A CVE has been assigned for an XSS issue in the SquidGuard CGI: http://openwall.com/lists/oss-security/2016/06/21/5

The exact CGI in question is only installed as documentation in a samples directory in our package, but we also include a different CGI that is installed in /var/www/cgi-bin. This other CGI appears to actually be an older version of the same CGI program. It's not clear why we're using this one instead of the one that ships with upstream. It does appear that the one we ship is affected by the same issue, though. I have patched both of them.

Advisory:
========================

Updated squidguard package fixes security vulnerability:

The squidGuard.cgi program is vulnerable to a reflected cross site scripting vulnerability in the blocking script squidGuard.cgi. The vulnerability is triggered when a user clicks a link to a blocked site where the url has scripting instructions added (CVE-2015-8936).

In Mageia's squidguard package, both /var/www/cgi-bin/squidGuard.cgi and /usr/share/squidGuard-1.4/samples/squidGuard.cgi were affected.

Note that it is highly recommended that any remaining users of this package switch to ufdbguard, which has better compatibility with current versions of Squid.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8936
http://openwall.com/lists/oss-security/2016/06/21/5
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20150201
========================

Updated packages in core/updates_testing:
========================
squidguard-1.4-21.1.mga5

from squidguard-1.4-21.1.mga5.src.rpm
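To illustrate the class of bug the advisory describes (the blocked URL reflected unescaped into the block page), an added example that is not squidGuard's own code, which is not on this page: a block-page renderer in the style of a CGI script, with the reflected-URL pattern beside an escaped version. The parameter name "url", the query layout and the sample request are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a query string as a block-page redirect might carry it.
# The parameter name 'url' and the layout are assumptions, not squidGuard's.
SAMPLE_QUERY = (
    "clientaddr=192.168.0.1"
    "&url=http://www.example.com/%3Cscript%3Ealert(1)%3C/script%3E"
)


def blocked_url(query_string: str) -> str:
    """Return the 'url' parameter as a CGI would see it (percent-decoded)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("url", [""])[0]


def render_unsafe(url: str) -> str:
    """Reflected-XSS pattern: the untrusted URL is interpolated straight into HTML."""
    return f"<html><body><p>Access denied: {url}</p></body></html>"


def render_safe(url: str) -> str:
    """Hardened form: escape before the URL lands in a text node or attribute,
    and only turn it back into a link when the scheme is plain HTTP(S), since
    escaping alone does not neutralise a non-HTTP scheme inside href=."""
    safe = html.escape(url, quote=True)
    if urlsplit(url).scheme in ("http", "https"):
        return (
            "<html><body><p>Access denied: "
            f'<a href="{safe}">{safe}</a></p></body></html>'
        )
    return f"<html><body><p>Access denied: {safe}</p></body></html>"


def reflects_raw_markup(page: str, url: str) -> bool:
    """Detection helper: does the rendered page still contain an unescaped
    tag that originated in the request URL?"""
    return "<" in url and "<script" in page.lower()


if __name__ == "__main__":
    u = blocked_url(SAMPLE_QUERY)
    print("unsafe reflects markup:", reflects_raw_markup(render_unsafe(u), u))
    print("safe reflects markup:  ", reflects_raw_markup(render_safe(u), u))
```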
URL: (none) => http://lwn.net/Vulnerabilities/692518/
MGA5-32 on Acer D620 Xfce

No installation issues.

Wondering how to test this, I found bug 11575, so at CLI:

# echo "http://www.example.com 192.168.0.1/- - GET" | squidGuard -c /etc/squid/squidGuard.conf -d
2016-07-04 16:51:38 [20465] New setting: dbhome: /usr/share/squidGuard
2016-07-04 16:51:38 [20465] syntax error in configfile /etc/squid/squidGuard.conf line 5
2016-07-04 16:51:38 [20465] Going into emergency mode
2016-07-04 16:51:38 [20465] ending emergency mode, stdin empty

Should be OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0237.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED