Bug 14004

Summary: squid new security issue CVE-2014-3609
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: damyan.dimitrov, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/609836/
Whiteboard: MGA3TOO has_procedure advisory MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK
Source RPM: squid-3.3.12-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-08-28 18:50:08 CEST 
Ubuntu has issued an advisory on August 27:
http://www.ubuntu.com/usn/usn-2327-1/

The issue is fixed upstream in 3.3.13 and 3.4.7 and there are patches.

Updated packages uploaded for Mageia 4 and Cauldron.

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated squid packages fix security vulnerability:

Matthew Daley discovered that Squid 3 did not properly perform input
validation in request parsing. A remote attacker could send crafted Range
requests to cause a denial of service (CVE-2014-3609).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609
http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
http://www.squid-cache.org/mail-archive/squid-users/201408/0286.html
http://www.ubuntu.com/usn/usn-2327-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.7.mga3
squid-cachemgr-3.2.10-1.7.mga3
squid-3.3.13-1.mga4
squid-cachemgr-3.3.13-1.mga4

from SRPMS:
squid-3.2.10-1.7.mga3.src.rpm
squid-3.3.13-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-28 18:50:21 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Rémi Verschelde 2014-08-28 19:17:51 CEST 
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13137#c3

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 Rémi Verschelde 2014-08-28 20:20:05 CEST 
Testing complete on Mageia 4 32bit following the procedure in comment 1. Don't forget to install squid-cachemgr to be able to follow the procedure.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Comment 3 Rémi Verschelde 2014-08-28 22:30:57 CEST 
Step by step procedure based on the one linked in comment 1 (if you're not confident yet with systemctl and all):

- Install squid and squid-cachemgr from core/updates_testing

- In your web browser, set up a HTTP proxy on localhost, using port 3128.
To do so in Firefox 24, go to Edit > Preferences > 
Advanced > Network > Settings... > Manual proxy configuration, and then configure as said previsouly.

- Start the apache (httpd) server and the squid caching server with (as root):
# systemctl start httpd
# systemctl start squid

- In your web browser, go to some websites using the HTTPS protocol, such as https://www.mageia.org

- The browse to http://localhost/cgi-bin/cachemgr.cgi
"Cache Manager Interface" should appear, asking for some information about your setup.

- Click on "Continue...". You should now see lots of links. Click on a few links at random, and just check that there is some cached content in those links.

- You're done :-)
Comment 4 Damyan Dimitrov 2014-09-01 14:05:40 CEST 
Testing complete on Mageia 4 64bit, Mageia 3 32bit, Mageia3 64bit following the procedure.

Rémi Verschelde also completed the testing on Mageia 4 32bit, so I'm validating the update.

Could someone from the sysadmin team push this to updates

Thanks :)

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK
CC: (none) => damyan.dimitrov, sysadmin-bugs

Comment 5 claire robinson 2014-09-01 15:52:42 CEST 
Well done Damyan!

Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK

Comment 6 Mageia Robot 2014-09-05 11:08:41 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0369.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED