| Summary: | squid new security issues CVE-2023-49288 and CVE-2023-5824 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | squid-5.9-1.2.mga9.src.rpm | CVE: | CVE-2023-49288, CVE-2023-5824 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-04-11 16:32:10 CEST
Nicolas Salguero
2024-04-11 16:32:41 CEST
CVE:
(none) =>
CVE-2023-49288, CVE-2023-5824

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Affected versions of squid are subject to a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured with "collapsed_forwarding on" are vulnerable. Configurations with "collapsed_forwarding off" or without a "collapsed_forwarding" directive are not vulnerable. (CVE-2023-49288)

Squid is vulnerable to Denial of Service attack against HTTP and HTTPS clients due to an Improper Handling of Structural Elements bug. (CVE-2023-5824)

References:
https://ubuntu.com/security/notices/USN-6728-1
========================

Updated packages in core/updates_testing:
========================
squid-5.9-1.3.mga9
squid-cachemgr-5.9-1.3.mga9

from SRPM:
squid-5.9-1.3.mga9.src.rpm

Status:
NEW =>
ASSIGNED
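The suggested advisory above ties CVE-2023-49288 to one configuration condition: only "collapsed_forwarding on" is vulnerable. The script below is an added example (not part of this bug report or of Squid) that reports the effective setting in a squid.conf. It assumes the last occurrence of the directive wins, does not follow `include` files, and uses constructed sample configurations.

```shell
#!/bin/sh
# Added example: report the effective collapsed_forwarding setting of a squid.conf.
# Assumptions: the last occurrence of the directive wins; files pulled in with
# "include" are NOT followed and must be checked separately.

collapsed_forwarding_state() {
    # $1 = path to a squid.conf; prints "on", "off" or "unset"
    awk '
        $1 ~ /^#/ { next }                                  # skip comment lines
        $1 == "collapsed_forwarding" { state = tolower($2) } # later lines override
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

is_exposed_config() {
    # Per the advisory, only "collapsed_forwarding on" is a vulnerable configuration;
    # "off" or no directive at all is not.
    [ "$(collapsed_forwarding_state "$1")" = "on" ]
}

# Constructed sample configurations (not taken from the bug report).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/on.conf" <<'EOF'
http_port 3128
# collapsed_forwarding off
collapsed_forwarding on
EOF
cat > "$demo_dir/off.conf" <<'EOF'
http_port 3128
collapsed_forwarding on
  collapsed_forwarding off
EOF
cat > "$demo_dir/unset.conf" <<'EOF'
http_port 3128
#collapsed_forwarding on
EOF

for name in on off unset; do
    conf="$demo_dir/$name.conf"
    if is_exposed_config "$conf"; then
        verdict="vulnerable configuration on unpatched packages"
    else
        verdict="not a vulnerable configuration"
    fi
    echo "$name.conf: collapsed_forwarding=$(collapsed_forwarding_state "$conf") -> $verdict"
done
```

On a real host, call `collapsed_forwarding_state /etc/squid/squid.conf` (the path shown in the service status output in this report) and update to the fixed packages regardless of the result, since CVE-2023-5824 does not depend on this directive.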
katnatek
2024-04-12 01:08:06 CEST
Keywords:
(none) =>
advisory

MGA-64 Plasma Wayland on HP-Pavilion
No installation issues
Ref bug 20883

# squid -v
Squid Cache: Version 5.9
Service Name: squid
This binary uses OpenSSL 3.0.12 24 Oct 2023.
configure options: ..... etc......

# systemctl start squid
# systemctl -l status squid
● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
     Active: active (running) since Fri 2024-04-12 11:55:31 CEST; 19s ago
       Docs: man:squid(8)
    Process: 104908 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
   Main PID: 104910 (squid)
      Tasks: 3 (limit: 4495)
     Memory: 14.7M
        CPU: 350ms
     CGroup: /system.slice/squid.service
             ├─104910 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
             ├─104912 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.conf
             └─104913 "(logfile-daemon)" /var/log/squid/access.log

Apr 12 11:55:30 mach4.hviaene.thuis systemd[1]: Starting squid.service...
Apr 12 11:55:30 mach4.hviaene.thuis squid[104910]: Squid Parent: will start 1 kids
Apr 12 11:55:30 mach4.hviaene.thuis squid[104910]: Squid Parent: (squid-1) process 104912 started
Apr 12 11:55:31 mach4.hviaene.thuis systemd[1]: Started squid.service.

Closing to change proxy.

CC:
(none) =>
herman.viaene

Restarted Firefox and looked up "What do Belgians think about the Dutch". Works OK.
Returning to switch off squid. Back on system proxy settings, all OK.

Whiteboard:
(none) =>
MGA9-64-OK

Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0126.html

Resolution:
(none) =>
FIXED |