Debian DLA-445-2 : squid3 regression update

2016-03-0100:00:00

www.tenable.com

The backported patch to solve CVE-2016-2569 yielded to failed assertions that made squid3 to crash when closing connections. The fix for this CVE strongly relies on exception handling present in more recent versions of squid3, that I failed to identify in the previous update. I have reverted the patch to take the safest position, taking into account that Squeeze users should migrate to a supported version of Debian. This post-EOL update is intended to keep a functional squid3 package in the archive.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-445-2. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(89045);
  script_version("2.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2016-2569");

  script_name(english:"Debian DLA-445-2 : squid3 regression update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The backported patch to solve CVE-2016-2569 yielded to failed
assertions that made squid3 to crash when closing connections. The fix
for this CVE strongly relies on exception handling present in more
recent versions of squid3, that I failed to identify in the previous
update. I have reverted the patch to take the safest position, taking
into account that Squeeze users should migrate to a supported version
of Debian. This post-EOL update is intended to keep a functional
squid3 package in the archive.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2016/03/msg00001.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/squid3"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid3-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid3-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squidclient");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"squid-cgi", reference:"3.1.6-1.2+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"squid3", reference:"3.1.6-1.2+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"squid3-common", reference:"3.1.6-1.2+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"squid3-dbg", reference:"3.1.6-1.2+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"squidclient", reference:"3.1.6-1.2+squeeze7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
debiandebian_linuxsquid-cgip-cpe:/a:debian:debian_linux:squid-cgi
debiandebian_linuxsquid3p-cpe:/a:debian:debian_linux:squid3
debiandebian_linuxsquid3-commonp-cpe:/a:debian:debian_linux:squid3-common
debiandebian_linuxsquid3-dbgp-cpe:/a:debian:debian_linux:squid3-dbg
debiandebian_linuxsquidclientp-cpe:/a:debian:debian_linux:squidclient
debiandebian_linux6.0cpe:/o:debian:debian_linux:6.0

Vendor	Product	Version	CPE
debian	debian_linux	squid-cgi	p-cpe:/a:debian:debian_linux:squid-cgi
debian	debian_linux	squid3	p-cpe:/a:debian:debian_linux:squid3
debian	debian_linux	squid3-common	p-cpe:/a:debian:debian_linux:squid3-common
debian	debian_linux	squid3-dbg	p-cpe:/a:debian:debian_linux:squid3-dbg
debian	debian_linux	squidclient	p-cpe:/a:debian:debian_linux:squidclient
debian	debian_linux	6.0	cpe:/o:debian:debian_linux:6.0