Bug 29524 - squid new security issue CVE-2021-28116
Summary: squid new security issue CVE-2021-28116
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2021-10-04 17:15 CEST by David Walser
Modified: 2021-10-31 12:13 CET

See Also:
Source RPM: squid-4.15-1.mga8.src.rpm
CVE:
Status comment:


Attachments
SquidAnalyzer-6.6 (193.24 KB, image/png)
2021-10-10 20:38 CEST, Alex Kotov

Description David Walser 2021-10-04 17:15:46 CEST
Squid has issued an advisory on October 3:
https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82

The issue is fixed upstream in 4.17.
Comment 2 David Walser 2021-10-04 17:40:14 CEST
The issue is also fixed in 5.2, which doesn't build in Cauldron due to an issue with openssl 3.0.0:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20211004150607.luigiwalser.duvel.23396/log/squid-5.2-1.mga9/build.x86_64.0.20211004150713.log

Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron

Comment 3 Marja Van Waes 2021-10-05 22:13:18 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bruno

Comment 4 David Walser 2021-10-06 17:03:23 CEST
Joseph fixed the build in Cauldron.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 5 Nicolas Lécureuil 2021-10-09 00:56:49 CEST
fixed in mga8

src:
    - squid-4.15-1.1.mga8

Assignee: bruno => qa-bugs
CC: (none) => bruno, mageia

Comment 6 David Walser 2021-10-09 01:02:55 CEST
Updating again to squid-4.17-1.mga8, building now.

Status comment: Fixed upstream in 4.17 => (none)

Comment 7 David Walser 2021-10-09 02:03:01 CEST
RPMS:
squid-4.17-1.mga8
squid-cachemgr-4.17-1.mga8
Comment 8 Alex Kotov 2021-10-10 16:22:12 CEST
Hello, friends. :)
Sorry to interfere with your "squid" update process. Since squid-4.17 is in your testing, I did not create a separate topic, especially since all squids (4.13-4.17) work fine, including in HTTPS filtering mode. But there is such a thing in the packages:

urpme squid

deleted squid-4.17-1.mga8.x86_64
error reading information about the service squid: No such file or directory
error: %preun(squid-4.17-1.mga8.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for squid-4.17-1.mga8.x86_64
error: squid-4.17-1.mga8.x86_64: erasing failed

You can only delete a package using the "Marquis de Sade" method: rpm -e --noscripts squid

The reason is here:
---
%preun
%_preun_service squid
if [ $1 = 0 ] ; then
	rm -f %{_logdir}/squid/*
#        /sbin/chkconfig --del squid # The package is not being deleted because of this line!
fi

Could you additionally fix the package removal process? And one more question, if possible: why is there no "sarg" in the repositories? Thanks.

Sincerely,
Alex

CC: (none) => alex_q_2000
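
The failure above comes from the scriptlet calling /sbin/chkconfig unconditionally on a system where it no longer exists, so the whole %preun aborts and rpm refuses to erase the package. The function below is an added example (not the Mageia spec file) of the same pre-removal logic written so that the legacy call is guarded; the log directory and the chkconfig path are parameters so it can be run against a scratch directory instead of /var/log/squid.

```shell
# preun_squid COUNT LOGDIR [CHKCONFIG]
#   COUNT     - rpm's argument to %preun: 0 = package is being erased,
#               1 = package is being upgraded (logs must be kept)
#   LOGDIR    - squid log directory; the spec uses %{_logdir}/squid
#   CHKCONFIG - path of the legacy chkconfig binary (default /sbin/chkconfig)
preun_squid() {
    count=$1
    logdir=$2
    chkconfig=${3:-/sbin/chkconfig}

    if [ "$count" = 0 ]; then
        # Full erase: drop the log files, as the original scriptlet does.
        rm -f "$logdir"/*
        # The original line ran chkconfig unconditionally. On a systemd-only
        # host the binary is absent, the command fails, and rpm reports
        # "%preun scriptlet failed". Only call it when it actually exists.
        if [ -x "$chkconfig" ]; then
            "$chkconfig" --del squid || return 1
        fi
    fi
    return 0
}
```

On a real system the equivalent fix is simply to drop the chkconfig line from the spec, which is what the maintainer did in the following comment.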

Comment 9 David Walser 2021-10-10 17:55:33 CEST
Thanks, line removed from SPEC in SVN, will be fixed by the next update.

sarg is a long-since dead project and has been replaced by squidanalyzer.
Comment 10 Alex Kotov 2021-10-10 19:18:17 CEST
Hi, David. I haven't set up squid for a long time, probably since sarg was relevant. )) But I have an urgent job for tomorrow, so I was at a loss with the choice of a log analyzer. Now I'll try to screw squidanalyzer. Thanks a lot for the advice.

Sincerely,
Alex
Comment 11 Alex Kotov 2021-10-10 20:38:17 CEST
Created attachment 12944 [details]
SquidAnalyzer-6.6

@David Walser
squidanalyzer...

Very, very good! I think that the client will be delighted: a large pile of graphs, tables by users. It is similar to Sarg, but feels a little cooler (screenshot in attachment). Possibly, squidanalyzer is clearly missing a file:

/etc/httpd/conf/conf.d/squidanalyzer.conf

Alias /squidreport /var/www/html/squidanalyzer
        <Directory /var/www/html/squidanalyzer>
            Options Indexes FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </Directory>

Sarg had an initial node config, but these are small things. Thanks again, David. :)

Best regards,
Alex
Comment 12 David Walser 2021-10-10 20:57:31 CEST
Yeah, it's more modern and efficient than sarg. Your extra file is completely unnecessary.
Comment 13 Hugues Detavernier 2021-10-12 12:18:13 CEST
Mageia Gnome X64

No installation issues.

# squid --v
Squid Cache: Version 4.17
Service Name: squid

#systemctl start squid
#systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor pr>
     Active: active (running) since Tue 2021-10-12 12:01:28 CEST; 6s ago
       Docs: man:squid(8)
    Process: 11793 ExecStartPre=/usr/sbin/squid --foreground -z -F (code=exited>
   Main PID: 11796 (squid)
      Tasks: 4 (limit: 2320)
     Memory: 12.6M


# tail -f /var/log/squid/access.log
1634033569.280     68 192.168.1.30 TCP_MISS/200 1753 GET http://www.squid-cache.org/favicon.ico - HIER_DIRECT/2001:4310:f1::70 image/x-icon
1634033806.598     15 192.168.1.30 TCP_MISS/200 928 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response

All seems to be OK.

CC: (none) => hdetavernier

Comment 14 Herman Viaene 2021-10-12 15:26:28 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26884 Comment 4 for testing.
Hmmm, something fishy with the default installation.
# systemctl start squid
[root@mach5 ~]# systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-10-12 15:12:33 CEST; 2s ago
       Docs: man:squid(8)
    Process: 8509 ExecStartPre=/usr/sbin/squid --foreground -z -F (code=exited, status=0/SUCCESS)
   Main PID: 8512 (squid)
      Tasks: 4 (limit: 9402)
     Memory: 12.4M
        CPU: 97ms
     CGroup: /system.slice/squid.service
             ├─8512 /usr/sbin/squid --foreground -sYC
             ├─8514 (squid-1) --kid squid-1 --foreground -sYC
             ├─8515 (logfile-daemon) /var/log/squid/access.log
             └─8516 (pinger)

okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Using Least Load store dir selection
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Set Current Directory to /var/spool/squid
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Finished loading MIME types and icons.
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: HTCP Disabled.
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Pinger socket opened on FD 14
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Squid plugin modules loaded: 0
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Adaptation support is off.
okt 12 15:12:33 mach5.hviaene.thuis systemd[1]: Started Squid Web Proxy Server.
okt 12 15:12:33 mach5.hviaene.thuis squid[8514]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
okt 12 15:12:34 mach5.hviaene.thuis squid[8514]: storeLateRelease: released 0 objects
When I now set localhost port 3128 as proxy in Firefox and restart Firefox, I don't get the Google page as default; instead I get the message "Firefox connects to a proxy which refuses connections". And more: I have on Firefox a second home page which is http://madb.mageia.org/tools/updates, and that one displays OK. But as soon as I try to open one of the bugs, I get the same message as above.

CC: (none) => herman.viaene

Comment 15 Hugues Detavernier 2021-10-12 17:19:13 CEST
Herman,

have you tried to set IP address instead of localhost?
I don't have problems with IP Address.
Comment 17 Bruno Cornec 2021-10-25 00:21:36 CEST
Is there still something preventing the release of 4.17 ?
Comment 18 David Walser 2021-10-25 00:29:53 CEST
Someone in QA needs to validate it.
Comment 19 Bruno Cornec 2021-10-25 00:37:00 CEST
Wasn't comment 13 enough ?
Comment 20 David Walser 2021-10-25 00:49:41 CEST
(In reply to Bruno Cornec from comment #19)
> Wasn't comment 13 enough ?

In my opinion, yes, I agree with you.
Comment 21 Alex Kotov 2021-10-26 22:45:53 CEST
@David Walser
By the way, squid-5.2-1.mga9.x86_64.rpm (Mageia-9) works fine. I made a "Bastion" on it for myself - a gateway filter: https://github.com/AKotov-dev/bastion And an installation flash drive (IceWM-M9), so as not to waste time on deployment: https://drive.google.com/drive/folders/16xwTUpQzTASXkzXvCFaoQqByXgvP1XaE?usp=sharing

I'll leave them here; maybe it will be useful to someone for experiments or squid testing.

p.s. I wonder how soon black smoke will come out of the server if 500+ users are connected through it. ))

With best wishes,
Alex
Comment 22 Thomas Andrews 2021-10-30 17:14:47 CEST
(In reply to David Walser from comment #20)
> (In reply to Bruno Cornec from comment #19)
> > Wasn't comment 13 enough ?
> 
> In my opinion, yes, I agree with you.

Comment 14 makes me uneasy, but sending this on, based on this opinion.

Validating. Needs an advisory.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-10-31 11:26:35 CET

Keywords: (none) => advisory

Comment 23 Mageia Robot 2021-10-31 12:13:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0499.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

