Package: squid3
Version: 3.4.8-6+deb8u1
Severity: important
Tags: upstream

Dear Maintainer,

In our campus, we use two levels of squid proxy.
computer<-->proxy2<-->proxy1<-->internet

proxy2 basically passes every request to proxy1 when the destination is
on the internet and makes direct requests when it is on the intranet.

cache_peer proxy1.tld parent 3128 0 no-query default login=PASS name=proxy1

proxy1 does require authentication.

When a computer requests any external https page without being previously
authenticated, proxy2 passes the CONNECT request to proxy1. Proxy1 replies
with an HTTP/407 response.
- Before the CVE-2015-5400 fix, proxy1 used to pass this response to the
computer and further communication ran normally.
- With the CVE-2015-5400 fix, proxy1 considers HTTP/407 an error and replies
to the computer with an HTTP/502 response, and further communication is
stopped.

I expect HTTP/407 to be passed to the computer (and maybe some other codes).

Note: this doesn't impact http, as http uses another method (GET).

Sincerely yours,
François

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages squid3 depends on:
ii  adduser                  3.113+nmu3
ii  libc6                    2.19-18+deb8u1
ii  libcap2                  1:2.24-8
ii  libcomerr2               1.42.12-1.1
ii  libdb5.3                 5.3.28-9
ii  libecap2                 0.2.0-3
ii  libexpat1                2.1.0-6+deb8u1
ii  libgcc1                  1:4.9.2-10
ii  libgssapi-krb5-2         1.12.1+dfsg-19
ii  libk5crypto3             1.12.1+dfsg-19
ii  libkrb5-3                1.12.1+dfsg-19
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u1
ii  libltdl7                 2.4.2-1.11
ii  libnetfilter-conntrack3  1.0.4-1
ii  libnettle4               2.7.1-5
ii  libpam0g                 1.1.8-3.1
ii  libsasl2-2               2.1.26.dfsg1-13
ii  libstdc++6               4.9.2-10
ii  libxml2                  2.9.1+dfsg1-5
ii  logrotate                3.8.7-1+b1
ii  lsb-base                 4.1+Debian13+nmu1
ii  netbase                  5.3
ii  squid3-common            3.4.8-6+deb8u1

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   <none>
ii  smbclient    2:4.1.17+dfsg-2
ii  squid-cgi    3.4.8-6+deb8u1
pn  squid-purge  <none>
pn  squidclient  <none>
pn  ufw          <none>
pn  winbindd     <none>

-- Configuration Files:
/etc/squid3/squid.conf changed [not included]

-- no debconf information
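
A small probe for the behaviour described in this report, added here as an illustration and not part of the original report or of Squid: it sends an unauthenticated CONNECT to a proxy and reports whether the 407 challenge reaches the client or is replaced by a 502. The function names, the default target and the loopback stub (constructed, standing in for the proxy the client talks to) are assumptions.

```python
import socket
import threading

def connect_status(proxy_host, proxy_port, target="example.org:443", timeout=5.0):
    """Send an unauthenticated CONNECT; return (status, Proxy-Authenticate value or None)."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        # Read only the response head; the body (error page) is irrelevant here.
        while b"\r\n\r\n" not in data and len(data) < 65536 and (chunk := sock.recv(4096)):
            data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    challenge = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            challenge = value.strip()
    return int(parts[1]), challenge

def classify(status, challenge):
    """Map the probe result onto the two behaviours described in the report."""
    if status == 407 and challenge:
        return "challenge relayed"          # client can retry with credentials
    if status == 502:
        return "challenge replaced by 502"  # client never sees the auth prompt
    return f"other ({status})"

def stub_proxy(status_line, headers=()):
    """Constructed loopback stand-in for a proxy: answers one request, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf and (chunk := conn.recv(4096)):
                buf += chunk
            reply = "\r\n".join([status_line, *headers, "Content-Length: 0", "", ""])
            conn.sendall(reply.encode("ascii"))
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port the stub listens on
```

Pointing `connect_status` at the child proxy's host and port (3128 in the `cache_peer` line above is the parent's port) gives the same classification against a real deployment.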
