Bug 18757

Summary: squidguard new security issue CVE-2015-8936
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5 Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/692518/
Whiteboard: MGA5-32-OK advisory
Source RPM: squidguard-1.4-21.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-06-22 00:59:52 CEST
A CVE has been assigned for an XSS issue in the SquidGuard CGI:
http://openwall.com/lists/oss-security/2016/06/21/5

The exact CGI in question is only installed as documentation in a samples directory in our package, but we also include a different CGI that is installed in /var/www/cgi-bin.  This other CGI appears to actually be an older version of the same CGI program.  It's not clear why we're using this one instead of the one that ships with upstream.  It does appear that the one we ship is affected by the same issue, though.  I have patched both of them.

Advisory:
========================

Updated squidguard package fixes security vulnerability:

The squidGuard.cgi program is vulnerable to a reflected cross site scripting
vulnerability in the blocking script squidGuard.cgi. The vulnerability is
triggered when a user clicks a link to a blocked site where the url has
scripting instructions added (CVE-2015-8936).

In Mageia's squidguard package, both /var/www/cgi-bin/squidGuard.cgi and
/usr/share/squidGuard-1.4/samples/squidGuard.cgi were affected.

Note that it is highly recommended that any remaining users of this package
switch to ufdbguard, which has better compatibility with current versions of
Squid.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8936
http://openwall.com/lists/oss-security/2016/06/21/5
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20150201
========================

Updated packages in core/updates_testing:
========================
squidguard-1.4-21.1.mga5

from squidguard-1.4-21.1.mga5.src.rpm
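
The reflected XSS pattern the advisory describes, shown as an added example in Python: a block page that echoes request parameters verbatim, beside the same page with output escaping. This is not the squidGuard.cgi source or the Mageia patch; the parameter names `url` and `targetgroup`, the page template and the sample request are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request a blocked client is redirected to.
# Parameter names and values are assumptions, not taken from the package.
SAMPLE_REQUEST = (
    "/cgi-bin/squidGuard.cgi?targetgroup=ads"
    "&url=http%3A%2F%2Fblocked.example%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

# Hypothetical block page template with two reflected fields.
PAGE = (
    "<html><body><h1>Access denied</h1>"
    "<p>Category: {group}</p><p>URL: {url}</p></body></html>"
)


def params(request):
    """Percent-decode the query string, as a CGI does before using it."""
    query = parse_qs(urlsplit(request).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def render_unsafe(request):
    """Vulnerable pattern: decoded parameters go into the HTML verbatim."""
    p = params(request)
    return PAGE.format(group=p.get("targetgroup", ""), url=p.get("url", ""))


def render_escaped(request):
    """Hardened pattern: every reflected value is HTML-escaped on output."""
    p = params(request)
    return PAGE.format(
        group=html.escape(p.get("targetgroup", ""), quote=True),
        url=html.escape(p.get("url", ""), quote=True),
    )


def reflects_markup(page):
    """Regression check: did request data end up as a live script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe reflects markup: ", reflects_markup(render_unsafe(SAMPLE_REQUEST)))
    print("escaped reflects markup:", reflects_markup(render_escaped(SAMPLE_REQUEST)))
```

The `reflects_markup` check can be run against the page an updated CGI returns to confirm that a blocked URL carrying markup is displayed as text.
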
David Walser 2016-06-23 19:23:51 CEST

URL: (none) => http://lwn.net/Vulnerabilities/692518/

Comment 1 Herman Viaene 2016-07-04 16:56:06 CEST
MGA5-32 on Acer D620 Xfce
No installation issues
Wondering how to test this, I found bug 11575, so at CLI
# echo "http://www.example.com 192.168.0.1/- - GET" | squidGuard -c /etc/squid/squidGuard.conf -d
2016-07-04 16:51:38 [20465] New setting: dbhome: /usr/share/squidGuard
2016-07-04 16:51:38 [20465] syntax error in configfile /etc/squid/squidGuard.conf line 5
2016-07-04 16:51:38 [20465] Going into emergency mode

2016-07-04 16:51:38 [20465] ending emergency mode, stdin empty

Should be OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-07-05 16:36:55 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-07-05 17:48:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0237.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED