RedHat has issued an advisory on April 8:
https://access.redhat.com/errata/RHSA-2021:1135

The issue is fixed upstream in 4.14:
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6

Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 4.14
Whiteboard: (none) => MGA8TOO, MGA7TOO
This looks right to assign to Bruno.
Assignee: bugsquad => bruno
pushed in mga7/8/9 src:
- squid-4.13-1.1.mga7
- squid-4.13-5.1.mga8
Version: Cauldron => 8
Status comment: Fixed upstream in 4.14 => (none)
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: bruno => qa-bugs
Please update to 4.14, so we can get all of the bug fixes.
Keywords: (none) => feedback
Assignee: qa-bugs => pkg-bugs
Keywords: feedback => (none)
Update coming once the build system catches up.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097).

The squid package has been updated to version 4.14, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://access.redhat.com/errata/RHSA-2021:1135
Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097).

The squid package has been updated to version 4.15, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
========================

Updated packages in core/updates_testing:
========================
squid-4.15-1.mga8
squid-cachemgr-4.15-1.mga8

from squid-4.15-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Mageia 7 build was just submitted too. Should be the following when done:
squid-4.15-1.mga7
squid-cachemgr-4.15-1.mga7

from squid-4.15-1.mga7.src.rpm
MGA7-64 Plasma on Lenovo B50

Installing updates the existing packages.
Following previous bug 26532

# systemctl restart httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-05-15 21:13:12 CEST; 22s ago
 Main PID: 8964 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
    Tasks: 27 (limit: 4915)
   Memory: 21.8M
   CGroup: /system.slice/httpd.service
           ├─ 8964 /usr/sbin/httpd -DFOREGROUND
           ├─10509 /usr/sbin/httpd -DFOREGROUND
           ├─10510 /usr/sbin/httpd -DFOREGROUND
           ├─10515 /usr/sbin/httpd -DFOREGROUND
           ├─10520 /usr/sbin/httpd -DFOREGROUND
           ├─10525 /usr/sbin/httpd -DFOREGROUND
           └─10530 /usr/sbin/httpd -DFOREGROUND

May 15 21:13:03 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
May 15 21:13:12 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start squid
Job for squid.service failed because the control process exited with error code.
See "systemctl status squid.service" and "journalctl -xe" for details.
[root@mach5 ~]# systemctl start squid
Job for squid.service failed because the control process exited with error code.
See "systemctl status squid.service" and "journalctl -xe" for details.
[root@mach5 ~]# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: failed (Result: exit-code) since Sat 2021-05-15 21:18:45 CEST; 23s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3818 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=255/EXCEPTION)

Googled on the error, found nothing that seems to apply.
In /var/log/squid/cache.log I get:

2021/05/15 21:13:56| Removing PID file (/run/squid.pid)
2021/05/15 21:18:39| Created PID file (/run/squid.pid)
2021/05/15 21:18:45 kid1| Set Current Directory to /var/spool/squid
2021/05/15 21:18:45 kid1| Creating missing swap directories
2021/05/15 21:18:45 kid1| No cache_dir stores are configured.
2021/05/15 21:18:45| FATAL: Squid is already running: Found fresh instance PID file (/run/squid.pid) with PID 3846
    exception location: Instance.cc(121) ThrowIfAlreadyRunningWith

but when I check with ps -ef, there is nothing squid-ish there, and on retrying I keep getting the same error.
CC: (none) => herman.viaene
Known issue if you're testing Mageia 7 (see Bug 27211).
I've seen that bug, but to me it looks like a discussion on compiling/building the package. I can't get it where I would have to change what in which file?
Try using the systemd unit file here:
https://bugs.mageia.org/show_bug.cgi?id=27211#c7

Install it in /etc/systemd/system/ and then run systemctl daemon-reload, so that systemd sees it.
MGA8 x86_64

$ rpm -qa | grep squid
squid-4.15-1.mga8

Using squid as web proxy for a shared Internet Network to a local Network with "Share the Internet connection with the local machines" under Network section of Mageia Control Centre.

$ systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-05-23 17:03:48 CEST; 9min ago
       Docs: man:squid(8)
   Main PID: 10031 (squid)
      Tasks: 6 (limit: 4693)
     Memory: 51.1M
        CPU: 3.994s
     CGroup: /system.slice/squid.service
             ├─10031 /usr/sbin/squid --foreground -sYC
             ├─10033 (squid-1) --kid squid-1 --foreground -sYC
             ├─10034 (logfile-daemon) /var/log/squid/access.log
             ├─10035 (unlinkd)
             ├─10036 diskd 10273796 10273797 10273798
             └─10037 (pinger)

mai 23 17:03:48 localhost squid[10033]: 0 Objects cancelled.
mai 23 17:03:48 localhost squid[10033]: 0 Duplicate URLs purged.
mai 23 17:03:48 localhost squid[10033]: 0 Swapfile clashes avoided.
mai 23 17:03:48 localhost squid[10033]: Took 0.01 seconds (3089.68 objects/sec).
mai 23 17:03:48 localhost squid[10033]: Beginning Validation Procedure
mai 23 17:03:48 localhost squid[10033]: Completed Validation Procedure
mai 23 17:03:48 localhost squid[10033]: Validated 41 Entries
mai 23 17:03:48 localhost squid[10033]: store_swap_size = 13708.00 KB
mai 23 17:03:49 localhost squid[10033]: storeLateRelease: released 0 objects

Works OK.
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-25097
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Seems there is an updated version for mga7 as well:

- Current or newer revision(s) already exists in core/updates_testing for 7: 4.15-1.mga7
Status: NEW => ASSIGNED
CC: (none) => bruno
Yes, this is already assigned to QA. Just awaiting validation.
Debian has issued an advisory on June 1:
https://www.debian.org/security/2021/dsa-4924

The issues are fixed upstream in 4.15 in this update.
Summary: squid new security issue CVE-2020-25097 => squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8]
Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097).

Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server (CVE-2021-28651, CVE-2021-28652, CVE-2021-28662, CVE-2021-31806, CVE-2021-31807, CVE-2021-31808).

The squid package has been updated to version 4.15, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h
https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
https://www.debian.org/security/2021/dsa-4924
Ubuntu has issued an advisory on June 3:
https://ubuntu.com/security/notices/USN-4981-1

It has one more CVE that was fixed in 4.15.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls (CVE-2020-25097).

Joshua Rogers discovered that Squid incorrectly handled requests with the urn: scheme. A remote attacker could possibly use this issue to cause Squid to consume resources, leading to a denial of service (CVE-2021-28651).

Joshua Rogers discovered that Squid incorrectly handled requests to the Cache Manager API. A remote attacker with access privileges could possibly use this issue to cause Squid to consume resources, leading to a denial of service (CVE-2021-28652).

Joshua Rogers discovered that Squid incorrectly handled certain response headers. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2021-28662).

Joshua Rogers discovered that Squid incorrectly handled range request processing. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2021-31806, CVE-2021-31807, CVE-2021-31808).

Joshua Rogers discovered that Squid incorrectly handled certain HTTP responses. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service (CVE-2021-33620).

The squid package has been updated to version 4.15, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33620
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h
https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf
https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
https://ubuntu.com/security/notices/USN-4981-1
Summary: squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8] => squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8], CVE-2021-33620
Tested again with the recommendation from Comment 10, with a little guess that the file involved is squid.service (I didn't see that mentioned). Works OK now.

One question remains for me: if anyone installs this version of squid as their first installation, will that person know this story of the squid.service file?
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Only if they search Bugzilla. Oh well. We probably should have put something in the Errata.
This one has been a long time coming. Validating. Several advisories here, but I believe the last, in Comment 16, is probably the correct one.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0237.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
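The version check a tester or admin would want after this update, as an added example (not Mageia's or the Squid project's code): it compares `rpm -qa` output against the fixed package versions named in this thread (4.15-1.mga7 and 4.15-1.mga8) using RPM's version-ordering rules rather than a string compare, so that 4.13-5.1.mga8 is correctly seen as older than 4.15-1.mga8. The sample `rpm -qa` lines are constructed for the example; `check_host()` runs the real `rpm -qa` when you want to test a live machine.

```python
"""Flag installed squid packages older than the fixed versions in this update.

Added example, not Mageia or Squid project code. Implements the core of
rpmvercmp: versions are split into numeric and alphabetic segments, numeric
segments compare as integers, alphabetic ones as strings, a numeric segment
beats an alphabetic one, and '~' sorts before anything (so 4.15~rc1 < 4.15).
"""
import re
import subprocess

# Fixed (version, release) per Mageia release, taken from this bug's advisory.
FIXED = {
    "mga7": ("4.15", "1.mga7"),
    "mga8": ("4.15", "1.mga8"),
}

# Constructed sample of `rpm -qa` output (not output from a real host):
# one package still at the pre-update version, one already at the fix.
SAMPLE_RPM_QA = """\
squid-4.13-5.1.mga8
squid-cachemgr-4.15-1.mga8
bash-5.1.4-1.mga8
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version string a is older, equal or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1   # '~' side is older
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1             # numeric beats alpha
        if xd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    # One side has segments left over: it is newer, unless that leftover is '~'.
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def compare_vr(v1, r1, v2, r2):
    """Compare version-release pairs: version decides, release breaks ties."""
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def split_nvr(nvr):
    """Split name-version-release; version and release never contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vulnerable_packages(rpm_qa_output, fixed=FIXED):
    """Return [(installed_nvr, fixed_vr)] for squid packages below the fix."""
    found = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, ver, rel = split_nvr(line)
        if not name.startswith("squid"):
            continue
        m = re.search(r"mga\d+", rel)
        if not m or m.group(0) not in fixed:
            continue                           # not a Mageia release we know
        fv, fr = fixed[m.group(0)]
        if compare_vr(ver, rel, fv, fr) < 0:
            found.append((line, f"{fv}-{fr}"))
    return found


def check_host():
    """Run rpm -qa on this machine and return the vulnerable list."""
    res = subprocess.run(["rpm", "-qa"], capture_output=True, text=True, check=True)
    return vulnerable_packages(res.stdout)


if __name__ == "__main__":
    for nvr, fixed_vr in vulnerable_packages(SAMPLE_RPM_QA):
        print(f"{nvr}: older than fixed {fixed_vr}")
```

Replace `vulnerable_packages(SAMPLE_RPM_QA)` with `check_host()` on a Mageia box; an empty result means every installed squid package is at or above the version this advisory ships.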
This apparently also fixed CVE-2021-28116:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28116

There's supposed to be an upstream advisory here, but it gives a 404:
https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
(In reply to David Walser from comment #21)
> This apparently also fixed CVE-2021-28116:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28116
>
> There's supposed to be an upstream advisory here, but it gives a 404:
> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82

The above upstream advisory has finally been posted, and it is in fact not fixed until 4.17. Bug 29524 filed for this issue.