Upstream has issued advisories on November 5:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt

The issues are fixed upstream in 4.9.

openSUSE has issued an advisory for this on 21:
https://lists.opensuse.org/opensuse-updates/2019-11/msg00119.html
CC: (none) => geiger.david68210, lists.jjorge
Assigning to Bruno as registered maintainer; noted CC José as recent committer.
Assignee: bugsquad => bruno
Version 4.9 was already in cauldron, pushing it to 7/updates_testing.

Suggested advisory:
Several security issues were found in the Squid proxy. Upstream released version 4.9 with all the needed fixes.

Refs:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt

SRPM:
squid-4.9-1.mga7

RPMS:
squid-4.9-1.mga7
squid-cachemgr-4.9-1.mga7
Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs
Advisory:
========================

Updated squid packages fix security vulnerabilities:

Potential remote code execution during URN processing (CVE-2019-12526).

Multiple improper validations in URI processing (CVE-2019-12523, CVE-2019-18676).

Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677).

Incorrect message parsing which could have led to HTTP request splitting issue (CVE-2019-18678).

Information disclosure when processing HTTP Digest Authentication (CVE-2019-18679).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
https://lists.opensuse.org/opensuse-updates/2019-11/msg00119.html
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 35637.

# systemctl restart httpd
[root@mach5 ~]# systemctl start squid
[root@mach5 ~]# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Tue 2019-12-10 10:22:16 CET; 14s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31352 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 31370 (squid)
   Memory: 13.9M
   CGroup: /system.slice/squid.service
           ├─31370 squid
           ├─31372 (squid-1) --kid squid-1
           ├─31377 (logfile-daemon) /var/log/squid/access.log
           └─31378 (pinger)

dec 10 10:22:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: will start 1 kids
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: (squid-1) process 31367 started
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: squid-1 process 31367 exited with status 0
dec 10 10:22:16 mach5.hviaene.thuis squid[31370]: Squid Parent: will start 1 kids
dec 10 10:22:16 mach5.hviaene.thuis squid[31370]: Squid Parent: (squid-1) process 31372 started
dec 10 10:22:16 mach5.hviaene.thuis squid[31352]: init_cache_dir /var/spool/squid... Starting squid: [ OK ]
dec 10 10:22:16 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Restarted firefox, pointed it to this update and to a fake internet address and checked both in /var/log/squid/access.log: all works OK.

Note: the httpd used is the one from update 25316, both without the mods that make this version fail on this setup.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
I'm going to let this one go. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0382.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2019-18860: http://lists.suse.com/pipermail/sle-security-updates/2020-April/006769.html