Bug 18757 - squidguard new security issue CVE-2015-8936
Summary: squidguard new security issue CVE-2015-8936
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/692518/
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-22 00:59 CEST by David Walser
Modified: 2016-07-05 17:48 CEST

See Also:
Source RPM: squidguard-1.4-21.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-06-22 00:59:52 CEST
A CVE has been assigned for an XSS issue in the SquidGuard CGI:
http://openwall.com/lists/oss-security/2016/06/21/5

The exact CGI in question is only installed as documentation in a samples directory in our package, but we also include a different CGI that is installed in /var/www/cgi-bin.  This other CGI appears to actually be an older version of the same CGI program.  It's not clear why we're using this one instead of the one that ships with upstream.  It does appear that the one we ship is affected by the same issue, though.  I have patched both of them.

Advisory:
========================

Updated squidguard package fixes security vulnerability:

The squidGuard.cgi program is vulnerable to a reflected cross site scripting
vulnerability in the blocking script squidGuard.cgi. The vulnerability is
triggered when a user clicks a link to a blocked site where the url has
scripting instructions added (CVE-2015-8936).

In Mageia's squidguard package, both /var/www/cgi-bin/squidGuard.cgi and
/usr/share/squidGuard-1.4/samples/squidGuard.cgi were affected.

Note that it is highly recommended that any remaining users of this package
switch to ufdbguard, which has better compatibility with current versions of
Squid.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8936
http://openwall.com/lists/oss-security/2016/06/21/5
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20150201
========================

Updated packages in core/updates_testing:
========================
squidguard-1.4-21.1.mga5

from squidguard-1.4-21.1.mga5.src.rpm
David Walser 2016-06-23 19:23:51 CEST

URL: (none) => http://lwn.net/Vulnerabilities/692518/
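
Added example, not part of the original report and not Mageia or squidGuard code: a Python regression check for the reflected XSS the advisory above describes. block_page is a constructed stand-in for a block page that echoes the blocked URL; the "url" query parameter name, the inert probe string and all function names are assumptions. check_cgi runs a real CGI script with the same probe and reports whether it comes back unescaped.

```python
import html
import os
import subprocess
from urllib.parse import parse_qs, quote

# Inert marker containing the characters HTML escaping must neutralise.
PROBE = '"><i id="xss-probe">'


def block_page(query_string, escape):
    """Constructed stand-in for a block page that echoes the blocked URL.

    escape=False models the behaviour the advisory describes (URL reflected
    as-is); escape=True models a fixed script that HTML-escapes it.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    url = params.get("url", [""])[0]  # "url" parameter name is an assumption
    shown = html.escape(url, quote=True) if escape else url
    return ("Content-Type: text/html\r\n\r\n"
            "<html><body><h1>Access denied</h1>"
            f'<p>Blocked URL: <a href="{shown}">{shown}</a></p></body></html>')


def reflected_raw(body, probe=PROBE):
    """True if the probe appears in the response without HTML escaping."""
    return probe in body


def probe_query(param="url"):
    """Query string carrying the probe appended to a blocked URL."""
    return f"{param}=" + quote("http://www.example.com/" + PROBE, safe="")


def check_cgi(path, param="url"):
    """Run a CGI script locally with the probe and report raw reflection."""
    env = dict(os.environ, REQUEST_METHOD="GET", QUERY_STRING=probe_query(param),
               GATEWAY_INTERFACE="CGI/1.1", SERVER_PROTOCOL="HTTP/1.1")
    out = subprocess.run([path], env=env, capture_output=True, timeout=10)
    return reflected_raw(out.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    qs = probe_query()
    print("unescaped page reflects probe:", reflected_raw(block_page(qs, False)))
    print("escaped page reflects probe:  ", reflected_raw(block_page(qs, True)))
```

A True result from check_cgi on an installed script means the probe was reflected without escaping; run it against both CGI paths named in the advisory before and after the update.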

Comment 1 Herman Viaene 2016-07-04 16:56:06 CEST
MGA5-32 on Acer D620 Xfce
No installation issues
Wondering how to test this, I found bug 11575, so at CLI
# echo "http://www.example.com 192.168.0.1/- - GET" | squidGuard -c /etc/squid/squidGuard.conf -d
2016-07-04 16:51:38 [20465] New setting: dbhome: /usr/share/squidGuard
2016-07-04 16:51:38 [20465] syntax error in configfile /etc/squid/squidGuard.conf line 5
2016-07-04 16:51:38 [20465] Going into emergency mode

2016-07-04 16:51:38 [20465] ending emergency mode, stdin empty

Should be OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-07-05 16:36:55 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-07-05 17:48:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0237.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

