| Summary: | squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8], CVE-2021-33620 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | ||
| Source RPM: | squid-4.13-5.mga8.src.rpm | CVE: | CVE-2020-25097 |
| Status comment: | |||
|
Description
David Walser
2021-04-18 00:37:36 CEST
David Walser
2021-04-18 00:37:54 CEST
Status comment:
(none) =>
Fixed upstream in 4.14 This looks right to assign to Bruno. Assignee:
bugsquad =>
bruno pushed in mga7/8/9
src:
- squid-4.13-1.1.mga7
- squid-4.13-5.1.mga8Version:
Cauldron =>
8 Please update to 4.14, so we can get all of the bug fixes.
David Walser
2021-04-27 19:45:15 CEST
Keywords:
(none) =>
feedback
David Walser
2021-05-14 00:50:31 CEST
Assignee:
qa-bugs =>
pkg-bugs Update coming once the build system catches up. Advisory: ======================== Updated squid packages fix security vulnerability: Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097). The squid package has been updated to version 4.14, fixing this issue and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097 https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a https://access.redhat.com/errata/RHSA-2021:1135 Advisory: ======================== Updated squid packages fix security vulnerability: Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097). The squid package has been updated to version 4.15, fixing this issue and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097 https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839 https://access.redhat.com/errata/RHSA-2021:1135 ======================== Updated packages in core/updates_testing: ======================== squid-4.15-1.mga8 squid-cachemgr-4.15-1.mga8 from squid-4.15-1.mga8.src.rpm Assignee:
pkg-bugs =>
qa-bugs Mageia 7 build was just submitted too. Should be the following when done: squid-4.15-1.mga7 squid-cachemgr-4.15-1.mga7 from squid-4.15-1.mga7.src.rpm MGA7-64 Plasma on Lenovo B50 Installing updates the existing packages. Following previous bug 26532 # systemctl restart httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2021-05-15 21:13:12 CEST; 22s ago Main PID: 8964 (httpd) Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec" Tasks: 27 (limit: 4915) Memory: 21.8M CGroup: /system.slice/httpd.service ├─ 8964 /usr/sbin/httpd -DFOREGROUND ├─10509 /usr/sbin/httpd -DFOREGROUND ├─10510 /usr/sbin/httpd -DFOREGROUND ├─10515 /usr/sbin/httpd -DFOREGROUND ├─10520 /usr/sbin/httpd -DFOREGROUND ├─10525 /usr/sbin/httpd -DFOREGROUND └─10530 /usr/sbin/httpd -DFOREGROUND May 15 21:13:03 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... May 15 21:13:12 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server. # systemctl start squid Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details. [root@mach5 ~]# systemctl start squid Job for squid.service failed because the control process exited with error code. See "systemctl status squid.service" and "journalctl -xe" for details. [root@mach5 ~]# systemctl -l status squid ● squid.service - LSB: Starts the squid daemon Loaded: loaded (/etc/rc.d/init.d/squid; generated) Active: failed (Result: exit-code) since Sat 2021-05-15 21:18:45 CEST; 23s ago Docs: man:systemd-sysv-generator(8) Process: 3818 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=255/EXCEPTION) Googled on the error, found nothing that seemsto apply. In /var/log/squid/cache.log I get 2021/05/15 21:13:56| Removing PID file (/run/squid.pid) 2021/05/15 21:18:39| Created PID file (/run/squid.pid) 2021/05/15 21:18:45 kid1| Set Current Directory to /var/spool/squid 2021/05/15 21:18:45 kid1| Creating missing swap directories 2021/05/15 21:18:45 kid1| No cache_dir stores are configured. 2021/05/15 21:18:45| FATAL: Squid is already running: Found fresh instance PID file (/run/squid.pid) with PID 3846 exception location: Instance.cc(121) ThrowIfAlreadyRunningWith but I check with ps -ef, there is nothing squid-ish there, but retrying I keep getting the same error CC:
(none) =>
herman.viaene Known issue if you're testing Mageia 7 (see Bug 27211). I've seen that bug, but to me it looks like a discussion on compiling/building the package. I cann't get it where I would have to change what in which file???? Try using the systemd unit file here: https://bugs.mageia.org/show_bug.cgi?id=27211#c7 Install it in /etc/systemd/system/ and then run systemctl daemon-reload, so that systemd sees it. MGA8 x86_64
$ rpm -qa | grep squid
squid-4.15-1.mga8
Using squid as web proxy for a shared Internet Network to a local Network with "Share the Internet connection with the local machines" under Network section of Mageia Control Centre.
$ systemctl status squid
● squid.service - Squid Web Proxy Server
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-05-23 17:03:48 CEST; 9min ago
Docs: man:squid(8)
Main PID: 10031 (squid)
Tasks: 6 (limit: 4693)
Memory: 51.1M
CPU: 3.994s
CGroup: /system.slice/squid.service
├─10031 /usr/sbin/squid --foreground -sYC
├─10033 (squid-1) --kid squid-1 --foreground -sYC
├─10034 (logfile-daemon) /var/log/squid/access.log
├─10035 (unlinkd)
├─10036 diskd 10273796 10273797 10273798
└─10037 (pinger)
mai 23 17:03:48 localhost squid[10033]: 0 Objects cancelled.
mai 23 17:03:48 localhost squid[10033]: 0 Duplicate URLs purged.
mai 23 17:03:48 localhost squid[10033]: 0 Swapfile clashes avoided.
mai 23 17:03:48 localhost squid[10033]: Took 0.01 seconds (3089.68 objects/sec).
mai 23 17:03:48 localhost squid[10033]: Beginning Validation Procedure
mai 23 17:03:48 localhost squid[10033]: Completed Validation Procedure
mai 23 17:03:48 localhost squid[10033]: Validated 41 Entries
mai 23 17:03:48 localhost squid[10033]: store_swap_size = 13708.00 KB
mai 23 17:03:49 localhost squid[10033]: storeLateRelease: released 0 objects
Work OK.CC:
(none) =>
ouaurelien
Aurelien Oudelet
2021-05-23 17:32:34 CEST
CVE:
(none) =>
CVE-2020-25097 Seems there is an updated version for mga7 as well - Current or newer revision(s) already exists in core/updates_testing for 7: 4.15-1.mga7 Status:
NEW =>
ASSIGNED Yes this already assigned to QA. Just awaiting validation. Debian has issued an advisory on June 1: https://www.debian.org/security/2021/dsa-4924 The issues are fixed upstream in 4.15 in this update. Summary:
squid new security issue CVE-2020-25097 =>
squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8] Advisory: ======================== Updated squid packages fix security vulnerability: Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097). Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server (CVE-2021-28651, CVE-2021-28652, CVE-2021-28662, CVE-2021-31806, CVE-2021-31807, CVE-2021-31808). The squid package has been updated to version 4.15, fixing this issue and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28662 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808 https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4 https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447 https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839 https://access.redhat.com/errata/RHSA-2021:1135 https://www.debian.org/security/2021/dsa-4924 Ubuntu has issued an advisory on June 3: https://ubuntu.com/security/notices/USN-4981-1 It has one more CVE that was fixed in 4.15. Advisory: ======================== Updated squid packages fix security vulnerability: Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097). Joshua Rogers discovered that Squid incorrectly handled requests with the urn: scheme. A remote attacker could possibly use this issue to causeSquid to consume resources, leading to a denial of service (CVE-2021-28651). Joshua Rogers discovered that Squid incorrectly handled requests to the Cache Manager API. A remote attacker with access privileges could possibly use this issue to cause Squid to consume resources, leading to a denial of service (CVE-2021-28652). Joshua Rogers discovered that Squid incorrectly handled certain response headers. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2021-28662). Joshua Rogers discovered that Squid incorrectly handled range request processing. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2021-31806, CVE-2021-31807, CVE-2021-31808). Joshua Rogers discovered that Squid incorrectly handled certain HTTP responses. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2021-33620). The squid package has been updated to version 4.15, fixing this issue and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28662 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33620 https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4 https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447 https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839 https://access.redhat.com/errata/RHSA-2021:1135 https://ubuntu.com/security/notices/USN-4981-1 Summary:
squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8] =>
squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8], CVE-2021-33620 Tested again with recommandation from Comment 10, with a little guess that the file involved is squid.service (I didn't see that mentioned). Works OK now. One question remains for me: if anyone installs the version of squid as its first installation, will that person know this story of the squid.service file??? Whiteboard:
MGA7TOO MGA8-64-OK =>
MGA7TOO MGA8-64-OK MGA7-64-OK Only if they search Bugzilla. Oh well. We probably should have put something in the Errata. This one has been a long time coming. Validating. Several advisories here, but I believe the last, in Comment 16, is probably the correct one. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Thomas Backlund
2021-06-08 16:55:58 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0237.html Status:
ASSIGNED =>
RESOLVED This apparently also fixed CVE-2021-28116: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28116 There's supposed to be an upstream advisory here, but it gives a 404: https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82 (In reply to David Walser from comment #21) > This apparently also fixed CVE-2021-28116: > https://lists.fedoraproject.org/archives/list/package-announce@lists. > fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28116 > > There's supposed to be an upstream advisory here, but it gives a 404: > https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82 The above upstream advisory has finally been posted, and it is in fact not fixed until 4.17. Bug 29524 filed for this issue. |