Fedora has issued an advisory on March 15:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
The issue was fixed in 3.3.12 and 3.4.4. We already have 3.4.4 in Cauldron. We have 3.3.11 in Mageia 4, so I'll update that to 3.3.12.
The specific commit to fix it is here:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch
Version 3.2.x is affected, and we have 3.2.10 in Mageia 3. However, looking at the code, it is not clear how to backport the changes from the above patch to Squid 3.2. I'll have to split this bug and maybe we can fix Mageia 3 at a later date if someone develops a patch.
Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Blocks: (none) => 13138
Updated package uploaded for Mageia 4.
Advisory:
========================
Updated squid packages fix security vulnerability:
Due to incorrect state management, Squid before 3.3.12 is vulnerable to a denial of service attack when processing certain HTTPS requests if the SSL-Bump feature is enabled (CVE-2014-0128).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
========================
Updated packages in core/updates_testing:
========================
squid-3.3.12-1.mga4
squid-cachemgr-3.3.12-1.mga4
from squid-3.3.12-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
No PoC that I can find (some sources say there isn't one available), so just verify that HTTPS works through Squid. I verified this myself on Mageia 4 i586.
Testing complete mga4 64
Set browser to use http proxy at localhost on port 3128 and started squid service. Browsed the https web.
Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits of data can be displayed.
The top link though for 'Cache Manager Interface' shows this,
Internal Error: Missing Template MGR_INDEX
I didn't do any configuration beyond starting the service though and all the other links I tested display properly.
Is this something missing David? I'll create a bug for it if so.
Whiteboard: (none) => has_procedure mga4-32-ok mga4-64-ok
(In reply to claire robinson from comment #3)
> Checked cachemgr at http://localhost/cgi-bin/cachemgr.cgi and various bits
> of data can be displayed.
>
> The top link though for 'Cache Manager Interface' shows this,
> Internal Error: Missing Template MGR_INDEX
>
> I didn't do any configuration beyond starting the service though and all the
> other links I tested display properly.
>
> Is this something missing David? I'll create a bug for it if so.
I don't use the cache manager, so I don't know anything about it, but I wonder if that's somehow related to Bug 12914. I've fixed that one in Cauldron, so if one of us gets a chance to try it in a Cauldron install at some point, we can see. Feel free to file a bug for now.
It may well be, the data is displayed but as basic html, no theme. The mention of icons in bug 12914 seems to suggest there could/should be some kind of template.
Bug 13173 created.
Advisory uploaded. Validating.
Could sysadmin please push to 4 updates
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0168.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED