| Summary: | squid new security issue CVE-2014-0128 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/592809/ | ||
| Whiteboard: | has_procedure advisory mga3-32-ok mga3-64-ok | ||
| Source RPM: | squid-3.2.10-1.4.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 13137 | ||
| Bug Blocks: | |||
Description
David Walser 2014-04-02 19:32:18 CEST

David Walser 2014-04-02 19:32:37 CEST
Source RPM: squid-3.3.11-1.mga4.src.rpm => squid-3.2.10-1.4.mga3.src.rpm

OpenSuSE has issued an advisory for this today (April 11):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html

So they would have backported the patch to Squid 3.1, which would probably be helpful, except I can't find Source RPMs for OpenSuSE 11.4 anywhere.

Fedora just backported 3.3.12 from Fedora 20 to Fedora 19 where they had 3.2.x:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131477.html

I've obtained OpenSuSE's patch and re-diffed it for Squid 3.2. Hopefully it works.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect state management, Squid before 3.3.12 is vulnerable to a denial of service attack when processing certain HTTPS requests if the SSL-Bump feature is enabled (CVE-2014-0128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.5.mga3
squid-cachemgr-3.2.10-1.5.mga3

from squid-3.2.10-1.5.mga3.src.rpm

Assignee: bugsquad => qa-bugs

OpenSuSE has issued an advisory for OpenSuSE 12.3, which has Squid 3.2.x:
http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html

Adding feedback marker until I get a chance to double-check their patch for that version against what I added.

Whiteboard: (none) => feedback

I only found one minor difference in a debug print call in their patch (the other differences were whitespace only), but I went ahead and switched to their patch and rebuilt it.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect state management, Squid before 3.3.12 is vulnerable to a denial of service attack when processing certain HTTPS requests if the SSL-Bump feature is enabled (CVE-2014-0128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.6.mga3
squid-cachemgr-3.2.10-1.6.mga3

from squid-3.2.10-1.6.mga3.src.rpm

Whiteboard: feedback => (none)

Testing complete mga3 32

Whiteboard: has_procedure => has_procedure mga3-32-ok

Testing complete mga3 64

Whiteboard: has_procedure mga3-32-ok => has_procedure mga3-32-ok mga3-64-ok

Validating. Advisory uploaded. Could sysadmin please push to 3 updates? Thanks.

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0192.html

Status: NEW => RESOLVED
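The advisory makes exposure conditional on two things at once: a Squid build before 3.3.12 (or, on Mageia 3, a squid package older than the 3.2.10-1.6.mga3 backport validated in this bug) and SSL-Bump actually enabled in squid.conf. A version check alone would flag every patched distribution backport, including the package this update ships, as still vulnerable. The script below is an added example and is not part of this bug report, the Mageia packages or the Squid project; it takes the output of `squid -v`, the text of squid.conf and the `rpm -q squid` string and returns one verdict. The sample `squid -v` output, configuration fragments and package names are constructed for the demonstration, and the function names (`vercmp`, `ssl_bump_enabled`, `mga3_package_fixed`, `cve_2014_0128_status`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Mageia bug, the Mageia packages or the Squid
# project): decide whether a Squid host is exposed to CVE-2014-0128.
# Exposure needs both conditions named in the advisory: a vulnerable Squid
# build AND at least one active ssl_bump directive in squid.conf.

# Constructed sample inputs (not real captures).
SQUID_V_OLD='Squid Cache: Version 3.2.10
configure options:  --prefix=/usr --sysconfdir=/etc/squid (constructed sample)'
SQUID_V_NEW='Squid Cache: Version 3.3.12
configure options:  --prefix=/usr --sysconfdir=/etc/squid (constructed sample)'
CONF_BUMP='http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid.pem
ssl_bump server-first all
sslproxy_cert_error allow all'
CONF_PLAIN='http_port 3128
# ssl_bump server-first all   (commented out: SSL-Bump is inactive)
cache_mem 256 MB'

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Numeric version from `squid -v` output (first line: "Squid Cache: Version X").
squid_version() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True when the squid.conf text contains an uncommented ssl_bump directive.
# Only the given text is inspected; included files are not followed.
ssl_bump_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl_bump[[:space:]]'
}

# True when the upstream version predates 3.3.12, the first release with the
# fix. An unparseable (empty) version is treated as vulnerable on purpose.
upstream_vulnerable() {
    [ "$(vercmp "$1" 3.3.12)" -lt 0 ]
}

# True when a Mageia 3 package name (rpm -q squid) is at or above the
# backported fix, squid-3.2.10-1.6.mga3.
mga3_package_fixed() {
    vr="${1#squid-}"                                    # 3.2.10-1.6.mga3
    ver="${vr%%-*}"                                     # 3.2.10
    rel=$(printf '%s' "${vr#*-}" | sed 's/[^0-9.].*//') # 1.6.
    c=$(vercmp "$ver" 3.2.10)
    if [ "$c" -gt 0 ]; then return 0; fi
    if [ "$c" -lt 0 ]; then return 1; fi
    [ "$(vercmp "$rel" 1.6)" -ge 0 ]
}

# Verdict for one host: not-exposed, fixed-upstream, fixed-backport or exposed.
# $1 = `squid -v` output, $2 = squid.conf text, $3 = `rpm -q squid` (may be empty).
cve_2014_0128_status() {
    ver=$(squid_version "$1")
    if ! ssl_bump_enabled "$2"; then echo not-exposed; return 0; fi
    if ! upstream_vulnerable "$ver"; then echo fixed-upstream; return 0; fi
    if [ -n "$3" ] && mga3_package_fixed "$3"; then echo fixed-backport; return 0; fi
    echo exposed
}

# Demonstration on the constructed samples.
printf '3.2.10, ssl_bump on, squid-3.2.10-1.4.mga3: %s\n' \
    "$(cve_2014_0128_status "$SQUID_V_OLD" "$CONF_BUMP" squid-3.2.10-1.4.mga3)"
printf '3.2.10, ssl_bump on, squid-3.2.10-1.6.mga3: %s\n' \
    "$(cve_2014_0128_status "$SQUID_V_OLD" "$CONF_BUMP" squid-3.2.10-1.6.mga3)"
printf '3.2.10, ssl_bump off:                       %s\n' \
    "$(cve_2014_0128_status "$SQUID_V_OLD" "$CONF_PLAIN" "")"
printf '3.3.12, ssl_bump on:                        %s\n' \
    "$(cve_2014_0128_status "$SQUID_V_NEW" "$CONF_BUMP" "")"
```

On a live Mageia 3 host the same function can be fed real data, assuming the usual configuration path: `cve_2014_0128_status "$(squid -v)" "$(cat /etc/squid/squid.conf)" "$(rpm -q squid)"`. Two limitations worth knowing: the directive scan does not follow `include` lines, and a configuration that names `ssl_bump` only with the `none` action still counts as configured, so a `not-exposed` verdict is stronger evidence than an `exposed` one.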