Package: squid3 Version: 3.4.8-5 Severity: grave Tags: security patch upstream
Upstream fixed a security issue in digest_authentication that can allow disabled user or users with changed password to access the squid service with old credentials. See http://bugs.squid-cache.org/show_bug.cgi?id=4066 for upstream bug details. -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) Versions of packages squid3 depends on: ii adduser 3.113+nmu3 ii libc6 2.19-13 ii libcap2 1:2.24-6 ii libcomerr2 1.42.12-1 ii libdb5.3 5.3.28-9 ii libecap2 0.2.0-3 ii libexpat1 2.1.0-6+b3 ii libgcc1 1:4.9.2-10 ii libgssapi-krb5-2 1.12.1+dfsg-16 ii libk5crypto3 1.12.1+dfsg-16 ii libkrb5-3 1.12.1+dfsg-16 ii libldap-2.4-2 2.4.40-3 ii libltdl7 2.4.2-1.11 ii libnetfilter-conntrack3 1.0.4-1 ii libnettle4 2.7.1-5 ii libpam0g 1.1.8-3.1 ii libsasl2-2 2.1.26.dfsg1-12 ii libstdc++6 4.9.2-10 ii libxml2 2.9.2+dfsg1-1+b1 ii logrotate 3.8.7-1+b1 ii lsb-base 4.1+Debian13+nmu1 ii netbase 5.3 ii squid3-common 3.4.8-5 squid3 recommends no packages. Versions of packages squid3 suggests: pn resolvconf <none> ii smbclient 2:4.1.13+dfsg-4 pn squid-cgi <none> pn squid-purge <none> pn squidclient <none> pn ufw <none> pn winbindd <none> -- no debconf information
------------------------------------------------------------ revno: 13211 revision-id: squ...@treenet.co.nz-20150119164241-7q1rhjwxjygeq2zf parent: squ...@treenet.co.nz-20150118110213-zbcrupnx78b4y9mq fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4066 author: Frederic Bourgeois <fredbm...@free.fr> committer: Amos Jeffries <squ...@treenet.co.nz> branch nick: 3.4 timestamp: Mon 2015-01-19 08:42:41 -0800 message: Bug 4066: Digest auth nonce indefinite rollover ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squ...@treenet.co.nz-20150119164241-7q1rhjwxjygeq2zf # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # testament_sha1: ac9315f664d6d3037dcf6119c44bcade866be0a8 # timestamp: 2015-01-19 16:50:57 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # base_revision_id: squ...@treenet.co.nz-20150118110213-\ # zbcrupnx78b4y9mq # # Begin patch === modified file 'src/auth/digest/UserRequest.cc' --- src/auth/digest/UserRequest.cc 2015-01-18 11:02:13 +0000 +++ src/auth/digest/UserRequest.cc 2015-01-19 16:42:41 +0000 @@ -152,10 +152,14 @@ } /* check for stale nonce */ - if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) { - debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale"); - auth_user->credentials(Auth::Handshake); - digest_request->setDenyMessage("Stale nonce"); + /* check Auth::Pending to avoid loop */ + + if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) { + debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64); + /* Pending prevent banner and makes a ldap control */ + auth_user->credentials(Auth::Pending); + nonce->flags.valid = false; + authDigestNoncePurge(nonce); return; } === modified file 'src/auth/digest/auth_digest.cc' --- src/auth/digest/auth_digest.cc 2014-03-05 02:48:25 +0000 +++ src/auth/digest/auth_digest.cc 2015-01-19 16:42:41 +0000 @@ -1038,12 +1038,7 @@ debugs(29, 2, "Username for the nonce does not equal the username for the request"); nonce = NULL; } - /* check for stale nonce */ - if (authDigestNonceIsStale(nonce)) { - debugs(29, 3, "The received nonce is stale from " << username); - digest_request->setDenyMessage("Stale nonce"); - nonce = NULL; - } + if (!nonce) { /* we couldn't find a matching nonce! */ debugs(29, 2, "Unexpected or invalid nonce received from " << username);
