Bug 33363

Summary: squid new security issue CVE-2024-37894
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: squid-5.9-1.3.mga9.src.rpm CVE: CVE-2024-37894
Status comment:

Description Nicolas Salguero 2024-07-04 11:12:01 CEST 
SUSE has issued an advisory on July 2:
https://lwn.net/Articles/980547/

The problem is fixed in version 6.10 (for Cauldron) or with the following commit: https://github.com/squid-cache/squid/commit/67f5496f7b72e698ad0f5aa3512c83089424f27f

Mageia 9 is also affected.
Nicolas Salguero 2024-07-04 11:13:11 CEST

Status comment: (none) => Fixed upstream in 6.10 and patch available from upstream
Source RPM: (none) => squid-6.8-1.mga10.src.rpm, squid-5.9-1.3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-37894

Comment 1 Lewis Smith 2024-07-05 21:36:27 CEST 
I cannot see "version 6.10 (for Cauldron)", but believe it!
Various packagers maintain squid, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-07-08 14:18:14 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack. (CVE-2024-37894)

References:
https://lists.suse.com/pipermail/sle-security-updates/2024-July/018842.html
========================

Updated packages in core/updates_testing:
========================
squid-5.9-1.4.mga9
squid-cachemgr-5.9-1.4.mga9

from SRPM:
squid-5.9-1.4.mga9.src.rpm

Status comment: Fixed upstream in 6.10 and patch available from upstream => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Source RPM: squid-6.8-1.mga10.src.rpm, squid-5.9-1.3.mga9.src.rpm => squid-5.9-1.3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)

katnatek 2024-07-08 19:45:51 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-07-13 18:47:51 CEST 
RH mageia 9 x86_64

Reference bug#33091 comment#2

systemctl start squid.service 
systemctl status squid.service 
● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-07-13 10:31:21 CST; 10s ago
       Docs: man:squid(8)
    Process: 210753 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
   Main PID: 210755 (squid)
      Tasks: 3 (limit: 6880)
     Memory: 14.8M
        CPU: 162ms
     CGroup: /system.slice/squid.service
             ├─210755 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
             ├─210757 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.conf
             └─210758 "(logfile-daemon)" /var/log/squid/access.log

jul 13 10:31:20 jgrey.phoenix systemd[1]: Starting squid.service...
jul 13 10:31:20 jgrey.phoenix squid[210755]: Squid Parent: will start 1 kids
jul 13 10:31:20 jgrey.phoenix squid[210755]: Squid Parent: (squid-1) process 210757 started
jul 13 10:31:21 jgrey.phoenix systemd[1]: Started squid.service.

Configure the proxy in firefox , kill firefox and start again all the tabs were restored with a few delay due the catching 

Post this comment

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-07-14 02:42:48 CEST 
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-07-14 07:24:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0265.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED