Bug 52182 - squid3: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Felix Botner
QA Contact: Erik Damrose
Reported: 2020-10-05 09:26 CEST by Quality Assurance
Modified: 2021-01-20 12:50 CET (History)

See Also:
What kind of report is it?: Security Issue
Max CVSS v3 score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)


Description Quality Assurance univentionstaff 2020-10-05 09:26:38 CEST
New Debian squid3 3.5.23-5+deb9u5A~4.4.6.202010050915 fixes:
This update addresses the following issues:
* Request smuggling and poisoning attack against the HTTP cache  (CVE-2020-15049)
* HTTP Request Smuggling could result in cache poisoning (CVE-2020-15810)
* HTTP Request Splitting could result in cache poisoning (CVE-2020-15811)
* Improper input validation could result in a DoS (CVE-2020-24606)
Comment 1 Erik Damrose univentionstaff 2020-10-06 18:55:48 CEST
Package build failed.

While integrating the fix for CVE-2020-15049, HttpHeader parsing changed, see debian/patches/CVE-2020-15049.patch

"In order to completely address these kind of vulnerabilities the complete HttpHeader parsing code was backported from the 4.x branch of squid."

But the Debian package is not built with SSL support by default, while UCS squid3 is built with SSL, see bug 18756, svn patch 001-enable-ssl.patch

The SSL code was not backported from squid 4.x. This causes the squid3 package build to fail.

/var/univention/buildsystem2/logs/ucs_4.4-ucs4.4-6/squid3_3.5.23-5+deb9u4A~4.4.6.202009161636.log.bz2
Comment 3 Felix Botner univentionstaff 2020-12-17 14:48:09 CET
Added svn/patches/squid3/4.4-0-0-ucs/3.5.23-5+deb9u5-errata4.4-7/009-sec-update-ssl-52182.quilt, builds now, but not sure if this is the final solution.

TODO testing proxy/https
TODO merge to 5.0
Comment 4 Felix Botner univentionstaff 2020-12-22 14:02:02 CET
OK - Jenkins tests
OK - local ucs-test-proxy
INVALID - merge to UCS 5: we already have squid 4.6-1+deb10u4 in UCS 5, so nothing to do here


ssl test

10.200.7.150 -> master.new.test

10.200.7.160 -> proxy server
with squid 3.5.23-5+deb9u5A~4.4.0.202012171304
and 
/etc/squid/local_bottom.conf:
https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/private.key defaultsite=master.new.test vhost
cache_peer 10.200.7.150 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER connection-auth=off name=yourwebap


on the proxy server
curl -vvv  --proxy https://$(hostname -f):443 http://master.new.test/univention/portal/
on the other server
curl -vvv  --proxy-insecure -k --proxy https://10.200.7.160:443 http://master.new.test/univention/portal/

not sure if this is a valid test, QA please check that
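The two things this bug turns on are checkable from a shell on the proxy host: comment 1 (the UCS squid3 binary must still be built with SSL after the backported header parser) and comment 4 (the HTTPS accel path through the proxy must answer). The script below is an added example written for this page; it is not part of bug 52182, of the UCS errata, or of the ucs-test suite. It assumes that `squid -v` prints its configure line (it does for upstream 3.5 builds), that the fixed version is the one comment 4 installed on the proxy, and that the lab addresses and URL from comment 4 are the defaults (all three can be overridden through the environment). The `run` argument guard and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from bug 52182 or from the UCS squid3 packaging.
# Post-errata checks for the points raised in comment 1 (SSL build) and
# comment 4 (HTTPS accel test through the proxy).
# Assumptions: `squid -v` prints the configure line; FIXED_VERSION is the
# package comment 4 tested with; host defaults are the lab addresses from
# comment 4. All three can be overridden via the environment.

FIXED_VERSION="${FIXED_VERSION:-3.5.23-5+deb9u5A~4.4.0.202012171304}"
PROXY_URL="${PROXY_URL:-https://10.200.7.160:443}"
TARGET_URL="${TARGET_URL:-http://master.new.test/univention/portal/}"

# squid_has_ssl CONFIGURE_TEXT
# Returns 0 when the configure line carries one of the SSL build options
# squid 3.5 accepts (--enable-ssl / --with-openssl), 1 otherwise.
squid_has_ssl() {
    printf '%s\n' "$1" | grep -Eq -- '--(enable-ssl|with-openssl)'
}

# status_ok CODE
# A 2xx or 3xx from the origin means the accel path works; 4xx/5xx or an
# empty code (curl could not connect) counts as failure.
status_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# installed_version PACKAGE -> prints the dpkg version string, empty if absent
installed_version() {
    dpkg-query -W -f '${Version}' "$1" 2>/dev/null || true
}

# version_fixed INSTALLED -> 0 when INSTALLED >= FIXED_VERSION in dpkg ordering
version_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# http_status_through_proxy PROXY_URL TARGET_URL -> prints the HTTP status code
# Mirrors the curl call from comment 4: the proxy port speaks HTTPS with a
# lab certificate, so both the proxy and origin certificate checks are off.
http_status_through_proxy() {
    curl -sS -o /dev/null -w '%{http_code}' --proxy-insecure -k \
        --proxy "$1" "$2" 2>/dev/null || true
}

main() {
    rc=0
    ver="$(installed_version squid3)"
    if version_fixed "$ver"; then
        echo "OK   squid3 $ver >= $FIXED_VERSION"
    else
        echo "FAIL squid3 version is '$ver', expected >= $FIXED_VERSION"; rc=1
    fi
    if squid_has_ssl "$(squid -v 2>&1)"; then
        echo "OK   squid built with SSL support"
    else
        echo "FAIL squid binary was built without SSL support"; rc=1
    fi
    code="$(http_status_through_proxy "$PROXY_URL" "$TARGET_URL")"
    if status_ok "$code"; then
        echo "OK   $TARGET_URL via $PROXY_URL -> HTTP $code"
    else
        echo "FAIL $TARGET_URL via $PROXY_URL -> HTTP '$code'"; rc=1
    fi
    return $rc
}

# Live checks run only as `sh check-squid3-errata.sh run`, so the functions
# can also be sourced without side effects.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it on the proxy host with `sh check-squid3-errata.sh run`; each line reports OK or FAIL and the exit status is non-zero if any check failed. The curl call is comment 4's invocation unchanged, so it tests exactly what Felix tested; `sslflags=DONT_VERIFY_PEER` in that test config disables verification of the origin server's certificate, which is fine for a lab run but should not stay in a production `cache_peer` line.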
Comment 5 Erik Damrose univentionstaff 2021-01-19 10:14:31 CET
OK: 009-sec-update-ssl-52182.quilt
OK: no merge to UCS 5 necessary
OK: piuparts
http://10.200.17.11/4.4-7/#2525884691641021131
OK: build with SSL
OK: yaml
Verified