Bug 19970

Summary: squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/710087/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: squid-3.5.19-1.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 18269    

Description David Walser 2016-12-17 18:20:20 CET 
CVEs have been requested for security issues fixed in Squid 3.5.23:
http://openwall.com/lists/oss-security/2016/12/17/1

Freeze push request sent for Cauldron.  I will update Mageia 5 soon.
David Walser 2016-12-17 18:20:50 CET

Blocks: (none) => 18269
Assignee: bugsquad => luigiwalser

David Walser 2016-12-17 18:21:21 CET

Severity: normal => major

Comment 1 David Walser 2016-12-18 02:30:51 CET 
CVE-2016-1000[23] assigned:
http://openwall.com/lists/oss-security/2016/12/18/1

Testing hints:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14

Advisory for upcoming update below.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Incorrect processing of responses to If-None-Modified HTTP conditional requests
leads to client-specific Cookie data being leaked to other clients. Attack
requests can easily be crafted by a client to probe a cache for this information
(CVE-2016-10002).

Incorrect HTTP Request header comparison results in Collapsed Forwarding feature
mistakenly identifying some private responses as being suitable for delivery to
multiple clients (CVE-2016-10003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
http://openwall.com/lists/oss-security/2016/12/18/1
========================

Updated packages in core/updates_testing:
========================
squid-3.5.23-1.mga5
squid-cachemgr-3.5.23-1.mga5

from squid-3.5.23-1.mga5.src.rpm

Summary: squid new security issues fixed upstream in 3.5.23 => squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])
Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-12-18 16:56:37 CET 
Updated package uploaded for Mageia 5.

Advisory and package list in Comment 1, as well as testing hints.

I've posted this message through the updated squid on Mageia 5 x86_64, so it obviously works fine :o).

Assignee: luigiwalser => qa-bugs
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 David Walser 2016-12-20 03:44:29 CET 
Also working fine on Mageia 5 i586.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 4 Lewis Smith 2016-12-22 21:01:21 CET 
Thanks David.
Validating & advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2016-12-22 22:42:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0423.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-12-23 21:02:55 CET

URL: (none) => https://lwn.net/Vulnerabilities/710087/