Bug 15802

Summary: squid new security issue CVE-2015-3455
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, vzawalin1
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/643131/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: squid-3.4.12-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-04-30 18:31:40 CEST 
A CVE has been assigned for a security issue which will be fixed soon in Squid:
http://openwall.com/lists/oss-security/2015/04/30/4

New 3.3.x and 3.4.x releases will be issued.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-30 18:31:49 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-05-01 17:01:39 CEST 
Updates checked into Mageia 4 and Cauldron SVN.  Freeze push requested.
Comment 2 David Walser 2015-05-01 20:44:53 CEST 
Upstream advisory with full details:
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
Comment 3 David Walser 2015-05-01 21:38:44 CEST 
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated squid packages fix security vulnerability:

Squid configured with client-first SSL-bump does not correctly validate X509
server certificate domain / hostname fields (CVE-2015-3455).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.3.14-1.mga4
squid-cachemgr-3.3.14-1.mga4

from squid-3.3.14-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 claire robinson 2015-05-02 20:58:43 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=14004#c3

Whiteboard: (none) => has_procedure

Comment 5 Vladimir Zawalinski 2015-05-03 12:45:13 CEST 
Testing MGA4.1  32 and 64 bit, Vbox hardware

CC: (none) => vzawalin1

Comment 6 David Walser 2015-05-04 16:24:10 CEST 
Working fine on Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 7 Vladimir Zawalinski 2015-05-05 04:26:18 CEST 
Tested 3.3.14-1.mga4.x86_64 on MGA4.1 64 bit VBOX-guest.
ACL works
Cache works

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2015-05-05 10:56:23 CEST 
Well done Vlad!

Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-05-05 15:37:41 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0191.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-05 19:04:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643131/