Package: squid
Version: 3.5.23-5+deb9u2.1
Severity: important
File: /usr/sbin/squid

Dear Maintainer,

We installed the security update deb9u2 and learned that no more http-access (with icap) was possible. No problem with https because https is forwarded directly and with disabled icap feature http also no problem.

In access.log I found:

    1594709099.638 0 x.x.x.x ICAP_ERR_OTHER/000 0 RESPMOD (http://www.google.de/) 127.0.0.1

After downgrade to deb9u1 everything worked fine again.

I enabled debugging (debug_options 93,3) and found some squid loglines:

    essential ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]

and

    ServiceRep.cc(534) noteAdaptationAnswer: failed to fetch options [down,!opt,fail1]

With a tcpdump on lo interface I found a strange behaviour:

    squid -> icap: syn syn ack ack rst

So squid is sending a rst package? I can provide the tracefile if desired. Furthermore the cache.log of squid with content of debug_options as above mentioned.

I checked applied patches and after some tests and rebuilds I found that without patch CVE-2019-12523 it worked again.

We have sev. stretch squids (with and without parent squids) and all have the same problem. Quite unsure why I can't find anything on mailing lists.

-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages squid depends on:
ii  adduser                  3.115
ii  libc6                    2.24-11+deb9u4
ii  libcap2                  1:2.25-1
ii  libcomerr2               1.43.4-2+deb9u1
ii  libdb5.3                 5.3.28-12+deb9u1
ii  libdbi-perl              1.636-1+b1
ii  libecap3                 1.0.1-3.2
ii  libexpat1                2.2.0-2+deb9u3
ii  libgcc1                  1:6.3.0-18+deb9u1
ii  libgssapi-krb5-2         1.15-1+deb9u1
ii  libkrb5-3                1.15-1+deb9u1
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u4
ii  libltdl7                 2.4.6-2
ii  libnetfilter-conntrack3  1.0.6-2
ii  libnettle6               3.3-1+b2
ii  libpam0g                 1.1.8-3.6
ii  libsasl2-2               2.1.27~101-g0780600+dfsg-3+deb9u1
ii  libstdc++6               6.3.0-18+deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  logrotate                3.11.0-0.1
ii  lsb-base                 9.20161125
ii  netbase                  5.4
ii  squid-common             3.5.23-5+deb9u2

Versions of packages squid recommends:
ii  libcap2-bin  1:2.25-1

Versions of packages squid suggests:
pn  resolvconf   <none>
pn  smbclient    <none>
pn  squid-cgi    <none>
pn  squid-purge  <none>
ii  squidclient  3.5.23-5+deb9u2
pn  ufw          <none>
pn  winbindd     <none>

/etc/squid/squid.conf changed:
.snip.
logformat icap_squid-ext %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::>st %icap::rm (%ru) %un %icap::<A
icap_log syslog:local6.info icap_squid-ext
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service_failure_limit -1
icap_service service_resp_clamav respmode_precache bypass=0 icap://127.0.0.1:1344/virus_scan
adaptation_service_chain service_resp_CHAIN service_resp_clamav
adaptation_access service_resp_CHAIN deny CONNECT
adaptation_access service_resp_CHAIN allow all
cache_peer ... parent 8080 0 no-query no-digest sourcehash name=srv-proxy
always_direct deny all
never_direct allow all

-- no debconf information

Kind regards,
Andreas Schulz