BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap
Bug #1890265 reported by xavier
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squid3 (Debian) | Fix Released | Unknown | |
squid3 (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | High | Marc Deslauriers |
Bionic | Fix Released | High | Marc Deslauriers |
Bug Description
Using Ubuntu 18.04.
I had a squid config using c-icap to scan requests/responses using ClamAV.
It had been working OK for a long time.
Today, squid was (security) updated to 3.5.27-1ubuntu1.7 and now the connection to icap is broken.
This is the error in squid-cache.log:
2020/08/04 09:44:08 kid1| essential ICAP service is down after an options fetch failure: icap://
After downgrading to 3.5.27-1ubuntu1.6 it starts working again.
The icap service is working fine, tested with `c-icap-client -i 127.0.0.1 -p 1344 -s virus_scan`
Thanks.
CVE References
Changed in squid3 (Ubuntu Bionic):
status: New → Confirmed
Changed in squid3 (Ubuntu):
status: New → Triaged
Changed in squid3 (Ubuntu Bionic):
importance: Undecided → High
Changed in squid3 (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid3 (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid3 (Debian):
status: Unknown → New
Changed in squid3 (Ubuntu):
status: Triaged → Fix Released
Changed in squid3 (Debian):
status: New → Fix Released
I was about to read the code for the latest 2 included patches and @ahasenack warned me about:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965012
with current status:
"""
Hello Andreas,
thanks for your patience. I believe I have found the underlying problem.
It is a parsing issue in src/adaptation/icap/ModXact.cc and HttpMsg.cc.
2020/07/28 09:55:14.614 kid1| 58,3| HttpMsg.cc(184) parse:
HttpMsg::parse: cannot parse isolated headers in 'OPTIONS
icap://127.0.0.1:1344/virus_scan ICAP/1.0
To fix CVE-2019-12523 the urlParse function had to be updated to use the
new SBuf API for better access checks. However at one point in time
upstream no longer used this function to parse icap headers and
simply copied an already known url. I have attached the
CVE-2019-12523.patch. You can just replace it with the old one. If
everything works as expected I will upload this change as +deb9u3 shortly.
Regards,
Markus
"""
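
An added example, not part of the bug report and not code from Squid or c-icap: a minimal ICAP OPTIONS probe that confirms the ICAP service itself answers the `OPTIONS icap://…` request squid fails to parse, which separates a proxy-side regression from a dead scanner. The function names and the sample reply are constructed for illustration; the host, port and service name are the ones from the reporter's `c-icap-client` command.

```python
import socket

def build_options_request(host: str, port: int, service: str) -> bytes:
    """Build an ICAP OPTIONS request (RFC 3507) for icap://host:port/service."""
    lines = [
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0",
        f"Host: {host}:{port}",
        "Encapsulated: null-body=0",
        "", "",                      # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_options_response(raw: bytes) -> dict:
    """Parse the status line and headers; raise ValueError on a malformed reply."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"bad ICAP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    methods = [m.strip() for m in headers.get("methods", "").split(",") if m.strip()]
    return {"status": int(parts[1]), "methods": methods, "headers": headers}

def probe(host="127.0.0.1", port=1344, service="virus_scan", timeout=5.0) -> dict:
    """Send OPTIONS to a live ICAP server and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:            # server closed before finishing the headers
                break
            buf += chunk
    return parse_options_response(buf)

# Constructed sample reply (not captured from a real server).
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\n"
                b"Methods: RESPMOD, REQMOD\r\n"
                b"Options-TTL: 3600\r\n"
                b"Encapsulated: null-body=0\r\n\r\n")
```

Calling `probe()` on the proxy host and getting status 200 while squid still logs the options fetch failure points at squid's handling of the request rather than at the ICAP server.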