Bug 13137 - squid new security issue CVE-2014-0128
: squid new security issue CVE-2014-0128
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/592809/
: has_procedure advisory mga4-32-ok mga...
: validated_update
:
: 13138
  Show dependency treegraph
 
Reported: 2014-04-02 19:31 CEST by David Walser
Modified: 2014-04-09 07:37 CEST (History)
2 users (show)

See Also:
Source RPM: squid-3.3.11-1.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-04-02 19:31:39 CEST
Fedora has issued an advisory on March 15:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html

The issue was fixed in 3.3.12 and 3.4.4.

We already have 3.4.4 in Cauldron.

We have 3.3.11 in Mageia 4, so I'll update that to 3.3.12.

The specific commit to fix it is here:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch

Version 3.2.x is affected, and we have 3.2.10 in Mageia 3.  However, looking at the code, it is not clear how to backport the changes from the above patch to Squid 3.2.  I'll have to split this bug and maybe we can fix Mageia 3 at a later date if someone develops a patch.

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-04-02 19:49:30 CEST
Updated package uploaded for Mageia 4.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect state management, Squid before 3.3.12 is vulnerable to a
denial of service attack when processing certain HTTPS requests if the
SSL-Bump feature is enabled (CVE-2014-0128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
========================

Updated packages in core/updates_testing:
========================
squid-3.3.12-1.mga4
squid-cachemgr-3.3.12-1.mga4

from squid-3.3.12-1.mga4.src.rpm
Comment 2 David Walser 2014-04-03 21:04:34 CEST
No PoC that I can find (some sources say there isn't one available), so just verify that HTTPS works through Squid.  I verified this myself on Mageia 4 i586.
Comment 3 claire robinson 2014-04-08 14:31:47 CEST
Testing complete mga4 64

Set browser to use http proxy at localhost on port 3128 and started squid service.

Browsed the https web.

Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits of data can be displayed.

The top link though for 'Cache Manager Interface' shows this,
Internal Error: Missing Template MGR_INDEX

I didn't do any configuration beyond starting the service though and all the other links I tested display properly.

Is this something missing David? I'll create a bug for it if so.
Comment 4 David Walser 2014-04-08 14:35:54 CEST
(In reply to claire robinson from comment #3)
> Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits
> of data can be displayed.
> 
> The top link though for 'Cache Manager Interface' shows this,
> Internal Error: Missing Template MGR_INDEX
> 
> I didn't do any configuration beyond starting the service though and all the
> other links I tested display properly.
> 
> Is this something missing David? I'll create a bug for it if so.

I don't use the cache manager, so I don't know anything about it, but I wonder if that's somehow related to Bug 12914.  I've fixed that one in Cauldron, so if one of us gets a chance to try it in a Cauldron install at some point, we can see.  Feel free to file a bug for now.
Comment 5 claire robinson 2014-04-08 14:51:02 CEST
It may well be, the data is displayed but as basic html, no theme. The mention of icons in bug 12914 seems to suggest there could/should be some kind of template.

Bug 13173 created.
Comment 6 claire robinson 2014-04-08 14:55:08 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 4 updates

Thanks
Comment 7 Damien Lallement 2014-04-09 07:37:33 CEST
http://advisories.mageia.org/MGASA-2014-0168.html

Note You need to log in before you can comment on or make changes to this bug.