| Summary: | squid new security issue SQUID-2016_2 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, nicolas.salguero, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/678151/ | ||
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | squid-3.4.13-1.2.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: |
Patch squid-3.5-13990.patch backported to 3.4
Patch squid-3.5-13991.patch backported to 3.4 |
||
|
Description
David Walser
2016-02-24 22:55:15 CET
Created attachment 7493 [details]
Patch squid-3.5-13990.patch backported to 3.4CC:
(none) =>
nicolas.salguero Created attachment 7494 [details]
Patch squid-3.5-13991.patch backported to 3.4
Hi,
I think I was able to backport the two patches from 3.5 to 3.4.
Best regards,
Nico.
Thanks Nicolas! Patched package uploaded for Mageia 5. Advisory: ======================== Updated squid packages fix security vulnerability: Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses (CVE-2016-2569, CVE-2016-2570, CVE-2016-2571). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2569 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2570 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2571 http://www.squid-cache.org/Advisories/SQUID-2016_2.txt http://openwall.com/lists/oss-security/2016/02/26/2 ======================== Updated packages in core/updates_testing: ======================== squid-3.4.13-1.4.mga5 squid-cachemgr-3.4.13-1.4.mga5 from squid-3.4.13-1.4.mga5.src.rpm Assignee:
bugsquad =>
qa-bugs
David Walser
2016-03-01 19:31:43 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/678151/ Advisory uploaded. For testing see.. https://bugs.mageia.org/show_bug.cgi?id=14004#c3 https://bugs.mageia.org/show_bug.cgi?id=16304#c14 Whiteboard:
(none) =>
has_procedure advisory Working fine on our main proxy at work, Mageia 5 i586. Whiteboard:
has_procedure advisory =>
has_procedure advisory MGA5-32-OK Testing x64 using pre-proxy-configured Firefox Installed squid & squid-cachemgr from issue repos, and used the good instructions in https://bugs.mageia.org/show_bug.cgi?id=14004#c3 to set things up for Firefox. *Remember* the admin username & password you first define! Browsed a little, then tried many of the Cache Manager Menu links, via: http://localhost/cgi-bin/cachemgr.cgi The first one, Cache Manager Interface, gave an error: "Internal Error: Missing Template MGR_INDEX". Updated to: squid-3.4.13-1.4.mga5 squid-cachemgr-3.4.13-1.4.mga5 Stopped & re-started squid & httpd from MCC System/Services. More browsing, re-tried some Cache Manager Menu links. No evident misbehaviour except the first 'Interface' item as prior to the update, so this I deem OK. Whiteboard:
has_procedure advisory MGA5-32-OK =>
has_procedure advisory MGA5-32-OK MGA4-64-OK
Lewis Smith
2016-03-04 15:08:19 CET
Whiteboard:
has_procedure advisory MGA5-32-OK MGA4-64-OK =>
has_procedure advisory MGA5-32-OK MGA5-64-OK Validating. CC:
(none) =>
sysadmin-bugs An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0095.html Resolution:
(none) =>
FIXED LWN reference for CVE-2016-2570: http://lwn.net/Vulnerabilities/679130/ Added that to the advisory. (In reply to Lewis Smith from comment #10) > Added that to the advisory. Ahh, no, we don't add the LWN references to our references. Their vulnerability references list distro advisories that fixed a certain vulnerability or set of vulnerabilities, and it can be helpful (to me, mostly) to be able to look at those sometimes. If I want you to add something to our advisory (which happens occasionally) I'll be more explicit about asking for it to be added. I've reverted this change in SVN. |