Bug 43408

Summary: squid3: Regression Erratum 346 built without SSL
Product: UCS
Component: Security updates
Reporter: Arvid Requate <requate>
Assignee: Arvid Requate <requate>
QA Contact: Daniel Tröder <troeder>
Status: CLOSED FIXED
Severity: normal
Priority: P2
CC: gohmann, grandjean, requate
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-4-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=53005
What kind of report is it?: Security Issue
Bug group (optional): Security
Bug Depends on: 40834
Bug Blocks: 42563

Description Arvid Requate univentionstaff 2017-01-24 15:41:08 CET
The squid3 Erratum 346 for UCS 4.1 has been built without SSL support; this breaks http://wiki.univention.de/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy

The 001-enable-ssl.patch simply has not been merged from errata4.0-3.

Comment 1 Arvid Requate univentionstaff 2017-01-24 16:22:31 CET
The package has been rebuilt with the missing patch.

Advisory: squid3.yaml

Comment 2 Daniel Tröder univentionstaff 2017-01-24 21:35:02 CET
OK: patch was applied in build:
------------------------------------------------------------------
dtroeder@ladda:~$ bzgrep -i -A5 ssl.patch /var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-4/squid3_3.1.20-2.2.24.201701241545.log.bz2
A    3.1.20-2.2+deb7u6-errata4.1-4/001-enable-ssl.patch
Exportiert, Revision 17064.
dpkg-source: Warnung: Patches noch nicht angewandt, werden jetzt angewendet (verwenden Sie --no-preparation zum Aufheben)
dpkg-source: Information: 01-cf.data.debian.patch wird angewandt
dpkg-source: Information: 02-makefile-defaults.patch wird angewandt
dpkg-source: Information: 15-cachemgr-default-config.patch wird angewandt
--
 001-enable-ssl.patch
Applying patch 001-enable-ssl.patch using -p1
Output of the patch process:
patching file debian/control
patching file debian/rules

OK
------------------------------------------------------------------
OK: advisory
OK: automatic tests: ucs-test -E dangerous -s proxy
Some tests failed though - those failed before too, so I guess it is a problem of my VM or the tests 00 and 02 must be reworked.

OK: manual test:

root@slave45:~# DEBIAN_FRONTEND=noninteractive apt-get install --reinstall squid3
root@slave45:~# dpkg -l squid3
ii  squid3                   3.1.20-2.2.24.201

root@slave45:~# /etc/init.d/apache2 stop
root@slave45:~# cp /etc/squid3/local.conf /etc/squid3/local.conf.backup
root@slave45:~# vi /etc/squid3/local.conf
------------------------------------------------------------------
https_port 443 cert=/etc/univention/ssl/slave45.uni.dtr/cert.pem key=/etc/univention/ssl/slave45.uni.dtr/private.key defaultsite=www.debian.org vhost
cache_peer 130.89.148.14 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost

acl myNetwork src 10.200.3.0/24
http_access allow myNetwork
cache_peer_access myHost allow myNetwork
------------------------------------------------------------------
root@slave45:~# ucr set squid/allowfrom=10.200.3.0/24
root@slave45:~# service squid3 restart


root@master43:~# wget --no-check-certificate -q https://10.200.3.45 -O - | grep '<title>' 
  <title>Debian -- The Universal Operating System </title>

Comment 3 Janek Walkenhorst univentionstaff 2017-01-25 13:48:39 CET
<http://errata.software-univention.de/ucs/4.1/380.html>
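
A scripted check for the regression described in this report, as an added example that is not part of the original bug thread or of Univention's tooling: it compares the configure options printed by `squid3 -v` with the SSL-dependent directives in a Squid config. It assumes SSL builds of Squid 3.1 list `--enable-ssl` in that output; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumptions: `squid3 -v` prints a
# "configure options:" line and SSL builds of Squid 3.1 list --enable-ssl
# there. Function names and sample data are constructed for illustration.

# Return 0 if the given `squid3 -v` output shows an SSL-enabled build.
build_has_ssl() {
    printf '%s\n' "$1" | grep -i '^configure options:' |
        grep -Eq -- "--enable-ssl(['\" ]|\$)"
}

# Print config lines that need SSL support: https_port listeners and
# cache_peer entries carrying the "ssl" option. Comments are ignored.
config_ssl_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        $1 == "https_port" { print; next }
        $1 == "cache_peer" { for (i = 2; i <= NF; i++) if ($i == "ssl") { print; next } }'
}

# Return 1 when the config needs SSL but the build lacks it, else 0.
check_ssl_regression() {
    needed=$(config_ssl_lines "$2")
    if [ -z "$needed" ] || build_has_ssl "$1"; then
        return 0
    fi
    echo "squid built without SSL, but the config requires it:" >&2
    printf '%s\n' "$needed" | sed 's/^/  /' >&2
    return 1
}

# Constructed sample data (documentation addresses and names).
GOOD_BUILD="Squid Cache: Version 3.1.20
configure options:  '--prefix=/usr' '--enable-ssl' '--with-default-user=proxy'"
BAD_BUILD="Squid Cache: Version 3.1.20
configure options:  '--prefix=/usr' '--with-default-user=proxy'"
SSL_CONF="https_port 443 cert=/etc/ssl/example/cert.pem key=/etc/ssl/example/private.key defaultsite=www.example.org vhost
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl name=myHost
# cache_peer 192.0.2.11 parent 443 0 originserver ssl name=disabled
acl myNetwork src 198.51.100.0/24"
PLAIN_CONF="http_port 3128
cache_peer 192.0.2.11 parent 80 0 no-query originserver name=plain"

# On a live system:
#   check_ssl_regression "$(squid3 -v)" "$(cat /etc/squid3/local.conf)"
check_ssl_regression "$BAD_BUILD" "$SSL_CONF" || echo "regression detected"
```

Run after each package rebuild, a check like this fails before a reverse-proxy configuration is deployed against a binary that cannot serve it.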