10:05:16 +0000 +++ src/tools.cc 2015-01-24 05:08:58 +0000 @@ -1319,7 +1319,10 @@ cap_value_t cap_list[10]; cap_list[ncaps] = CAP_NET_BIND_SERVICE; ++ncaps; - if (Ip::Interceptor.TransparentActive() || Ip::Qos::TheConfig.isHitNfmarkActive() || Ip::Qos::TheConfig.isAclNfmarkActive()) { + if (Ip::Interceptor.TransparentActive() || + Ip::Qos::TheConfig.isHitNfmarkActive() || + Ip::Qos::TheConfig.isAclNfmarkActive() || + Ip::Qos::TheConfig.isAclTosActive()) { cap_list[ncaps] = CAP_NET_ADMIN; ++ncaps; }
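Review bot: the condition in this hunk adds only `Ip::Qos::TheConfig.isAclTosActive()`, while the Nfmark case right beside it keeps both the hit (`isHitNfmarkActive()`) and ACL (`isAclNfmarkActive()`) variants; if the config also has a hit-based TOS mode (whatever its accessor is called) that writes TOS values needing CAP_NET_ADMIN, it would still hit the silent failure the commit message describes, so please either add the matching check or note in the commit message why ACL TOS is the only TOS path that needs the capability. A short comment above the `if` mapping each test to the directives it covers (clientside_tos / tcp_outgoing_tos for the TOS branch) would also help, since right now the commit message is the only place that mapping is recorded and the next missed case will be just as hard to spot in review.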