| 2016-03-22 10:35:07 |
Goacid |
bug |
|
|
added bug |
| 2016-12-03 02:29:55 |
Amos Jeffries |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473 |
|
| 2016-12-03 02:29:55 |
Amos Jeffries |
bug task added |
|
squid3 (Debian) |
|
| 2016-12-03 02:30:36 |
Amos Jeffries |
bug watch added |
|
http://bugs.squid-cache.org/show_bug.cgi?id=4004 |
|
| 2016-12-03 02:30:36 |
Amos Jeffries |
bug task added |
|
squid |
|
| 2016-12-03 02:41:25 |
Bug Watch Updater |
squid3 (Debian): status |
Unknown |
Confirmed |
|
| 2016-12-05 07:26:08 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2016-12-19 06:58:12 |
Bug Watch Updater |
squid3 (Debian): status |
Confirmed |
Fix Released |
|
| 2017-07-04 20:45:42 |
Andreas Hasenack |
squid3 (Ubuntu): status |
New |
Confirmed |
|
| 2017-07-05 13:48:42 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/326857 |
|
| 2017-07-05 13:49:03 |
Andreas Hasenack |
squid3 (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2017-07-05 13:49:07 |
Andreas Hasenack |
squid3 (Ubuntu): status |
Confirmed |
In Progress |
|
| 2017-07-05 13:49:10 |
Andreas Hasenack |
squid3 (Ubuntu): importance |
Undecided |
Medium |
|
| 2017-07-05 13:50:19 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-07-05 13:50:19 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Yakkety |
|
| 2017-07-05 13:50:19 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Trusty |
|
| 2017-07-05 13:51:11 |
Robie Basak |
bug task added |
|
squid3 (Ubuntu Trusty) |
|
| 2017-07-05 13:51:18 |
Robie Basak |
bug task added |
|
squid3 (Ubuntu Xenial) |
|
| 2017-07-05 13:51:26 |
Robie Basak |
bug task added |
|
squid3 (Ubuntu Yakkety) |
|
| 2017-07-05 13:52:19 |
Andreas Hasenack |
squid3 (Ubuntu Yakkety): status |
New |
In Progress |
|
| 2017-07-05 13:52:21 |
Andreas Hasenack |
squid3 (Ubuntu Yakkety): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2017-07-05 13:52:24 |
Andreas Hasenack |
squid3 (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
| 2017-07-05 14:07:31 |
Andreas Hasenack |
squid3 (Ubuntu Xenial): status |
New |
In Progress |
|
| 2017-07-05 14:07:33 |
Andreas Hasenack |
squid3 (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2017-07-05 14:07:35 |
Andreas Hasenack |
squid3 (Ubuntu Xenial): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2017-07-05 14:08:41 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/326860 |
|
| 2017-07-07 14:35:50 |
Andreas Hasenack |
description |
Ubuntu 14.04 LTS
Squid3 3.3.8-1ubuntu6.6
Same bug report than https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473 |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
|
| 2017-07-07 14:45:03 |
Andreas Hasenack |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
|
| 2017-07-07 15:00:19 |
Andreas Hasenack |
description |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
|
| 2017-07-07 15:05:07 |
Andreas Hasenack |
description |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
|
| 2017-07-07 15:15:49 |
Andreas Hasenack |
description |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
|
| 2017-07-10 13:09:08 |
Andreas Hasenack |
squid3 (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2017-07-10 13:09:12 |
Andreas Hasenack |
squid3 (Ubuntu Trusty): importance |
Undecided |
Medium |
|
| 2017-07-25 14:31:08 |
Robie Basak |
squid3 (Ubuntu Yakkety): status |
In Progress |
Won't Fix |
|
| 2017-07-25 14:31:49 |
Robie Basak |
squid3 (Ubuntu): status |
In Progress |
Fix Released |
|
| 2017-07-25 15:42:46 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-07-26 13:51:53 |
Chris J Arges |
squid3 (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2017-07-26 13:51:57 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
| 2017-07-26 13:51:59 |
Chris J Arges |
tags |
|
verification-needed verification-needed-xenial |
|
| 2017-08-03 13:35:53 |
Andreas Hasenack |
description |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
- restart proftpd: sudo service proftpd restart
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
|
| 2017-08-03 13:38:29 |
Andreas Hasenack |
description |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
- restart proftpd: sudo service proftpd restart
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
- restart proftpd: sudo service proftpd restart
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- restart squid: sudo service squid restart
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
|
| 2017-08-03 13:40:35 |
Andreas Hasenack |
description |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
- restart proftpd: sudo service proftpd restart
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25039736/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- restart squid: sudo service squid restart
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/squid.conf and restarting the service:
ftp_eprt off
[Test Case]
- setup a xenial machine/lxd with proftpd configured like this (/etc/proftpd/proftpd.conf):
http://pastebin.ubuntu.com/25039718/
- restart proftpd: sudo service proftpd restart
Alternatively, setup any anonymout ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test in another machine/lxd.
- configure /etc/squid/squid.conf like this: http://pastebin.ubuntu.com/25233360/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- restart squid: sudo service squid restart
- access the ftp server via the squid proxy:
$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you setup)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 11:58:16-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/squid/cache.log shows a squid restart with a new PID:
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null -t1
--2017-07-07 12:04:14-- ftp://xenial-proftpd.lxd/readme.txt
Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian upted to upgrade to 3.5.23 in their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts. |
|
| 2017-08-03 13:48:12 |
Andreas Hasenack |
tags |
verification-needed verification-needed-xenial |
verification-done-xenial verification-needed |
|
| 2017-08-03 16:14:07 |
Launchpad Janitor |
squid3 (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2017-08-03 16:14:12 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-10-13 13:31:34 |
Athos Ribeiro |
squid3 (Ubuntu Trusty): status |
Confirmed |
Won't Fix |
|
