Bug 28799 - squid new security issue CVE-2020-25097
Summary: squid new security issue CVE-2020-25097
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-18 00:37 CEST by David Walser
Modified: 2021-05-15 02:53 CEST

See Also:
Source RPM: squid-4.13-5.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-04-18 00:37:36 CEST
RedHat has issued an advisory on April 8:
https://access.redhat.com/errata/RHSA-2021:1135

The issue is fixed upstream in 4.14:
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-04-18 00:37:54 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 4.14

Comment 1 Lewis Smith 2021-04-18 08:41:15 CEST
This looks right to assign to Bruno.

Assignee: bugsquad => bruno

Comment 2 Nicolas Lécureuil 2021-04-26 00:20:36 CEST
pushed in mga7/8/9

src:
    - squid-4.13-1.1.mga7
    - squid-4.13-5.1.mga8

Version: Cauldron => 8
CC: (none) => mageia
Status comment: Fixed upstream in 4.14 => (none)
Assignee: bruno => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 3 David Walser 2021-04-26 01:07:38 CEST
Please update to 4.14, so we can get all of the bug fixes.
David Walser 2021-04-27 19:45:15 CEST

Keywords: (none) => feedback

David Walser 2021-05-14 00:50:31 CEST

Assignee: qa-bugs => pkg-bugs
Keywords: feedback => (none)

Comment 4 David Walser 2021-05-14 23:12:31 CEST
Update coming once the build system catches up.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack. This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid security controls
(CVE-2020-25097).

The squid package has been updated to version 4.14, fixing this issue and other
bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://access.redhat.com/errata/RHSA-2021:1135

Comment 5 David Walser 2021-05-15 02:51:17 CEST
Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack. This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid security controls
(CVE-2020-25097).

The squid package has been updated to version 4.15, fixing this issue and other
bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
========================

Updated packages in core/updates_testing:
========================
squid-4.15-1.mga8
squid-cachemgr-4.15-1.mga8

from squid-4.15-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 6 David Walser 2021-05-15 02:53:53 CEST
Mageia 7 build was just submitted too.  Should be the following when done:
squid-4.15-1.mga7
squid-cachemgr-4.15-1.mga7

from squid-4.15-1.mga7.src.rpm
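A practitioner tracking this bug mostly wants one thing: a way to tell whether a given host already carries a squid build at or above the versions named in the final advisory. The script below is an added example, not code from Mageia, the bug reporter, or the squid project. It reimplements the rpm version-comparison rule (numeric segments compared numerically, alphabetic segments lexically, the longer string newer when one runs out; tilde and caret handling is left out because none of the versions on this page use them) and checks package NVRs against the 4.15-1.mga7 / 4.15-1.mga8 builds from Comments 5 and 6. The `FIXED` table is an assumption taken from those comments; if your mirror shipped the earlier 4.13-1.1.mga7 / 4.13-5.1.mga8 backports from Comment 2 as the fix instead, lower the thresholds accordingly. The sample `rpm -q` output is constructed, not captured from a real system.

```python
import re
from typing import Dict, Tuple

# Assumed minimum fixed versions per Mageia release, taken from the final
# advisory in this bug (squid-4.15-1.mga7 and squid-4.15-1.mga8).
# Keyed by the distribution tag found in the release field.
FIXED: Dict[str, Tuple[str, str]] = {
    "mga7": ("4.15", "1.mga7"),
    "mga8": ("4.15", "1.mga8"),
}

# Package names this bug covers (binary packages built from the squid SRPM).
SQUID_PACKAGES = {"squid", "squid-cachemgr"}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Splits both strings into runs of digits and runs of letters (separators
    such as '.' and '-' are ignored), compares digit runs numerically and
    letter runs lexically, and treats a digit run as newer than a letter run
    at the same position. Tilde/caret are not handled here.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            # rpm: a numeric segment sorts after an alphabetic one.
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1
    return 0


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'squid-cachemgr-4.15-1.mga8' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr: str) -> bool:
    """True if this squid NVR is at or above the fixed build for its release."""
    name, version, release = split_nvr(nvr)
    if name not in SQUID_PACKAGES:
        raise ValueError(f"not a package covered by this bug: {nvr}")
    tag = re.search(r"mga\d+", release)
    if not tag or tag.group(0) not in FIXED:
        raise ValueError(f"no known fixed version for release tag in {nvr}")
    fixed_version, fixed_release = FIXED[tag.group(0)]
    by_version = rpmvercmp(version, fixed_version)
    if by_version != 0:
        return by_version > 0
    return rpmvercmp(release, fixed_release) >= 0


# Constructed sample output of
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' squid squid-cachemgr
# collected from several hosts; not from a real system.
SAMPLE_RPM_OUTPUT = """\
squid-4.13-5.mga8
squid-4.13-5.1.mga8
squid-4.15-1.mga8
squid-4.13-1.mga7
squid-cachemgr-4.15-1.mga7
"""


def audit(rpm_output: str) -> Dict[str, bool]:
    """Map each NVR line of rpm -q output to whether it is at a fixed version."""
    return {line: is_fixed(line) for line in rpm_output.splitlines() if line.strip()}


if __name__ == "__main__":
    for nvr, ok in audit(SAMPLE_RPM_OUTPUT).items():
        print(f"{'FIXED     ' if ok else 'VULNERABLE'}  {nvr}")
```

The release field is only consulted when the upstream version ties with the threshold, which mirrors how rpm orders packages and avoids the common mistake of comparing "4.13-5.1" against "4.15-1" as plain strings. On a live host, feed the output of the `rpm -q --qf` command shown in the comment to `audit()` instead of the constructed sample.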
