Bug 28799 - squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8], CVE-2021-33620
Summary: squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-04-18 00:37 CEST by David Walser
Modified: 2021-10-04 17:16 CEST (History)
6 users (show)

See Also:
Source RPM: squid-4.13-5.mga8.src.rpm
CVE: CVE-2020-25097
Status comment:


Attachments

Description David Walser 2021-04-18 00:37:36 CEST
RedHat has issued an advisory on April 8:
https://access.redhat.com/errata/RHSA-2021:1135

The issue is fixed upstream in 4.14:
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-04-18 00:37:54 CEST

Status comment: (none) => Fixed upstream in 4.14
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-04-18 08:41:15 CEST
This looks right to assign to Bruno.

Assignee: bugsquad => bruno

Comment 2 Nicolas Lécureuil 2021-04-26 00:20:36 CEST
pushed in mga7/8/9

src:
    - squid-4.13-1.1.mga7
    - squid-4.13-5.1.mga8

Version: Cauldron => 8
Status comment: Fixed upstream in 4.14 => (none)
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: bruno => qa-bugs

Comment 3 David Walser 2021-04-26 01:07:38 CEST
Please update to 4.14, so we can get all of the bug fixes.
David Walser 2021-04-27 19:45:15 CEST

Keywords: (none) => feedback

David Walser 2021-05-14 00:50:31 CEST

Assignee: qa-bugs => pkg-bugs
Keywords: feedback => (none)

Comment 4 David Walser 2021-05-14 23:12:31 CEST
Update coming once the build system catches up.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack. This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid security controls
(CVE-2020-25097).

The squid package has been updated to version 4.14, fixing this issue and other
bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://access.redhat.com/errata/RHSA-2021:1135
Comment 5 David Walser 2021-05-15 02:51:17 CEST
Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack. This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid security controls
(CVE-2020-25097).

The squid package has been updated to version 4.15, fixing this issue and other
bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
========================

Updated packages in core/updates_testing:
========================
squid-4.15-1.mga8
squid-cachemgr-4.15-1.mga8

from squid-4.15-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 6 David Walser 2021-05-15 02:53:53 CEST
Mageia 7 build was just submitted too.  Should be the following when done:
squid-4.15-1.mga7
squid-cachemgr-4.15-1.mga7

from squid-4.15-1.mga7.src.rpm
Comment 7 Herman Viaene 2021-05-15 21:33:09 CEST
MGA7-64 Plasma on Lenovo B50
Installing updates the existing packages.
Following previous bug 26532
# systemctl restart httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-05-15 21:13:12 CEST; 22s ago
 Main PID: 8964 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 27 (limit: 4915)
   Memory: 21.8M
   CGroup: /system.slice/httpd.service
           ├─ 8964 /usr/sbin/httpd -DFOREGROUND
           ├─10509 /usr/sbin/httpd -DFOREGROUND
           ├─10510 /usr/sbin/httpd -DFOREGROUND
           ├─10515 /usr/sbin/httpd -DFOREGROUND
           ├─10520 /usr/sbin/httpd -DFOREGROUND
           ├─10525 /usr/sbin/httpd -DFOREGROUND
           └─10530 /usr/sbin/httpd -DFOREGROUND

May 15 21:13:03 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
May 15 21:13:12 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start squid
Job for squid.service failed because the control process exited with error code.
See "systemctl status squid.service" and "journalctl -xe" for details.
[root@mach5 ~]# systemctl start squid
Job for squid.service failed because the control process exited with error code.
See "systemctl status squid.service" and "journalctl -xe" for details.
[root@mach5 ~]# systemctl -l status squid
● squid.service - LSB: Starts the squid daemon
   Loaded: loaded (/etc/rc.d/init.d/squid; generated)
   Active: failed (Result: exit-code) since Sat 2021-05-15 21:18:45 CEST; 23s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3818 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=255/EXCEPTION)

Googled on the error, found nothing that seemsto apply.

In /var/log/squid/cache.log I get
2021/05/15 21:13:56| Removing PID file (/run/squid.pid)
2021/05/15 21:18:39| Created PID file (/run/squid.pid)
2021/05/15 21:18:45 kid1| Set Current Directory to /var/spool/squid
2021/05/15 21:18:45 kid1| Creating missing swap directories
2021/05/15 21:18:45 kid1| No cache_dir stores are configured.
2021/05/15 21:18:45| FATAL: Squid is already running: Found fresh instance PID file (/run/squid.pid) with PID 3846
    exception location: Instance.cc(121) ThrowIfAlreadyRunningWith

but I check with ps -ef, there is nothing squid-ish there, but retrying I keep getting the same error

CC: (none) => herman.viaene

Comment 8 David Walser 2021-05-15 22:13:16 CEST
Known issue if you're testing Mageia 7 (see Bug 27211).
Comment 9 Herman Viaene 2021-05-16 14:36:07 CEST
I've seen that bug, but to me it looks like a discussion on compiling/building the package. I cann't get it where I would have to change what in which file????
Comment 10 David Walser 2021-05-16 15:51:25 CEST
Try using the systemd unit file here:
https://bugs.mageia.org/show_bug.cgi?id=27211#c7

Install it in /etc/systemd/system/ and then run systemctl daemon-reload, so that systemd sees it.
Comment 11 Aurelien Oudelet 2021-05-23 17:32:13 CEST
MGA8 x86_64

$ rpm -qa | grep squid
squid-4.15-1.mga8

Using squid as web proxy for a shared Internet Network to a local Network with "Share the Internet connection with the local machines" under Network section of Mageia Control Centre.

$ systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-05-23 17:03:48 CEST; 9min ago
       Docs: man:squid(8)
   Main PID: 10031 (squid)
      Tasks: 6 (limit: 4693)
     Memory: 51.1M
        CPU: 3.994s
     CGroup: /system.slice/squid.service
             ├─10031 /usr/sbin/squid --foreground -sYC
             ├─10033 (squid-1) --kid squid-1 --foreground -sYC
             ├─10034 (logfile-daemon) /var/log/squid/access.log
             ├─10035 (unlinkd)
             ├─10036 diskd 10273796 10273797 10273798
             └─10037 (pinger)

mai 23 17:03:48 localhost squid[10033]:         0 Objects cancelled.
mai 23 17:03:48 localhost squid[10033]:         0 Duplicate URLs purged.
mai 23 17:03:48 localhost squid[10033]:         0 Swapfile clashes avoided.
mai 23 17:03:48 localhost squid[10033]:   Took 0.01 seconds (3089.68 objects/sec).
mai 23 17:03:48 localhost squid[10033]: Beginning Validation Procedure
mai 23 17:03:48 localhost squid[10033]:   Completed Validation Procedure
mai 23 17:03:48 localhost squid[10033]:   Validated 41 Entries
mai 23 17:03:48 localhost squid[10033]:   store_swap_size = 13708.00 KB
mai 23 17:03:49 localhost squid[10033]: storeLateRelease: released 0 objects

Work OK.

CC: (none) => ouaurelien

Aurelien Oudelet 2021-05-23 17:32:34 CEST

CVE: (none) => CVE-2020-25097
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 12 Bruno Cornec 2021-05-29 00:28:37 CEST
Seems there is an updated version for mga7 as well
 - Current or newer revision(s) already exists in core/updates_testing for 7: 4.15-1.mga7

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 13 David Walser 2021-05-29 01:19:19 CEST
Yes this already assigned to QA.  Just awaiting validation.
Comment 14 David Walser 2021-06-06 19:31:17 CEST
Debian has issued an advisory on June 1:
https://www.debian.org/security/2021/dsa-4924

The issues are fixed upstream in 4.15 in this update.

Summary: squid new security issue CVE-2020-25097 => squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8]

Comment 15 David Walser 2021-06-06 19:34:04 CEST
Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack. This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid security controls
(CVE-2020-25097).

Multiple denial of service vulnerabilities were discovered in the Squid proxy
caching server (CVE-2021-28651, CVE-2021-28652, CVE-2021-28662, CVE-2021-31806,
CVE-2021-31807, CVE-2021-31808).

The squid package has been updated to version 4.15, fixing this issue and other
bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h
https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
https://www.debian.org/security/2021/dsa-4924
Comment 16 David Walser 2021-06-06 19:47:25 CEST
Ubuntu has issued an advisory on June 3:
https://ubuntu.com/security/notices/USN-4981-1

It has one more CVE that was fixed in 4.15.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to improper input validation Squid is vulnerable to an HTTP Request
Smuggling attack. This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid security controls
(CVE-2020-25097).

Joshua Rogers discovered that Squid incorrectly handled requests with the urn:
scheme. A remote attacker could possibly use this issue to causeSquid to
consume resources, leading to a denial of service (CVE-2021-28651).

Joshua Rogers discovered that Squid incorrectly handled requests to the Cache
Manager API. A remote attacker with access privileges could possibly use this
issue to cause Squid to consume resources, leading to a denial of service
(CVE-2021-28652).

Joshua Rogers discovered that Squid incorrectly handled certain response
headers. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service (CVE-2021-28662).

Joshua Rogers discovered that Squid incorrectly handled range request
processing. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service (CVE-2021-31806, CVE-2021-31807,
CVE-2021-31808).

Joshua Rogers discovered that Squid incorrectly handled certain HTTP
responses. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service (CVE-2021-33620).

The squid package has been updated to version 4.15, fixing this issue and other
bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33620
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h
https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf
https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f
https://github.com/squid-cache/squid/commit/fa47a3bc4d382e28e7235d08750401b910e4b13a
https://github.com/squid-cache/squid/commit/648729b05673c6166c5d91c6ee4cda30cc164839
https://access.redhat.com/errata/RHSA-2021:1135
https://ubuntu.com/security/notices/USN-4981-1

Summary: squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8] => squid new security issues CVE-2020-25097, CVE-2021-2865[12], CVE-2021-28662, CVE-2021-3180[6-8], CVE-2021-33620

Comment 17 Herman Viaene 2021-06-07 15:38:58 CEST
Tested again with recommandation from Comment 10, with a little guess that the file involved is squid.service (I didn't see that mentioned). Works OK now.

One question remains for me: if anyone installs the version of squid as its first installation, will that person know this story of the squid.service file???

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 18 David Walser 2021-06-07 15:43:53 CEST
Only if they search Bugzilla.  Oh well.  We probably should have put something in the Errata.
Comment 19 Thomas Andrews 2021-06-08 14:22:38 CEST
This one has been a long time coming. Validating. Several advisories here, but I believe the last, in Comment 16, is probably the correct one.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-06-08 16:55:58 CEST

Keywords: (none) => advisory

Comment 20 Mageia Robot 2021-06-08 18:47:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0237.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 22 David Walser 2021-10-04 17:16:30 CEST
(In reply to David Walser from comment #21)
> This apparently also fixed CVE-2021-28116:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28116
> 
> There's supposed to be an upstream advisory here, but it gives a 404:
> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82

The above upstream advisory has finally been posted, and it is in fact not fixed until 4.17.  Bug 29524 filed for this issue.

Note You need to log in before you can comment on or make changes to this bug.