Package: squid3 Version: 3.4.8-5 Severity: grace Tags: patch upstream Upstream fixed an issue with NTLM and Negotiate authentication helpers that can result in excessive CPU and memory consumption.
-- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) Versions of packages squid3 depends on: ii adduser 3.113+nmu3 ii libc6 2.19-13 ii libcap2 1:2.24-6 ii libcomerr2 1.42.12-1 ii libdb5.3 5.3.28-9 ii libecap2 0.2.0-3 ii libexpat1 2.1.0-6+b3 ii libgcc1 1:4.9.2-10 ii libgssapi-krb5-2 1.12.1+dfsg-16 ii libk5crypto3 1.12.1+dfsg-16 ii libkrb5-3 1.12.1+dfsg-16 ii libldap-2.4-2 2.4.40-3 ii libltdl7 2.4.2-1.11 ii libnetfilter-conntrack3 1.0.4-1 ii libnettle4 2.7.1-5 ii libpam0g 1.1.8-3.1 ii libsasl2-2 2.1.26.dfsg1-12 ii libstdc++6 4.9.2-10 ii libxml2 2.9.2+dfsg1-1+b1 ii logrotate 3.8.7-1+b1 ii lsb-base 4.1+Debian13+nmu1 ii netbase 5.3 ii squid3-common 3.4.8-5 squid3 recommends no packages. Versions of packages squid3 suggests: pn resolvconf <none> ii smbclient 2:4.1.13+dfsg-4 pn squid-cgi <none> pn squid-purge <none> pn squidclient <none> pn ufw <none> pn winbindd <none> -- no debconf information
------------------------------------------------------------ revno: 13210 revision-id: squ...@treenet.co.nz-20150118110213-zbcrupnx78b4y9mq parent: squ...@treenet.co.nz-20150118081150-g92c3d0w5sbsccj1 fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3997 author: Amos Jeffries <squ...@treenet.co.nz>, Steve Hill <st...@opendium.com> committer: Amos Jeffries <squ...@treenet.co.nz> branch nick: 3.4 timestamp: Sun 2015-01-18 03:02:13 -0800 message: Bug 3997: Excessive NTLM or Negotiate auth helper annotations With the transaction annotations feature added in Squid-3.4 auth helper response values get recorded as annotatiions. In the case of NTLM and Negotiate authentication the helper response contains a large credentials token which changes frequently. Also, user credentials state is cached. In the case of NTLM and Negotiate the active credentials are cached in the TCP connection state data, but also for the cache mgr helper reports make use of caching in a global username cache. When these two features are combined, the global username cache for mgr reporting accumulates all TCP connection specific token= values presented by the client on all its connections, and any changes to the token over its lifetime. The result is that for users performing either many transactions, or staying connected for long periods the memory consumption from unnecesarily stored tokens is excessive. When clients do both the machine memory can be consumed, and the CPU can reach 100% consumption just walking the annotations lists during regular operations. To fix this we drop the security credentials tokens from cached annotations list in NTLM and Negotiate. Digest is also included though its HA1 token value is static it has similar privacy issues related to storage. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squ...@treenet.co.nz-20150118110213-zbcrupnx78b4y9mq # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # testament_sha1: a0115b5c42386ae4597d9e9c8e8842571c1fca1f # timestamp: 2015-01-18 11:50:54 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # base_revision_id: squ...@treenet.co.nz-20150118081150-\ # g92c3d0w5sbsccj1 # # Begin patch === modified file 'src/Notes.cc' --- src/Notes.cc 2014-05-02 07:51:33 +0000 +++ src/Notes.cc 2015-01-18 11:02:13 +0000 @@ -189,6 +189,21 @@ } void +NotePairs::remove(const char *key) +{ + Vector<NotePairs::Entry *>::iterator i = entries.begin(); + while (i != entries.end()) { + if ((*i)->name.cmp(key) == 0) { + NotePairs::Entry *e = (*i); + entries.prune(e); + delete e; + i = entries.begin(); // vector changed underneath us + } else + ++i; + } +} + +void NotePairs::addStrList(const char *key, const char *values) { String strValues(values); === modified file 'src/Notes.h' --- src/Notes.h 2014-05-02 07:51:33 +0000 +++ src/Notes.h 2015-01-18 11:02:13 +0000 @@ -155,6 +155,11 @@ void add(const char *key, const char *value); /** + * Remove all notes with a given key. + */ + void remove(const char *key); + + /** * Adds a note key and values strList to the notes list. * If the key name already exists in list, add the new values to its set * of values. === modified file 'src/auth/digest/UserRequest.cc' --- src/auth/digest/UserRequest.cc 2014-03-05 02:48:25 +0000 +++ src/auth/digest/UserRequest.cc 2015-01-18 11:02:13 +0000 @@ -298,6 +298,8 @@ // add new helper kv-pair notes to the credentials object // so that any transaction using those credentials can access them auth_user_request->user()->notes.appendNewOnly(&reply.notes); + // remove any private credentials detail which got added. + auth_user_request->user()->notes.remove("ha1"); static bool oldHelperWarningDone = false; switch (reply.result) { === modified file 'src/auth/negotiate/UserRequest.cc' --- src/auth/negotiate/UserRequest.cc 2013-11-29 10:55:53 +0000 +++ src/auth/negotiate/UserRequest.cc 2015-01-18 11:02:13 +0000 @@ -229,6 +229,8 @@ // add new helper kv-pair notes to the credentials object // so that any transaction using those credentials can access them auth_user_request->user()->notes.appendNewOnly(&reply.notes); + // remove any private credentials detail which got added. + auth_user_request->user()->notes.remove("token"); Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw()); assert(lm_request != NULL); === modified file 'src/auth/ntlm/UserRequest.cc' --- src/auth/ntlm/UserRequest.cc 2013-11-29 10:55:53 +0000 +++ src/auth/ntlm/UserRequest.cc 2015-01-18 11:02:13 +0000 @@ -223,6 +223,8 @@ // add new helper kv-pair notes to the credentials object // so that any transaction using those credentials can access them auth_user_request->user()->notes.appendNewOnly(&reply.notes); + // remove any private credentials detail which got added. + auth_user_request->user()->notes.remove("token"); Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw()); assert(lm_request != NULL);
