| Summary: | squid new security issues CVE-2013-4115 and CVE-2013-4123 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Denis Chupau <d.chupau> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, luigiwalser, luis.daniel.lucio, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | Triaged, validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/560027/ | ||
| Whiteboard: | MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | squid-3.2.10-1.mga3 | CVE: | |
| Status comment: | |||
|
Description
Denis Chupau
2013-06-13 10:48:07 CEST
Manuel Hiebel
2013-06-30 12:03:16 CEST
Keywords:
(none) =>
Triaged Since we selectively enable helpers and several of the helper names were changed in Squid 3.2 upstream: ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#toc2.4 we lost some of them. I'm working on getting them enabled again. Once they are, there may be some configuration changes required, I'm not sure. Documentation for the helpers is available here: http://www.squid-cache.org/Doc/man/ Corrected packages uploaded for Mageia 3 and Cauldron. Here's the changes in the SPEC file for Mageia 3: http://svnweb.mageia.org/packages/updates/3/squid/current/SPECS/squid.spec?r1=419736&r2=448559 Unfortunately for Cauldron there is a problem with perl's pod2man command, which has caused the DB auth helper and DB log daemon to get disabled for now. This has been reported as Bug 10663. Advisory -------- Due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included. References: ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4 http://www.squid-cache.org/Doc/man/ ----------------------------------- Packages in core/updates_testing: ----------------------------------- squid-3.2.10-1.1.mga3 squid-cachemgr-3.2.10-1.1.mga3 from squid-3.2.10-1.1.mga3.src.rpm CC:
(none) =>
luis.daniel.lucio Denis can you please test the update candidate in core updates testing to make sure the bug is fixed and let us know which architecture you tested with (i586 or x86_64). Thanks. Hi, I'm on i586. - I tried to install the package from (as "testing" is not enabled on my test-server) : wget Mageia/distrib/3/i586/media/core/updates_testing/squid-3.2.10-1.1.mga3.i586.rpm - Installing : urpmi ./squid-3.2.10-1.1.mga3.i586.rpm Le paquetage demandé ne peut pas être installé : squid-3.2.10-1.1.mga3.i586 (car /bin/ksh est non satisfait) Désirez-vous tout de même continuer ? (O/n) o - Translated into english : The package can't be installed : squid-3.2.10-1.1.mga3.i586 (because /bin/ksh is not satisfied) Would you like to continue anyway ? (Y/n) y - verification : rpm -qa | grep squid squid-3.2.10-1.mga3 - what provides /bin/ksh ? urpmf /bin/ksh kshowmail:/usr/bin/kshowmail kshutdown:/usr/bin/kshutdown pdksh:/usr/bin/ksh kshisen:/usr/bin/kshisen kdelibs4-core:/usr/bin/kshell4 => no /bin/ksh So there may be a problem in the RPM : - there is no such file or directory in the "stable" repositories (core, non-free, contrib) - does it really need to depend on ksh ? redargs, Dag Hmm, this happened because it's now installing a script from one of the newly enabled helpers that starts with #!/bin/ksh: squid-3.2.9/helpers/external_acl/kerberos_ldap_group/cert_tool Looking at the script it's not immediately obvious why it uses ksh or that it needs to. Probably the easiest solution would be to remove the #!/bin/ksh from the top of it, or change it to bash. In fact I just ran it by hand with bash and it seemed to work. OK, I'm patching it to change it to bash. Someone should really change the pdksh package to provide /bin/ksh as well... Thanks for the report. Should be a new update candidate available soon. Advisory -------- Due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included. References: ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4 http://www.squid-cache.org/Doc/man/ ----------------------------------- Packages in core/updates_testing: ----------------------------------- squid-3.2.10-1.2.mga3 squid-cachemgr-3.2.10-1.2.mga3 from squid-3.2.10-1.2.mga3.src.rpm Upstream has released Squid 3.3.7 and 3.2.12 to fix a buffer overflow: http://www.squid-cache.org/Advisories/SQUID-2013_2.txt A patch for Squid 3.1 is also available. Everything is checked into SVN for Mageia 2, Mageia 3, and Cauldron. Updated builds are in progress. Component:
RPM Packages =>
Security Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 2 and Mageia 3. Advisory: ======================== Updated squid packages fix security vulnerability: Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (SQUID-2013:2). Also, due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included. References: http://www.squid-cache.org/Advisories/SQUID-2013_2.txt ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4 http://www.squid-cache.org/Doc/man/ ======================== Updated packages in core/updates_testing: ======================== squid-3.1.19-4.4.mga2 squid-cachemgr-3.1.19-4.4.mga2 squid-3.2.10-1.3.mga3 squid-cachemgr-3.2.10-1.3.mga3 from SRPMS: squid-3.1.19-4.4.mga2.src.rpm squid-3.2.10-1.3.mga3.src.rpm FYI, a CVE has been requested for this security issue: http://openwall.com/lists/oss-security/2013/07/11/2 I'll update the advisory once the CVE is assigned. The CVE has been assigned: http://openwall.com/lists/oss-security/2013/07/11/8 Advisory: ======================== Updated squid packages fix security vulnerability: Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (CVE-2013-4115). Also, due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115 http://www.squid-cache.org/Advisories/SQUID-2013_2.txt ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4 http://www.squid-cache.org/Doc/man/ ======================== Updated packages in core/updates_testing: ======================== squid-3.1.19-4.4.mga2 squid-cachemgr-3.1.19-4.4.mga2 squid-3.2.10-1.3.mga3 squid-cachemgr-3.2.10-1.3.mga3 from SRPMS: squid-3.1.19-4.4.mga2.src.rpm squid-3.2.10-1.3.mga3.src.rpm Summary:
squid helper "squid_ldap_group" dropped ! =>
squid new security issue CVE-2013-4115 Maybe another one to do David. I noticed this on debian bug tracker. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716743#12 http://www.squid-cache.org/Advisories/SQUID-2013_3.txt Thanks Claire. The new security advisory doesn't affect Squid 3.1 in Mageia 2. Here's a new advisory to use for Mageia 2. I'll post the Mageia 3 advisory next. Advisory (Mageia 2): ======================== Updated squid packages fix security vulnerability: Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (CVE-2013-4115). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115 http://www.squid-cache.org/Advisories/SQUID-2013_2.txt ======================== Updated packages in core/updates_testing: ======================== squid-3.1.19-4.4.mga2 squid-cachemgr-3.1.19-4.4.mga2 from squid-3.1.19-4.4.mga2.src.rpm Updated package uploaded for Cauldron for SQUID-2013:3. Patched package uploaded for Mageia 3 for SQUID-2013:3. Advisory (Mageia 3): ======================== Updated squid packages fix security vulnerabilities: Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (CVE-2013-4115). Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted HTTP requests. This problem allows any client who can generate HTTP requests to perform a denial of service attack on the Squid service (CVE-2013-4123). Also, due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4123 http://www.squid-cache.org/Advisories/SQUID-2013_2.txt http://www.squid-cache.org/Advisories/SQUID-2013_3.txt ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4 http://www.squid-cache.org/Doc/man/ ======================== Updated packages in core/updates_testing: ======================== squid-3.2.10-1.4.mga3 squid-cachemgr-3.2.10-1.4.mga3 from squid-3.2.10-1.4.mga3.src.rpm Summary:
squid new security issue CVE-2013-4115 =>
squid new security issues CVE-2013-4115 and CVE-2013-4123 10516.mga2.adv and 10516.mga3.adv uploaded. CC:
(none) =>
davidwhodgins Testing complete for squid using drakguard on both arches/releases. Could someone from the sysadmin team push 10516.mga2.adv and 10516.mga3.adv to updates. Keywords:
(none) =>
validated_update mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0227.html mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0228.html Status:
NEW =>
RESOLVED LWN references posted. CVE-2013-4115: http://lwn.net/Vulnerabilities/560027/ CVE-2013-4123: http://lwn.net/Vulnerabilities/560028/ URL:
(none) =>
http://lwn.net/Vulnerabilities/560027/ |