2016-03-23 14:17:55 |
Lukas Erlacher |
bug |
|
|
added bug |
2016-03-23 14:17:55 |
Lukas Erlacher |
attachment added |
|
First part of patch https://bugs.launchpad.net/bugs/1561007/+attachment/4608645/+files/fix-3769.patch |
|
2016-03-23 14:19:02 |
Lukas Erlacher |
attachment added |
|
fix-3769-2.patch https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1561007/+attachment/4608655/+files/fix-3769-2.patch |
|
2016-03-23 14:20:32 |
Lukas Erlacher |
description |
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
Based on the bzr commit fixing the bug (http://bazaar.launchpad.net/~squid/squid/3.4/revision/squid3@treenet.co.nz-20140212085229-edx2i4es622uo0gm) I made a patch. The diff of the bzr revision doesn't apply but the differences are solely due to cosmetic refactoring of method names in squid 3.4. I'm not familiar with the debian / ubuntu package maintenance tools so the patch ended up as a two-parter. |
NOTE: This bug is for trusty.
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
Based on the bzr commit fixing the bug (http://bazaar.launchpad.net/~squid/squid/3.4/revision/squid3@treenet.co.nz-20140212085229-edx2i4es622uo0gm) I made a patch. The diff of the bzr revision doesn't apply but the differences are solely due to cosmetic refactoring of method names in squid 3.4. I'm not familiar with the debian / ubuntu package maintenance tools so the patch ended up as a two-parter. |
|
2016-03-23 14:52:58 |
Robie Basak |
bug watch added |
|
http://bugs.squid-cache.org/show_bug.cgi?id=3769 |
|
2016-03-23 14:52:58 |
Robie Basak |
bug task added |
|
squid |
|
2016-03-23 14:53:26 |
Robie Basak |
nominated for series |
|
Ubuntu Trusty |
|
2016-03-23 14:53:26 |
Robie Basak |
bug task added |
|
squid3 (Ubuntu Trusty) |
|
2016-03-23 14:53:32 |
Robie Basak |
squid3 (Ubuntu): status |
New |
Fix Released |
|
2016-03-23 15:04:33 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server Team |
2016-03-24 00:22:22 |
Michael Hudson-Doyle |
description |
NOTE: This bug is for trusty.
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
Based on the bzr commit fixing the bug (http://bazaar.launchpad.net/~squid/squid/3.4/revision/squid3@treenet.co.nz-20140212085229-edx2i4es622uo0gm) I made a patch. The diff of the bzr revision doesn't apply but the differences are solely due to cosmetic refactoring of method names in squid 3.4. I'm not familiar with the debian / ubuntu package maintenance tools so the patch ended up as a two-parter. |
[Impact]
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
[Test Case]
TBD
[Regression Potential]
TBD |
|
2016-03-24 00:25:05 |
Michael Hudson-Doyle |
attachment added |
|
backoorted fix https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1561007/+attachment/4609124/+files/squid3_3.3.8-1ubuntu6.6_3.3.8-1ubuntu6.7.diff |
|
2016-03-24 00:26:52 |
Michael Hudson-Doyle |
bug |
|
|
added subscriber Michael Hudson-Doyle |
2016-03-24 07:09:09 |
Lukas Erlacher |
description |
[Impact]
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
[Test Case]
TBD
[Regression Potential]
TBD |
[Impact]
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
[Test Case]
1. Install squid3: apt-get install squid3
2. Observe that full client IP is logged to /var/log/squid/access.log
2. Add "client_netmask 255.255.0.0" to config
3. Observe that full client IP is still logged
4. Apply patch
5. Observe that only the first two octets of client IP are logged now.
[Regression Potential]
The fix is minimally invasive and adds only an interaction with the IP::Address class that was not present. It is also identical to upstream changes except for cosmetic refactoring done between the trusty version of squid3 and when the bug was fixed in upstream. |
|
2016-03-24 07:12:04 |
Lukas Erlacher |
description |
[Impact]
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
[Test Case]
1. Install squid3: apt-get install squid3
2. Observe that full client IP is logged to /var/log/squid/access.log
2. Add "client_netmask 255.255.0.0" to config
3. Observe that full client IP is still logged
4. Apply patch
5. Observe that only the first two octets of client IP are logged now.
[Regression Potential]
The fix is minimally invasive and adds only an interaction with the IP::Address class that was not present. It is also identical to upstream changes except for cosmetic refactoring done between the trusty version of squid3 and when the bug was fixed in upstream. |
[Impact]
http://www.squid-cache.org/mail-archive/squid-users/201403/0065.html:
> This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
releases to have no effect. The designed behaviour of masking client IPs
in logs is now restored.
Upstream issue tracker: http://bugs.squid-cache.org/show_bug.cgi?id=3769
In all versions of squid3 between 3.2 and 3.4.4 a pretty severe bug exists that disables the scrubbing of client IPs. Scrubbing of client IPs is extremely important for any privacy-aware and risk-aware provider.
[Test Case]
1. Install squid3: apt-get install squid3
2. Observe that full client IP is logged to /var/log/squid/access.log
2. Add "client_netmask 255.255.0.0" to config
3. Observe that full client IP is still logged
4. Apply patch
5. Observe that only the first two octets of client IP are logged now.
[Regression Potential]
The fix is minimally invasive and adds only an interaction with the IP::Address class that was not present in the current release. It is also identical to upstream changes except for cosmetic refactoring done between the trusty version of squid3 and when the bug was fixed in upstream.
Regression potential is therefore minimal. |
|
2021-09-29 15:19:51 |
Athos Ribeiro |
squid3 (Ubuntu Trusty): status |
New |
Won't Fix |
|
2021-10-20 15:13:57 |
Athos Ribeiro |
removed subscriber Ubuntu Server |
|
|
|