group.of.nepali.translators team mailing list archive

[Bug 1547640] Re: proxy tries ipv6 and gets 503 when no ipv6 routes

This bug was fixed in the package squid3 - 3.1.19-1ubuntu3.12.04.6

---------------
squid3 (3.1.19-1ubuntu3.12.04.6) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
    - debian/patches/CVE-2014-6270.patch: fix off-by-one in
      src/snmp_core.cc.
    - CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
    - debian/patches/CVE-2016-2571.patch: better handling of huge response
      headers in src/http.cc.
    - CVE-2016-2571
  * Fix security issue that only applies when package is rebuilt with the
    enable-ssl flag, which is not the case in the Ubuntu archive.
    - debian/patches/CVE-2014-0128.patch: denial of service via a crafted
      range request.
  * debian/patches/increase-default-forward-max-tries.patch:
    change the default setting of 'forward_max_tries' from 10
    to 25. (LP: #1547640)

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Fri, 04 Mar 2016 14:57:14 -0500

** Changed in: squid3 (Ubuntu Precise)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0128

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-6270

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2571

** Changed in: squid3 (Ubuntu Wily)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3455

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1547640

Title:
  proxy tries ipv6 and gets 503 when no ipv6 routes

Status in squid3 package in Ubuntu:
  In Progress
Status in squid3 source package in Precise:
  Fix Released
Status in squid3 source package in Trusty:
  Fix Released
Status in squid3 source package in Wily:
  Fix Released
Status in squid3 source package in Xenial:
  In Progress

Bug description:
  == Begin SRU Information ==
  [Impact]
  Users of squid3 as a proxy on a host without ipv6 connectivity will see http '503' errors if they attempt to access a url through that proxy that has greater than 9 ipv6 addresses associated with it.

  The failure case that affected Ubuntu users specifically was:
   a.) user uses squid from Ubuntu as a proxy
   b.) security.ubuntu.com and archive.ubuntu.com had additional IPv6 addresses added to their DNS, such that there were 10 IPv6 addresses for each.
   c.) the squid system does not have access to the IPv6 addresses.  Most likely that would be a result of having no routable IPv6 traffic.

  The change as described in the upstream commit is:
  | Update forward_max_tries to permit 25 server paths
  |
  | With cloud sites becoming more popular more CDN servers are producing
  | long lists of IPv6 and IPv4 addresses. If there are not enough paths
  | selected the IPv4 ones may never be reached.

  [Test Case]
  The attached 'lp-1547640.sh' can be run with:
    ./lp-1547640.sh setup
    ./lp-1547640.sh test

  It installs squid3 and sets up dnsmasq to know about 10 ipv6 addresses
  for a host, and then attempts to use that squid proxy.

  [Regression Potential]
  Likely scenarios to cause regression would be for hosts that have several IPv6 addresses.  The change has been in squid3 upstream trunk since 2013-08-21, for quite a while now.  It is released in Squid's 3.5 branch.

  [Other Info]
  After we saw and diagnosed this failure, Canonical's IS team removed one of the ipv6 addresses from security.ubuntu.com and archive.ubuntu.com, so that there are only 9 present now.
    $ host archive.ubuntu.com | grep 'has IPv6'
    archive.ubuntu.com has IPv6 address 2001:67c:1562::16
    archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::19
    archive.ubuntu.com has IPv6 address 2001:67c:1562::14
    archive.ubuntu.com has IPv6 address 2001:67c:1560:8001::11
    archive.ubuntu.com has IPv6 address 2001:67c:1360:8001::17
    archive.ubuntu.com has IPv6 address 2001:67c:1560:8001::13
    archive.ubuntu.com has IPv6 address 2001:67c:1562::17
    archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::18
    archive.ubuntu.com has IPv6 address 2001:67c:1562::15

  There *were* 10 on the day this caused a problem.  Canonical will hold
  off on adding more ipv6 until this change is rolled out widely.

  The fix for this bug will come to xenial through a merge with debian
  under bug 1473691.

  == End SRU Information ==

  Many people run squid (squid-deb-proxy, or maas-proxy) to provide
  ubuntu archive mirror caching and proxying.  MAAS sets this up by
  default for users with the 'maas-proxy' package.

  On or about Friday February 19, this setup began to fail for many people.
  Users would see 'apt-get update' returning 503 errors.  For me, I saw 503 on security.ubuntu.com addresses.

  The reason for the failure was that the DNS records for Ubuntu
  reached a threshold of 10 IPv6 entries. The squid proxy host did not
  have IPv6 connectivity, and with a limit of 10 retries the failover
  does not reach any IPv4 addresses, and thus would fail.

  The fix/workaround is to add the following to your squid config:
    # http://www.squid-cache.org/Doc/config/forward_max_tries/
    forward_max_tries 25

  The appropriate squid config file depends on what is running squid.
    maas-proxy: /usr/share/maas/maas-proxy.conf
    squid-deb-proxy: /etc/init/squid-deb-proxy.conf

  I'm not sure how this previously worked, nor what change was made.
  One change that was made in this time frame was a glibc update (2.19-0ubuntu6.6 to 2.19-0ubuntu6.7) for security (CVE-2013-7423 CVE-2014-9402 CVE-2015-1472 CVE-2015-1473).  But it doesn't seem to make sense that that would change squid3 to start looking for AAAA records when it did not previously.
  I can verify that as late as
    Thu Feb 18 06:36:07 EST 2016
  I was seeing entries in my squid logs with
    1455713142.896    335 10.7.2.103 TCP_REFRESH_UNMODIFIED/200 82620 GET http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/91.189.88.149 -
  but now I get
    1455879482.210      1 10.7.2.103 TCP_REFRESH_FAIL/200 635 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/2001:67c:1562::14 -

  Related Bugs:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1547640/+subscriptions
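The failure mode described in the bug report (ten AAAA records that the proxy host cannot reach, exhausting the default forward_max_tries of 10 before any A record is attempted) can be modelled in a few lines. The following Python is an added illustration, not Squid's own code and not the attached lp-1547640.sh. It assumes, as the report's log lines suggest, that the IPv6 candidates are ordered ahead of the IPv4 ones and that each candidate consumes exactly one try; Squid's real retry accounting is more involved than that. The addresses are constructed from documentation ranges rather than taken from archive.ubuntu.com.

```python
"""Model of Squid's forward_max_tries limit against a destination that
resolves to many IPv6 addresses the proxy host cannot reach.
Added illustration for LP: #1547640; not Squid's own code."""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ProxyHost:
    """The machine running squid. has_ipv6_route=False models a host that
    can resolve AAAA records but has no routable IPv6 (the bug's scenario)."""
    has_ipv6_route: bool


def try_connect(host: ProxyHost, addr: str) -> bool:
    """Simulated TCP connect: an IPv6 target fails immediately (no route to
    host) when the proxy has no IPv6 route; anything else succeeds."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and not host.has_ipv6_route:
        return False
    return True


def forward(host: ProxyHost, candidates: list[str], forward_max_tries: int = 10):
    """Walk the resolved candidate list in order and give up after
    forward_max_tries attempts, as the squid.conf directive does.
    Returns (http_status, address_used, attempts_made)."""
    attempts = 0
    for addr in candidates[:forward_max_tries]:
        attempts += 1
        if try_connect(host, addr):
            return 200, addr, attempts
    return 503, None, attempts


def tries_needed(candidates: list[str]) -> int:
    """Smallest forward_max_tries that still reaches an IPv4 address when
    every IPv6 candidate is unreachable: the 1-based position of the first
    A record in the answer, or 0 if the answer has no A record at all."""
    for pos, addr in enumerate(candidates, start=1):
        if ipaddress.ip_address(addr).version == 4:
            return pos
    return 0


# Constructed DNS answer shaped like the one in the bug report: ten AAAA
# records (documentation prefix 2001:db8::/32) ahead of two A records
# (192.0.2.0/24). These are placeholders, not the real archive addresses.
ARCHIVE_ANSWER = [f"2001:db8::{i}" for i in range(1, 11)] + ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    no_v6 = ProxyHost(has_ipv6_route=False)
    for limit in (10, 25):
        status, addr, n = forward(no_v6, ARCHIVE_ANSWER, limit)
        print(f"forward_max_tries {limit}: HTTP {status} via {addr} after {n} tries")
    print("tries needed to reach IPv4:", tries_needed(ARCHIVE_ANSWER))
```

With the default of 10 the model returns a 503 after ten failed IPv6 attempts; with 25 it reaches 192.0.2.10 on the eleventh try, and dropping one AAAA record (the nine-address state Canonical moved to) makes the default limit succeed again, which matches the report. The same comparison is the check worth running on a real proxy host without IPv6 routes: count the AAAA records of the origins it fronts (the report's `host archive.ubuntu.com | grep 'has IPv6'`) and make sure forward_max_tries is larger than that count.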