Bug 43408 - squid3: Regression Erratum 346 built without SSL
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P2 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Daniel Tröder
Depends on: 40834
Blocks: 42563
Reported: 2017-01-24 15:41 CET by Arvid Requate
Modified: 2021-03-29 18:01 CEST

What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-01-24 15:41:08 CET
The squid3 Erratum 346 for UCS 4.1 has been built without SSL support; this breaks http://wiki.univention.de/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy

The 001-enable-ssl.patch simply has not been merged from errata4.0-3.
Comment 1 Arvid Requate univentionstaff 2017-01-24 16:22:31 CET
The package has been rebuilt with the missing patch.

Advisory: squid3.yaml
Comment 2 Daniel Tröder univentionstaff 2017-01-24 21:35:02 CET
OK: patch was applied in build:
------------------------------------------------------------------
dtroeder@ladda:~$ bzgrep -i -A5 ssl.patch /var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-4/squid3_3.1.20-2.2.24.201701241545.log.bz2
A    3.1.20-2.2+deb7u6-errata4.1-4/001-enable-ssl.patch
Exportiert, Revision 17064.
dpkg-source: Warnung: Patches noch nicht angewandt, werden jetzt angewendet (verwenden Sie --no-preparation zum Aufheben)
dpkg-source: Information: 01-cf.data.debian.patch wird angewandt
dpkg-source: Information: 02-makefile-defaults.patch wird angewandt
dpkg-source: Information: 15-cachemgr-default-config.patch wird angewandt
--
 001-enable-ssl.patch
Applying patch 001-enable-ssl.patch using -p1
Output of the patch process:
patching file debian/control
patching file debian/rules

OK
------------------------------------------------------------------
OK: advisory
OK: automatic tests: ucs-test -E dangerous -s proxy
Some tests failed though - those failed before too, so I guess it is a problem of my VM or the tests 00 and 02 must be reworked.

OK: manual test:

root@slave45:~# DEBIAN_FRONTEND=noninteractive apt-get install --reinstall squid3
root@slave45:~# dpkg -l squid3
ii  squid3                   3.1.20-2.2.24.201

root@slave45:~# /etc/init.d/apache2 stop
root@slave45:~# cp /etc/squid3/local.conf /etc/squid3/local.conf.backup
root@slave45:~# vi /etc/squid3/local.conf
------------------------------------------------------------------
https_port 443 cert=/etc/univention/ssl/slave45.uni.dtr/cert.pem key=/etc/univention/ssl/slave45.uni.dtr/private.key defaultsite=www.debian.org vhost
cache_peer 130.89.148.14 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost

acl myNetwork src 10.200.3.0/24
http_access allow myNetwork
cache_peer_access myHost allow myNetwork
------------------------------------------------------------------
root@slave45:~# ucr set squid/allowfrom=10.200.3.0/24
root@slave45:~# service squid3 restart


root@master43:~# wget --no-check-certificate -q https://10.200.3.45 -O - | grep '<title>' 
  <title>Debian -- The Universal Operating System </title>
Comment 3 Janek Walkenhorst univentionstaff 2017-01-25 13:48:39 CET
<http://errata.software-univention.de/ucs/4.1/380.html>
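
The mismatch behind this report (a configuration using https_port and an ssl cache_peer on a build without SSL support) can be checked mechanically before an erratum is released. The following is an added example, not part of the bug report or of Univention's tooling. It assumes that an SSL-enabled Squid 3.1 build lists --enable-ssl in the "configure options:" line of `squid3 -v`; the function names and the sample version lines are constructed for illustration.

```shell
# Added example (not Univention code). Assumption: an SSL-enabled Squid 3.1
# build lists --enable-ssl in the "configure options:" line of `squid3 -v`.

# build_has_ssl: reads `squid3 -v` output on stdin; status 0 if built with SSL.
build_has_ssl() {
    grep -i '^configure options:' |
        grep -Eq -e '--enable-ssl([^-[:alnum:]]|$)'   # match the whole flag only
}

# config_ssl_lines FILE: print active directives that need SSL support:
# every https_port line and every cache_peer line carrying the "ssl" option.
config_ssl_lines() {
    awk '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        $1 == "https_port" { print NR ": " $0; next }
        $1 == "cache_peer" {
            for (i = 2; i <= NF; i++)
                if ($i == "ssl") { print NR ": " $0; next }
        }' "$1"
}

# check_ssl_regression VERSION_FILE CONF_FILE
# status 0: consistent; status 1: config needs SSL but the build lacks it.
check_ssl_regression() {
    needed=$(config_ssl_lines "$2")
    if [ -z "$needed" ]; then return 0; fi
    if build_has_ssl < "$1"; then return 0; fi
    echo "SSL directives present but build lacks --enable-ssl:" >&2
    echo "$needed" >&2
    return 1
}

# write_samples DIR: constructed inputs. The two version files are made up;
# the config lines are the ones shown in comment 2.
write_samples() {
    printf "%s\n" "Squid Cache: Version 3.1.20" \
        "configure options:  '--prefix=/usr' '--enable-ssl'" > "$1/with_ssl.txt"
    printf "%s\n" "Squid Cache: Version 3.1.20" \
        "configure options:  '--prefix=/usr' '--enable-esi'" > "$1/no_ssl.txt"
    cat > "$1/local.conf" <<'EOF'
https_port 443 cert=/etc/univention/ssl/slave45.uni.dtr/cert.pem key=/etc/univention/ssl/slave45.uni.dtr/private.key defaultsite=www.debian.org vhost
cache_peer 130.89.148.14 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost
acl myNetwork src 10.200.3.0/24
EOF
}

# On a live host:
#   squid3 -v > /tmp/squid-v.txt
#   check_ssl_regression /tmp/squid-v.txt /etc/squid3/local.conf
```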