Bug 25812 - squid new security issues CVE-2019-1252[36] and CVE-2019-1867[6-9]
Summary: squid new security issues CVE-2019-1252[36] and CVE-2019-1867[6-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-03 21:41 CET by David Walser
Modified: 2020-04-30 19:52 CEST
5 users

See Also:
Source RPM: squid-4.8-1.1.mga7.src.rpm
CVE:
Status comment:


David Walser 2019-12-03 21:41:35 CET

CC: (none) => geiger.david68210, lists.jjorge

Comment 1 Lewis Smith 2019-12-06 18:02:18 CET
Assigning to Bruno as registered maintainer; noted CC José as recent committer.

Assignee: bugsquad => bruno

Comment 2 José Jorge 2019-12-07 11:14:59 CET
Version 4.9 was already in cauldron, pushing it to 7/updates_testing.

Suggested advisory:
Several security issues were found in the Squid proxy. Upstream released version 4.9 with all the needed fixes.

Refs:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt

SRPM:
squid-4.9-1.mga7

RPMS:
squid-4.9-1.mga7
squid-cachemgr-4.9-1.mga7

Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs

Comment 3 David Walser 2019-12-07 16:30:15 CET
Advisory:
========================

Updated squid packages fix security vulnerabilities:

Potential remote code execution during URN processing (CVE-2019-12526).

Multiple improper validations in URI processing (CVE-2019-12523,
CVE-2019-18676).

Cross-Site Request Forgery in HTTP Request processing (CVE-2019-18677).

Incorrect message parsing which could have led to HTTP request splitting
issue (CVE-2019-18678).

Information disclosure when processing HTTP Digest Authentication
(CVE-2019-18679).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1867
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
https://lists.opensuse.org/opensuse-updates/2019-11/msg00119.html

Comment 4 Herman Viaene 2019-12-10 10:33:43 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 35637.
# systemctl restart httpd
[root@mach5 ~]# systemctl start squid
[root@mach5 ~]# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Tue 2019-12-10 10:22:16 CET; 14s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31352 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 31370 (squid)
   Memory: 13.9M
   CGroup: /system.slice/squid.service
           ├─31370 squid
           ├─31372 (squid-1) --kid squid-1
           ├─31377 (logfile-daemon) /var/log/squid/access.log
           └─31378 (pinger)

dec 10 10:22:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: will start 1 kids
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: (squid-1) process 31367 started
dec 10 10:22:16 mach5.hviaene.thuis squid[31365]: Squid Parent: squid-1 process 31367 exited with status 0
dec 10 10:22:16 mach5.hviaene.thuis squid[31370]: Squid Parent: will start 1 kids
dec 10 10:22:16 mach5.hviaene.thuis squid[31370]: Squid Parent: (squid-1) process 31372 started
dec 10 10:22:16 mach5.hviaene.thuis squid[31352]: init_cache_dir /var/spool/squid... Starting squid: [  OK  ]
dec 10 10:22:16 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.
Restarted Firefox, pointed it to this update and to a fake internet address, and checked both in /var/log/squid/access.log: all works OK.
Note: the httpd used is the one from update 25316, both without the mods that make this version fail on this setup.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
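The two things the QA check above establishes by hand (the installed squid is the fixed 4.9 release, and both test requests actually went through the proxy and show up in access.log) can be scripted. The block below is an added example; it is not part of this bug report, of Mageia's packaging, or of Squid itself. It assumes that `squid -v` prints a first line of the form "Squid Cache: Version X.Y" and that access.log is in Squid's default native format (time, elapsed, client, action/code, size, method, URL, user, hierarchy/peer, type). The banner text and the two log lines embedded in it are constructed stand-ins for the real command output and log, and the second log line's action/code for an unresolvable host is an assumed value rather than one copied from a real log.

```shell
#!/bin/sh
# Added example mirroring the QA steps from Comment 4; not from the bug
# report or from Squid. Assumptions: `squid -v` starts with a line
# "Squid Cache: Version X.Y"; access.log is Squid's native format:
#   time elapsed client action/code size method url user hier/peer type

# version_ge A B: exit 0 if dotted version A is at least B. Components are
# compared numerically, so 4.10 >= 4.9 (a string compare gets this wrong).
# A trailing package release such as "-1.mga7" is stripped first.
version_ge() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i in x) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# squid_version_from_banner TEXT: print the version number found in the
# first "Squid Cache: Version ..." line of `squid -v` output.
squid_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# access_log_summary LOGTEXT: one "action/code count" line per distinct
# result code, sorted, so a glance shows what the proxy answered.
access_log_summary() {
    printf '%s\n' "$1" | awk '$4 != "" { c[$4]++ } END { for (k in c) printf "%s %d\n", k, c[k] }' | sort
}

# access_log_has_url LOGTEXT URL: exit 0 if some request line carries
# exactly URL in the URL field (field 7 of the native format).
access_log_has_url() {
    printf '%s\n' "$1" | awk -v want="$2" '$7 == want { found = 1 } END { exit found ? 0 : 1 }'
}

FIXED_VERSION=4.9   # first upstream release carrying every fix listed in this bug

# Constructed sample input standing in for `squid -v` and
# /var/log/squid/access.log (the 503 line's action/code is an assumption).
SAMPLE_BANNER='Squid Cache: Version 4.9
Service Name: squid'
SAMPLE_LOG='1575969736.123    250 192.168.1.20 TCP_TUNNEL/200 4521 CONNECT advisories.mageia.org:443 - HIER_DIRECT/1.2.3.4 -
1575969741.456     12 192.168.1.20 TCP_MISS/503 3899 GET http://no-such-host.invalid/ - HIER_NONE/- text/html'

installed=$(squid_version_from_banner "$SAMPLE_BANNER")
if version_ge "$installed" "$FIXED_VERSION"; then
    echo "squid $installed: at or above $FIXED_VERSION, fixes present"
else
    echo "squid $installed: older than $FIXED_VERSION, still vulnerable"
fi

access_log_summary "$SAMPLE_LOG"

# Both test targets from the QA run must appear in the log: the real
# update page (CONNECT for HTTPS) and the bogus address (error from squid).
for url in advisories.mageia.org:443 http://no-such-host.invalid/; do
    if access_log_has_url "$SAMPLE_LOG" "$url"; then
        echo "logged: $url"
    else
        echo "missing: $url"
    fi
done
```

On a live system, replace SAMPLE_BANNER with "$(squid -v)" and SAMPLE_LOG with "$(cat /var/log/squid/access.log)"; the version comparison also accepts the rpm-style string "4.9-1.mga7" directly, so "$(rpm -q --qf '%{VERSION}-%{RELEASE}' squid)" works as the first argument too.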

Comment 5 Thomas Andrews 2019-12-10 20:09:34 CET
I'm going to let this one go. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Rémi Verschelde 2019-12-13 16:55:15 CET
Advisory uploaded.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-12-13 19:27:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0382.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2020-04-30 19:52:57 CEST
This update also fixed CVE-2019-18860:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006769.html
