Bug 26532 - squid new security issue CVE-2020-11945
Summary: squid new security issue CVE-2020-11945
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-23 21:36 CEST by David Walser
Modified: 2020-05-05 14:22 CEST (History)
4 users

See Also:
Source RPM: squid-4.10-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-04-23 21:36:44 CEST
Upstream has released an advisory today (April 23):
http://www.squid-cache.org/Advisories/SQUID-2020_4.txt

The issue is fixed upstream in 4.11.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to an integer overflow bug Squid is vulnerable to credential replay and
remote code execution attacks against HTTP Digest Authentication tokens. When
memory pooling is used this problem allows a remote client to replay a sniffed
Digest Authentication nonce to gain access to resources that are otherwise
forbidden. When memory pooling is disabled this problem allows a remote client
to perform remote code execution through the free'd nonce credentials
(CVE-2020-11945).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11945
http://www.squid-cache.org/Advisories/SQUID-2020_4.txt
========================

Updated packages in core/updates_testing:
========================
squid-4.11-1.mga7
squid-cachemgr-4.11-1.mga7

from squid-4.11-1.mga7.src.rpm
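The advisory names the fixed build (squid-4.11-1.mga7), so the practical question on any Mageia 7 host is whether the installed squid is that build or newer. The block below is an added example, not part of the bug report, the advisory or the Squid project: a Python check that parses an installed NAME-[EPOCH:]VERSION-RELEASE label (as printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' squid`) and compares it with the fixed build using RPM's own ordering rules (rpmvercmp: digit runs compare numerically, letter runs as strings, digits beat letters, `~` sorts before anything), so that a plain string comparison cannot rank 4.9 above 4.11. The installed label in the block is a constructed sample; the fixed-build table is copied from the advisory; the newer `^` version marker is not handled.

```python
"""Added example (not part of the Mageia bug, the advisory or Squid): compare an
installed squid NAME-[EPOCH:]VERSION-RELEASE label with the fixed build named in
the advisory, using RPM's own ordering rules (rpmvercmp) instead of string order."""
import re
from typing import Dict, NamedTuple, Tuple

# Fixed builds named in the advisory (from squid-4.11-1.mga7.src.rpm).
FIXED_BUILDS: Dict[str, str] = {
    "squid": "squid-4.11-1.mga7",
    "squid-cachemgr": "squid-cachemgr-4.11-1.mga7",
}
# Constructed sample of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' squid`
# on a host still running the build the bug was filed against.
INSTALLED_SAMPLE = "squid-4.10-1.mga7"


class Nevr(NamedTuple):
    name: str
    epoch: str
    version: str
    release: str


_NEVR_RE = re.compile(r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_nevr(label: str) -> Nevr:
    """Split 'name-[epoch:]version-release'; names may themselves contain '-'."""
    m = _NEVR_RE.match(label.strip())
    if not m:
        raise ValueError(f"not a NAME-[EPOCH:]VERSION-RELEASE label: {label!r}")
    return Nevr(m["name"], m["epoch"] or "0", m["version"], m["release"])


def _segment(s: str, k: int, digits: bool) -> Tuple[str, int]:
    """Take the run of digits (or of letters) starting at s[k]."""
    start = k
    while k < len(s) and (s[k].isdigit() if digits else s[k].isalpha()):
        k += 1
    return s[start:k], k


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version ordering: digit runs compare numerically, letter runs as
    strings, digits beat letters, '~' sorts before anything (even the end of
    the string), and when all segments agree the longer string wins. -1/0/1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (neither alphanumeric nor '~') are skipped on both sides
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1           # b is a pre-release of a
            if not tilde_b:
                return -1          # a is a pre-release of b
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        seg_a, i = _segment(a, i, numeric)
        seg_b, j = _segment(b, j, numeric)
        if not seg_b:
            return 1 if numeric else -1   # mixed segment types: digits win
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1     # whichever still has characters wins


def compare_evr(x: Nevr, y: Nevr) -> int:
    """Epoch first, then version, then release, each ordered by rpmvercmp."""
    for field in ("epoch", "version", "release"):
        r = rpmvercmp(getattr(x, field), getattr(y, field))
        if r:
            return r
    return 0


def is_fixed(installed: str, fixed_builds: Dict[str, str] = FIXED_BUILDS) -> bool:
    """True when the installed build is the advisory's fixed build or newer."""
    inst = parse_nevr(installed)
    if inst.name not in fixed_builds:
        raise KeyError(f"no fixed build recorded for {inst.name!r}")
    return compare_evr(inst, parse_nevr(fixed_builds[inst.name])) >= 0
```

`is_fixed(INSTALLED_SAMPLE)` returns False for the constructed 4.10 label and True once the label is squid-4.11-1.mga7 or anything rpm orders after it (a later release such as 4.11-2.mga7, a later version, or an epoch bump). Because `%{VERSION}-%{RELEASE}` omits the epoch, add `%{EPOCH}:` to the query format only on packages that actually carry one; the parser treats a missing epoch as 0, which is what rpm does as well.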
Comment 1 Herman Viaene 2020-04-28 11:42:48 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
# systemctl restart httpd
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Tue 2020-04-28 11:34:17 CEST; 1min 50s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 5361 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 5379 (squid)
    Tasks: 4 (limit: 4915)
   Memory: 13.9M
   CGroup: /system.slice/squid.service
           ├─5379 squid
           ├─5381 (squid-1) --kid squid-1
           ├─5386 (logfile-daemon) /var/log/squid/access.log
           └─5387 (pinger)

Apr 28 11:34:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
Apr 28 11:34:17 mach5.hviaene.thuis squid[5374]: Squid Parent: will start 1 kids
Apr 28 11:34:17 mach5.hviaene.thuis squid[5374]: Squid Parent: (squid-1) process 5376 started
Apr 28 11:34:17 mach5.hviaene.thuis squid[5374]: Squid Parent: squid-1 process 5376 exited with status 0
Apr 28 11:34:17 mach5.hviaene.thuis squid[5379]: Squid Parent: will start 1 kids
Apr 28 11:34:17 mach5.hviaene.thuis squid[5379]: Squid Parent: (squid-1) process 5381 started
Apr 28 11:34:17 mach5.hviaene.thuis squid[5361]: init_cache_dir /var/spool/squid... Starting squid: [  OK  ]
Apr 28 11:34:17 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Changed firefox setting to point to localhost port 3128 as proxy server and surfed to a new site: all OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 2 Thomas Andrews 2020-04-29 14:43:16 CEST
Interesting. I looked at past updates yesterday, and found the above procedure had been used before. Seemed straightforward, even though I've never used squid and have no idea what it does, so I tried it. I only got as far as trying the second step. The squid service wouldn't start, citing an error I don't recall now. I'm assuming I did something wrong, or maybe something wasn't set up properly before I tried it. 

If that is the case, I would be happy to validate. But if in my ignorance I have stumbled onto a problem, it should be addressed. Somebody please let me know.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 Thomas Andrews 2020-04-29 14:47:09 CEST
Oops. Started to validate, then thought to ask my question, and forgot to clear it.

Keywords: validated_update => (none)

Comment 4 Herman Viaene 2020-04-29 14:55:30 CEST
Thomas,
Could you provide the error you encountered? I have done a number of squid updates before, but I can't find any previous issue like the one you are hinting at.
Comment 5 Thomas Andrews 2020-04-29 15:19:39 CEST
# systemctl restart httpd
# systemctl start squid
Job for squid.service failed because the control process exited with error code.
See "systemctl status squid.service" and "journalctl -xe" for details.
# systemctl status squid.service
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: failed (Result: exit-code) since Wed 2020-04-29 09:09:48 EDT; 49s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14913 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=255/EXCEPTION)

Apr 29 09:09:47 localhost.localdomain systemd[1]: Starting LSB: Starts the squid daemon...
Apr 29 09:09:48 localhost.localdomain squid[14926]: Squid Parent: will start 1 kids
Apr 29 09:09:48 localhost.localdomain squid[14926]: Squid Parent: (squid-1) process 14928 started
Apr 29 09:09:48 localhost.localdomain squid[14926]: Squid Parent: squid-1 process 14928 exited with status 0
Apr 29 09:09:48 localhost.localdomain squid[14913]: init_cache_dir /var/spool/squid... Starting squid: [FAILED]
Apr 29 09:09:48 localhost.localdomain systemd[1]: squid.service: Control process exited, code=exited, status=255/EXCEPTION
Apr 29 09:09:48 localhost.localdomain systemd[1]: squid.service: Failed with result 'exit-code'.
Apr 29 09:09:48 localhost.localdomain systemd[1]: Failed to start LSB: Starts the squid daemon.

I noticed that Apache is required for one of the squid packages. Apache is another of those packages that I don't use, and I didn't do anything with it aside from OKing its installation here. Wondering if that has anything to do with it. Also wondering if, because this was a new install of squid, perhaps a reboot or some other initialization that I didn't know about is required before it will start.
Comment 6 Herman Viaene 2020-04-29 15:31:15 CEST
Thomas,
Apache (httpd) is definitely needed to run squid. If you have it installed, it should run after the systemctl command above. Just check then by pointing your browser to http://localhost, it should tell you it works.
Comment 7 Thomas Andrews 2020-04-29 16:16:30 CEST
Indeed it does. And once I did that, squid started without incident.

Validating.

Keywords: (none) => validated_update

Comment 8 David Walser 2020-04-29 23:03:04 CEST
Apache is *not* needed to run Squid. It is needed for cachemgr though.
Thomas Backlund 2020-05-05 11:44:56 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2020-05-05 14:22:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0187.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

