Bug 18231

Summary: squid new security issue CVE-2016-4051
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/685002/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: squid-3.5.16-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-04-21 15:49:33 CEST
Upstream has issued an advisory on April 20:
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt

Updated packages uploaded for Mageia 5 and Cauldron.

Note that SQUID-2016_6 (CVE-2016-405[2-4]) is also fixed, but doesn't affect us, since we disable ESI in our package.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect buffer management, the Squid cachemgr.cgi tool is vulnerable to a
buffer overflow when processing remotely supplied inputs relayed to it from
Squid. This problem allows any client to seed the Squid manager reports with
data that will cause a buffer overflow when processed by the cachemgr.cgi tool
(CVE-2016-4051).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.17-1.mga5
squid-cachemgr-3.5.17-1.mga5

from squid-3.5.17-1.mga5.src.rpm
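The advisory above describes the defect class only in one sentence: a field relayed from the proxy is copied into a fixed-size buffer on the assumption that it fits. The following is an added, constructed illustration of that pattern beside a bounded version that rejects and counts oversized fields instead of writing past the buffer. It is not Squid's or Mageia's code: the `report_entry` layout, `FIELD_MAX`, the `name:value` line format, the function names and the sample report body are all hypothetical.

```c
/* Constructed illustration of an unbounded copy of relayed input into a
 * fixed-size buffer, beside a length-checked version. Not Squid's code. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 64     /* hypothetical fixed-size field width */
#define MAX_ENTRIES 16   /* hypothetical capacity of one report */

struct report_entry {
    char name[FIELD_MAX];
    char value[FIELD_MAX];
};

/* Vulnerable pattern: assumes every relayed field fits the fixed buffer.
 * strcpy() copies up to the terminating NUL, so a name or value of FIELD_MAX
 * bytes or more writes past the end of the field. Kept only for contrast and
 * never called on untrusted data below. */
void fill_entry_unchecked(struct report_entry *e, const char *name, const char *value)
{
    strcpy(e->name, name);
    strcpy(e->value, value);
}

/* Hardened pattern: compare the field length with the destination before
 * copying and refuse the field if it would not fit with its NUL terminator.
 * Returns 0 on success, -1 if the field was rejected. */
int fill_entry_checked(struct report_entry *e, const char *name, size_t name_len,
                       const char *value, size_t value_len)
{
    if (name_len >= FIELD_MAX || value_len >= FIELD_MAX)
        return -1;
    memcpy(e->name, name, name_len);
    e->name[name_len] = '\0';
    memcpy(e->value, value, value_len);
    e->value[value_len] = '\0';
    return 0;
}

/* Parse "name:value" lines from a relayed report body into 'out'. Lines with
 * no ':' separator or with a field that does not fit are skipped and counted
 * in *rejected, so a caller can log them. Returns the number of entries stored. */
size_t load_report(const char *body, struct report_entry *out, size_t max_out,
                   size_t *rejected)
{
    size_t stored = 0;
    const char *line = body;
    *rejected = 0;
    while (*line != '\0' && stored < max_out) {
        const char *eol = strchr(line, '\n');
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);
        const char *sep = memchr(line, ':', line_len);
        if (sep == NULL) {
            (*rejected)++;
        } else {
            size_t name_len = (size_t)(sep - line);
            size_t value_len = line_len - name_len - 1;
            if (fill_entry_checked(&out[stored], line, name_len, sep + 1, value_len) == 0)
                stored++;
            else
                (*rejected)++;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return stored;
}

/* Constructed sample body: two well-formed fields, one field whose value is
 * 80 bytes (over FIELD_MAX), and one line without a separator. */
static const char SAMPLE_BODY[] =
    "client.requests:1234\n"
    "cache.hits:88\n"
    "client.note:"
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "\n"
    "nocolon\n";

/* Runs the checked loader over the sample; returns entries stored. */
size_t sample_accepted(size_t *rejected)
{
    struct report_entry entries[MAX_ENTRIES];
    return load_report(SAMPLE_BODY, entries, MAX_ENTRIES, rejected);
}

int main(void)
{
    size_t rejected = 0;
    size_t ok = sample_accepted(&rejected);
    printf("stored %zu entries, rejected %zu\n", ok, rejected);  /* stored 2, rejected 2 */
    return 0;
}
```

Rejecting rather than silently truncating is the choice a defender wants here: the oversized field is counted and can be logged, which turns a would-be memory write into a visible event in the consumer's own records.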
Comment 1 David Walser 2016-04-21 15:50:13 CEST
Testing hints:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-04-23 00:07:35 CEST
Working fine on our production Squid server at work.

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 claire robinson 2016-04-23 14:50:05 CEST
Thanks David.

Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-04-25 09:58:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0148.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-04-25 19:36:32 CEST

URL: (none) => http://lwn.net/Vulnerabilities/685002/