| Summary: | squid new security issues CVE-2019-12528, CVE-2020-8449, CVE-2020-8450, CVE-2020-8517 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, herman.viaene, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | squid-4.9-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-02-20 20:41:40 CET
David Walser
2020-02-21 17:53:03 CET
Status comment: (none) => Fixed upstream in 4.10

Assigning to Bruno as the apparent maintainer.

Assignee: bugsquad => bruno

Version 4.10 pushed to core/updates_testing.

CC: (none) => bruno

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory (CVE-2019-12528).

Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access server resources prohibited by earlier security filters (CVE-2020-8449).

Guido Vranken discovered that Squid incorrectly handled certain buffer operations when acting as a reverse proxy. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2020-8450).

Aaron Costello discovered that Squid incorrectly handled certain NTLM authentication credentials. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2020-8517).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8517
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt
https://usn.ubuntu.com/4289-1/
========================

Updated packages in core/updates_testing:
========================
squid-4.10-1.mga7
squid-cachemgr-4.10-1.mga7

from squid-4.10-1.mga7.src.rpm

Status comment: Fixed upstream in 4.10 => (none)

MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25637 for testing

# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Mon 2020-02-24 14:31:29 CET; 14s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6451 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 6469 (squid)
   Memory: 13.9M
   CGroup: /system.slice/squid.service
           ├─6469 squid
           ├─6471 (squid-1) --kid squid-1
           ├─6476 (logfile-daemon) /var/log/squid/access.log
           └─6477 (pinger)

Feb 24 14:31:29 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: will start 1 kids
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: (squid-1) process 6466 started
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: squid-1 process 6466 exited with status 0
Feb 24 14:31:29 mach5.hviaene.thuis squid[6469]: Squid Parent: will start 1 kids
Feb 24 14:31:29 mach5.hviaene.thuis squid[6469]: Squid Parent: (squid-1) process 6471 started
Feb 24 14:31:29 mach5.hviaene.thuis squid[6451]: init_cache_dir /var/spool/squid... Starting squid: [ OK ]
Feb 24 14:31:29 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Changed firefox to use localhost as proxy at port 3128.
Pointed firefox to a valid and an invalid URL. These are found in /var/log/squid/access.log.
All OK for me.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update

Thomas Backlund
2020-02-26 10:46:22 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0106.html

Resolution: (none) => FIXED