Bug 30578 - squid new security issue CVE-2021-46784
Summary: squid new security issue CVE-2021-46784
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-23 16:23 CEST by David Walser
Modified: 2022-07-05 21:12 CEST
5 users

See Also:
Source RPM: squid-4.17-1.mga8.src.rpm
CVE: CVE-2021-46784
Status comment:



Description David Walser 2022-06-23 16:23:50 CEST
Ubuntu has issued an advisory on June 22:
https://ubuntu.com/security/notices/USN-5491-1

The issue is fixed upstream in 5.6.

The upstream advisory links a patch for Squid 4.x:
https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w
David Walser 2022-06-23 16:23:58 CEST

Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2022-06-26 08:25:38 CEST
No obvious maintainer to assign this to, so doing so globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-06-28 14:40:16 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Denial of Service in Gopher Processing. (CVE-2021-46784)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46784
https://ubuntu.com/security/notices/USN-5491-1
https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w
========================

Updated packages in core/updates_testing:
========================
squid-4.17-1.1.mga8
squid-cachemgr-4.17-1.1.mga8

from SRPM:
squid-4.17-1.1.mga8.src.rpm

CVE: (none) => CVE-2021-46784
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)

Comment 3 Herman Viaene 2022-06-30 10:04:32 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Ref bug 29524 Comment 13 and 14
# squid --v
Squid Cache: Version 4.17
Service Name: squid

This binary uses OpenSSL 1.1.1p  21 Jun 2022. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--host=x86_64-mageia-linux-gnu' '
etc.....

# systemctl start squid
# systemctl -l status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-06-30 09:44:24 CEST; 14s ago
       Docs: man:squid(8)
    Process: 6834 ExecStartPre=/usr/sbin/squid --foreground -z -F (code=exited, status=0/SUCCESS)
   Main PID: 6837 (squid)
      Tasks: 4 (limit: 4364)
     Memory: 12.5M
        CPU: 541ms
     CGroup: /system.slice/squid.service
             ├─6837 /usr/sbin/squid --foreground -sYC
             ├─6839 (squid-1) --kid squid-1 --foreground -sYC
             ├─6840 (logfile-daemon) /var/log/squid/access.log
             └─6841 (pinger)

Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Using Least Load store dir selection
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Set Current Directory to /var/spool/squid
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Finished loading MIME types and icons.
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: HTCP Disabled.
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Pinger socket opened on FD 14
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Squid plugin modules loaded: 0
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Adaptation support is off.
Jun 30 09:44:24 mach7.hviaene.thuis squid[6839]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Jun 30 09:44:24 mach7.hviaene.thuis systemd[1]: Started Squid Web Proxy Server.
Jun 30 09:44:25 mach7.hviaene.thuis squid[6839]: storeLateRelease: released 0 objects

I now set localhost port 3128 as proxy in Firefox and restart Firefox, and update this bug; all seems to work.
Contrary to Hugues, I don't see any reference to squid in /var/log/squid/access.log, but I find the references in /var/log/squid/cache.log.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-06-30 10:08:07 CEST
Now stopped squid, set proxy in Firefox back to system, closed and restarted Firefox, and all works OK.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-07-01 15:56:46 CEST
Validating Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-04 23:38:29 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-07-05 21:12:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0249.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

