Bug 25110

Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579], CVE-2019-12854)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, bruno.cornec, bruno, herman.viaene, marja11, qa-bugs, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Source RPM: squid-4.7-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-07-11 14:52:30 CEST 
Squid 4.8 has been released on July 10:
http://www.squid-cache.org/Versions/v4/changesets/

It fixes some security issues in cachemgr, so we might want to update it for Mageia 7.
David Walser 2019-07-11 14:52:43 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Marja Van Waes 2019-07-12 18:04:12 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bruno

Comment 2 David Walser 2019-08-12 01:01:47 CEST 
Ubuntu has issued an advisory for this on July 17:
https://usn.ubuntu.com/4059-1/

Whiteboard: MGA7TOO => MGA7TOO, MGA6TOO
Summary: Squid 4.8 fixes security issues in cachemgr => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345)
Severity: normal => major

Comment 3 David Walser 2019-08-12 01:07:23 CEST 
Apparently 4.8 fixed issues in Squid itself too.

Ubuntu has issued an advisory on July 18:
https://usn.ubuntu.com/4065-1/

CVE-2019-12527 does not affect Mageia 6, the other issues do.

Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579])

Comment 4 Bruno Cornec 2019-08-13 01:47:31 CEST 
squid 4.8 pushed to cauldron and mga7 updates_testing.

Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Status: NEW => ASSIGNED
Version: Cauldron => 7

Comment 5 Bruno Cornec 2019-08-13 02:00:16 CEST 
squid 3.5.27 pushed to mga6 updates_testing

Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs

Comment 6 David Walser 2019-08-13 02:28:20 CEST 
Thanks.  Cauldron failed to build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190812234027.bcornec.duvel.5498/log/squid-4.8-1.mga8/build.0.20190812234107.log

Looks like newer GCC causing problems.

Be careful with the bugs, you accidentally wiped out the whiteboard in this bug and the ansible bug.

Whiteboard: (none) => MGA6TOO
CC: (none) => bruno.cornec

Comment 7 David Walser 2019-08-13 02:29:08 CEST 
I see the fix for the build issue right at the top here:
http://www.squid-cache.org/Versions/v4/changesets/
Comment 8 David Walser 2019-08-13 02:32:08 CEST 
CVE-2019-13345 isn't actually fixed in 3.5.27, so you'll need the patch from upstream or Ubuntu 18.04.

CC: (none) => qa-bugs
Assignee: qa-bugs => bruno.cornec

Comment 9 David Walser 2019-08-24 19:15:40 CEST 
squid-4.8-1.mga8 uploaded for Cauldron by Bruno.
Comment 10 David Walser 2019-08-28 22:17:43 CEST 
4.8 also fixed CVE-2019-12854 (only 4.x affected, so Mageia 6 is OK there):
https://security-tracker.debian.org/tracker/CVE-2019-12854

Debian has issued an advisory for this on August 24:
https://www.debian.org/security/2019/dsa-4507

Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579]) => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579], CVE-2019-12854)

Comment 11 Bruno Cornec 2019-09-04 12:22:09 CEST 
Used a derived patch from Upstream https://github.com/squid-cache/squid/commit/5730c2b5cb56e7639dc423dd62651c8736a54e35
squid-3.5.27-1.2.mga6 submitted

Assignee: bruno.cornec => qa-bugs
CC: (none) => bruno

Comment 12 David Walser 2019-09-04 16:08:59 CEST 
Advisory (Mageia 6):
========================

Updated squid packages fix security vulnerabilities:

It was discovered that Squid incorrectly handled Digest authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12525).

It was discovered that Squid incorrectly handled Basic authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12529).

It was discovered that Squid incorrectly handled the cachemgr.cgi web module.
A remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks (CVE-2019-13345).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
https://usn.ubuntu.com/4059-1/
https://usn.ubuntu.com/4065-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.5.27-1.2.mga6
squid-cachemgr-3.5.27-1.2.mga6

from squid-3.5.27-1.2.mga6.src.rpm


Advisory (Mageia 7):
========================

Updated squid packages fix security vulnerabilities:

It was discovered that Squid incorrectly handled Digest authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12525).

It was discovered that Squid incorrectly handled Basic authentication. A
remote attacker could use this issue to cause Squid to crash, resulting in a
denial of service, or possibly execute arbitrary code (CVE-2019-12527).

It was discovered that Squid incorrectly handled Basic authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12529).

Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may
access unallocated memory. On systems with memory access protections, this can
cause the CGI process to terminate unexpectedly, resulting in a denial of
service for all clients using it (CVE-2019-12854).

It was discovered that Squid incorrectly handled the cachemgr.cgi web module.
A remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks (CVE-2019-13345).

The squid package has been updated to version 4.8, fixing these issues and
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
https://usn.ubuntu.com/4059-1/
https://usn.ubuntu.com/4065-1/
https://www.debian.org/security/2019/dsa-4507
========================

Updated packages in core/updates_testing:
========================
squid-4.8-1.mga7
squid-cachemgr-4.8-1.mga7

from squid-4.8-1.mga7.src.rpm
Comment 13 Herman Viaene 2019-09-05 11:02:08 CEST 
MGA6-64 Plasma on Lenovo B50
No installation issues
After installation:
# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since do 2019-09-05 10:44:02 CEST; 20s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31649 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 31667 (squid)
   CGroup: /system.slice/squid.service
           ├─31665 squid
           ├─31667 (squid-1)
           ├─31669 (logfile-daemon) /var/log/squid/access.log
           └─31670 (pinger)

sep 05 10:44:01 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: will start 1 kids
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: (squid-1) process 31662 started
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: (squid-1) process 31662 exited with status 0
sep 05 10:44:01 mach5.hviaene.thuis squid[31665]: Squid Parent: will start 1 kids
sep 05 10:44:01 mach5.hviaene.thuis squid[31665]: Squid Parent: (squid-1) process 31667 started
sep 05 10:44:02 mach5.hviaene.thuis squid[31649]: init_cache_dir /var/spool/squid... Starting squid: .[  OK  ]
sep 05 10:44:02 mach5.hviaene.thuis systemd[1]: squid.service: Supervising process 31667 which is not our child. We'll most likely not notice when it exits
sep 05 10:44:02 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.
Ref to bug 23780 Comment 7 and 11:
Changed firefox to use localhost as proxy
Pointed firefox to https://www.mageia.org and http://localhost and http://localhost/cgi-bin/cachemgr.cgi
All work OK.

CC: (none) => herman.viaene
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 14 Herman Viaene 2019-09-09 13:45:49 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
I am not going to repeat the output of the test as it is the same as above Comment 13.
So OK for me.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 15 Thomas Andrews 2019-09-09 14:51:14 CEST 
Validating. Advisory in Comment 12.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-12 18:53:51 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 16 Mageia Robot 2019-09-12 21:11:25 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0265.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 17 Mageia Robot 2019-09-12 21:11:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0266.html
Comment 18 David Walser 2020-05-09 17:03:22 CEST 
The Mageia 7 update here also fixed CVE-2019-12520 and CVE-2019-12524:
http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
https://www.debian.org/security/2020/dsa-4682