Bug 25110 - Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579], CVE-2019-12854)
Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-07-11 14:52 CEST by David Walser
Modified: 2019-09-12 21:11 CEST (History)
8 users (show)

See Also:
Source RPM: squid-4.7-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-07-11 14:52:30 CEST
Squid 4.8 has been released on July 10:
http://www.squid-cache.org/Versions/v4/changesets/

It fixes some security issues in cachemgr, so we might want to update it for Mageia 7.
David Walser 2019-07-11 14:52:43 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Marja Van Waes 2019-07-12 18:04:12 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bruno

Comment 2 David Walser 2019-08-12 01:01:47 CEST
Ubuntu has issued an advisory for this on July 17:
https://usn.ubuntu.com/4059-1/

Whiteboard: MGA7TOO => MGA7TOO, MGA6TOO
Summary: Squid 4.8 fixes security issues in cachemgr => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345)
Severity: normal => major

Comment 3 David Walser 2019-08-12 01:07:23 CEST
Apparently 4.8 fixed issues in Squid itself too.

Ubuntu has issued an advisory on July 18:
https://usn.ubuntu.com/4065-1/

CVE-2019-12527 does not affect Mageia 6, the other issues do.

Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579])

Comment 4 Bruno Cornec 2019-08-13 01:47:31 CEST
squid 4.8 pushed to cauldron and mga7 updates_testing.

Status: NEW => ASSIGNED
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 5 Bruno Cornec 2019-08-13 02:00:16 CEST
squid 3.5.27 pushed to mga6 updates_testing

Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs

Comment 6 David Walser 2019-08-13 02:28:20 CEST
Thanks.  Cauldron failed to build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190812234027.bcornec.duvel.5498/log/squid-4.8-1.mga8/build.0.20190812234107.log

Looks like newer GCC causing problems.

Be careful with the bugs, you accidentally wiped out the whiteboard in this bug and the ansible bug.

CC: (none) => bruno.cornec
Whiteboard: (none) => MGA6TOO

Comment 7 David Walser 2019-08-13 02:29:08 CEST
I see the fix for the build issue right at the top here:
http://www.squid-cache.org/Versions/v4/changesets/
Comment 8 David Walser 2019-08-13 02:32:08 CEST
CVE-2019-13345 isn't actually fixed in 3.5.27, so you'll need the patch from upstream or Ubuntu 18.04.

CC: (none) => qa-bugs
Assignee: qa-bugs => bruno.cornec

Comment 9 David Walser 2019-08-24 19:15:40 CEST
squid-4.8-1.mga8 uploaded for Cauldron by Bruno.
Comment 10 David Walser 2019-08-28 22:17:43 CEST
4.8 also fixed CVE-2019-12854 (only 4.x affected, so Mageia 6 is OK there):
https://security-tracker.debian.org/tracker/CVE-2019-12854

Debian has issued an advisory for this on August 24:
https://www.debian.org/security/2019/dsa-4507

Summary: Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579]) => Squid 4.8 fixes security issues in cachemgr (CVE-2019-13345) and Squid itself (CVE-2019-1252[579], CVE-2019-12854)

Comment 11 Bruno Cornec 2019-09-04 12:22:09 CEST
Used a derived patch from Upstream https://github.com/squid-cache/squid/commit/5730c2b5cb56e7639dc423dd62651c8736a54e35
squid-3.5.27-1.2.mga6 submitted

CC: (none) => bruno
Assignee: bruno.cornec => qa-bugs

Comment 12 David Walser 2019-09-04 16:08:59 CEST
Advisory (Mageia 6):
========================

Updated squid packages fix security vulnerabilities:

It was discovered that Squid incorrectly handled Digest authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12525).

It was discovered that Squid incorrectly handled Basic authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12529).

It was discovered that Squid incorrectly handled the cachemgr.cgi web module.
A remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks (CVE-2019-13345).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
https://usn.ubuntu.com/4059-1/
https://usn.ubuntu.com/4065-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.5.27-1.2.mga6
squid-cachemgr-3.5.27-1.2.mga6

from squid-3.5.27-1.2.mga6.src.rpm


Advisory (Mageia 7):
========================

Updated squid packages fix security vulnerabilities:

It was discovered that Squid incorrectly handled Digest authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12525).

It was discovered that Squid incorrectly handled Basic authentication. A
remote attacker could use this issue to cause Squid to crash, resulting in a
denial of service, or possibly execute arbitrary code (CVE-2019-12527).

It was discovered that Squid incorrectly handled Basic authentication. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service (CVE-2019-12529).

Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may
access unallocated memory. On systems with memory access protections, this can
cause the CGI process to terminate unexpectedly, resulting in a denial of
service for all clients using it (CVE-2019-12854).

It was discovered that Squid incorrectly handled the cachemgr.cgi web module.
A remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks (CVE-2019-13345).

The squid package has been updated to version 4.8, fixing these issues and
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345
https://usn.ubuntu.com/4059-1/
https://usn.ubuntu.com/4065-1/
https://www.debian.org/security/2019/dsa-4507
========================

Updated packages in core/updates_testing:
========================
squid-4.8-1.mga7
squid-cachemgr-4.8-1.mga7

from squid-4.8-1.mga7.src.rpm
Comment 13 Herman Viaene 2019-09-05 11:02:08 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues
After installation:
# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated; vendor preset: enabled)
   Active: active (running) since do 2019-09-05 10:44:02 CEST; 20s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31649 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 31667 (squid)
   CGroup: /system.slice/squid.service
           ├─31665 squid
           ├─31667 (squid-1)
           ├─31669 (logfile-daemon) /var/log/squid/access.log
           └─31670 (pinger)

sep 05 10:44:01 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: will start 1 kids
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: (squid-1) process 31662 started
sep 05 10:44:01 mach5.hviaene.thuis squid[31660]: Squid Parent: (squid-1) process 31662 exited with status 0
sep 05 10:44:01 mach5.hviaene.thuis squid[31665]: Squid Parent: will start 1 kids
sep 05 10:44:01 mach5.hviaene.thuis squid[31665]: Squid Parent: (squid-1) process 31667 started
sep 05 10:44:02 mach5.hviaene.thuis squid[31649]: init_cache_dir /var/spool/squid... Starting squid: .[  OK  ]
sep 05 10:44:02 mach5.hviaene.thuis systemd[1]: squid.service: Supervising process 31667 which is not our child. We'll most likely not notice when it exits
sep 05 10:44:02 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.
Ref to bug 23780 Comment 7 and 11:
Changed firefox to use localhost as proxy
Pointed firefox to https://www.mageia.org and http://localhost and http://localhost/cgi-bin/cachemgr.cgi
All work OK.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
CC: (none) => herman.viaene

Comment 14 Herman Viaene 2019-09-09 13:45:49 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
I am not going to repeat the output of the test as it is the same as above Comment 13.
So OK for me.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 15 Thomas Andrews 2019-09-09 14:51:14 CEST
Validating. Advisory in Comment 12.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-12 18:53:51 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 16 Mageia Robot 2019-09-12 21:11:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0265.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 17 Mageia Robot 2019-09-12 21:11:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0266.html

Note You need to log in before you can comment on or make changes to this bug.