Bug 18388

Summary: squid new security issues CVE-2016-4553 and CVE-2016-4554
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/687043/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: squid-3.5.17-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-06 23:55:21 CEST
CVEs have been assigned for security issues fixed in squid 3.5.18:
http://openwall.com/lists/oss-security/2016/05/06/5

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect data validation of intercepted HTTP Request messages Squid
is vulnerable to clients bypassing the protection against CVE-2009-0801
related issues. This leads to cache poisoning. This allows any client,
including browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary source
(CVE-2016-4553).

Due to incorrect input validation Squid is vulnerable to a header smuggling
attack leading to cache poisoning and to bypass of same-origin security policy
in Squid and some client browsers (CVE-2016-4554).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.18-1.mga5
squid-cachemgr-3.5.18-1.mga5

from squid-3.5.18-1.mga5.src.rpm

Comment 1 David Walser 2016-05-06 23:55:33 CEST
Testing hints:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-05-06 23:56:25 CEST
This update also fixes SQUID-2016_9 (CVE-2015-4555 and CVE-2015-4556), but as I said in our last update, ESI is disabled in our package so we're not affected.

Comment 3 David Walser 2016-05-09 13:43:57 CEST
Working fine on our production Squid server at work (Mageia 5 x86_64) and my desktop and laptop (Mageia 5 i586).

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Comment 4 David Walser 2016-05-09 14:47:21 CEST
CVE-2016-4554 fix caused a regression, fixed in 3.5.19, building now.

Updated packages in core/updates_testing:
========================
squid-3.5.19-1.mga5
squid-cachemgr-3.5.19-1.mga5

from squid-3.5.19-1.mga5.src.rpm

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure

Comment 5 David Walser 2016-05-09 15:16:37 CEST
3.5.19 working fine on our production Squid server at work, Mageia 5 x86_64.

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 6 David Walser 2016-05-10 20:43:27 CEST
Working fine on my workstation at home, Mageia 5 i586.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 7 Lewis Smith 2016-05-11 13:37:28 CEST
Validated.
Advisory uploaded as per Comment 0.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

David Walser 2016-05-11 21:07:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/687043/

Comment 8 Mageia Robot 2016-05-11 21:28:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0171.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-05-13 18:22:03 CEST
LWN reference for CVE-2016-4553:
http://lwn.net/Vulnerabilities/687234/