Bug 23780 - squid new security issues fixed upstream (CVE-2018-19131 and CVE-2018-19132)
Summary: squid new security issues fixed upstream (CVE-2018-19131 and CVE-2018-19132)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-29 02:18 CET by David Walser
Modified: 2018-11-17 23:24 CET (History)
5 users (show)

See Also:
Source RPM: squid-3.5.26-1.1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-29 02:18:35 CET
Upstream has issued advisories tomorrow (October 29):
https://www.openwall.com/lists/oss-security/2018/10/28/1
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt

Upstream patches are linked from the message above.

Mageia 6 is also affected.
David Walser 2018-10-29 02:18:43 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-10-29 02:19:52 CET
Squid 4.4 has been released.  I'm not sure if it contains the fixes.
Comment 2 Marja Van Waes 2018-10-29 08:41:18 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bruno

Comment 3 Bruno Cornec 2018-10-30 00:42:40 CET
squid-3.5.26-1.2.mga6 on its way to mga6 updates

Status: NEW => ASSIGNED

Comment 4 Bruno Cornec 2018-10-30 00:43:40 CET
Squid 4.4 contains the fixes. Working to integrate that version in cauldron.
Comment 5 David Walser 2018-10-30 12:08:08 CET
Note that Cauldron update is still WIP.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting
vulnerability when generating HTTPS response messages about TLS errors
(SQUID-2018:4).

Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a
denial of service attack (SQUID-2018:5).

References:
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.26-1.2.mga6
squid-cachemgr-3.5.26-1.2.mga6

from squid-3.5.26-1.2.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs
CC: (none) => bruno
Version: Cauldron => 6

Comment 6 Bruno Cornec 2018-10-30 19:49:54 CET
cauldron updated with squid-4.4-1.mga7
Comment 7 Herman Viaene 2018-11-08 11:44:59 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 22440, after installation made sure httpd runs, then
systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since do 2018-11-08 11:38:14 CET; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 9727 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 9758 (squid)
   CGroup: /system.slice/squid.service
           ├─9755 squid
           ├─9758 (squid-1)
           ├─9760 (logfile-daemon) /var/log/squid/access.log
           └─9762 (pinger)

nov 08 11:38:10 mach6.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
nov 08 11:38:12 mach6.hviaene.thuis squid[9748]: Squid Parent: will start 1 kids
nov 08 11:38:13 mach6.hviaene.thuis squid[9755]: Squid Parent: will start 1 kids
nov 08 11:38:13 mach6.hviaene.thuis squid[9755]: Squid Parent: (squid-1) process 9758 started
nov 08 11:38:14 mach6.hviaene.thuis squid[9727]: init_cache_dir /var/spool/squid... Starting squid: .[  OK
nov 08 11:38:14 mach6.hviaene.thuis systemd[1]: squid.service: Supervising process 9758 which is not our c
nov 08 11:38:14 mach6.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Pointed firefox to https://www.mageia.org and http://localhost/cgi-bin/cachemgr.cgi
All work OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 8 David Walser 2018-11-09 17:58:12 CET
CVEs have been assigned:
https://www.openwall.com/lists/oss-security/2018/11/09/1

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting
vulnerability when generating HTTPS response messages about TLS errors
(CVE-2018-19131).

Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a
denial of service attack (CVE-2018-19132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19132
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
https://www.openwall.com/lists/oss-security/2018/11/09/1

Summary: squid new security issues fixed upstream => squid new security issues fixed upstream (CVE-2018-19131 and CVE-2018-19132)

Comment 9 Lewis Smith 2018-11-11 21:53:43 CET
Advisory done from comments 5 & 8.
Cannot this be validated?

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 10 Lewis Smith 2018-11-16 20:53:44 CET
Testing M6/64
This was done to try to clarify & note squid testing procedure, since the notes in bug 22440 are scattered. With squid installed, using Firefox, I think it boils down to:
- configure Firefox to use a proxy:
-- Menu-General-Preferences-Network proxy-Configure-Manually
--- I left SOCKSv5 selected, and cleared "localhost" from the SOCKS line
- Did nothing re Squid config file.
 # systemctl restart httpd
 # systemctl [re]start squid
 # systemctl status squid
Comment 11 Lewis Smith 2018-11-16 21:13:50 CET
[continued]
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since Gwe 2018-11-16 20:23:10 CET; 7s ago
Both http://localhost/... and Internet access should work.

BEFORE update:
 squid-3.5.26-1.1.mga6
 squid-cachemgr-3.5.26-1.1.mga6
Installing Squid generated a 2048-bit RSA private key:
 /etc/pki/tls/private/squid.pem
After procedure above, Firefox worked for localhost and Internet.
 # systemctl stop squid

AFTER update:
 squid-3.5.26-1.2.mga6
 squid-cachemgr-3.5.26-1.2.mga6
 # systemctl restart httpd
 # systemctl stop squid
 # systemctl start squid
 # systemctl status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since Gwe 2018-11-16 20:41:25 CET; 4s ago
Firefox worked for localhost and Internet.
[Reverted Firefox NOT to use a proxy]

Hoping the procedure is valid, OKing for x64.

CC: (none) => sysadmin-bugs
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update

Comment 12 Mageia Robot 2018-11-17 23:24:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0458.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.