squid:update to 6.4+ get fixes for CVEs

Bug #2041837 reported by gberche
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Ubuntu Docker Images | New | Undecided | Athos Ribeiro |
squid (Ubuntu) | Status tracked in Noble | | |
  Focal | Confirmed | Undecided | Marc Deslauriers |
  Jammy | Confirmed | Undecided | Marc Deslauriers |
  Lunar | Confirmed | Undecided | Marc Deslauriers |
  Mantic | Confirmed | Undecided | Marc Deslauriers |
  Noble | Confirmed | Undecided | Marc Deslauriers |

Bug Description

Squid 5.2.x is vulnerable to CVEs with CVSS scores of 9.6 to 9.9

Some fixes are available in 6.4.

Any chance to bump the squid version in the docker image?

https://megamansec.github.io/Squid-Security-Audit/
> Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days

https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000154.html
> This problem allows a remote client to perform buffer overflow
> attack writing up to 2 MB of arbitrary data to heap memory
> when Squid is configured to accept HTTP Digest Authentication.
>
> On machines with advanced memory protections this will result
> in a Denial of Service against all users of the Squid proxy.
>
> CVSS Score of 9.9
> <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H&version=3.1>
> Fixed in version: | Squid 6.4

https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000155.html
> Summary: | Multiple issues in HTTP response caching.
> Affected versions: | Squid 2.x -> 2.7.STABLE9
> | Squid 3.x -> 3.5.28
> | Squid 4.x -> 4.16
> | Squid 5.x -> 5.9
> | Squid 6.x -> 6.3
> Fixed in version: | Squid 6.4
> Due to an Incomplete Filtering of Special Elements
> bug Squid is vulnerable to a Denial of Service
> attack against HTTP and HTTPS clients.
> CVSS Score of 9.6
> <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1>

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Hi gberche,

Thanks for reporting this bug.

Our images are based on the squid versions available in the Ubuntu archive. Once the fixes are available for the deb packages (which are potentially backported to the supported series depending on CVE severity and other factors determined by the security team) the images are re-built and re-tagged to include such fixes.

> Squid 5.2.x is vulnerable to CVEs with CVSS scores of 9.6 to 9.9

I suppose that the CVEs for the mentioned vulnerabilities were not released yet, is this right?

I could find no October 2023 entries in https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

I am including tasks for the squid deb package as well since it seems to be affected.

I suppose there is no need for this to be private since the vulnerabilities have been disclosed upstream, but I will leave this to someone in the security team to assess.

Revision history for this message
gberche (guillaume-berche) wrote :

Thanks Athos for your prompt answer !

> I suppose that the CVEs for the mentioned vulnerabilities were not released yet, is this right?
>
> I could find no October 2023 entries in https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

Yes, the reporter provides additional background on the official CVE reporting in
https://www.openwall.com/lists/oss-security/2023/10/11/3
> Although some of the issues have been fixed, the majority (35) remain
> valid. The majority have not been assigned CVEs, and no patches or
> workarounds are available.
>
> After two and a half years of waiting, I have decided to release the issues
> publicly. The Squid Project is aware of this release.

> I am including tasks for the squid deb package as well since it seems to be affected.

Would you have a pointer to the task tracking the squid deb package updates?

> I suppose there is no need for this to be private since the vulnerabilities have been disclosed upstream, but I will leave this to someone in the security team to assess.

+1 for making it public, sorry if I misqualified

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

> Yes, the reporter provides additional background on the official CVE reporting in https://www.openwall.com/lists/oss-security/2023/10/11/3

Thanks for the pointers.

I am unsure what the security team policy is regarding issues to which a CVE has not been assigned. But if there are upstream backports of the issues for 5.x and 6.x, this may be something that would be fixed through our MRE process described in https://wiki.ubuntu.com/SquidUpdates.

> Would you have pointer to the task tracking the squid deb package updates?

I added one to this bug you filed (you can see that there is now a tracker for "squid (Ubuntu)" here).

Revision history for this message
Mark Esler (eslerm) wrote :

Thank you for reporting this @gberche.

Ubuntu Security is monitoring upstream's conversation, and we will apply their security patches as they become available. Then, those updates can be applied to OCIs as @athos-ribeiro describes.

> Would you have pointer to the task tracking the squid deb package updates?

From Security's side, the Ubuntu CVE Tracker [0][1] will be most up to date. This requires CVE-IDs, but those may be on their way.

[0] https://ubuntu.com/security/cves
[1] https://code.launchpad.net/ubuntu-cve-tracker

information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
gberche (guillaume-berche) wrote :

Thanks a lot @athos-ribeiro @eslerm and @mdeslaur !

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

These issues now have CVE numbers:

SQUID-2023:1 - CVE-2023-46846
SQUID-2023:3 - CVE-2023-46847
SQUID-2023:4 - CVE-2023-46724
SQUID-2023:5 - CVE-2023-46848

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

SQUID-2023:2 - CVE-2023-5824

Changed in squid (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Jammy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Lunar):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Mantic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Noble):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Most of those CVEs were fixed here:

https://ubuntu.com/security/notices/USN-6500-1

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid (Ubuntu Focal):
status: New → Confirmed
Changed in squid (Ubuntu Jammy):
status: New → Confirmed
Changed in squid (Ubuntu Lunar):
status: New → Confirmed
Changed in squid (Ubuntu Mantic):
status: New → Confirmed
Changed in squid (Ubuntu):
status: New → Confirmed
Revision history for this message
David Cebula (ozsq0wbf) wrote :

The docker image for 6.1 (tagged latest, 6 days ago) does not have the fixes.

ubuntu/squid@sha256:f55eacd75ba44d4066873f2a2a245fe0b323a5e245a3715d106c770bb6fdc404

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

I just re-built and re-tagged those images.

This should have picked up all the fixes released so far.

Revision history for this message
David Cebula (ozsq0wbf) wrote :

Thank you. The issue appears to be with Harbor and the scan it was doing on the docker image. Both the new image and the previous one show the fixed version:

>apt list --installed squid*
squid-common/mantic-updates,mantic-security,now 6.1-2ubuntu1.1 all [installed,automatic]
squid-langpack/mantic,now 20220130-1 all [installed,automatic]
squid/mantic-updates,mantic-security,now 6.1-2ubuntu1.1 amd64 [installed]

The scan in Harbor is apparently only looking at the 6.1 version number and flagging it.

I should have fully checked the versions before posting, I apologize for posting too quickly.
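The false positive described above comes from a scanner keying on the upstream "6.1" instead of the Ubuntu package version that carries the backported fix. As an added example (not from this thread, Harbor, or Ubuntu's tooling), here is a Python re-implementation of dpkg's version ordering run over the `apt list --installed` output quoted above; the required version 6.1-2ubuntu1.1 is assumed from the thread, not taken from the USN.

```python
import re

def _order(c):
    # dpkg character order: '~' < end-of-string (0) < letters < other chars
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    """Compare upstream or revision fragments the way dpkg does."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a)[0], re.match(r"[^0-9]*", b)[0]
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a)[0], re.match(r"[0-9]*", b)[0]
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def split_version(v):
    """Debian version string -> (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

APT_LINE = re.compile(r"^(\S+?)/(\S+) (\S+) (\S+) \[([^\]]*)\]$")

def parse_apt_list(text):
    """Map package -> version from `apt list --installed` output lines."""
    return {m[1]: m[3] for ln in text.splitlines() if (m := APT_LINE.match(ln.strip()))}

def unpatched(installed, required):
    """Packages installed at a version older than the required (fixed) one."""
    return sorted(p for p, v in required.items()
                  if p in installed and compare_versions(installed[p], v) < 0)

# Sample input: the `apt list --installed squid*` output quoted in the thread
APT_OUTPUT = """\
squid-common/mantic-updates,mantic-security,now 6.1-2ubuntu1.1 all [installed,automatic]
squid-langpack/mantic,now 20220130-1 all [installed,automatic]
squid/mantic-updates,mantic-security,now 6.1-2ubuntu1.1 amd64 [installed]
"""
# Assumed: the mantic version carrying the backported fixes, per the thread
REQUIRED = {"squid": "6.1-2ubuntu1.1", "squid-common": "6.1-2ubuntu1.1"}
```

`unpatched(parse_apt_list(APT_OUTPUT), REQUIRED)` returns an empty list for the quoted image, while a comparison of the bare upstream strings ("6.1" against "6.4") would still flag it.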

Changed in ubuntu-docker-images:
assignee: nobody → Athos Ribeiro (athos-ribeiro)
tags: added: server-todo
tags: removed: server-todo