On 12/5/21 6:11 PM, Andrej Mikus wrote:
> I would like to find some information about wccp servers (routers,
> firewalls, etc) that are officially supported and therefore tested for
> compatibility.

IIRC, there are no such servers/etc. WCCP code quality is low, the code has been neglected for a long time, and the changes we recently had to do for CVE 2021-28116 took a very long time, were unfinished and essentially untested because, in part, those looking for testers could not get anybody to test the changes and report the results back to us.

> Is there any way to get in touch with the developer responsible for the
> security patch and request his comments?

You are using the right channel for that. I was one of the developers that were forced to work on code changes for CVE 2021-28116, but I am not sure I would consider myself "responsible for the patch" (it depends on your definition of "responsible"). The advisory says the bug was fixed by Amos; Amos is on this mailing list.

> I do not have access to other
> Cisco hardware, and I would like to know if the update was confirmed
> working for example against a CSR1000v.

I do not think that update was confirmed as working against any WCCP server.

If you are using WCCP, you are relying on a long-neglected feature. There is no proper support for WCCP code in Squid today IMO.

Alex.

P.S. Squid side of CVE 2021-28116 is at https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82

> ----- Forwarded message from amk <[email protected]> -----
>
> Date: Sun, 05 Dec 2021 22:21:51 -0000
> From: amk <[email protected]>
> To: [email protected]
> Subject: [Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
>
> 4.13-10ubuntu5 in 21.10 and 5.2-1ubuntu1 in jammy are failing as well,
> with debug log different when compared to version 3 involved here:
>
> 2021/12/05 19:58:41.705 kid1| 80,6| wccp2.cc(1580) wccp2HereIam: wccp2HereIam: Called
> 2021/12/05 19:58:41.705 kid1| 80,5| wccp2.cc(1599) wccp2HereIam: wccp2HereIam: sending to service id 0
> 2021/12/05 19:58:41.705 kid1| 80,3| wccp2.cc(1630) wccp2HereIam: Sending HereIam packet size 144
> 2021/12/05 19:58:41.707 kid1| 80,6| wccp2.cc(1202) wccp2HandleUdp: wccp2HandleUdp: Called.
> 2021/12/05 19:58:41.707 kid1| 80,3| wccp2.cc(1226) wccp2HandleUdp: Incoming WCCPv2 I_SEE_YOU length 128.
> 2021/12/05 19:58:41.707 kid1| ERROR: Ignoring WCCPv2 message: duplicate security definition
>     exception location: wccp2.cc(1249) wccp2HandleUdp
>
> This looks like a problem with squid itself, the packet does not have
> duplicate security definition. In the code at
> http://www.squid-cache.org/Doc/code/wccp2_8cc_source.html I miss some
> debug output in the loop processing the packet /* Go through the data
> structure */ so would need to rebuild the package or to involve debugger.
>
> I was not able to find any documentation of squid listing
> supported/tested wccp servers but at this point this looks like an issue
> to be reported upstream. There is no reason to consider wccp packets
> from IOS 15.8(3)M2 invalid.

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
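
Added example, not part of the original message and not Squid's code: a bounds-checked walk over the components of a captured WCCPv2 UDP payload, to check from outside Squid whether a router's I_SEE_YOU really carries the security component twice. The type codes and header layout are assumed from the WCCPv2 Internet-Draft (draft-wilson-wrec-wccp-v2); the function names are hypothetical and the sample packet is constructed, not a real capture.

```python
import struct
from collections import Counter

# Assumed from the WCCPv2 draft: message header is type(32) version(16)
# length(16); each component is type(16) length(16) followed by its body.
COMPONENTS = {0: "SECURITY_INFO", 1: "SERVICE_INFO", 2: "ROUTER_ID_INFO",
              3: "WC_ID_INFO", 4: "RTR_VIEW_INFO", 5: "WC_VIEW_INFO",
              6: "REDIRECT_ASSIGNMENT", 7: "QUERY_INFO", 8: "CAPABILITY_INFO"}
MESSAGES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGN",
            13: "REMOVAL_QUERY"}

def walk_wccp2(payload: bytes):
    """Return (message name, [(component name, offset, body length), ...]).
    Raises ValueError whenever a declared length runs past the received bytes."""
    if len(payload) < 8:
        raise ValueError("shorter than the 8-byte WCCPv2 message header")
    msg_type, _version, length = struct.unpack_from("!IHH", payload, 0)
    if 8 + length > len(payload):
        raise ValueError("header length exceeds received data")
    end, off, found = 8 + length, 8, []
    while off < end:
        if end - off < 4:
            raise ValueError(f"truncated component header at offset {off}")
        ctype, clen = struct.unpack_from("!HH", payload, off)
        if off + 4 + clen > end:
            raise ValueError(f"component at offset {off} overruns message")
        found.append((COMPONENTS.get(ctype, f"UNKNOWN_{ctype}"), off, clen))
        off += 4 + clen
    return MESSAGES.get(msg_type, f"UNKNOWN_{msg_type}"), found

def duplicated(found):
    """Names of components that occur more than once in the message."""
    counts = Counter(name for name, _, _ in found)
    return sorted(name for name, n in counts.items() if n > 1)

def make_component(ctype: int, body: bytes) -> bytes:
    return struct.pack("!HH", ctype, len(body)) + body

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed I_SEE_YOU: security option 0 plus a zero-filled service body."""
    body = make_component(0, struct.pack("!I", 0)) + make_component(1, bytes(24))
    body += extra
    return struct.pack("!IHH", 11, 0x0200, len(body)) + body

if __name__ == "__main__":
    name, comps = walk_wccp2(build_sample())
    print(name, comps, "duplicates:", duplicated(comps))
```

Feed it the UDP payload bytes exported from a packet capture of the router's reply; a non-empty result from `duplicated()` means the packet itself repeats a component, an empty one points back at the receiver's parsing.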
