A CVE was requested for a security issue fixed upstream in Squid 3.5.6: http://openwall.com/lists/oss-security/2015/07/06/8 The patch for Squid 3.5 is here: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch No patch for Squid 3.3 or 3.4 is available yet, but they are apparently affected. Reproducible: Steps to Reproduce:
The upstream advisory will be posted here: http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
Whiteboard: (none) => MGA4TOO
The CVE request is still pending. The upstream advisory and a patch for Squid 3.4 are now available. It does not apply for 3.3 and looks like re-diffing would be non-trivial. Fortunately, this issue is likely to affect nobody. It only exists if you have cache_peer enabled (for using a sibling or parent Squid proxy) and have set nonhierarchical_direct off in squid.conf (it's on by default).
CC: (none) => mageiaHardware: i586 => AllAssignee: bugsquad => bruno
Cauldron already has 3.5.6. SO I guess that's Ok. I've updated mga5 with the proposed patch. What should we do for mga4 ? upgrade to the same version as mga5 ? or ? For the moment I've not done the advisory pending the decision on that.
Status: NEW => ASSIGNED
Given the low impact of the issue, I think the safest course of action for Mageia 4 would be to leave it alone. If someone else backports a patch for Squid 3.3 later, we can add it.
Just FYI, you pushed the original Mageia 5 release build of Squid back to the build system in updates_testing. If you add the patch and add a subrel, the fixed build will replace it, so it's not a problem.
Oops, forgot to check in my modifications for 5. Now done.
CVE-2015-5400 has been assigned: http://www.openwall.com/lists/oss-security/2015/07/17/14
Summary: squid new security issue SQUID-2015_2 => squid new security issue SQUID-2015_2 (CVE-2015-5400)
URL: (none) => http://lwn.net/Vulnerabilities/652930/
Debian has issued an advisory for this on August 3: https://www.debian.org/security/2015/dsa-3327 Based on their patch (also committed upstream for 3.1) and the patch for 3.4, I cobbled together a patch for 3.3 that seems to work, now committed in Mageia 4 SVN.
Bruno, what's the status of this bug? Squid is now on its 4th warning and will be dropped soon if we have no progress here :/
We have patches in SVN for this, so this one isn't a stale bug like some of the others, nor is this package unmaintained like many others, as dlucio, bruno, and I have worked on it and kept it up to date. As I stated earlier in this bug, this is a really minor issue that likely doesn't affect anyone in practice, so I decided not to bother QA with this only for this. We'll undoubtedly have another Squid CVE in the future, so we will include this fix with that one. I suppose we could try to push something before Mageia 4 goes EOL, however.
Patched packages uploaded for Mageia 4 and Mageia 5. Advisory: ======================== Updated squid packages fix security vulnerability: Alex Rousskov discovered that Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses. In some configurations, it allows remote clients to bypass security in an explicit gateway proxy (CVE-2015-5400). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5400 http://www.squid-cache.org/Advisories/SQUID-2015_2.txt https://www.debian.org/security/2015/dsa-3327 ======================== Updated packages in core/updates_testing: ======================== squid-3.3.14-1.1.mga4 squid-cachemgr-3.3.14-1.1.mga4 squid-3.4.13-1.1.mga5 squid-cachemgr-3.4.13-1.1.mga5 from SRPMS: squid-3.3.14-1.1.mga4.src.rpm squid-3.4.13-1.1.mga5.src.rpm
CC: (none) => brunoAssignee: bruno => qa-bugs
For Mageia 4, this was a difficult backport, and it was a failure. Thunderbird can no longer load anything through the proxy, giving this error in /var/log/squid/cache.log: 2015/09/04 07:02:09 kid1| assertion failed: tunnel.cc:694: "tunnelState->waitingForConnectRequest()" which is coming from the patched code. Then, trying to downgrade the package, systemd was unable to restart the service. I had to kill the systemctl command running in post, couldn't manually start it afterward, and systemd completely hung trying to shut down the system so that I could reboot, so I had to hold the power button. So, cancelling this update for Mageia 4. Hopefully the Mageia 5 update works fine.
Whiteboard: MGA4TOO => (none)
Created attachment 6999 [details] squid.conf used to test v3.4.13-1.1
CC: (none) => vzawalin1
(In reply to Vladimir Zawalinski from comment #13) Installed squid 3.4.1 from normal repositories. Worked as expected with the squid.conf file as attached and firefox set to localhost:3128. > Created attachment 6999 [details] Uninstalled squid 3.4.1 mga 64bit and installed squid 3.4.1.1 mga5 64 bit. Forced firefox to use localhost:3128. Worked fine. 1441698956.302 3599 127.0.0.1 TCP_MISS/200 454587 GET http://www.mageia.org/g/5/background.png - HIER_DIRECT/212.85.158.146 image/png 1441698956.308 0 127.0.0.1 TCP_MEM_HIT/200 1572 GET http://www.mageia.org/g/favicon.png - HIER_NONE/- image/png Caching works. I did not test for the situations in comments 2, 11, 12.
Whiteboard: (none) => MGA5-64-OK
Validating. Advisory uploaded. Please push to 5 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK has_procedure advisoryCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0347.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED