Bug 30883

Summary: squid new security issues CVE-2022-4131[78]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, bruno, davidwhodgins, herman.viaene, neoser10, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-32-OK MGA8-64-OK
Source RPM: squid-4.17-1.1.mga8.src.rpm CVE: CVE-2022-41317, CVE-2022-41318
Status comment:
Attachments: Squid/Webfilter OK Confirmation

Description David Walser 2022-09-23 18:01:48 CEST 
Squid has issued advisories today (September 23):
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78

The issues are fixed upstream in 5.7 (already updated in Cauldron).

There are patches for 4.x linked from the advisories above.
David Walser 2022-09-23 18:02:05 CEST

Version: Cauldron => 8
Status comment: (none) => Patches available from upstream

Comment 1 Lewis Smith 2022-09-23 20:27:59 CEST 
All sorts of people have maintained this package, so assigning this update globally.
Despite which, CC'ing bcornec who is the registered maintainer.

CC: (none) => bruno
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-09-26 13:50:56 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Exposure of Sensitive Information in Cache Manager. (CVE-2022-41317)

Buffer Over Read in SSPI and SMB Authentication. (CVE-2022-41318)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41318
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78
========================

Updated packages in core/updates_testing:
========================
squid-4.17-1.2.mga8
squid-cachemgr-4.17-1.2.mga8

from SRPM:
squid-4.17-1.2.mga8.src.rpm

CVE: (none) => CVE-2022-41317, CVE-2022-41318
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2022-09-26 16:41:44 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 30578 for tests
# squid --v
Squid Cache: Version 4.17
Service Name: squid

This binary uses OpenSSL 1.1.1q  5 Jul 2022. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  
and a load more .....
# systemctl start squid
[root@mach7 ~]# systemctl -l status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-09-26 16:34:10 CEST; 14s ago
       Docs: man:squid(8)
    Process: 8976 ExecStartPre=/usr/sbin/squid --foreground -z -F (code=exited, status=0/SUCCESS)
   Main PID: 8979 (squid)
      Tasks: 4 (limit: 4364)
     Memory: 12.5M
        CPU: 538ms
     CGroup: /system.slice/squid.service
             ├─8979 /usr/sbin/squid --foreground -sYC
             ├─8981 (squid-1) --kid squid-1 --foreground -sYC
             ├─8983 (logfile-daemon) /var/log/squid/access.log
             └─8984 (pinger)

Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Using Least Load store dir selection
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Set Current Directory to /var/spool/squid
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Finished loading MIME types and icons.
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: HTCP Disabled.
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Pinger socket opened on FD 14
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Squid plugin modules loaded: 0
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Adaptation support is off.
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 fla>
Sep 26 16:34:10 mach7.hviaene.thuis systemd[1]: Started Squid Web Proxy Server.
Sep 26 16:34:11 mach7.hviaene.thuis squid[8981]: storeLateRelease: released 0 objects
Then set localhost as proxy in Firefox, restart it and update this bug running now.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-09-26 16:49:43 CEST 
Reset proxy in Firefox to system proxy (none in fact), restarted Firefox and doing this update.
All worked OK.
I find the references in the /var/log/squid/cache.log

Whiteboard: (none) => MGA8-64-OK

Comment 5 Mauricio Andrés Bustamante Viveros 2022-09-26 21:40:08 CEST 
Tested with MGA 32 bits
This proxy server is a proxy with content filtering
Installed the update and tested that firefox opens facebook.com and Youtube.com
Access is denied by ACL, the access rule is working as expected

Using a whitelisted domain (mail.yahoo.com) accessing as expected too

This update will be running in this VM until tomorrow to review the journal, after that review I confirm OK or not OK

CC: (none) => neoser10

Comment 6 David Walser 2022-09-27 00:03:57 CEST 
Ubuntu has issued an advisory for this today (September 26):
https://ubuntu.com/security/notices/USN-5641-1
Comment 7 Mauricio Andrés Bustamante Viveros 2022-09-27 03:45:10 CEST 
Created attachment 13402 [details]
Squid/Webfilter OK Confirmation

Squid from Updates Testing installed today, is working well

For me is an OK
Comment 8 Thomas Andrews 2022-09-28 04:52:03 CEST 
Validating. Advisory in Comment 2.

Whiteboard: MGA8-64-OK => MGA8-32-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-01 16:27:54 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-10-01 19:50:02 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0351.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED