| Summary: | squid new security issues fixed upstream (CVE-2018-19131 and CVE-2018-19132) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, herman.viaene, lewyssmith, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | squid-3.5.26-1.1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-10-29 02:18:35 CET

David Walser
2018-10-29 02:18:43 CET
Whiteboard: (none) => MGA6TOO

Squid 4.4 has been released. I'm not sure if it contains the fixes. Assigning to the registered maintainer.
Assignee: bugsquad => bruno

squid-3.5.26-1.2.mga6 on its way to mga6 updates
Status: NEW => ASSIGNED

Squid 4.4 contains the fixes. Working to integrate that version in cauldron.
Note that Cauldron update is still WIP.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors (SQUID-2018:4).

Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a denial of service attack (SQUID-2018:5).

References:
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.26-1.2.mga6
squid-cachemgr-3.5.26-1.2.mga6

from squid-3.5.26-1.2.mga6.src.rpm
Assignee: bruno => qa-bugs

cauldron updated with squid-4.4-1.mga7

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 22440, after installation made sure httpd runs, then
systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since do 2018-11-08 11:38:14 CET; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 9727 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 9758 (squid)
   CGroup: /system.slice/squid.service
           ├─9755 squid
           ├─9758 (squid-1)
           ├─9760 (logfile-daemon) /var/log/squid/access.log
           └─9762 (pinger)

nov 08 11:38:10 mach6.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
nov 08 11:38:12 mach6.hviaene.thuis squid[9748]: Squid Parent: will start 1 kids
nov 08 11:38:13 mach6.hviaene.thuis squid[9755]: Squid Parent: will start 1 kids
nov 08 11:38:13 mach6.hviaene.thuis squid[9755]: Squid Parent: (squid-1) process 9758 started
nov 08 11:38:14 mach6.hviaene.thuis squid[9727]: init_cache_dir /var/spool/squid... Starting squid: .[ OK
nov 08 11:38:14 mach6.hviaene.thuis systemd[1]: squid.service: Supervising process 9758 which is not our c
nov 08 11:38:14 mach6.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Pointed firefox to https://www.mageia.org and http://localhost/cgi-bin/cachemgr.cgi
All work OK
CC: (none) => herman.viaene

CVEs have been assigned:
https://www.openwall.com/lists/oss-security/2018/11/09/1

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors (CVE-2018-19131).

Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a denial of service attack (CVE-2018-19132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19132
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
https://www.openwall.com/lists/oss-security/2018/11/09/1
Summary: squid new security issues fixed upstream => squid new security issues fixed upstream (CVE-2018-19131 and CVE-2018-19132)

Advisory done from comments 5 & 8. Cannot this be validated?
CC: (none) => lewyssmith

Testing M6/64

This was done to try to clarify & note squid testing procedure, since the notes in bug 22440 are scattered.
With squid installed, using Firefox, I think it boils down to:
- configure Firefox to use a proxy:
-- Menu-General-Preferences-Network proxy-Configure-Manually
--- I left SOCKSv5 selected, and cleared "localhost" from the SOCKS line
- Did nothing re Squid config file.
# systemctl restart httpd
# systemctl [re]start squid
# systemctl status squid
[continued]
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since Gwe 2018-11-16 20:23:10 CET; 7s ago
Both http://localhost/... and Internet access should work.

BEFORE update:
squid-3.5.26-1.1.mga6
squid-cachemgr-3.5.26-1.1.mga6
Installing Squid generated a 2048-bit RSA private key: /etc/pki/tls/private/squid.pem
After procedure above, Firefox worked for localhost and Internet.
# systemctl stop squid

AFTER update:
squid-3.5.26-1.2.mga6
squid-cachemgr-3.5.26-1.2.mga6
# systemctl restart httpd
# systemctl stop squid
# systemctl start squid
# systemctl status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since Gwe 2018-11-16 20:41:25 CET; 4s ago
Firefox worked for localhost and Internet.
[Reverted Firefox NOT to use a proxy]
Hoping the procedure is valid, OKing for x64.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0458.html
Resolution: (none) => FIXED
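The BEFORE/AFTER package lists in the testing comment are what separate a host still exposed to CVE-2018-19131 and CVE-2018-19132 from a fixed one. The following POSIX shell check is an added example, not code from this bug or from the Squid project: it takes the fixed version-release 3.5.26-1.2.mga6 from the advisory above as its threshold and uses `sort -V` as an approximation of rpm's own version ordering (a production audit would use rpm's comparison instead). The package list at the bottom is constructed sample input; on a Mageia 6 host the input would come from `rpm -q squid squid-cachemgr`.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the Squid project): report whether
# installed squid packages are at or above the fixed build from this update.
# Version ordering is approximated with `sort -V`; rpm's own comparison is
# the authoritative one.

FIXED_VR="3.5.26-1.2.mga6"   # version-release of the fixed mga6 build (from the advisory)

# squid_is_fixed NVR
# Returns 0 when NVR (e.g. squid-3.5.26-1.1.mga6) carries a version-release
# at or above FIXED_VR, 1 otherwise.
squid_is_fixed() {
    nvr=$1
    # strip the package name; both packages in this update share one version-release
    vr=${nvr#squid-cachemgr-}
    vr=${vr#squid-}
    # the first line of a version sort is the older build; when that is the
    # fixed build (or both are equal) the installed package is not older
    lowest=$(printf '%s\n%s\n' "$vr" "$FIXED_VR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# check_installed_list
# Reads one package NVR per line on stdin, prints a verdict per package and
# returns 1 if any package is still below the fixed build.
check_installed_list() {
    rc=0
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if squid_is_fixed "$pkg"; then
            echo "fixed      $pkg"
        else
            echo "vulnerable $pkg (needs >= $FIXED_VR)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not captured from a real system): the pre-update
# squid package next to the post-update cachemgr package, so one line of each
# verdict is shown. On a real host: rpm -q squid squid-cachemgr | check_installed_list
printf '%s\n' squid-3.5.26-1.1.mga6 squid-cachemgr-3.5.26-1.2.mga6 | check_installed_list || :
```

The check deliberately compares the version-release only, so the cauldron build squid-4.4-1.mga7 named in the thread also passes, while the pre-update 3.5.26-1.1.mga6 packages are flagged.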