SUSE has issued an advisory on July 2:
https://lwn.net/Articles/980547/

The problem is fixed in version 6.10 (for Cauldron) or with the following commit:
https://github.com/squid-cache/squid/commit/67f5496f7b72e698ad0f5aa3512c83089424f27f

Mageia 9 is also affected.

Status comment: (none) => Fixed upstream in 6.10 and patch available from upstream
Source RPM: (none) => squid-6.8-1.mga10.src.rpm, squid-5.9-1.3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-37894
I cannot see "version 6.10 (for Cauldron)", but believe it! Various packagers maintain squid, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack. (CVE-2024-37894)

References:
https://lists.suse.com/pipermail/sle-security-updates/2024-July/018842.html
========================

Updated packages in core/updates_testing:
========================
squid-5.9-1.4.mga9
squid-cachemgr-5.9-1.4.mga9

from SRPM:
squid-5.9-1.4.mga9.src.rpm

Status comment: Fixed upstream in 6.10 and patch available from upstream => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Source RPM: squid-6.8-1.mga10.src.rpm, squid-5.9-1.3.mga9.src.rpm => squid-5.9-1.3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
RH mageia 9 x86_64

Reference bug#33091 comment#2

systemctl start squid.service
systemctl status squid.service
● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-07-13 10:31:21 CST; 10s ago
       Docs: man:squid(8)
    Process: 210753 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
   Main PID: 210755 (squid)
      Tasks: 3 (limit: 6880)
     Memory: 14.8M
        CPU: 162ms
     CGroup: /system.slice/squid.service
             ├─210755 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
             ├─210757 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.conf
             └─210758 "(logfile-daemon)" /var/log/squid/access.log

jul 13 10:31:20 jgrey.phoenix systemd[1]: Starting squid.service...
jul 13 10:31:20 jgrey.phoenix squid[210755]: Squid Parent: will start 1 kids
jul 13 10:31:20 jgrey.phoenix squid[210755]: Squid Parent: (squid-1) process 210757 started
jul 13 10:31:21 jgrey.phoenix systemd[1]: Started squid.service.

Configure the proxy in firefox, kill firefox and start again: all the tabs were restored with a slight delay due to the caching.
Post this comment

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0265.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED