Upstream has issued advisories on June 19 and June 26:
https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57
https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

The issues are fixed upstream in 4.12.
Status comment: (none) => Fixed upstream in 4.12
Version: Cauldron => 7
Assigning to Bruno, both registered & active maintainer.
Assignee: bugsquad => bruno
squid 4.12 pushed to mga 7 updates_testing
Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs
QA, please make sure this one upgrades OK from the old one, as it looks like some files were moved between subpackages.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to use of a potentially dangerous function Squid and the default certificate validation helper are vulnerable to a Denial of Service attack when processing TLS certificates. This attack is limited to Squid built with OpenSSL features and opening peer or server connections for HTTPS traffic and SSL-Bump server handshakes (CVE-2020-14058).

Due to incorrect input validation Squid is vulnerable to a Request Smuggling and Poisoning attack against the HTTP cache. This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. Most popular server software are not vulnerable to participation in this attack (CVE-2020-14059).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14059
http://www.squid-cache.org/Advisories/SQUID-2020_6.txt
https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
========================

Updated packages in core/updates_testing:
========================
squid-4.12-2.mga7
squid-cachemgr-4.12-2.mga7

from squid-4.12-2.mga7.src.rpm
CC: (none) => bruno
Status comment: Fixed upstream in 4.12 => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26532 for testing.
At CLI:
# systemctl start squid
# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: active (running) since Mon 2020-08-17 14:30:43 CEST; 18s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29008 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
 Main PID: 29026 (squid)
    Tasks: 4 (limit: 4915)
   Memory: 13.7M
   CGroup: /system.slice/squid.service
           ├─29026 squid
           ├─29028 (squid-1) --kid squid-1
           ├─29033 (logfile-daemon) /var/log/squid/access.log
           └─29034 (pinger)

Aug 17 14:30:43 mach5.hviaene.thuis systemd[1]: Starting LSB: Starts the squid daemon...
Aug 17 14:30:43 mach5.hviaene.thuis squid[29021]: Squid Parent: will start 1 kids
Aug 17 14:30:43 mach5.hviaene.thuis squid[29021]: Squid Parent: (squid-1) process 29023 started
Aug 17 14:30:43 mach5.hviaene.thuis squid[29021]: Squid Parent: squid-1 process 29023 exited with status 0
Aug 17 14:30:43 mach5.hviaene.thuis squid[29026]: Squid Parent: will start 1 kids
Aug 17 14:30:43 mach5.hviaene.thuis squid[29026]: Squid Parent: (squid-1) process 29028 started
Aug 17 14:30:43 mach5.hviaene.thuis squid[29008]: init_cache_dir /var/spool/squid... Starting squid: [ OK ]
Aug 17 14:30:43 mach5.hviaene.thuis systemd[1]: Started LSB: Starts the squid daemon.

Then change the firefox preference network setting to point at localhost port 3128 as proxy, restarted firefox and used it this way to make this update.
OK, works good.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Advisory and package list in Comment 3.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0332.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED