Amos Jeffries | 21 Apr 13:28 2016

[squid-announce] [ADVISORY] SQUID-2016:6 Multiple issues in ESI processing.

__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2016:6
__________________________________________________________________

Advisory ID:        SQUID-2016:6
Date:               April 20, 2016
Summary:            Multiple issues in ESI processing.
Affected versions:  Squid 3.x -> 3.5.16
                    Squid 4.x -> 4.0.8
Fixed in version:   Squid 3.5.17, 4.0.9
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4052
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4053
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4054
    CESG REF: 56284998 / VULNERABILITY ID: 393536
__________________________________________________________________

Problem Description:

 Due to buffer overflow issues Squid is vulnerable to a denial
 of service attack when processing ESI responses.

 Due to incorrect input validation Squid is vulnerable to public
 information disclosure of the server stack layout when processing
 ESI responses.

 Due to incorrect input validation and buffer overflow Squid is

Amos Jeffries | 21 Apr 13:28 2016

[squid-announce] [ADVISORY] SQUID-2016:5 Buffer overflow in cachemgr.cgi

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2016:5
__________________________________________________________________

Advisory ID:            SQUID-2016:5
Date:                   April 20, 2016
Summary:                Buffer overflow in cachemgr.cgi
Affected versions:      Squid 2.x all releases
                        Squid 3.x -> 3.5.16
                        Squid 4.x -> 4.0.8
Fixed in version:       Squid 3.5.17, 4.0.9
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051
    CESG REF: 56397140 / VULNERABILITY ID: 394201
__________________________________________________________________

Problem Description:

 Due to incorrect buffer management Squid cachemgr.cgi tool is
 vulnerable to a buffer overflow when processing remotely supplied
 inputs relayed to it from Squid.

__________________________________________________________________

Severity:

 This problem allows any client to seed the Squid manager reports

Amos Jeffries | 21 Apr 13:28 2016

[squid-announce] Squid 4.0.9 beta is available

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.9 release!

This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:5 - Buffer overflow in cachemgr.cgi

    http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
    aka. CVE-2016-4051

Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.

* SQUID-2016:6 - Multiple issues in ESI processing.

    http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
    aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.

At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.

Most Squid-3 and Squid-4 configured as reverse-proxy or SSL-Bump'ing are

Amos Jeffries | 21 Apr 13:28 2016

[squid-announce] Squid 3.5.17 is available

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.17 release!

This release is a security and bug fix release resolving several
vulnerabilities and issues found in the prior Squid releases.

The major changes to be aware of:

* SQUID-2016:5 - Buffer overflow in cachemgr.cgi

    http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
    aka. CVE-2016-4051

Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.

* SQUID-2016:6 - Multiple issues in ESI processing.

    http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
    aka. CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

This issue is really quite nasty and has been rated 8.3 on the CVSS
scale. Upgrade or patching should be considered a very high priority.

At best it creates a denial of service. At worst it allows clients to
read contents of the Squid process stack and remote servers to inject
code into that stack for execution.

Most Squid-3 and Squid-4 configured as reverse-proxy or SSL-Bump'ing are

zodyo | 21 Apr 03:51 2016

Re: squid 2.7/lusca not work with web auth IIS

Anybody here? I'm a newbie and need some advice here, or how to bypass some
sites with auth.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-2-7-lusca-not-work-with-web-auth-IIS-tp4677157p4677182.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Markey, Bruce | 20 Apr 22:18 2016

Cert authority invalid failures.

I’m curious as to why this is happening.

Proxy was implemented last week and since then I’ve been dealing with all the sites that don’t work. Not a problem, knew it was going to happen. I’d like to understand why the following is happening.

1. User goes to https://www.whatever.com
2. Browser, mostly Chrome, gives the following error: Connection not private. NET::ERR_CERT_AUTHORITY_INVALID
3. If you view the cert it shows the dynamic cert listed.
4. Click the “Proceed to www.whatever.com (unsafe)”
5. Now I get a squid error. Requested URL could not be retrieved. Access denied while trying to retrieve https:// some ip address/*

Thing is I don’t have an acl blocking that ip? (Small sub question here, is there a way to tell which acl blocks something?)

What I’ve had to do to get around this is add www.whatever.com to my broken_sites.acl. Then add the ip to an allowed_ips.acl.

Then I http_access allow the ips list

And skip peeking at the broken site.

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"
ssl_bump peek !broken_sites
ssl_bump splice all

I’m trying to understand why this is breaking and if I’m doing the right thing in fixing it.

The second error I’m getting is:

The following error was encountered while trying to retrieve the URL: https://*.agentimediaservices.com/*
Failed to establish a secure connection to 63.240.52.151
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA

Same question. From what I’ve read this means that I don’t have the correct root CA? Is that correct? If so is the fix to then go try to find the correct .crt and add it to the standard ca-cert store? (I’m on debian so /usr/share/ca-certificates/Mozilla)

Again, is this correct as to what is going wrong and the correct fix?

Thank you

Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) bmarkey <at> steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

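The peek/splice policy from the post above together with the trust settings that address both errors it describes, as an added example that is not Bruce's configuration; the file paths and the foreign-intermediates bundle are assumed.

```conf
# Added example (not Bruce's config). Paths are placeholders.

acl step1 at_step SslBump1
acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"

# Exceptions are spliced before any peeking is attempted; the first matching
# ssl_bump line wins at each step.
ssl_bump splice broken_sites
ssl_bump peek step1
ssl_bump splice all

# When a peeked connection cannot be spliced (the server certificate fails
# validation, or the request is denied), Squid typically bumps it with a
# generated certificate so that it can deliver an error page to the client.
# That is the "dynamic cert" seen in the browser, followed by the Squid error
# after "Proceed". The fix is the validation failure, not the policy.

# Debian's root store (the bundle built by the ca-certificates package).
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt

# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the server sent a leaf signed
# by an intermediate CA that it did not include in its chain. The intermediate
# is not a root and does not belong in the trust store; supply it here and the
# chain verifies against the real root. (Directive present in current 3.5
# releases; check squid.conf.documented for your build.)
sslproxy_foreign_intermediate_certs /etc/squid3/foreign_intermediates.pem

# Which acl denied a request: raise the Access Control debug section (28)
# temporarily and read cache.log. Verbose; revert it afterwards.
debug_options ALL,1 28,3
```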
epytir | 20 Apr 17:39 2016

Squid 3.5.9 Problems with Teamviewer

Hey Squid Users,

Sorry for my bad English, I'm currently learning it.

I got a little problem with my squid proxy.
I installed it with ufdbguard and squidclamav and everything works fine.

The users log in with Kerberos, NTLM or normal username/password
authentication.

My problem is when users start TeamViewer (every version), sometimes
TeamViewer does nothing, then the message "no connection please check proxy
settings" appears. Then I click nothing, and after 10 more seconds TeamViewer
is connected without changing anything.
So TeamViewer needs up to 1 minute to connect through the proxy, whereas
without it I need about 5 seconds.

TeamViewer is not blocked for the users with the problems and it connects,
but it needs too much time. I have 1500 users, so the normal user doesn't
understand that he must wait and shouldn't click on change settings or abort.

I log squid to a database and every connect I see is not blocked:
| 23731740 | 1461164861.040 | 2016-04-20 | 17:07:41 | 48 | ip | TCP_MISS    | 200 | 15623 | GET | www.teamviewer.com | Username | FIRSTUP_PARENT | NULL | NULL |
| 23733412 | 1461165077.533 | 2016-04-20 | 17:11:18 | 11 | ip | TCP_MEM_HIT | 200 | 15631 | GET | www.teamviewer.com | Username | HIER_NONE      | NULL | NULL |

The parent proxy is not the problem, because our old proxy is TMG from
Microsoft and uses the same parent proxy without TeamViewer problems. (We want
to shut down TMG because it's extremely slow and Squid is so fast :) )

Here are some information:
Squid 3.5.9
UFDB 1.31-16
Server Ubuntu 14.04 LTS

Squid config snip:
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/lib/squid3/fakeauth_auth --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$
auth_param negotiate children 80
auth_param negotiate keep_alive on

auth_param ntlm program /usr/lib/squid3/fakeauth_auth x.x.x\DC
auth_param ntlm children 30
auth_param ntlm keep_alive off

#LDAP Authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=X,dc=X,dc=X" -D "XXX <at> X.X.X" -w "XXXXXXXXX" -v 3 -h ldaps://X.X.X
auth_param basic children 30
auth_param basic realm Domain-Internet-Proxy
auth_param basic credentialsttl 30 day  #How often ask for Login credentials
auth_param basic casesensitive off

acl ldap-auth proxy_auth REQUIRED # Rule authentication needed
never_direct allow all
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access allow CONNECT SSL_ports
http_access allow localnet
http_access allow localhost

#LDAP User are allowed to connect to the Internet
http_access allow ldap-auth
http_access allow CONNECT  SSL_ports ldap-auth

# And finally deny all other access to this proxy
http_access deny all
.
.
.

Normal NTLM doesn't work, but we have some old programs that need NTLM, so I
use fake NTLM for them; browsers only use Kerberos.

In the squid log I see nothing, no entries for the connection time.

Hope someone got the same issues and solved it.

Greetings,

Epytir

Odhiambo Washington | 20 Apr 16:16 2016

ssl_bump newbie troubles

Hi,

I am trying my hands on ssl_bump and it's almost working, but that's ish-ish.. because I have several problems.

I even wonder if this config is correct:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl ssl_bump_broken_sites  dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
# "none" is the pre-3.5 name for splice
ssl_bump none ssl_bump_broken_sites

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

sslproxy_capath /etc/ssl/certs
# accepts every server certificate error, whatever its cause
sslproxy_cert_error allow all
#sslproxy_cert_error deny all
# disables server certificate verification altogether
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt


<cut> 

The following error was encountered while trying to retrieve the URL: https://org.ke.m-pesa.com/*

Failed to establish a secure connection to 196.201.214.212

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is <odhiambo <at> gmail.com>.

</cut>



I thought I could mitigate that with the:

acl ssl_bump_broken_sites  dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites

..but that doesn't do it...

Secondly, I had to import my CA to all devices (as a trusted CA) on the network so that they don't get the MITM notification. This is a challenge, because I have to do the same for smart phones too, and that is not easy. People don't like intrusive changes. For example, on an Android phone you have to set screen security before you can import such a CA, and after you do, you cannot disable the screen security! Now, that is not something people want.

Another issue is that we allow guests who come in to the premises to use our Wi-Fi (on a different SSID). Without them importing the CA, they get the MITM notification and cannot browse. This is because they get assigned IPs in the same subnet we use in the office.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
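The bump policy from the post above with the exception list made effective and server-certificate validation restored, as an added example that is not Odhiambo's configuration; the ".example-legacy.internal" acl and the file paths are assumed placeholders.

```conf
# Added example (not Odhiambo's config). Paths and the legacy acl are
# placeholders.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites that must never be bumped. dstdomain entries match subdomains only
# when they start with a dot: "m-pesa.com" does not match
# org.ke.m-pesa.com, ".m-pesa.com" does. A "bad certificate" alert sent by
# the server usually means it wanted a client certificate, which a bumped
# connection can never present, so such sites belong in this list.
acl ssl_bump_broken_sites dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"

# "none" is the pre-3.5 spelling of splice. The exception has to come before
# the peek rule, because the first matching ssl_bump line wins at each step.
ssl_bump splice ssl_bump_broken_sites
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

# Validate server certificates against the trusted roots. No
# sslproxy_flags DONT_VERIFY_PEER: that line switches verification off for
# every origin server the proxy talks to on the clients' behalf.
sslproxy_capath /etc/ssl/certs
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt

# "sslproxy_cert_error allow all" turns every forged, expired or
# mis-issued server certificate into a bumped connection the client cannot
# tell apart from a good one. Deny errors by default; if one internal site
# must be tolerated, scope the allow to that site only.
acl cert_error_tolerated dstdomain .example-legacy.internal
sslproxy_cert_error allow cert_error_tolerated
sslproxy_cert_error deny all
```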
Veiko Kukk | 20 Apr 09:24 2016

Never expire any object Squid configuration

Hi,

We have a Squid between our server application and openstack swift 
backend in accel/reverse mode with store-id configuration (to strip 
temporary authentication URLs). We want that any object that has been 
stored in squid cache is never again fetched from source and never again 
checked if it is fresh. Well, never in this case could be one year.

Relevant section from current configuration:

refresh_pattern -i ^https:\/\/AUTH_.*squid.internal.* 526000 100% 526000 override-expire ignore-reload ignore-no-store ignore-private store-stale max-stale=52

With this configuration, we still see lots of TCP_REFRESH_MODIFIED/200 
TCP_REFRESH_UNMODIFIED/200 and TCP_REFRESH_UNMODIFIED/304 in logs.

How must Squid be configured to completely disable any refreshes? Those 
objects never change after they have been created and we only want them 
to be pushed out from cache by cache replacement policy.

I read in an old post 
http://www.squid-cache.org/mail-archive/squid-dev/201108/0029.html that 
if the client requests an object without an ETag and the server sends it with 
an ETag, then Squid fetches the object again. How to disable this?

Best regards,
Veiko
nkingsquid | 19 Apr 20:16 2016

Routing Internally And/Or Externally?

Trying to figure out if I need to write a script for this or not...
I am brand new to Squid but have done a ton of searches and can't find this.

I have authenticated traffic coming to my squid server from the Internet
(Via a NetScaler).  If the request is for an INTERNAL resource I want it to
continue on its journey.  However, if it is anything else I want it
re-directed back to the internet via the netscaler.  (just going to list the
applicable portion and throw in example data)

acl localnetPAC src 192.168.0.0/24             # resource within my network
acl localnetPAC src internal.resources.com     # resource within my network
acl localnetPAC src internal1.resources.com    # resource within my network
acl localnetPAC src internal2.resources.com    # resource within my network
acl localnetPAC src internal3.resources.com    # resource within my network

acl InboundNet src 10.24.62.51                 # NetScaler
acl OutboundNet src 10.24.62.51                # NetScaler

http_access allow localnetPAC                  # user will be let thru to the local resources
InboundNet !localnetPAC allow OutboundNet      # this is what I WANT to do but isn't working
                                               # can anyone steer me to the right track?

Thanks!

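One way to express the routing the post above asks for, as an added example that is not the poster's configuration: the NetScaler address and hostnames come from the post, the parent port 8080 and the acl names are assumed.

```conf
# Added example (not the poster's config). Port 8080 is an assumed
# placeholder for the NetScaler's proxy listener.

# Only the NetScaler may send requests to this proxy.
acl netscaler src 10.24.62.51

# Internal destinations. A hostname is a test on the destination, so it
# needs dstdomain rather than src (src matches the client's address, which
# here is the NetScaler's for every request). A leading dot would also
# match subdomains, e.g. ".resources.com".
acl internal_net dst 192.168.0.0/24
acl internal_dom dstdomain internal.resources.com internal1.resources.com
acl internal_dom dstdomain internal2.resources.com internal3.resources.com

http_access allow netscaler
http_access deny all

# The NetScaler as the upstream ("parent") proxy for everything that is
# not internal.
cache_peer 10.24.62.51 parent 8080 0 no-query default name=netscaler_out
cache_peer_access netscaler_out deny internal_net
cache_peer_access netscaler_out deny internal_dom
cache_peer_access netscaler_out allow all

# always_direct takes precedence over never_direct: internal destinations
# go direct, everything else must use the peer and fails rather than
# leaking out directly if the peer is unreachable.
always_direct allow internal_net
always_direct allow internal_dom
never_direct allow all
```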
cjwengler | 19 Apr 18:11 2016

New to proxies

I used to have someone in this forum make me proxies for sneakers and
shopping websites. I bought so many he would charge me $0.75 per proxy. I
was wondering if someone else could make these proxies for me or teach me
how to make them myself. Either way, I will pay you for your efforts.
Thanks.

