Upstream has issued advisories tomorrow (October 29):
https://www.openwall.com/lists/oss-security/2018/10/28/1
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt

Upstream patches are linked from the message above.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Squid 4.4 has been released. I'm not sure if it contains the fixes.
Assigning to the registered maintainer.
Assignee: bugsquad => bruno
CC: (none) => marja11
squid-3.5.26-1.2.mga6 on its way to mga6 updates
Status: NEW => ASSIGNED
Squid 4.4 contains the fixes. Working to integrate that version in cauldron.
Note that Cauldron update is still WIP.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors (SQUID-2018:4).

Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a denial of service attack (SQUID-2018:5).

References:
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.26-1.2.mga6
squid-cachemgr-3.5.26-1.2.mga6

from squid-3.5.26-1.2.mga6.src.rpm
Assignee: bruno => qa-bugs
CC: (none) => bruno
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
cauldron updated with squid-4.4-1.mga7
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.

Ref to bug 22440, after installation made sure httpd runs, then systemctl start squid

# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since do 2018-11-08 11:38:14 CET; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 9727 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 9758 (squid)
   CGroup: /system.slice/squid.service
           ├─9755 squid
           ├─9758 (squid-1)
           ├─9760 (logfile-daemon) /var/log/squid/access.log
           └─9762 (pinger)

nov 08 11:38:10 mach6.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
nov 08 11:38:12 mach6.hviaene.thuis squid[9748]: Squid Parent: will start 1 kids
nov 08 11:38:13 mach6.hviaene.thuis squid[9755]: Squid Parent: will start 1 kids
nov 08 11:38:13 mach6.hviaene.thuis squid[9755]: Squid Parent: (squid-1) process 9758 started
nov 08 11:38:14 mach6.hviaene.thuis squid[9727]: init_cache_dir /var/spool/squid... Starting squid: .[ OK
nov 08 11:38:14 mach6.hviaene.thuis systemd[1]: squid.service: Supervising process 9758 which is not our c
nov 08 11:38:14 mach6.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Pointed firefox to https://www.mageia.org and http://localhost/cgi-bin/cachemgr.cgi
All work OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
CVEs have been assigned:
https://www.openwall.com/lists/oss-security/2018/11/09/1

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors (CVE-2018-19131).

Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a denial of service attack (CVE-2018-19132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19132
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt
https://www.openwall.com/lists/oss-security/2018/11/09/1
Summary: squid new security issues fixed upstream => squid new security issues fixed upstream (CVE-2018-19131 and CVE-2018-19132)
Advisory done from comments 5 & 8. Cannot this be validated?
CC: (none) => lewyssmith
Keywords: (none) => advisory
Testing M6/64

This was done to try to clarify & note squid testing procedure, since the notes in bug 22440 are scattered. With squid installed, using Firefox, I think it boils down to:
- configure Firefox to use a proxy:
-- Menu-General-Preferences-Network proxy-Configure-Manually
--- I left SOCKSv5 selected, and cleared "localhost" from the SOCKS line
- Did nothing re Squid config file.
# systemctl restart httpd
# systemctl [re]start squid
# systemctl status squid
[continued]
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since Gwe 2018-11-16 20:23:10 CET; 7s ago

Both http://localhost/... and Internet access should work.

BEFORE update:
squid-3.5.26-1.1.mga6
squid-cachemgr-3.5.26-1.1.mga6
Installing Squid generated a 2048-bit RSA private key:
/etc/pki/tls/private/squid.pem
After procedure above, Firefox worked for localhost and Internet.
# systemctl stop squid

AFTER update:
squid-3.5.26-1.2.mga6
squid-cachemgr-3.5.26-1.2.mga6
# systemctl restart httpd
# systemctl stop squid
# systemctl start squid
# systemctl status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since Gwe 2018-11-16 20:41:25 CET; 4s ago

Firefox worked for localhost and Internet.
[Reverted Firefox NOT to use a proxy]
Hoping the procedure is valid, OKing for x64.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0458.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED