Upstream has issued advisories today (January 22):
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

CVEs have been requested but not yet assigned.

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Preliminary advisory below (pending CVEs).

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service (SQUID-2018:1).

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses or downloading intermediate CA certificates. This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service (SQUID-2018:2).

References:
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.23-1.1.mga5
squid-cachemgr-3.5.23-1.1.mga5
squid-3.5.26-1.1.mga6
squid-cachemgr-3.5.26-1.1.mga6

from SRPMS:
squid-3.5.23-1.1.mga5.src.rpm
squid-3.5.26-1.1.mga6.src.rpm
Testing hints: https://bugs.mageia.org/show_bug.cgi?id=14004#c3 https://bugs.mageia.org/show_bug.cgi?id=16304#c14
Keywords: (none) => has_procedure
Whiteboard: (none) => MGA5TOO
Posting this through an updated Squid on Mageia 5 x86_64.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
MGA5-32 on Dell Latitude D600, Xfce. No installation issues. I must be missing something. Installed squid, checked httpd is running, started squid, imported squid.conf from bug 16304, restarted squid. Changed proxy settings in Firefox. Surfing to https://www.magei.org gives me "The proxyserver refuses connection".
CC: (none) => herman.viaene
Don't use a squid.conf from an older Squid version. The one shipped with the package should work just fine.
I had the same problem with the default squid.conf, that's why I started hunting for more info.
Did you start the service?
Please David, read my Comment 3
You didn't give enough information for us to know what you did or to help diagnose it.
I have been trying this for Mageia 6 x86_64 and have hit similar problems. The 'refusing connection' message comes up only when squid is stopped. When it is enabled all sites time out. The only difference between the default config and the downloaded one is the line "http_access deny to_localhost", which is commented out in the default. Switching back to the default makes no difference. After configuring the proxy settings in Firefox, restarted squid. Shorewall has ports 3128/tcp and 3128/udp enabled. Oops - forgot to restart apache! Done that and restarted squid. Firefox settings are: manual configuration -> localhost|127.0.0.1 -> port 3128. All internet connections time out.
CC: (none) => tarazed25
It should say refusing connections when Squid is stopped. It works when it's running, right?
Yes, correct. A slight advance, maybe. Went back into Firefox and tried to wipe all the other settings, leaving just the manual ones. Switched from SOCKS v5 to SOCKS 4 (no idea what that means) but the SOCKS entry is blank. After that, restarting squid allowed access to the internet.
Cool, it's working then. The SOCKS entry should indeed be blank.
Thanks David. So that is all that is needed? And, @Herman. Anything there which helps you?
Yes, if it works, it should be fine.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Booted this morning. Squid and httpd running, gives "The proxyserver refuses connection" (or whatever it might be in English, I am running Dutch). Stopped squid, reinstated its original squid.conf, started squid again, still same message. Cleared the SOCKS entry as in Comment 11, refreshed the https page and now it comes through. Then browsed to http://localhost/cgi-bin/cachemgr.cgi, all looks OK.
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0095.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CVE-2018-1000024 and CVE-2018-1000027 have been assigned: http://openwall.com/lists/oss-security/2018/01/29/1 http://openwall.com/lists/oss-security/2018/01/29/2
Summary: squid new security issues SQUID-2018:1 and SQUID-2018:2 => squid new security issues SQUID-2018:1 (CVE-2018-1000024) and SQUID-2018:2 (CVE-2018-1000027)