Activity log for bug #1738412

Date Who What changed Old value New value Message
2017-12-15 13:24:50 Tommy Nevtelen bug added bug
2017-12-15 13:24:50 Tommy Nevtelen attachment added Fixing it https://bugs.launchpad.net/bugs/1738412/+attachment/5022981/+files/squid.rc.patch
2017-12-15 16:20:37 Ubuntu Foundations Team Bug Bot tags patch
2017-12-15 16:20:43 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Review Team
2018-01-02 14:16:26 Christian Ehrhardt bug added subscriber Ubuntu Server Team
2018-01-02 14:17:27 Christian Ehrhardt bug added subscriber Robie Basak
2018-01-02 14:17:30 Christian Ehrhardt bug added subscriber ChristianEhrhardt
2018-01-02 14:39:25 Robie Basak nominated for series Ubuntu Zesty
2018-01-02 14:39:25 Robie Basak bug task added squid3 (Ubuntu Zesty)
2018-01-02 14:39:25 Robie Basak nominated for series Ubuntu Xenial
2018-01-02 14:39:25 Robie Basak bug task added squid3 (Ubuntu Xenial)
2018-01-02 14:39:32 Robie Basak squid3 (Ubuntu): status New Fix Released
2018-01-02 14:39:36 Robie Basak squid3 (Ubuntu Xenial): status New Triaged
2018-01-02 14:39:39 Robie Basak squid3 (Ubuntu Zesty): status New Triaged
2018-01-02 14:39:42 Robie Basak squid3 (Ubuntu Xenial): importance Undecided Medium
2018-01-02 14:39:45 Robie Basak squid3 (Ubuntu Zesty): importance Undecided Medium
2018-10-29 18:27:05 Andreas Hasenack squid3 (Ubuntu Zesty): status Triaged Won't Fix
2018-10-29 18:57:07 Andreas Hasenack squid3 (Ubuntu Xenial): assignee Andreas Hasenack (ahasenack)
2018-10-29 18:57:10 Andreas Hasenack squid3 (Ubuntu Xenial): status Triaged In Progress
2018-10-29 19:33:47 Andreas Hasenack description

Old value:

This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.

New value:

[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug.

[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-29 19:42:27 Andreas Hasenack description

Old value:

[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug.

[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.

New value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-29 19:58:13 Andreas Hasenack description

Old value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.

New value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* install squid:
sudo apt update && sudo apt install squid -y

* confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$

* add an invalid setting to the config file:
echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf

* reload squid one more time:
sudo service squid reload

* After about 10s, squid should be dead and service squid status should show errors:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
ubuntu@xenial-squid-reload-syntax:~$
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
(...)
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-29 20:15:23 Andreas Hasenack description

Old value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* install squid:
sudo apt update && sudo apt install squid -y

* confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$

* add an invalid setting to the config file:
echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf

* reload squid one more time:
sudo service squid reload

* After about 10s, squid should be dead and service squid status should show errors:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
ubuntu@xenial-squid-reload-syntax:~$
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
(...)
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.

New value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* install squid:
sudo apt update && sudo apt install squid -y

* confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$

* add an invalid setting to the config file:
echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf

* reload squid one more time:
sudo service squid reload

* After about 10s, squid should be dead and service squid status should show errors:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
ubuntu@xenial-squid-reload-syntax:~$
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
(...)
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures

With the fixed package, a reload action (for example) will flag the error, and keep the service running:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details.
ubuntu@xenial-squid-reload-syntax:~$ echo $?
1
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801

And the status message will be much clearer:
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
...
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x.
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense'
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-30 12:22:59 Andreas Hasenack description

Old value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* install squid:
sudo apt update && sudo apt install squid -y

* confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$

* add an invalid setting to the config file:
echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf

* reload squid one more time:
sudo service squid reload

* After about 10s, squid should be dead and service squid status should show errors:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
ubuntu@xenial-squid-reload-syntax:~$
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
(...)
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures

With the fixed package, a reload action (for example) will flag the error, and keep the service running:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details.
ubuntu@xenial-squid-reload-syntax:~$ echo $?
1
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801

And the status message will be much clearer:
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
...
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x.
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense'
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.

New value:

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* install squid:
sudo apt update && sudo apt install squid -y

* confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$

* add an invalid setting to the config file:
echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf

* reload squid one more time:
sudo service squid reload

* After about 30s, squid should be dead and service squid status should show errors:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
ubuntu@xenial-squid-reload-syntax:~$
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
(...)
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures

With the fixed package, a reload action (for example) will flag the error, and keep the service running:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details.
ubuntu@xenial-squid-reload-syntax:~$ echo $?
1
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801

And the status message will be much clearer:
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
...
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x.
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense'
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-30 13:21:07 Andreas Hasenack description [Impact] The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken. There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error. The change fixes the expression that is looked for, restoring the functionality of the guard.
[Test Case] * install squid: sudo apt update && sudo apt install squid -y * confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ * add an invalid setting to the config file: echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf * reload squid one more time: sudo service squid reload * After about 30s, squid should be dead and service squid status should show errors: ubuntu@xenial-squid-reload-syntax:~$ pidof squid ubuntu@xenial-squid-reload-syntax:~$ ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x (...) Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1 Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures With the fixed package, a reload action (for example) will flag the error, and keep the service running: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details. ubuntu@xenial-squid-reload-syntax:~$ echo $? 1 ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 And the status message will be much clearer: ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x ... 
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x. Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense' Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3 Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x. [Regression Potential] This changes not only the reload action, but also start and consequently restart. The fix makes an existing safety net around those actions actually work, instead of being ignored. Due to the lack of an explicit restart action in systemd, however, the restart guard in the SysV initscript doesn't take effect. If there is a bad config, and squid is restarted, the service will be in a stopped state at the end: - stop will succeed - start will fail: service remains stopped There is an upstream bug about it: https://github.com/systemd/systemd/issues/2175 This is not a regression, however, as it's the same behavior as before. We can't add the safety net around stop, and there is no way that I know of to discover if the stop action being carried out is part of a restart or not. [Other Info]  * Anything else you think is useful to include  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board  * and address these questions in advance [Original Description] This is a very serious issue that got fixed upstream in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341 It is also logged in the Ubuntu changelog as fixed in: squid3 (3.5.12-1) unstable; urgency=medium   [ Mathieu Parent ]   * Fix FATAL parsing before start/reload/restart (Closes: #800341) But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. 
squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix. I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-30 13:30:15 Andreas Hasenack description [Impact] The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken. There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":").
The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error. The change fixes the expression that is looked for, restoring the functionality of the guard. [Test Case] * install squid: sudo apt update && sudo apt install squid -y * confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ * add an invalid setting to the config file: echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf * reload squid one more time: sudo service squid reload * After about 30s, squid should be dead and service squid status should show errors: ubuntu@xenial-squid-reload-syntax:~$ pidof squid ubuntu@xenial-squid-reload-syntax:~$ ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x (...) Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1 Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures With the fixed package, a reload action (for example) will flag the error, and keep the service running: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details. ubuntu@xenial-squid-reload-syntax:~$ echo $? 
1 ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 And the status message will be much clearer: ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x ... Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x. Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense' Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3 Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x. [Regression Potential] This changes not only the reload action, but also start and consequently restart. The fix makes an existing safety net around those actions actually work, instead of being ignored. Due to the lack of an explicit restart action in systemd, however, the restart guard in the SysV initscript doesn't take effect. If there is a bad config, and squid is restarted, the service will be in a stopped state at the end: - stop will succeed - start will fail: service remains stopped There is an upstream bug about it: https://github.com/systemd/systemd/issues/2175 This is not a regression, however, as it's the same behavior as before. [Other Info]  * Anything else you think is useful to include  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board  * and address these questions in advance [Original Description] This is a very serious issue that got fixed upstream in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341 It is also logged in the Ubuntu changelog as fixed in: squid3 (3.5.12-1) unstable; urgency=medium   [ Mathieu Parent ]   * Fix FATAL parsing before start/reload/restart (Closes: #800341) But is in fact not fixed. 
When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix. I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-30 13:43:05 Andreas Hasenack description [Impact] The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken. There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error. The change fixes the expression that is looked for, restoring the functionality of the guard.
[Test Case] * install squid: sudo apt update && sudo apt install squid -y * confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ * add an invalid setting to the config file: echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf * reload squid one more time: sudo service squid reload * After about 30s, squid should be dead and service squid status should show errors: ubuntu@xenial-squid-reload-syntax:~$ pidof squid ubuntu@xenial-squid-reload-syntax:~$ ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x (...) Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1 Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures With the fixed package, a reload action (for example) will flag the error, and keep the service running: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details. ubuntu@xenial-squid-reload-syntax:~$ echo $? 1 ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 And the status message will be much clearer: ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x ... 
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x. Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense' Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3 Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x. [Regression Potential] This changes not only the reload action, but also start and consequently restart. The fix makes an existing safety net around those actions actually work, instead of being ignored. Due to the lack of an explicit restart action in systemd, however, the restart guard in the SysV initscript doesn't take effect. If there is a bad config, and squid is restarted, the service will be in a stopped state at the end: - stop will succeed - start will fail: service remains stopped There is an upstream bug about it: https://github.com/systemd/systemd/issues/2175 This is not a regression, however, as it's the same behavior as before, but it will have an interesting consequence in package upgrades. With the old package, admins upgrading squid to a newer version while having a syntax error in their configs will end up with a stopped service, but no notification of that, since the restart postinst action will exit 0. With the new package, the same scenario will trigger an upgrade failure like this: dpkg: error processing package squid (--configure): subprocess installed post-installation script returned error exit status 1 Processing triggers for systemd (229-4ubuntu21.5) ... Processing triggers for ureadahead (0.100.0-19) ... 
Errors were encountered while processing: squid E: Sub-process /usr/bin/dpkg returned an error code (1) So the end result is the same as before, in the sense that squid won't be running after the upgrade, but now it will be clear. I expect this can trigger some apport bug reports, though. [Other Info]  * Anything else you think is useful to include  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board  * and address these questions in advance [Original Description] This is a very serious issue that got fixed upstream in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341 It is also logged in the Ubuntu changelog as fixed in: squid3 (3.5.12-1) unstable; urgency=medium   [ Mathieu Parent ]   * Fix FATAL parsing before start/reload/restart (Closes: #800341) But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix. I'm including a patch to fix this issue. Please push this out ASAP.
2018-10-30 13:49:07 Andreas Hasenack description [Impact] The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting. This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken. There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error. The change fixes the expression that is looked for, restoring the functionality of the guard. [Test Case] * install squid: sudo apt update && sudo apt install squid -y * confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload ubuntu@xenial-squid-reload-syntax:~$ pidof squid 2684 ubuntu@xenial-squid-reload-syntax:~$ * add an invalid setting to the config file: echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf * reload squid one more time: sudo service squid reload * After about 30s, squid should be dead and service squid status should show errors: ubuntu@xenial-squid-reload-syntax:~$ pidof squid ubuntu@xenial-squid-reload-syntax:~$ ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x (...) 
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1 Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures With the fixed package, a reload action (for example) will flag the error, and keep the service running: ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details. ubuntu@xenial-squid-reload-syntax:~$ echo $? 1 ubuntu@xenial-squid-reload-syntax:~$ pidof squid 3801 And the status message will be much clearer: ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status ● squid.service - LSB: Squid HTTP Proxy version 3.x ... Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x. Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense' Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3 Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x. [Regression Potential] This changes not only the reload action, but also start and consequently restart. The fix makes an existing safety net around those actions actually work, instead of being ignored. Due to the lack of an explicit restart action in systemd, however, the restart guard in the SysV initscript doesn't take effect. 
If there is a bad config, and squid is restarted, the service will be in a stopped state at the end: - stop will succeed - start will fail: service remains stopped There is an upstream bug about it: https://github.com/systemd/systemd/issues/2175 This is not a regression, however, as it's the same behavior as before, but it will have an interesting consequence in package upgrades. With the old package, admins upgrading squid to a newer version while having a syntax error in their configs will end up with a stopped service, but no notification of that, since the restart postinst action will exit 0. With the new package, the same scenario will trigger an upgrade failure like this: dpkg: error processing package squid (--configure): subprocess installed post-installation script returned error exit status 1 Processing triggers for systemd (229-4ubuntu21.5) ... Processing triggers for ureadahead (0.100.0-19) ... Errors were encountered while processing: squid E: Sub-process /usr/bin/dpkg returned an error code (1) So the end result is the same as before, in the sense that squid won't be running after the upgrade, but now it will be clear. I expect this can trigger some apport bug reports, though. [Other Info]  * Anything else you think is useful to include  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board  * and address these questions in advance [Original Description] This is a very serious issue that got fixed upstream in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341 It is also logged in the Ubuntu changelog as fixed in: squid3 (3.5.12-1) unstable; urgency=medium   [ Mathieu Parent ]   * Fix FATAL parsing before start/reload/restart (Closes: #800341) But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix. 
I'm including a patch to fix this issue. Please push this out ASAP.

[Impact]
The squid initscript has a guard against configuration mistakes that prevents the service from being disrupted if the current config has an invalid setting.

This guard relies on the "squid -k parse" command which analyzes the configuration and, in the case of a fatal problem, outputs the string "FATAL: <reason>". The initscript parses that output to catch such errors before further action is taken.

There is a mistake in the expression that is looked for, though: instead of "FATAL: ", the initscript is looking for "FATAL " (i.e., no ":"). The consequence is that actions that would reload or restart the service end up shutting the service down in the case of a configuration error.

The change fixes the expression that is looked for, restoring the functionality of the guard.

[Test Case]
* install squid:
sudo apt update && sudo apt install squid -y

* confirm the reload action is quick to return and doesn't change the pid of squid, i.e., it's not restarted:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
2684
ubuntu@xenial-squid-reload-syntax:~$

* add an invalid setting to the config file:
echo "acl nonsense nonsense nonsense" | sudo tee -a /etc/squid/squid.conf

* reload squid one more time:
sudo service squid reload

* After about 30s, squid should be dead and service squid status should show errors:
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
ubuntu@xenial-squid-reload-syntax:~$
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
(...)
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 started
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 exited with status 1
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Squid Parent: (squid-1) process 2881 will not be restarted due to repeated, frequent failures
Oct 29 19:56:26 xenial-squid-reload-syntax squid[2684]: Exiting due to repeated, frequent failures

With the fixed package, a reload action (for example) will flag the error, and keep the service running:

ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801
ubuntu@xenial-squid-reload-syntax:~$ sudo service squid reload
Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details.
ubuntu@xenial-squid-reload-syntax:~$ echo $?
1
ubuntu@xenial-squid-reload-syntax:~$ pidof squid
3801

And the status message will be much clearer:

ubuntu@xenial-squid-reload-syntax:~$ sudo service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
...
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reloading LSB: Squid HTTP Proxy version 3.x.
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: * FATAL: Invalid ACL type 'nonsense'
Oct 29 20:13:26 xenial-squid-reload-syntax squid[3920]: FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: squid.service: Control process exited, code=exited status=3
Oct 29 20:13:26 xenial-squid-reload-syntax systemd[1]: Reload failed for LSB: Squid HTTP Proxy version 3.x.

[Regression Potential]
This changes not only the reload action, but also start and consequently restart. The fix makes an existing safety net around those actions actually work, instead of being ignored.

Due to the lack of an explicit restart action in systemd, however, the restart guard in the SysV initscript doesn't take effect.
If there is a bad config, and squid is restarted, the service will be in a stopped state at the end:
- stop will succeed
- start will fail: service remains stopped

There is an upstream bug about it: https://github.com/systemd/systemd/issues/2175

This is not a regression, however, as it's the same behavior as before, but it will have an interesting consequence in package upgrades.

With the old package, admins upgrading squid to a newer version while having a syntax error in their configs will end up with a stopped service, but no notification of that, since the restart postinst action will exit 0.

With the new package, the same scenario will trigger an upgrade failure like this:

dpkg: error processing package squid (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (229-4ubuntu21.5) ...
Processing triggers for ureadahead (0.100.0-19) ...
Errors were encountered while processing:
 squid
E: Sub-process /usr/bin/dpkg returned an error code (1)

So the end result is the same as before, in the sense that squid won't be running after the upgrade, but now it will be clear. I expect this can trigger some apport bug reports, though.

[Other Info]
Not at this time.

[Original Description]
This is a very serious issue that got fixed upstream in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800341

It is also logged in the Ubuntu changelog as fixed in:

squid3 (3.5.12-1) unstable; urgency=medium
  [ Mathieu Parent ]
  * Fix FATAL parsing before start/reload/restart (Closes: #800341)

But is in fact not fixed. When I look in the source package I find two init scripts: squid3.rc and squid.rc. squid3.rc has the patch while squid.rc does not. The one being included in the package and deployed is the one that does not have the fix.

I'm including a patch to fix this issue. Please push this out ASAP.
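
A model of the guard described under [Impact], added here as an example; it is not the packaged squid.rc and not code from the bug's patch. The function names find_fatal and guarded_reload are hypothetical, return status 3 follows the control-process status in the log above, and the parser output is a constructed sample built from the two FATAL lines in the test case.

```shell
#!/bin/sh
# Added example: a model of the guard, not the packaged squid.rc.
# find_fatal and guarded_reload are hypothetical names.

# Constructed sample of parser output for the test case's invalid line;
# the two FATAL lines are the ones shown in the status output above.
BAD_PARSE_OUTPUT="FATAL: Invalid ACL type 'nonsense'
FATAL: Bungled /etc/squid/squid.conf line 7897: acl nonsense nonsense nonsense"

# Constructed sample for a config with no fatal error.
GOOD_PARSE_OUTPUT="constructed: configuration parsed cleanly"

# find_fatal PATTERN OUTPUT
# Print the first line of OUTPUT that contains the fixed string PATTERN.
# Exit status 0 if such a line exists, 1 otherwise.
find_fatal() {
    printf '%s\n' "$2" | grep -F -m 1 -- "$1"
}

# guarded_reload PATTERN OUTPUT
# Refuse the action (return 3, the control-process status in the log above)
# when the guard matches; otherwise let the reload go ahead (return 0).
guarded_reload() {
    if reason=$(find_fatal "$1" "$2"); then
        echo "guard tripped, service left untouched: $reason" >&2
        return 3
    fi
    echo "guard passed, reload would be sent to the running squid" >&2
    return 0
}

# 'FATAL ' is the expression without the colon; 'FATAL: ' is the corrected one.
for pattern in 'FATAL ' 'FATAL: '; do
    rc=0
    guarded_reload "$pattern" "$BAD_PARSE_OUTPUT" || rc=$?
    echo "pattern '$pattern' on the bad config: status $rc"
done
```

With the colon-less expression the guard never matches, so it fails open: the bad config reaches the running service, which is the outage the test case reproduces.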
2018-10-30 21:29:29 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/358050
2018-10-31 17:26:45 Robie Basak squid3 (Ubuntu Xenial): status In Progress Fix Committed
2018-10-31 17:26:48 Robie Basak bug added subscriber Ubuntu Stable Release Updates Team
2018-10-31 17:26:49 Robie Basak bug added subscriber SRU Verification
2018-10-31 17:26:53 Robie Basak tags patch patch verification-needed verification-needed-xenial
2018-11-12 19:09:26 Andreas Hasenack tags patch verification-needed verification-needed-xenial patch verification-done-xenial verification-needed
2018-11-13 15:45:42 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2018-11-13 15:45:54 Launchpad Janitor squid3 (Ubuntu Xenial): status Fix Committed Fix Released