Squid 4.8 has been released on July 10: http://www.squid-cache.org/Versions/v4/changesets/ It fixes some security issues in cachemgr, so we might want to update it for Mageia 7.
Whiteboard: (none) => MGA7TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => bruno
Ubuntu has issued an advisory for this on July 17: https://usn.ubuntu.com/4059-1/
Whiteboard: MGA7TOO => MGA7TOO, MGA6TOO
Summary: Squid 4.8 fixes security issues in cachemgr => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345)
Severity: normal => major
Apparently 4.8 fixed issues in Squid itself too. Ubuntu has issued an advisory on July 18: https://usn.ubuntu.com/4065-1/ CVE-2019-12527 does not affect Mageia 6, the other issues do.
Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579])
squid 4.8 pushed to cauldron and mga7 updates_testing.
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Status: NEW => ASSIGNED
Version: Cauldron => 7
squid 3.5.27 pushed to mga6 updates_testing
Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs
Thanks. Cauldron failed to build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190812234027.bcornec.duvel.5498/log/squid-4.8-1.mga8/build.0.20190812234107.log
Looks like a newer GCC is causing problems.
Be careful with the bugs: you accidentally wiped out the whiteboard in this bug and the ansible bug.
Whiteboard: (none) => MGA6TOO
CC: (none) => bruno.cornec
I see the fix for the build issue right at the top here: http://www.squid-cache.org/Versions/v4/changesets/
CVE-2019-13345 isn't actually fixed in 3.5.27, so you'll need the patch from upstream or Ubuntu 18.04.
CC: (none) => qa-bugs
Assignee: qa-bugs => bruno.cornec
squid-4.8-1.mga8 uploaded for Cauldron by Bruno.
4.8 also fixed CVE-2019-12854 (only 4.x affected, so Mageia 6 is OK there): https://security-tracker.debian.org/tracker/CVE-2019-12854 Debian has issued an advisory for this on August 24: https://www.debian.org/security/2019/dsa-4507
Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579]) => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579], CVE-2019-12854)
Used a patch derived from upstream: https://github.com/squid-cache/squid/commit/5730c2b5cb56e7639dc423dd62651c8736a54e35
squid-3.5.27-1.2.mga6 submitted.
Assignee: bruno.cornec => qa-bugs
CC: (none) => bruno
Advisory (Mageia 6):
========================

Updated squid packages fix security vulnerabilities:

It was discovered that Squid incorrectly handled Digest authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2019-12525).

It was discovered that Squid incorrectly handled Basic authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2019-12529).

It was discovered that Squid incorrectly handled the cachemgr.cgi web module. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks (CVE-2019-13345).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
https://usn.ubuntu.com/4059-1/
https://usn.ubuntu.com/4065-1/
========================

Updated packages in core/updates_testing:
========================

squid-3.5.27-1.2.mga6
squid-cachemgr-3.5.27-1.2.mga6

from squid-3.5.27-1.2.mga6.src.rpm

Advisory (Mageia 7):
========================

Updated squid packages fix security vulnerabilities:

It was discovered that Squid incorrectly handled Digest authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2019-12525).

It was discovered that Squid incorrectly handled Basic authentication. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2019-12527).

It was discovered that Squid incorrectly handled Basic authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2019-12529).

Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it (CVE-2019-12854).

It was discovered that Squid incorrectly handled the cachemgr.cgi web module. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks (CVE-2019-13345).

The squid package has been updated to version 4.8, fixing these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
https://usn.ubuntu.com/4059-1/
https://usn.ubuntu.com/4065-1/
https://www.debian.org/security/2019/dsa-4507
========================

Updated packages in core/updates_testing:
========================

squid-4.8-1.mga7
squid-cachemgr-4.8-1.mga7

from squid-4.8-1.mga7.src.rpm
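An added example, not code from the bug report or from Mageia's own tooling: it encodes the fixed package versions from the two advisories above and decides, with a simplified rpm version comparison, which of the CVEs tracked in this bug are still open for a given installed squid package. The FIXED table, the function names and the simplified comparison (no tilde/caret handling) are assumptions made for this example; the Mageia 7 set also includes the two CVEs noted later in this bug.

```python
import re

# Fixed versions from the two advisories in this bug report. Mageia 6 got a
# backported patch on 3.5.27, Mageia 7 moved to squid 4.8. CVE-2019-12527 and
# CVE-2019-12854 affect only the 4.x series, so Mageia 6 is not listed for
# them; CVE-2019-12520/12524 were later noted as also fixed by the 4.8 update.
FIXED = {
    "mga6": ("3.5.27", "1.2.mga6",
             {"CVE-2019-12525", "CVE-2019-12529", "CVE-2019-13345"}),
    "mga7": ("4.8", "1.mga7",
             {"CVE-2019-12520", "CVE-2019-12524", "CVE-2019-12525",
              "CVE-2019-12527", "CVE-2019-12529", "CVE-2019-12854",
              "CVE-2019-13345"}),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison (no tilde/caret handling): split into
    numeric/alphabetic segments, ignore separators, numeric beats alphabetic."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is the newer one
        elif x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str) -> tuple:
    """'squid-cachemgr-3.5.27-1.2.mga6' -> ('squid-cachemgr', '3.5.27', '1.2.mga6')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def open_cves(installed_nvr: str, mageia: str) -> set:
    """CVEs from this report still unpatched for the installed squid package."""
    fixed_version, fixed_release, cves = FIXED[mageia]
    _, version, release = split_nvr(installed_nvr)
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return set() if cmp >= 0 else set(cves)


if __name__ == "__main__":
    for nvr, rel in (("squid-3.5.27-1.mga6", "mga6"), ("squid-4.8-1.mga7", "mga7")):
        print(nvr, sorted(open_cves(nvr, rel)) or "patched")
```

On a live system the installed NVR comes from `rpm -q squid`; the example only needs that string and the release name.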
MGA6-64 Plasma on Lenovo B50

No installation issues

After installation:
# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since do 2019-09-05 10:44:02 CEST; 20s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31649 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 31667 (squid)
   CGroup: /system.slice/squid.service
           ├─31665 squid
           ├─31667 (squid-1)
           ├─31669 (logfile-daemon) /var/log/squid/access.log
           └─31670 (pinger)

sep 05 10:44:01 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: will start 1 kids
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: (squid-1) process 31662 started
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: (squid-1) process 31662 exited with status 0
sep 05 10:44:01 mach5.hviaene.thuis squid[31665]: Squid Parent: will start 1 kids
sep 05 10:44:01 mach5.hviaene.thuis squid[31665]: Squid Parent: (squid-1) process 31667 started
sep 05 10:44:02 mach5.hviaene.thuis squid[31649]: init_cache_dir /var/spool/squid... Starting squid: .[ OK ]
sep 05 10:44:02 mach5.hviaene.thuis systemd[1]: squid.service: Supervising process 31667 which is not our child. We'll most likely not notice when it exits
sep 05 10:44:02 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Ref to bug 23780 Comment 7 and 11:
Changed firefox to use localhost as proxy
Pointed firefox to https://www.mageia.org and http://localhost and http://localhost/cgi-bin/cachemgr.cgi
All work OK.
CC: (none) => herman.viaene
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
MGA7-64 Plasma on Lenovo B50

No installation issues.
I am not going to repeat the output of the test as it is the same as in Comment 13 above. So OK for me.
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
Validating. Advisory in Comment 12.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0265.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0266.html
The Mageia 7 update here also fixed CVE-2019-12520 and CVE-2019-12524: http://www.squid-cache.org/Advisories/SQUID-2019_4.txt https://www.debian.org/security/2020/dsa-4682