Upstream has issued advisories on February 3:
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt

The issues are fixed upstream in 4.10.

Ubuntu has issued an advisory for this today (February 20):
https://usn.ubuntu.com/4289-1/
Status comment: (none) => Fixed upstream in 4.10
Assigning to Bruno as the apparent maintainer.
Assignee: bugsquad => bruno
Version 4.10 pushed to core/updates_testing.
CC: (none) => bruno
Assignee: bruno => qa-bugs
Status: NEW => ASSIGNED
Advisory:
========================

Updated squid packages fix security vulnerabilities:

Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory (CVE-2019-12528).

Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access server resources prohibited by earlier security filters (CVE-2020-8449).

Guido Vranken discovered that Squid incorrectly handled certain buffer operations when acting as a reverse proxy. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2020-8450).

Aaron Costello discovered that Squid incorrectly handled certain NTLM authentication credentials. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2020-8517).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8517
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt
https://usn.ubuntu.com/4289-1/
========================

Updated packages in core/updates_testing:
========================
squid-4.10-1.mga7
squid-cachemgr-4.10-1.mga7

from squid-4.10-1.mga7.src.rpm
Status comment: Fixed upstream in 4.10 => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25637 for testing

# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Mon 2020-02-24 14:31:29 CET; 14s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6451 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 6469 (squid)
   Memory: 13.9M
   CGroup: /system.slice/squid.service
           ├─6469 squid
           ├─6471 (squid-1) --kid squid-1
           ├─6476 (logfile-daemon) /var/log/squid/access.log
           └─6477 (pinger)

Feb 24 14:31:29 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: will start 1 kids
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: (squid-1) process 6466 started
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: squid-1 process 6466 exited with status 0
Feb 24 14:31:29 mach5.hviaene.thuis squid[6469]: Squid Parent: will start 1 kids
Feb 24 14:31:29 mach5.hviaene.thuis squid[6469]: Squid Parent: (squid-1) process 6471 started
Feb 24 14:31:29 mach5.hviaene.thuis squid[6451]: init_cache_dir /var/spool/squid... Starting squid: [ OK ]
Feb 24 14:31:29 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Changed firefox to use localhost as proxy at port 3128.
Pointed firefox to a valid and an invalid URL. These are found in /var/log/squid/access.log.
All OK for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0106.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED