squid:update to 6.4+ get fixes for CVEs

Hi gberche,

Thanks for reporting this bug.

Our images are based on the squid versions available in the Ubuntu archive. Once the fixes are available for the deb packages (which are potentially backported to the supported series depending on CVE severity and other factors determined by the security team) the images are re-built and re-tagged to include such fixes.

> Squid 5.2.x is vulnerable to CVEs with CVSS scores of 9.6 to 9.9

I suppose that the CVEs for the mentioned vulnerabilities were not release yet, is this right?

I could find no October 2023 entries in https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

I am including tasks for the squid deb package as well since it seems to be affected.

I suppose there is no need for this to be private since the vulnerabilities have been disclosed upstream, but I will leave this to someone in the security team to assess.

Thanks Athos for your prompt answer !

> I suppose that the CVEs for the mentioned vulnerabilities were not release yet, is this right?
>
> I could find no October 2023 entries in https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

Yes, the reporter provides additional background on the official CVE reporting into
https://www.openwall.com/lists/oss-security/2023/10/11/3
> Although some of the issues have been fixed, the majority (35) remain
> valid. The majority have not been assigned CVEs, and no patches or
> workarounds are available.
>
> After two and a half years of waiting, I have decided to release the issues
> publicly. The Squid Project is aware of this release.

> I am including tasks for the squid deb package as well since it seems to be affected.
Would you have pointer to the task tracking the squid deb package updates ?

> I suppose there is no need for this to be private since the vulnerabilities have been disclosed upstream, but I will leave this to someone in the security team to assess.

+1 for making it public, sorry if I misqualified

> Yes, the reporter provides additional background on the official CVE reporting into https://www.openwall.com/lists/oss-security/2023/10/11/3

Thanks for the pointers.

I am unsure on what the security team policy is regarding issues whose a CVE has not been assigned to. But If there are upstream backports of the issues for 5.x and 6.x, this may be something that would be fixed through our MRE process described in https://wiki.ubuntu.com/SquidUpdates.

> Would you have pointer to the task tracking the squid deb package updates?

I added one to this bug you filed (you can see that there is now a tracker for "Squid (Ubuntu)" here.

Thank you for reporting this @gberche.

Ubuntu Security is monitoring upstream's conversation, and we will apply their security patches as they become available. Then, those updates can be applied to OCIs as @athos-riberio describes.

> Would you have pointer to the task tracking the squid deb package updates?

From Security's side, the Ubuntu CVE Tracker [0][1] will be most up to date. This requires CVE-IDs, but those may be on their way.

[0] https://ubuntu.com/security/cves
[1] https://code.launchpad.net/ubuntu-cve-tracker

All the patch links seem to be broken in the upstream advisories...this is what I believe are the links to the commits so far:

SQUID-2023:5 Denial of Service in FTP
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w
https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000157.html
https://megamansec.github.io/Squid-Security-Audit/ftp-assert.html
https://github.com/squid-cache/squid/commit/7de01969a793b2fdb476e354a9fcda272d400d27

SQUID-2023:1 Request/Response smuggling in HTTP(S) and ICAP
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000156.html
https://github.com/squid-cache/squid/commit/6cfa10d94ca15a764a1d975597d8024582ef19be

SQUID-2023:3 Denial of Service in HTTP Digest Authentication
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000154.html
https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
https://github.com/squid-cache/squid/commit/dc0e10bec3334053c1a5297e50dd7052ea18aef0

SQUID-2023:2 Multiple issues in HTTP response caching
https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000155.html
Commits TBD

SQUID-????
https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html
https://github.com/squid-cache/squid/commit/12b8efc07ff74548d5582c4890f8bdb9057a1bb3

Thanks a lot @athos-ribeiro @eslerm and @mdeslaur !

These issues now have CVE numbers:

SQUID-2023:1 - CVE-2023-46846
SQUID-2023:3 - CVE-2023-46847
SQUID-2023:4 - CVE-2023-46724
SQUID-2023:5 - CVE-2023-46848

SQUID-2023:2 - CVE-2023-5824

Most of those CVEs were fixed here:

https://ubuntu.com/security/notices/USN-6500-1

Status changed to 'Confirmed' because the bug affects multiple users.

The docker image for 6.1 - latest 6 days ago, does not have the fixes.

ubuntu/squid@sha256:f55eacd75ba44d4066873f2a2a245fe0b323a5e245a3715d106c770bb6fdc404

I Just re-built and re-tagged those images.

This should have picked up all the fixes released so far.

Thank-you. The issue appears to be with Harbor and the scan it was doing on the docker image. Both the new image and previous show the fixed version:

>apt list --installed squid*
squid-common/mantic-updates,mantic-security,now 6.1-2ubuntu1.1 all [installed,automatic]
squid-langpack/mantic,now 20220130-1 all [installed,automatic]
squid/mantic-updates,mantic-security,now 6.1-2ubuntu1.1 amd64 [installed]

The scan in Harbor is apparently only looking at the 6.1 version number and flagging it.

I should have fully checked the versions before posting, I apologize for posting too quickly.

More CVE fixes have gone in here:

https://ubuntu.com/security/notices/USN-6728-1

I believe there are no more open CVEs for Squid, so I am closing this bug. Thanks!