| Summary: | squid new security issues CVE-2019-1252[36] and CVE-2019-1867[6-9] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, lists.jjorge, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | squid-4.8-1.1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-12-03 21:41:18 CET
David Walser
2019-12-03 21:41:35 CET
CC: (none) => geiger.david68210, lists.jjorge

Assigning to Bruno as registered maintainer; noted CC José as recent committer.

Assignee: bugsquad => bruno

Version 4.9 was already in cauldron, pushing it to 7/updates_testing.

Suggested advisory:
Several security issues were found in the Squid proxy. Upstream released version 4.9 with all the needed fixes.

Refs:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt

SRPM:
squid-4.9-1.mga7

RPMS:
squid-4.9-1.mga7
squid-cachemgr-4.9-1.mga7

Status: NEW => ASSIGNED

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Potential remote code execution during URN processing (CVE-2019-12526).

Multiple improper validations in URI processing (CVE-2019-12523, CVE-2019-18676).

Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677).

Incorrect message parsing which could have led to HTTP request splitting issue (CVE-2019-18678).

Information disclosure when processing HTTP Digest Authentication (CVE-2019-18679).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
https://lists.opensuse.org/opensuse-updates/2019-11/msg00119.html

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 35637.
# systemctl restart httpd
[root@mach5 ~]# systemctl start squid
[root@mach5 ~]# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
Loaded: loaded (/etc/rc.d/init.d/squid; generated)
Active: active (running) since Tue 2019-12-10 10:22:16 CET; 14s ago
Docs: man:systemd-sysv-generator(8)
Process: 31352 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
Main PID: 31370 (squid)
Memory: 13.9M
CGroup: /system.slice/squid.service
├─31370 squid
├─31372 (squid-1) --kid squid-1
├─31377 (logfile-daemon) /var/log/squid/access.log
└─31378 (pinger)
dec 10 10:22:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: will start 1 kids
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: (squid-1) process 31367 started
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: squid-1 process 31367 exited with status 0
dec 10 10:22:16 mach5.hviaene.thuis squid[31370]: Squid Parent: will start 1 kids
dec 10 10:22:16 mach5.hviaene.thuis squid[31370]: Squid Parent: (squid-1) process 31372 started
dec 10 10:22:16 mach5.hviaene.thuis squid[31352]: init_cache_dir /var/spool/squid... Starting squid: [ OK ]
dec 10 10:22:16 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.
Restarted firefox, pointed it to this update and to a fake internet address and checked both in /var/log/squid/access.log: all works OK
Note: the httpd used is the one from update 25316, both without the mods that make this version fail on this setup.

Whiteboard: (none) => MGA7-64-OK

I'm going to let this one go. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0382.html

Status: ASSIGNED => RESOLVED

This update also fixed CVE-2019-18860:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006769.html