Your message dated Wed, 28 Jan 2015 12:19:40 +0000
with message-id <[email protected]>
and subject line Bug#776463: fixed in squid3 3.4.8-6
has caused the Debian Bug report #776463,
regarding squid3: Excessive memory and CPU consumption when performing NTLM or Negotiate authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
776463: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776463
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: squid3
Version: 3.4.8-5
Severity: grave
Tags: patch upstream

Upstream fixed an issue with NTLM and Negotiate authentication helpers that can result in excessive CPU and memory consumption.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages squid3 depends on:
ii  adduser                  3.113+nmu3
ii  libc6                    2.19-13
ii  libcap2                  1:2.24-6
ii  libcomerr2               1.42.12-1
ii  libdb5.3                 5.3.28-9
ii  libecap2                 0.2.0-3
ii  libexpat1                2.1.0-6+b3
ii  libgcc1                  1:4.9.2-10
ii  libgssapi-krb5-2         1.12.1+dfsg-16
ii  libk5crypto3             1.12.1+dfsg-16
ii  libkrb5-3                1.12.1+dfsg-16
ii  libldap-2.4-2            2.4.40-3
ii  libltdl7                 2.4.2-1.11
ii  libnetfilter-conntrack3  1.0.4-1
ii  libnettle4               2.7.1-5
ii  libpam0g                 1.1.8-3.1
ii  libsasl2-2               2.1.26.dfsg1-12
ii  libstdc++6               4.9.2-10
ii  libxml2                  2.9.2+dfsg1-1+b1
ii  logrotate                3.8.7-1+b1
ii  lsb-base                 4.1+Debian13+nmu1
ii  netbase                  5.3
ii  squid3-common            3.4.8-5

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   <none>
ii  smbclient    2:4.1.13+dfsg-4
pn  squid-cgi    <none>
pn  squid-purge  <none>
pn  squidclient  <none>
pn  ufw          <none>
pn  winbindd     <none>

-- no debconf information
------------------------------------------------------------
revno: 13210
revision-id: [email protected]
parent: [email protected]
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3997
author: Amos Jeffries <[email protected]>, Steve Hill <[email protected]>
committer: Amos Jeffries <[email protected]>
branch nick: 3.4
timestamp: Sun 2015-01-18 03:02:13 -0800
message:
  Bug 3997: Excessive NTLM or Negotiate auth helper annotations
  
  With the transaction annotations feature added in Squid-3.4 auth
  helper response values get recorded as annotations. In the case
  of NTLM and Negotiate authentication the helper response contains
  a large credentials token which changes frequently.
  
  Also, user credentials state is cached. In the case of NTLM and
  Negotiate the active credentials are cached in the TCP connection
  state data, but also for the cache mgr helper reports make use of
  caching in a global username cache.
  
  When these two features are combined, the global username cache
  for mgr reporting accumulates all TCP connection specific
  token= values presented by the client on all its connections, and
  any changes to the token over its lifetime.
  
  The result is that for users performing either many transactions,
  or staying connected for long periods the memory consumption from
  unnecessarily stored tokens is excessive. When clients do both the
  machine memory can be consumed, and the CPU can reach 100%
  consumption just walking the annotations lists during regular
  operations.
  
  To fix this we drop the security credentials tokens from cached
  annotations list in NTLM and Negotiate. Digest is also included;
  though its HA1 token value is static, it has similar privacy issues
  related to storage.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: [email protected]
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: a0115b5c42386ae4597d9e9c8e8842571c1fca1f
# timestamp: 2015-01-18 11:50:54 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: [email protected]\
#   g92c3d0w5sbsccj1
# 
# Begin patch
=== modified file 'src/Notes.cc'
--- src/Notes.cc	2014-05-02 07:51:33 +0000
+++ src/Notes.cc	2015-01-18 11:02:13 +0000
@@ -189,6 +189,21 @@
 }
 
 void
+NotePairs::remove(const char *key)
+{
+    Vector<NotePairs::Entry *>::iterator i = entries.begin();
+    while (i != entries.end()) {
+        if ((*i)->name.cmp(key) == 0) {
+            NotePairs::Entry *e = (*i);
+            entries.prune(e);
+            delete e;
+            i = entries.begin(); // vector changed underneath us
+        } else
+            ++i;
+    }
+}
+
+void
 NotePairs::addStrList(const char *key, const char *values)
 {
     String strValues(values);
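Review bot: `i = entries.begin()` after every `prune` makes `NotePairs::remove` quadratic in the number of matching entries, and its first invocation on an upgraded proxy runs against exactly the user caches this bug is about (thousands of accumulated `token=` notes per user). A single compaction pass (move the non-matching pointers into a new Vector, `delete` the matching ones, then swap) or an erase that yields the next valid iterator keeps it linear; the "vector changed underneath us" comment would then no longer be needed.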

=== modified file 'src/Notes.h'
--- src/Notes.h	2014-05-02 07:51:33 +0000
+++ src/Notes.h	2015-01-18 11:02:13 +0000
@@ -155,6 +155,11 @@
     void add(const char *key, const char *value);
 
     /**
+     * Remove all notes with a given key.
+     */
+    void remove(const char *key);
+
+    /**
      * Adds a note key and values strList to the notes list.
      * If the key name already exists in list, add the new values to its set
      * of values.
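Review bot: the new doc comment should state the matching rule and the ownership effect, since the auth callers rely on it to scrub secrets: every entry whose name compares equal to `key` via `name.cmp` is unlinked and `delete`d, and a key that differs in spelling is kept. Suggest: "Remove and delete all notes whose key exactly matches the given key."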

=== modified file 'src/auth/digest/UserRequest.cc'
--- src/auth/digest/UserRequest.cc	2014-03-05 02:48:25 +0000
+++ src/auth/digest/UserRequest.cc	2015-01-18 11:02:13 +0000
@@ -298,6 +298,8 @@
     // add new helper kv-pair notes to the credentials object
     // so that any transaction using those credentials can access them
     auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+    // remove any private credentials detail which got added.
+    auth_user_request->user()->notes.remove("ha1");
 
     static bool oldHelperWarningDone = false;
     switch (reply.result) {
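Review bot: the secret is copied before it is scrubbed: `appendNewOnly(&reply.notes)` places the helper's `ha1` value into the shared `user()->notes` and only the next line removes it, so filtering the private key out while copying would avoid writing it into the long-lived credentials object at all; note also that `reply.notes` still carries `ha1` after this point. The comment would be clearer naming the key: "ha1 is the Digest HA1 value returned by the helper; never keep it in the cached, mgr-visible notes."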

=== modified file 'src/auth/negotiate/UserRequest.cc'
--- src/auth/negotiate/UserRequest.cc	2013-11-29 10:55:53 +0000
+++ src/auth/negotiate/UserRequest.cc	2015-01-18 11:02:13 +0000
@@ -229,6 +229,8 @@
     // add new helper kv-pair notes to the credentials object
     // so that any transaction using those credentials can access them
     auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+    // remove any private credentials detail which got added.
+    auth_user_request->user()->notes.remove("token");
 
     Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
     assert(lm_request != NULL);
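Review bot: the same `remove(...)` pair of lines is added here, in ntlm and (with `ha1`) in digest, each scheme hard-coding its own private key name. Keeping the set of private keys in one place (a single scrub step next to `appendNewOnly`, or a per-scheme list) means a new helper key or a new scheme cannot silently skip the scrub. The placement is right: it runs unconditionally on every helper reply, before the per-request handling below.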

=== modified file 'src/auth/ntlm/UserRequest.cc'
--- src/auth/ntlm/UserRequest.cc	2013-11-29 10:55:53 +0000
+++ src/auth/ntlm/UserRequest.cc	2015-01-18 11:02:13 +0000
@@ -223,6 +223,8 @@
     // add new helper kv-pair notes to the credentials object
     // so that any transaction using those credentials can access them
     auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+    // remove any private credentials detail which got added.
+    auth_user_request->user()->notes.remove("token");
 
     Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
     assert(lm_request != NULL);
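Review bot: `remove("token")` is a deny-list of one key; anything else the helper returns is still cached per user and visible in mgr reports, so if a helper ever emits the credentials under another annotation name the growth and exposure described in the commit message return. An allow-list (keep only the keys the scheme explicitly expects) would be the more robust form; at minimum the comment should say why `token` is private (the NTLM/Negotiate credentials blob, which is per connection and changes on every round).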


--- End Message ---
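The accumulation the commit message describes, as an added model (not Squid's code): a per-user note list fed one fresh `token` per helper reply, with and without the fix's `remove("token")`. The `appendNewOnly` semantics used here (skip only pairs already present with the same key and value) is my reading of Squid's method and an assumption; the token strings are constructed.

```cpp
// Added model (not Squid code) of the annotation growth described in
// the commit message: a per-user note list that is only ever appended
// to, fed one fresh NTLM/Negotiate "token" value per helper reply.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

using Entry = std::pair<std::string, std::string>;  // (key, value)

struct Notes {
    std::vector<Entry> entries;

    // Assumed appendNewOnly semantics: copy a pair only if that exact
    // (key, value) pair is absent. A token that changes on every reply
    // is therefore always "new" and always appended.
    void appendNewOnly(const Notes &src) {
        for (const Entry &e : src.entries)
            if (std::find(entries.begin(), entries.end(), e) == entries.end())
                entries.push_back(e);
    }

    // Linear single-pass removal of every note with the given key
    // (the patch's remove() restarts from begin() after each erase).
    void remove(const std::string &key) {
        entries.erase(std::remove_if(entries.begin(), entries.end(),
                                     [&](const Entry &e) { return e.first == key; }),
                      entries.end());
    }
};

// Simulate `replies` helper replies for one user; each reply carries a
// fresh token plus a stable "group" annotation. With scrub=true the
// fix's remove("token") runs after every append. Returns the number of
// notes left in the per-user cache.
size_t simulate(int replies, bool scrub) {
    Notes user;
    for (int n = 0; n < replies; ++n) {
        Notes reply;
        reply.entries = {{"token", "TlRMTVNTUAAD-" + std::to_string(n)},  // constructed
                         {"group", "staff"}};                              // constructed
        user.appendNewOnly(reply);
        if (scrub)
            user.remove("token");
    }
    return user.entries.size();
}
```

Without the scrub the cache holds one entry per reply ever seen (1000 replies leave 1001 notes); with it the cache stays at the single stable annotation.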
--- Begin Message ---
Source: squid3
Source-Version: 3.4.8-6

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <[email protected]> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 28 Jan 2015 12:34:42 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: source all amd64
Version: 3.4.8-6
Distribution: unstable
Urgency: medium
Maintainer: Luigi Gangitano <[email protected]>
Changed-By: Luigi Gangitano <[email protected]>
Description:
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 742425 776461 776463 776464 776468
Changes:
 squid3 (3.4.8-6) unstable; urgency=medium
 .
   [ Luigi Gangitano <[email protected]> ]
   * debian/patches/31-squid-3.4-13199.patch
     - Added upstream patch fixing excessive CPU usage (Closes: #776461)
 .
   * debian/patches/32-squid-3.4-13210.patch
     - Added upstream patch fixing excessive CPU and memory usage in
       NTLM and Negotiate authentication helpers (Closes: #776463)
 .
   * debian/patches/33-squid-3.4-13211.patch
     - Added upstream patch fixing a possible replay vulnerability on Digest
       authentication (Closes: #776464)
 .
   * debian/patches/34-squid-3.4-13213.patch
     - Added upstream patch fixing incorrect security permissions for
       TOS/DiffServ packet marking (Closes: #776468)
 .
   * debian/patches/35-squid-3.4-13203.patch
     - Added upstream patch fixing squidclient unable to connect to host with
       both IPv4 and IPv6 addresses (Closes: #742425)

--- End Message ---
