Bug 32486

Summary: squid new security issues CVE-2023-4684[6-8]
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: squid-5.9-1.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 32501    

Description Nicolas Salguero 2023-11-03 15:24:09 CET 
Squid has issued advisories on October 21:
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w

Mageia 9 is also affected by the 3 CVEs.

Mageia 8 is affected by CVE-2023-4684[67].
Nicolas Salguero 2023-11-03 15:24:34 CET

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => squid-5.9-1.mga9.src.rpm

Comment 1 Lewis Smith 2023-11-05 21:00:51 CET 
From the given URLs, all 3 faults say:
"This bug is fixed by Squid version 6.4.   [Not us]

In addition, patches addressing this problem for the stable
releases can be found in our patch archives"

For Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch
http://www.squid-cache.org/Versions/v5/SQUID-2023_3.patch
http://www.squid-cache.org/Versions/v5/SQUID-2023_5.patch

Assigning globally.

Assignee: bugsquad => pkg-bugs

Nicolas Salguero 2023-11-09 15:47:36 CET

Blocks: (none) => 32501

Comment 2 Nicolas Salguero 2023-11-09 15:48:36 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Request/Response smuggling in HTTP/1.1 and ICAP. (CVE-2023-46846)

Denial of Service in HTTP Digest Authentication. (CVE-2023-46847)

Denial of Service in FTP. (CVE-2023-46848)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46848
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w
========================

Updated packages in core/updates_testing:
========================
squid-5.9-1.1.mga9
squid-cachemgr-5.9-1.1.mga9

from SRPM:
squid-5.9-1.1.mga9.src.rpm

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO, MGA8TOO => (none)

Comment 3 Herman Viaene 2023-11-09 16:54:03 CET 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 20883
# squid -v
Squid Cache: Version 5.9
Service Name: squid

This binary uses OpenSSL 3.0.12 24 Oct 2023. configure options:  '
etc..........
# systemctl start squid
# systemctl -l status squid
● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
     Active: active (running) since Thu 2023-11-09 15:49:56 CET; 20s ago
       Docs: man:squid(8)
    Process: 37549 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
   Main PID: 37566 (squid)
      Tasks: 3 (limit: 4317)
     Memory: 14.7M
        CPU: 898ms
     CGroup: /system.slice/squid.service
             ├─37566 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
             ├─37618 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.conf
             └─38392 "(logfile-daemon)" /var/log/squid/access.log

Nov 09 15:49:50 mach7.hviaene.thuis systemd[1]: Starting squid.service...
Nov 09 15:49:50 mach7.hviaene.thuis squid[37566]: Squid Parent: will start 1 kids
Nov 09 15:49:50 mach7.hviaene.thuis squid[37566]: Squid Parent: (squid-1) process 37618 started
Nov 09 15:49:56 mach7.hviaene.thuis systemd[1]: Started squid.service.
Closing to change proxy.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2023-11-09 17:04:34 CET 
Restarted Firefox, access this update. Start youtube in another tab and looked up and played Mister John, works OK.
Removing proxy again.
Comment 5 Herman Viaene 2023-11-09 17:08:13 CET 
# systemctl stop squid
# systemctl -l status squid
○ squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:squid(8)

Nov 09 15:49:50 mach7.hviaene.thuis systemd[1]: Starting squid.service...
Nov 09 15:49:50 mach7.hviaene.thuis squid[37566]: Squid Parent: will start 1 kids
Nov 09 15:49:50 mach7.hviaene.thuis squid[37566]: Squid Parent: (squid-1) process 37618 started
Nov 09 15:49:56 mach7.hviaene.thuis systemd[1]: Started squid.service.
Nov 09 16:05:44 mach7.hviaene.thuis systemd[1]: Stopping squid.service...
Nov 09 16:05:51 mach7.hviaene.thuis squid[37566]: Squid Parent: squid-1 process 37618 exited with status 0
Nov 09 16:05:51 mach7.hviaene.thuis systemd[1]: squid.service: Deactivated successfully.
Nov 09 16:05:51 mach7.hviaene.thuis systemd[1]: Stopped squid.service.
Nov 09 16:05:51 mach7.hviaene.thuis systemd[1]: squid.service: Consumed 1.391s CPU time.

Then restarted Firefox and do this update, all OK.

Whiteboard: (none) => MGA9-64-OK

Comment 6 Marja Van Waes 2023-11-09 18:52:31 CET 
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

CC: (none) => marja11
Keywords: (none) => advisory

Comment 7 Thomas Andrews 2023-11-09 21:16:19 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2023-11-10 01:39:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0315.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED