Bug 26224 - squid new security issues CVE-2019-12528, CVE-2020-8449, CVE-2020-8450, CVE-2020-8517
Summary: squid new security issues CVE-2019-12528, CVE-2020-8449, CVE-2020-8450, CVE-2...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-20 20:41 CET by David Walser
Modified: 2020-02-26 11:22 CET
5 users

See Also:
Source RPM: squid-4.9-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-02-20 20:41:40 CET
Upstream has issued advisories on February 3:
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt

The issues are fixed upstream in 4.10.

Ubuntu has issued an advisory for this today (February 20):
https://usn.ubuntu.com/4289-1/
David Walser 2020-02-21 17:53:03 CET

Status comment: (none) => Fixed upstream in 4.10

Comment 1 Lewis Smith 2020-02-22 19:13:07 CET
Assigning to Bruno as the apparent maintainer.

Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2020-02-23 01:52:33 CET
Version 4.10 pushed to core/updates_testing.

CC: (none) => bruno
Assignee: bruno => qa-bugs
Status: NEW => ASSIGNED

Comment 3 David Walser 2020-02-23 18:05:46 CET
Advisory:
========================

Updated squid packages fix security vulnerabilities:

Jeriko One discovered that Squid incorrectly handled memory when connected to
an FTP server. A remote attacker could possibly use this issue to obtain
sensitive information from Squid memory (CVE-2019-12528).

Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A
remote attacker could possibly use this issue to access server resources
prohibited by earlier security filters (CVE-2020-8449).

Guido Vranken discovered that Squid incorrectly handled certain buffer
operations when acting as a reverse proxy. A remote attacker could use this
issue to cause Squid to crash, resulting in a denial of service, or possibly
execute arbitrary code (CVE-2020-8450).

Aaron Costello discovered that Squid incorrectly handled certain NTLM
authentication credentials. A remote attacker could possibly use this issue to
cause Squid to crash, resulting in a denial of service (CVE-2020-8517).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8517
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt
https://usn.ubuntu.com/4289-1/
========================

Updated packages in core/updates_testing:
========================
squid-4.10-1.mga7
squid-cachemgr-4.10-1.mga7

from squid-4.10-1.mga7.src.rpm

Status comment: Fixed upstream in 4.10 => (none)

Comment 4 Herman Viaene 2020-02-24 14:40:03 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25637 for testing
# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Mon 2020-02-24 14:31:29 CET; 14s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6451 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 6469 (squid)
   Memory: 13.9M
   CGroup: /system.slice/squid.service
           ├─6469 squid
           ├─6471 (squid-1) --kid squid-1
           ├─6476 (logfile-daemon) /var/log/squid/access.log
           └─6477 (pinger)

Feb 24 14:31:29 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: will start 1 kids
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: (squid-1) process 6466 started
Feb 24 14:31:29 mach5.hviaene.thuis squid[6464]: Squid Parent: squid-1 process 6466 exited with status 0
Feb 24 14:31:29 mach5.hviaene.thuis squid[6469]: Squid Parent: will start 1 kids
Feb 24 14:31:29 mach5.hviaene.thuis squid[6469]: Squid Parent: (squid-1) process 6471 started
Feb 24 14:31:29 mach5.hviaene.thuis squid[6451]: init_cache_dir /var/spool/squid... Starting squid: [  OK  ]
Feb 24 14:31:29 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.
Changed firefox to use localhost as proxy at port 3128.
Pointed firefox to a valid and an invalid URL. These are found in /var/log/squid/access.log.
All OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-02-25 00:12:20 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-26 10:46:22 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-02-26 11:22:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0106.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

