Squid has issued advisories today (September 23):
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78

The issues are fixed upstream in 5.7 (already updated in Cauldron). There are patches for 4.x linked from the advisories above.
Version: Cauldron => 8
Status comment: (none) => Patches available from upstream
All sorts of people have maintained this package, so assigning this update globally. Despite which, CC'ing bcornec who is the registered maintainer.
CC: (none) => bruno
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Exposure of Sensitive Information in Cache Manager. (CVE-2022-41317)

Buffer Over Read in SSPI and SMB Authentication. (CVE-2022-41318)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41318
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78
========================

Updated packages in core/updates_testing:
========================
squid-4.17-1.2.mga8
squid-cachemgr-4.17-1.2.mga8

from SRPM:
squid-4.17-1.2.mga8.src.rpm
CVE: (none) => CVE-2022-41317, CVE-2022-41318
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 30578 for tests

# squid --v
Squid Cache: Version 4.17
Service Name: squid
This binary uses OpenSSL 1.1.1q 5 Jul 2022. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: and a load more .....

# systemctl start squid
[root@mach7 ~]# systemctl -l status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-09-26 16:34:10 CEST; 14s ago
       Docs: man:squid(8)
    Process: 8976 ExecStartPre=/usr/sbin/squid --foreground -z -F (code=exited, status=0/SUCCESS)
   Main PID: 8979 (squid)
      Tasks: 4 (limit: 4364)
     Memory: 12.5M
        CPU: 538ms
     CGroup: /system.slice/squid.service
             ├─8979 /usr/sbin/squid --foreground -sYC
             ├─8981 (squid-1) --kid squid-1 --foreground -sYC
             ├─8983 (logfile-daemon) /var/log/squid/access.log
             └─8984 (pinger)

Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Using Least Load store dir selection
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Set Current Directory to /var/spool/squid
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Finished loading MIME types and icons.
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: HTCP Disabled.
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Pinger socket opened on FD 14
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Squid plugin modules loaded: 0
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Adaptation support is off.
Sep 26 16:34:10 mach7.hviaene.thuis squid[8981]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 fla>
Sep 26 16:34:10 mach7.hviaene.thuis systemd[1]: Started Squid Web Proxy Server.
Sep 26 16:34:11 mach7.hviaene.thuis squid[8981]: storeLateRelease: released 0 objects

Then set localhost as proxy in Firefox, restart it and update this bug running now.
CC: (none) => herman.viaene
Reset proxy in Firefox to system proxy (none in fact), restarted Firefox and doing this update. All worked OK. I find the references in the /var/log/squid/cache.log
Whiteboard: (none) => MGA8-64-OK
Tested with MGA 32 bits
This proxy server is a proxy with content filtering
Installed the update and tested that Firefox opens facebook.com and Youtube.com
Access is denied by ACL, the access rule is working as expected
Using a whitelisted domain (mail.yahoo.com) accessing as expected too
This update will be running in this VM until tomorrow to review the journal, after that review I confirm OK or not OK
CC: (none) => neoser10
Ubuntu has issued an advisory for this today (September 26):
https://ubuntu.com/security/notices/USN-5641-1
Created attachment 13402
Squid/Webfilter OK Confirmation
Squid from Updates Testing installed today, is working well
For me is an OK
Validating. Advisory in Comment 2.
Whiteboard: MGA8-64-OK => MGA8-32-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0351.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED