Mageia Bugzilla – Bug 13137
squid new security issue CVE-2014-0128
Last modified: 2014-04-09 07:37:33 CEST
Fedora has issued an advisory on March 15:
The issue was fixed in 3.3.12 and 3.4.4.
We already have 3.4.4 in Cauldron.
We have 3.3.11 in Mageia 4, so I'll update that to 3.3.12.
The specific commit to fix it is here:
Version 3.2.x is affected, and we have 3.2.10 in Mageia 3. However, looking at the code, it is not clear how to backport the changes from the above patch to Squid 3.2. I'll have to split this bug and maybe we can fix Mageia 3 at a later date if someone develops a patch.
Steps to Reproduce:
Updated package uploaded for Mageia 4.
Updated squid packages fix security vulnerability:
Due to incorrect state management, Squid before 3.3.12 is vulnerable to a
denial of service attack when processing certain HTTPS requests if the
SSL-Bump feature is enabled (CVE-2014-0128).
Updated packages in core/updates_testing:
No PoC that I can find (some sources say there isn't one available), so just verify that HTTPS works through Squid. I verified this myself on Mageia 4 i586.
Testing complete mga4 64
Set browser to use http proxy at localhost on port 3128 and started squid service.
Browsed the https web.
Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits of data can be displayed.
The top link though for 'Cache Manager Interface' shows this,
Internal Error: Missing Template MGR_INDEX
I didn't do any configuration beyond starting the service though and all the other links I tested display properly.
Is this something missing David? I'll create a bug for it if so.
(In reply to claire robinson from comment #3)
> Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits
> of data can be displayed.
> The top link though for 'Cache Manager Interface' shows this,
> Internal Error: Missing Template MGR_INDEX
> I didn't do any configuration beyond starting the service though and all the
> other links I tested display properly.
> Is this something missing David? I'll create a bug for it if so.
I don't use the cache manager, so I don't know anything about it, but I wonder if that's somehow related to Bug 12914. I've fixed that one in Cauldron, so if one of us gets a chance to try it in a Cauldron install at some point, we can see. Feel free to file a bug for now.
It may well be, the data is displayed but as basic html, no theme. The mention of icons in bug 12914 seems to suggest there could/should be some kind of template.
Bug 13173 created.
Advisory uploaded. Validating.
Could sysadmin please push to 4 updates