Univention Bugzilla – Bug 52182
squid3: Multiple issues (4.4)
Last modified: 2021-01-20 12:50:44 CET
New Debian squid3 3.5.23-5+deb9u5A~4.4.6.202010050915 fixes:

This update addresses the following issues:
* Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049)
* HTTP Request Smuggling could result in cache poisoning (CVE-2020-15810)
* HTTP Request Splitting could result in cache poisoning (CVE-2020-15811)
* Improper input validation could result in a DoS (CVE-2020-24606)
Package build failed.

While integrating the fix for CVE-2020-15049, HttpHeader parsing changed, see debian/patches/CVE-2020-15049.patch:
"In order to completely address these kind of vulnerabilities the complete HttpHeader parsing code was backported from the 4.x branch of squid."

But the Debian package by default is not built with SSL support, while UCS squid3 is built with SSL, see bug 18756, svn patch 001-enable-ssl.patch. The SSL code was not backported from squid 4.x. This causes the squid3 package build to fail.

/var/univention/buildsystem2/logs/ucs_4.4-ucs4.4-6/squid3_3.5.23-5+deb9u4A~4.4.6.202009161636.log.bz2
Added svn/patches/squid3/4.4-0-0-ucs/3.5.23-5+deb9u5-errata4.4-7/009-sec-update-ssl-52182.quilt, builds now, but not sure if this is the final solution.

TODO testing proxy/https
TODO merge to 5.0
OK - Jenkins tests
OK - local ucs-test-proxy
INVALID - merge to UCS 5, we already have squid 4.6-1+deb10u4 in UCS 5, so nothing to do here

SSL test:
10.200.7.150 -> master.new.test
10.200.7.160 -> proxy server with squid 3.5.23-5+deb9u5A~4.4.0.202012171304 and /etc/squid/local_bottom.conf:
  https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/private.key defaultsite=master.new.test vhost
  cache_peer 10.200.7.150 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER connection-auth=off name=yourwebap

On the proxy server:
  curl -vvv --proxy https://$(hostname -f):443 http://master.new.test/univention/portal/
On the other server:
  curl -vvv --proxy-insecure -k --proxy https://10.200.7.160:443 http://master.new.test/univention/portal/

Not sure if this is a valid test, QA please check that.
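The two things the comment above checks by hand are (a) that the rebuilt squid3 is still an SSL-enabled build, which is exactly what the quilt patch in this bug restores, and (b) that a request still passes through the https_port accel setup to the origin. The script below is an added example that automates both; it is not code from Univention, Debian or the squid project. The host names and addresses (10.200.7.160, master.new.test, the portal URL) are taken from the test setup in the comment and are assumptions about your environment, the sample `squid -v` output is constructed, and the `-k/--proxy-insecure` flags assume the proxy uses a self-signed certificate as in the comment.

```sh
#!/bin/sh
# Added QA helper (example code, not Univention's or Debian's) for the checks
# described in the comment above: is squid built with SSL, and does a request
# get through the https_port accel proxy to the origin?
set -u

# Return 0 if the given `squid -v` output shows an OpenSSL-enabled build.
# Debian's stock squid3 is configured without these flags; the UCS build
# (001-enable-ssl.patch) must have them, otherwise the erratum was built wrong.
squid_build_has_ssl() {
    printf '%s\n' "$1" | grep -q -e '--with-openssl' -e '--enable-ssl'
}

# Print the squid version string (e.g. 3.5.23) from `squid -v` output.
squid_version() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if an HTTP status code means the request reached the origin
# (2xx/3xx). curl prints 000 when it could not connect to the proxy at all.
status_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch a URL through an HTTPS proxy and print only the status code.
# Same curl invocation as "on the other server" in the comment, minus -vvv.
# -k/--proxy-insecure: the test proxy uses a self-signed cert (assumption).
fetch_via_proxy() {
    proxy="$1"; url="$2"
    curl -sS -o /dev/null -w '%{http_code}' \
        --proxy-insecure -k --proxy "$proxy" "$url" 2>/dev/null || true
}

# Full check: needs squid and curl installed and the test hosts reachable.
# Addresses below are the ones from the comment (assumption for your setup).
run_qa_check() {
    v="$(squid -v 2>/dev/null)" || { echo "squid not installed"; return 2; }
    if ! squid_build_has_ssl "$v"; then
        echo "FAIL: squid $(squid_version "$v") built without SSL"; return 1
    fi
    echo "OK: squid $(squid_version "$v") built with SSL"
    code="$(fetch_via_proxy https://10.200.7.160:443 http://master.new.test/univention/portal/)"
    if status_ok "$code"; then
        echo "OK: portal reachable via HTTPS proxy (HTTP $code)"
    else
        echo "FAIL: portal not reachable via HTTPS proxy (HTTP $code)"; return 1
    fi
}

# Constructed sample of `squid -v` output for an SSL-enabled Debian build
# (not captured from a real UCS host; only the lines the parsers read matter).
SAMPLE_SQUID_V="Squid Cache: Version 3.5.23
Service Name: squid
Debian linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"

# Usage: sh squid_ssl_qa.sh --run   (on a host that can reach the test proxy)
if [ "${1:-}" = "--run" ]; then
    run_qa_check
fi
```

`squid_build_has_ssl` and `status_ok` are the parts that run offline; `run_qa_check` is what you would actually execute on the second test machine. If the build check fails, the erratum package was built from the Debian defaults rather than with 001-enable-ssl.patch, which is the failure mode the quilt patch in this bug exists to prevent.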
OK: 009-sec-update-ssl-52182.quilt
OK: no merge to UCS 5 necessary
OK: piuparts http://10.200.17.11/4.4-7/#2525884691641021131
OK: build with SSL
OK: yaml

Verified
<https://errata.software-univention.de/#/?erratum=4.4x872>