Description of problem:
Trying to make squid search LDAP for user groups to make filtering based on user groups (stored in LDAP). Until now I was using /usr/lib/squid/squid_ldap_group. But it's unavailable for MGA3.

Version-Release number of selected component (if applicable):
3.2.10-1.mga3

How reproducible:
Always: component is missing

Steps to Reproduce:
1. install squid (urpmi squid)
2. configure squid to use external_acl_type ldapGroup %LOGIN /usr/lib/squid/squid_ldap_group ...
3. there is no such file in /usr/lib/squid

In case of a filename change, I checked if there were some files that could match the "squid_ldap_group" helper, but couldn't find any.

It seems that it may have been dropped here:
http://svnweb.mageia.org/packages/cauldron/squid/current/SPECS/squid.spec?view=markup&pathrev=289632

regards
Dag
Keywords: (none) => Triaged
CC: (none) => luigiwalser
Assignee: bugsquad => luis.daniel.lucio
Since we selectively enable helpers and several of the helper names were changed in Squid 3.2 upstream:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#toc2.4
we lost some of them. I'm working on getting them enabled again. Once they are, there may be some configuration changes required, I'm not sure.

Documentation for the helpers is available here:
http://www.squid-cache.org/Doc/man/
Corrected packages uploaded for Mageia 3 and Cauldron. Here are the changes in the SPEC file for Mageia 3:
http://svnweb.mageia.org/packages/updates/3/squid/current/SPECS/squid.spec?r1=419736&r2=448559

Unfortunately for Cauldron there is a problem with perl's pod2man command, which has caused the DB auth helper and DB log daemon to get disabled for now. This has been reported as Bug 10663.

Advisory
--------

Due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included.

References:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/

-----------------------------------
Packages in core/updates_testing:
-----------------------------------

squid-3.2.10-1.1.mga3
squid-cachemgr-3.2.10-1.1.mga3

from squid-3.2.10-1.1.mga3.src.rpm
CC: (none) => luis.daniel.lucio
Assignee: luis.daniel.lucio => qa-bugs
Denis can you please test the update candidate in core updates testing to make sure the bug is fixed and let us know which architecture you tested with (i586 or x86_64). Thanks.
Hi,

I'm on i586.

- I tried to install the package from (as "testing" is not enabled on my test-server):
  wget Mageia/distrib/3/i586/media/core/updates_testing/squid-3.2.10-1.1.mga3.i586.rpm

- Installing:
  urpmi ./squid-3.2.10-1.1.mga3.i586.rpm
  Le paquetage demandé ne peut pas être installé :
  squid-3.2.10-1.1.mga3.i586 (car /bin/ksh est non satisfait)
  Désirez-vous tout de même continuer ? (O/n) o

- Translated into English:
  The package can't be installed:
  squid-3.2.10-1.1.mga3.i586 (because /bin/ksh is not satisfied)
  Would you like to continue anyway? (Y/n) y

- Verification:
  rpm -qa | grep squid
  squid-3.2.10-1.mga3

- What provides /bin/ksh?
  urpmf /bin/ksh
  kshowmail:/usr/bin/kshowmail
  kshutdown:/usr/bin/kshutdown
  pdksh:/usr/bin/ksh
  kshisen:/usr/bin/kshisen
  kdelibs4-core:/usr/bin/kshell4
  => no /bin/ksh

So there may be a problem in the RPM:
- there is no such file or directory in the "stable" repositories (core, non-free, contrib)
- does it really need to depend on ksh?

regards,
Dag
Hmm, this happened because it's now installing a script from one of the newly enabled helpers that starts with #!/bin/ksh:
squid-3.2.9/helpers/external_acl/kerberos_ldap_group/cert_tool

Looking at the script it's not immediately obvious why it uses ksh or that it needs to. Probably the easiest solution would be to remove the #!/bin/ksh from the top of it, or change it to bash. In fact I just ran it by hand with bash and it seemed to work.

OK, I'm patching it to change it to bash. Someone should really change the pdksh package to provide /bin/ksh as well...

Thanks for the report. Should be a new update candidate available soon.

Advisory
--------

Due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included.

References:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/

-----------------------------------
Packages in core/updates_testing:
-----------------------------------

squid-3.2.10-1.2.mga3
squid-cachemgr-3.2.10-1.2.mga3

from squid-3.2.10-1.2.mga3.src.rpm
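An added check for the failure mode in the two comments above (example code, not part of the bug report or of the squid sources): it lists the scripts in a directory whose shebang interpreter does not exist on the build host, so an auto-generated dependency like the /bin/ksh one from cert_tool is caught before a package is uploaded. The directory path and the sample scripts it is run on are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or the squid sources: find scripts
# whose "#!" interpreter is missing on this host. rpm turns such a shebang
# into a Requires (here /bin/ksh), which no Mageia package provided.

# check_shebangs DIR
#   Prints "script interpreter" for every regular file in DIR whose
#   shebang interpreter is not an executable path on this system.
#   Returns 0 when every interpreter resolves, 1 when any is missing.
check_shebangs() {
    dir=$1
    missing=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f")
        case $first in
            '#!'*) ;;          # a shebang line: inspect it
            *) continue ;;     # data file or compiled binary: skip
        esac
        # Drop the "#!" and split the rest into words; the first word is
        # the interpreter path (for "#!/usr/bin/env bash" that is env).
        set -- ${first#??}
        interp=$1
        if [ ! -x "$interp" ]; then
            printf '%s %s\n' "$f" "$interp"
            missing=1
        fi
    done
    return $missing
}
```

Run it against the helper directory of an unpacked build tree; a non-zero exit means at least one script would pull in an interpreter the target distribution may not ship.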
Upstream has released Squid 3.3.7 and 3.2.12 to fix a buffer overflow:
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt

A patch for Squid 3.1 is also available. Everything is checked into SVN for Mageia 2, Mageia 3, and Cauldron. Updated builds are in progress.
Component: RPM Packages => Security
QA Contact: (none) => security
Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (SQUID-2013:2).

Also, due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included.

References:
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
========================

Updated packages in core/updates_testing:
========================

squid-3.1.19-4.4.mga2
squid-cachemgr-3.1.19-4.4.mga2
squid-3.2.10-1.3.mga3
squid-cachemgr-3.2.10-1.3.mga3

from SRPMS:
squid-3.1.19-4.4.mga2.src.rpm
squid-3.2.10-1.3.mga3.src.rpm
FYI, a CVE has been requested for this security issue:
http://openwall.com/lists/oss-security/2013/07/11/2

I'll update the advisory once the CVE is assigned.
The CVE has been assigned:
http://openwall.com/lists/oss-security/2013/07/11/8

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (CVE-2013-4115).

Also, due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
========================

Updated packages in core/updates_testing:
========================

squid-3.1.19-4.4.mga2
squid-cachemgr-3.1.19-4.4.mga2
squid-3.2.10-1.3.mga3
squid-cachemgr-3.2.10-1.3.mga3

from SRPMS:
squid-3.1.19-4.4.mga2.src.rpm
squid-3.2.10-1.3.mga3.src.rpm
Summary: squid helper "squid_ldap_group" dropped ! => squid new security issue CVE-2013-4115
Maybe another one to do David. I noticed this on debian bug tracker.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716743#12
http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
Thanks Claire. The new security advisory doesn't affect Squid 3.1 in Mageia 2. Here's a new advisory to use for Mageia 2. I'll post the Mageia 3 advisory next.

Advisory (Mageia 2):
========================

Updated squid packages fix security vulnerability:

Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (CVE-2013-4115).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
========================

Updated packages in core/updates_testing:
========================

squid-3.1.19-4.4.mga2
squid-cachemgr-3.1.19-4.4.mga2

from squid-3.1.19-4.4.mga2.src.rpm
Updated package uploaded for Cauldron for SQUID-2013:3. Patched package uploaded for Mageia 3 for SQUID-2013:3.

Advisory (Mageia 3):
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service (CVE-2013-4115).

Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted HTTP requests. This problem allows any client who can generate HTTP requests to perform a denial of service attack on the Squid service (CVE-2013-4123).

Also, due to being renamed in Squid 3.2, the Squid external acl helpers for matching against IP addresses and LDAP groups were not selected to be built in the squid package for Mageia 3. This has been corrected and these helpers are now included. Additionally, the helpers for eDirectory IP address lookups and matching LDAP groups using Kerberos credentials have also been included.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4123
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
========================

Updated packages in core/updates_testing:
========================

squid-3.2.10-1.4.mga3
squid-cachemgr-3.2.10-1.4.mga3

from squid-3.2.10-1.4.mga3.src.rpm
Summary: squid new security issue CVE-2013-4115 => squid new security issues CVE-2013-4115 and CVE-2013-4123
Whiteboard: (none) => MGA2TOO
10516.mga2.adv and 10516.mga3.adv uploaded.
CC: (none) => davidwhodgins
Testing complete for squid using drakguard on both arches/releases. Could someone from the sysadmin team push 10516.mga2.adv and 10516.mga3.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0227.html
mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0228.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN references posted.
CVE-2013-4115: http://lwn.net/Vulnerabilities/560027/
CVE-2013-4123: http://lwn.net/Vulnerabilities/560028/
URL: (none) => http://lwn.net/Vulnerabilities/560027/