| Summary: | squid new security issue CVE-2014-0128 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/592809/ | | |
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | | |
| Source RPM: | squid-3.3.11-1.mga4.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 13138 | | |

Description
David Walser
2014-04-02 19:31:39 CEST

David Walser
2014-04-02 19:32:18 CEST
Blocks: (none) => 13138

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect state management, Squid before 3.3.12 is vulnerable to a denial of service attack when processing certain HTTPS requests if the SSL-Bump feature is enabled (CVE-2014-0128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
========================

Updated packages in core/updates_testing:
========================
squid-3.3.12-1.mga4
squid-cachemgr-3.3.12-1.mga4

from squid-3.3.12-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

No PoC that I can find (some sources say there isn't one available), so just verify that HTTPS works through Squid. I verified this myself on Mageia 4 i586.

Testing complete mga4 64

Set browser to use http proxy at localhost on port 3128 and started squid service. Browsed the https web.

Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits of data can be displayed.

The top link though for 'Cache Manager Interface' shows this,
Internal Error: Missing Template MGR_INDEX

I didn't do any configuration beyond starting the service though and all the other links I tested display properly.

Is this something missing David? I'll create a bug for it if so.

Whiteboard: (none) => has_procedure mga4-32-ok mga4-64-ok

(In reply to claire robinson from comment #3)
> Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits
> of data can be displayed.
>
> The top link though for 'Cache Manager Interface' shows this,
> Internal Error: Missing Template MGR_INDEX
>
> I didn't do any configuration beyond starting the service though and all the
> other links I tested display properly.
>
> Is this something missing David? I'll create a bug for it if so.

I don't use the cache manager, so I don't know anything about it, but I wonder if that's somehow related to Bug 12914. I've fixed that one in Cauldron, so if one of us gets a chance to try it in a Cauldron install at some point, we can see. Feel free to file a bug for now.

It may well be, the data is displayed but as basic html, no theme. The mention of icons in bug 12914 seems to suggest there could/should be some kind of template.

Bug 13173 created.

Advisory uploaded. Validating.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2014-0168.html

Status: NEW => RESOLVED