Bug#776472: unblock: squid3/3.4.8-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package squid3
Version 3.4.8-6 includes upstream fixes for 4 critical bugs (two causing high CPU/memory usage and two minor security issues), plus a fix for a major usability issue in squidclient on a default installation where localhost is linked to both IPv4 and IPv6 addresses.
Debdiff follows.
diff -Nru squid3-3.4.8/debian/changelog squid3-3.4.8/debian/changelog
--- squid3-3.4.8/debian/changelog 2014-12-16 14:33:14.000000000 +0100
+++ squid3-3.4.8/debian/changelog 2015-01-28 12:59:07.000000000 +0100
@@ -1,3 +1,27 @@
+squid3 (3.4.8-6) unstable; urgency=medium
+
+ [ Luigi Gangitano <luigi@debian.org> ]
+ * debian/patches/31-squid-3.4-13199.patch
+ - Added upstream patch fixing excessive CPU usage (Closes: #776461)
+
+ * debian/patches/32-squid-3.4-13210.patch
+ - Added upstream patch fixing excessive CPU and memory usage in
+ NTLM and Negotiate authentication helpers (Closes: #776463)
+
+ * debian/patches/33-squid-3.4-13211.patch
+ - Added upstream patch fixing a possible replay vulnerability on Digest
+ authentication (Closes: #776464)
+
+ * debian/patches/34-squid-3.4-13213.patch
+ - Added upstream patch fixing incorrect security permissions for
+ TOS/DiffServ packet marking (Closes: #776468)
+
+ * debian/patches/35-squid-3.4-13203.patch
+ - Added upstream patch fixing squidclient unable to connect to host with
+ both IPv4 and IPv6 addresses (Closes: #742425)
+
+ -- Luigi Gangitano <luigi@debian.org> Wed, 28 Jan 2015 12:34:42 +0100
+
squid3 (3.4.8-5) unstable; urgency=medium
[ Luigi Gangitano <luigi@debian.org> ]
diff -Nru squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch
--- squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,28 @@
+From: Luigi Gangitano <luigi@debian.org>
+Date: Wed, 28 Jan 2015 12:27:49 +0100
+Subject: 31-squid-3.4-13199.patch Deleting first fs left psstate->servers
+ pointing to uninitialized memory, fixing excessive use of CPU
+
+---
+ src/peer_select.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/peer_select.cc b/src/peer_select.cc
+index 19e3371..9c26a20 100644
+--- a/src/peer_select.cc
++++ b/src/peer_select.cc
+@@ -271,11 +271,12 @@ peerSelectDnsPaths(ps_state *psstate)
+ // due to the allocation method of fs, we must deallocate each manually.
+ // TODO: use a std::list so we can get the size and abort adding whenever the selection loops reach Config.forward_max_tries
+ if (fs && psstate->paths->size() >= (unsigned int)Config.forward_max_tries) {
++ assert(fs == psstate->servers);
+ while (fs) {
+- FwdServer *next = fs->next;
++ psstate->servers = fs->next;
+ cbdataReferenceDone(fs->_peer);
+ memFree(fs, MEM_FWD_SERVER);
+- fs = next;
++ fs = psstate->servers;
+ }
+ }
+
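Review bot: The added lines keep `psstate->servers` in step with the node being freed, but nothing in the loop says so, and `assert(fs == psstate->servers)` is the only statement of the invariant it relies on. A comment before the loop would record the reason, e.g. `// advance psstate->servers before freeing so it never points at a released FwdServer`. If `assert` is active in release builds of this code, a violated invariant stops the proxy rather than leaving a dangling pointer, and that trade-off deserves a line of comment as well. peerSelectDnsPaths() starts and ends outside the hunk.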
diff -Nru squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch
--- squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,94 @@
+From: Luigi Gangitano <luigi@debian.org>
+Date: Wed, 28 Jan 2015 12:28:51 +0100
+Subject: squid-3.4-13210.patch Fixes excessive NTLM or Negotiate auth helper
+ annotations, which lead to excessive CPU and memory use
+
+---
+ src/Notes.cc | 15 +++++++++++++++
+ src/Notes.h | 5 +++++
+ src/auth/digest/UserRequest.cc | 2 ++
+ src/auth/negotiate/UserRequest.cc | 2 ++
+ src/auth/ntlm/UserRequest.cc | 2 ++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/src/Notes.cc b/src/Notes.cc
+index 0003956..13d530e 100644
+--- a/src/Notes.cc
++++ b/src/Notes.cc
+@@ -189,6 +189,21 @@ NotePairs::add(const char *key, const char *note)
+ }
+
+ void
++NotePairs::remove(const char *key)
++{
++ Vector<NotePairs::Entry *>::iterator i = entries.begin();
++ while (i != entries.end()) {
++ if ((*i)->name.cmp(key) == 0) {
++ NotePairs::Entry *e = (*i);
++ entries.prune(e);
++ delete e;
++ i = entries.begin(); // vector changed underneath us
++ } else
++ ++i;
++ }
++}
++
++void
+ NotePairs::addStrList(const char *key, const char *values)
+ {
+ String strValues(values);
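Review bot: `NotePairs::remove` restarts the scan from `entries.begin()` after every match, so removing several entries with the same key rescans the already-checked prefix each time. That is harmless for a short list, but this patch is itself about excessive CPU use from growing helper annotations, so the assumption should be written down at the restart, e.g. `// restart: prune() invalidates i; entries is expected to stay small`. The container appears to own its entries, since `delete e` follows `prune(e)`; a short function comment stating that would help callers who hold an `Entry *`.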
+diff --git a/src/Notes.h b/src/Notes.h
+index 47950d4..401c8b9 100644
+--- a/src/Notes.h
++++ b/src/Notes.h
+@@ -155,6 +155,11 @@ public:
+ void add(const char *key, const char *value);
+
+ /**
++ * Remove all notes with a given key.
++ */
++ void remove(const char *key);
++
++ /**
+ * Adds a note key and values strList to the notes list.
+ * If the key name already exists in list, add the new values to its set
+ * of values.
+diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc
+index f625bd8..9107d73 100644
+--- a/src/auth/digest/UserRequest.cc
++++ b/src/auth/digest/UserRequest.cc
+@@ -298,6 +298,8 @@ Auth::Digest::UserRequest::HandleReply(void *data, const HelperReply &reply)
+ // add new helper kv-pair notes to the credentials object
+ // so that any transaction using those credentials can access them
+ auth_user_request->user()->notes.appendNewOnly(&reply.notes);
++ // remove any private credentials detail which got added.
++ auth_user_request->user()->notes.remove("ha1");
+
+ static bool oldHelperWarningDone = false;
+ switch (reply.result) {
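Review bot: The private value is copied into the long-lived user notes by `appendNewOnly(&reply.notes)` and only then stripped by `remove("ha1")`, so the result depends on the helper spelling the key exactly `ha1`. `NotePairs::remove` matches with `name.cmp(key)`, which looks case-sensitive; if a helper may send a differently cased key, the value would stay attached to the credentials, so the expected spelling should be confirmed or the comparison made case-insensitive. The comment would be more useful if it said why the key is private, for example `// HA1 is password-equivalent for Digest; it must not persist in notes shared with other transactions`. The same pattern and the same remark apply to the `remove("token")` lines in the negotiate and ntlm `HandleReply` hunks. HandleReply's body continues outside this hunk.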
+diff --git a/src/auth/negotiate/UserRequest.cc b/src/auth/negotiate/UserRequest.cc
+index 086da9f..64cffc9 100644
+--- a/src/auth/negotiate/UserRequest.cc
++++ b/src/auth/negotiate/UserRequest.cc
+@@ -229,6 +229,8 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply)
+ // add new helper kv-pair notes to the credentials object
+ // so that any transaction using those credentials can access them
+ auth_user_request->user()->notes.appendNewOnly(&reply.notes);
++ // remove any private credentials detail which got added.
++ auth_user_request->user()->notes.remove("token");
+
+ Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
+ assert(lm_request != NULL);
+diff --git a/src/auth/ntlm/UserRequest.cc b/src/auth/ntlm/UserRequest.cc
+index 4ce04eb..ebfe895 100644
+--- a/src/auth/ntlm/UserRequest.cc
++++ b/src/auth/ntlm/UserRequest.cc
+@@ -223,6 +223,8 @@ Auth::Ntlm::UserRequest::HandleReply(void *data, const HelperReply &reply)
+ // add new helper kv-pair notes to the credentials object
+ // so that any transaction using those credentials can access them
+ auth_user_request->user()->notes.appendNewOnly(&reply.notes);
++ // remove any private credentials detail which got added.
++ auth_user_request->user()->notes.remove("token");
+
+ Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
+ assert(lm_request != NULL);
diff -Nru squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch
--- squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/33-squid-3.4-13211.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,51 @@
+From: Luigi Gangitano <luigi@debian.org>
+Date: Wed, 28 Jan 2015 12:30:04 +0100
+Subject: squid-3.4-13211.patch Fixes minor security issue in digest
+ authentication nonce indefinite rollover
+
+---
+ src/auth/digest/UserRequest.cc | 12 ++++++++----
+ src/auth/digest/auth_digest.cc | 7 +------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc
+index 9107d73..011f109 100644
+--- a/src/auth/digest/UserRequest.cc
++++ b/src/auth/digest/UserRequest.cc
+@@ -152,10 +152,14 @@ Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData * c
+ }
+
+ /* check for stale nonce */
+- if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
+- debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
+- auth_user->credentials(Auth::Handshake);
+- digest_request->setDenyMessage("Stale nonce");
++ /* check Auth::Pending to avoid loop */
++
++ if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
++ debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
++ /* Pending prevent banner and makes a ldap control */
++ auth_user->credentials(Auth::Pending);
++ nonce->flags.valid = false;
++ authDigestNoncePurge(nonce);
+ return;
+ }
+
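Review bot: In the new stale-nonce branch, `nonce->flags.valid = false;` dereferences a bare `nonce` that is not declared in this hunk, while the condition tests `digest_request->nonce`; if the validity check can return false for a null nonce (its body is not visible here), the branch would dereference null. A guard such as `if (nonce) { nonce->flags.valid = false; authDigestNoncePurge(nonce); }` makes the branch safe either way. The rewritten `debugs()` line also lost the leading `"user '"`, so the log now shows an unmatched quote; `debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);` restores it. authenticate() starts and ends outside the hunk.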
+diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
+index 7cc3276..610f547 100644
+--- a/src/auth/digest/auth_digest.cc
++++ b/src/auth/digest/auth_digest.cc
+@@ -1038,12 +1038,7 @@ Auth::Digest::Config::decode(char const *proxy_auth)
+ debugs(29, 2, "Username for the nonce does not equal the username for the request");
+ nonce = NULL;
+ }
+- /* check for stale nonce */
+- if (authDigestNonceIsStale(nonce)) {
+- debugs(29, 3, "The received nonce is stale from " << username);
+- digest_request->setDenyMessage("Stale nonce");
+- nonce = NULL;
+- }
++
+ if (!nonce) {
+ /* we couldn't find a matching nonce! */
+ debugs(29, 2, "Unexpected or invalid nonce received from " << username);
diff -Nru squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch
--- squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/34-squid-3.4-13213.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,25 @@
+From: Luigi Gangitano <luigi@debian.org>
+Date: Wed, 28 Jan 2015 12:31:10 +0100
+Subject: squid-3.4-13213.patch Adds corrects capabilities to set TOS/DiffServ
+ marks on output packages
+
+---
+ src/tools.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools.cc b/src/tools.cc
+index 076446e..21923a0 100644
+--- a/src/tools.cc
++++ b/src/tools.cc
+@@ -1319,7 +1319,10 @@ restoreCapabilities(int keep)
+ cap_value_t cap_list[10];
+ cap_list[ncaps] = CAP_NET_BIND_SERVICE;
+ ++ncaps;
+- if (Ip::Interceptor.TransparentActive() || Ip::Qos::TheConfig.isHitNfmarkActive() || Ip::Qos::TheConfig.isAclNfmarkActive()) {
++ if (Ip::Interceptor.TransparentActive() ||
++ Ip::Qos::TheConfig.isHitNfmarkActive() ||
++ Ip::Qos::TheConfig.isAclNfmarkActive() ||
++ Ip::Qos::TheConfig.isAclTosActive()) {
+ cap_list[ncaps] = CAP_NET_ADMIN;
+ ++ncaps;
+ }
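Review bot: The widened condition now keeps `CAP_NET_ADMIN` whenever `isAclTosActive()` is true, and nothing in the hunk records why a TOS ACL needs such a broad capability. A comment above the `if` would help whoever next audits the retained capability set, e.g. `// CAP_NET_ADMIN: needed for transparent interception, netfilter marks and TOS/DiffServ marking; keep it only when one of these is configured`. restoreCapabilities() continues outside the hunk, so whether the capability is dropped again on reconfigure cannot be judged from here.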
diff -Nru squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch
--- squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/35-squid-3.4-13203.patch 2015-01-28 12:59:07.000000000 +0100
@@ -0,0 +1,43 @@
+From: Luigi Gangitano <luigi@debian.org>
+Date: Wed, 28 Jan 2015 12:31:49 +0100
+Subject: squid-3.4-13203.patch Fixes squidclient issue with hosts with both
+ IPv4 and IPv6 addresses
+
+---
+ src/ip/Address.cc | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/ip/Address.cc b/src/ip/Address.cc
+index ba3cff5..da40267 100644
+--- a/src/ip/Address.cc
++++ b/src/ip/Address.cc
+@@ -382,6 +382,20 @@ Ip::Address::lookupHostIP(const char *s, bool nodns)
+ return false;
+ }
+
++ struct addrinfo *resHead = res; // we need to free the whole list later
++ if (!Ip::EnableIpv6) {
++ // if we are IPv6-disabled, use first-IPv4 instead of first-IP.
++ struct addrinfo *maybeIpv4 = res;
++ while (maybeIpv4) {
++ if (maybeIpv4->ai_family == AF_INET)
++ break;
++ maybeIpv4 = maybeIpv4->ai_next;
++ }
++ if (maybeIpv4 != NULL)
++ res = maybeIpv4;
++ // else IPv6-only host, let the caller deal with first-IP anyway.
++ }
++
+ /*
+ * NP: =(sockaddr_*) may alter the port. we don't want that.
+ * all we have been given as input was an IPA.
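Review bot: With IPv6 disabled and a host that has only IPv6 addresses, the new loop leaves `res` on the first (IPv6) entry and the function still returns true, so the caller receives an address of a family it cannot use; only the inline comment `// else IPv6-only host, let the caller deal with first-IP anyway.` records that. If callers are not known to check the family, returning false in that case would be safer; otherwise the contract belongs in the function's header comment. The search would read more directly as `for (struct addrinfo *ai = res; ai; ai = ai->ai_next) if (ai->ai_family == AF_INET) { res = ai; break; }`. Keeping `resHead` for the `freeaddrinfo()` call in the following hunk is required by this change, since `res` may no longer be the list head. lookupHostIP() starts outside the hunk.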
+@@ -391,7 +405,7 @@ Ip::Address::lookupHostIP(const char *s, bool nodns)
+ port(portSaved);
+
+ /* free the memory getaddrinfo() dynamically allocated. */
+- freeaddrinfo(res);
++ freeaddrinfo(resHead);
+ return true;
+ }
+
diff -Nru squid3-3.4.8/debian/patches/series squid3-3.4.8/debian/patches/series
--- squid3-3.4.8/debian/patches/series 2014-12-16 14:33:14.000000000 +0100
+++ squid3-3.4.8/debian/patches/series 2015-01-28 12:59:07.000000000 +0100
@@ -4,3 +4,8 @@
16-ipc-statedir.patch
21-squid-3.4-13176-memoryleak.patch
30-cert_tool.patch
+31-squid-3.4-13199.patch
+32-squid-3.4-13210.patch
+33-squid-3.4-13211.patch
+34-squid-3.4-13213.patch
+35-squid-3.4-13203.patch
unblock squid3/3.4.8-6
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)