| Summary: | squid new security issues CVE-2023-46724, CVE-2023-4928[56], CVE-2023-50269, CVE-2024-23638, CVE-2024-25111 and CVE-2024-25617 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, luis.daniel.lucio, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | squid-5.9-2.mga10.src.rpm | CVE: | CVE-2023-46724, CVE-2023-49285, CVE-2023-49286, CVE-2023-50269, CVE-2024-23638, CVE-2024-25111, CVE-2024-25617 |
| Status comment: | Patches available from Debian and upstream | | |

Description
Nicolas Salguero
2024-03-22 14:24:03 CET

Nicolas Salguero
2024-03-22 14:24:42 CET
Whiteboard: (none) => MGA9TOO

Unsure about this. The Oracle links show v5.5-6.0.1.8 as fixing the CVEs; but our Cauldron version looks more recent, 5.9. For M9 also, squid-5.9-1.1.mga9.
Status comment: (none) => Fixed squid-5.5-6.0.1.el9_3.8

The Oracle version is meaningless as it has been patched. Check for upstream advisories for these issues.

Thanks for the comment. Back to Nicolas.

Debian has issued an advisory on March 8: https://lists.debian.org/debian-security-announce/2024/msg00043.html
For Cauldron, we need to properly upgrade to version 6.8 (version 6.7 is not really put in our SVN).
For Mageia 9, we need the following patches:
http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch (CVE-2023-46724)
http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch (CVE-2023-49285)
https://sources.debian.org/src/squid/5.7-2%2Bdeb12u1/debian/patches/CVE-2023-49286.patch/ (CVE-2023-49286)
http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch (CVE-2023-50269)
http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch (CVE-2024-23638)
https://sources.debian.org/src/squid/5.7-2%2Bdeb12u1/debian/patches/CVE-2024-25111.patch/ (CVE-2024-25111)
https://sources.debian.org/src/squid/5.7-2%2Bdeb12u1/debian/patches/CVE-2024-25617.patch/ (CVE-2024-25617)
CVE: CVE-2023-50269, CVE-2024-25111, CVE-2024-25617 => CVE-2023-46724, CVE-2023-49285, CVE-2023-49286, CVE-2023-50269, CVE-2024-23638, CVE-2024-25111, CVE-2024-25617

Thank you for all that research & detail. Different people have dealt with Squid, so assigning this globally. CC'ing dlucio who recently put up v6.7.
Assignee: bugsquad => pkg-bugs

For Cauldron, dlucio is currently upgrading squid to version 6.8.

Suggested advisory:
========================
The updated packages fix security vulnerabilities:

Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. (CVE-2023-46724)

Due to a Buffer Overread bug, Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. (CVE-2023-49285)

Due to an Incorrect Check of Function Return Value bug, Squid is vulnerable to a Denial of Service attack against its Helper process management. (CVE-2023-49286)

Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform a Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. (CVE-2023-50269)

Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. (CVE-2024-23638)

Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. (CVE-2024-25111)

Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. (CVE-2024-25617)

References:
https://lwn.net/Articles/966404/
https://lists.debian.org/debian-security-announce/2024/msg00043.html
========================

Updated packages in core/updates_testing:
========================
squid-5.9-1.2.mga9
squid-cachemgr-5.9-1.2.mga9

from SRPM:
squid-5.9-1.2.mga9.src.rpm
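As an added illustration (not code from this bug report or from the Squid project): a small inventory check that encodes the upstream version ranges quoted in the suggested advisory above and applies them to the version line that `squid -v` prints, as shown in the QA comments on this report. The function names, the mapping of the 2.x `STABLEn` suffix to a numeric patch level, and the sample `squid -v` output are my assumptions; as the thread itself notes about the Oracle build, a distribution package such as squid-5.9-1.2.mga9 carries backported patches, so a check on the upstream version alone over-reports on patched packages and the package changelog or advisory is the authoritative source.

```python
import re
# Upstream ranges as quoted in the suggested advisory above (constructed from that
# text): (low, high, high_inclusive); None = unbounded. "through" is inclusive, "prior to" exclusive.
AFFECTED = {
    "CVE-2023-46724": [("3.3.0.1", "5.9", True), ("6.0", "6.4", False)],  # --with-openssl builds only
    "CVE-2023-50269": [("2.6", "2.7.STABLE9", True), ("3.1", "5.9", True), ("6.0.1", "6.5", True)],
    "CVE-2024-23638": [(None, "6.6", False)],
    "CVE-2024-25111": [("3.5.27", "6.8", False)],
    "CVE-2024-25617": [(None, "6.5", False)],
}
# The advisory gives no version range for these two; a version check cannot decide them.
UNRANGED = {"CVE-2023-49285", "CVE-2023-49286"}

def parse_version(text):
    """'5.9', '6.0.1' or '2.7.STABLE9' -> 4-tuple; assumption: 'STABLEn' acts as patch level n."""
    parts = []
    for piece in text.strip().split("."):
        m = re.fullmatch(r"(?:STABLE)?(\d+)", piece)
        if not m:
            raise ValueError(f"cannot parse version component {piece!r} in {text!r}")
        parts.append(int(m.group(1)))
    return tuple(parts + [0] * (4 - len(parts)))

def in_range(v, low, high, high_inclusive):
    if low is not None and v < parse_version(low):
        return False
    if high is None:
        return True
    return v <= parse_version(high) if high_inclusive else v < parse_version(high)

def affected_cves(version, with_openssl=True):
    """CVEs whose advisory range covers this upstream version. Caveat: distro builds such as
    squid-5.9-1.2.mga9 carry backported fixes, so the upstream version alone over-reports."""
    v = parse_version(version)
    hits = set()
    for cve, ranges in AFFECTED.items():
        if cve == "CVE-2023-46724" and not with_openssl:
            continue
        if any(in_range(v, *r) for r in ranges):
            hits.add(cve)
    return hits

def version_from_squid_v(output):
    """Pull the upstream version out of `squid -v` output."""
    m = re.search(r"^Squid Cache: Version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Squid Cache: Version' line found")
    return m.group(1)

# Constructed sample mirroring the `squid -v` lines shown later in this report.
SAMPLE_SQUID_V = "Squid Cache: Version 5.9\nService Name: squid\n"
```

Running `affected_cves(version_from_squid_v(SAMPLE_SQUID_V))` lists all five ranged CVEs for an unpatched upstream 5.9, while the two in `UNRANGED` must be checked against the package changelog.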
katnatek
2024-03-28 18:55:06 CET
Keywords: (none) => advisory

MGA-64 Plasma Wayland on HP-Pavillion
No installation issues
Ref bug 20883
# squid -v
Squid Cache: Version 5.9
Service Name: squid
This binary uses OpenSSL 3.0.12 24 Oct 2023.
configure options: ' etc.......
# systemctl start squid
# systemctl -l status squid
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
Active: active (running) since Fri 2024-03-29 15:27:05 CET; 21s ago
Docs: man:squid(8)
Process: 143319 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 143321 (squid)
Tasks: 3 (limit: 4495)
Memory: 15.0M
CPU: 363ms
CGroup: /system.slice/squid.service
├─143321 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
├─143323 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.conf
└─143324 "(logfile-daemon)" /var/log/squid/access.log
Mar 29 15:27:05 mach4.hviaene.thuis systemd[1]: Starting squid.service...
Mar 29 15:27:05 mach4.hviaene.thuis squid[143321]: Squid Parent: will start 1 kids
Mar 29 15:27:05 mach4.hviaene.thuis squid[143321]: Squid Parent: (squid-1) process 143323 started
Mar 29 15:27:05 mach4.hviaene.thuis systemd[1]: Started squid.service.
Closing to change proxy.
CC: (none) => herman.viaene

Restarted Firefox, access this update. Start youtube in another tab and looked up and played "Hugh Laurie on Belgians", works OK. Removing proxy again.
# systemctl stop squid
# systemctl -l status squid
○ squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
Active: inactive (dead)
Docs: man:squid(8)
Mar 29 15:27:05 mach4.hviaene.thuis systemd[1]: Starting squid.service...
Mar 29 15:27:05 mach4.hviaene.thuis squid[143321]: Squid Parent: will start 1 kids
Mar 29 15:27:05 mach4.hviaene.thuis squid[143321]: Squid Parent: (squid-1) process 143323 started
Mar 29 15:27:05 mach4.hviaene.thuis systemd[1]: Started squid.service.
Mar 29 15:48:32 mach4.hviaene.thuis systemd[1]: Stopping squid.service...
Mar 29 15:48:39 mach4.hviaene.thuis squid[143321]: Squid Parent: squid-1 process 143323 exited with status 0
Mar 29 15:48:39 mach4.hviaene.thuis systemd[1]: squid.service: Deactivated successfully.
Mar 29 15:48:39 mach4.hviaene.thuis systemd[1]: Stopped squid.service.
Restarted Firefox and do this update. All OK
Whiteboard: (none) => MGA9-64-OK

Validating.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0102.html
Resolution: (none) => FIXED