+++ This bug was initially created as a clone of Bug #13137 +++

Fedora has issued an advisory on March 15:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html

The issue was fixed in 3.3.12 and 3.4.4. We already have 3.4.4 in Cauldron. We have 3.3.11 in Mageia 4, so I'll update that to 3.3.12. The specific commit to fix it is here:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch

Version 3.2.x is affected, and we have 3.2.10 in Mageia 3. However, looking at the code, it is not clear how to backport the changes from the above patch to Squid 3.2. I'll have to split this bug and maybe we can fix Mageia 3 at a later date if someone develops a patch.

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Source RPM: squid-3.3.11-1.mga4.src.rpm => squid-3.2.10-1.4.mga3.src.rpm
OpenSuSE has issued an advisory for this today (April 11):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html

So they would have backported the patch to Squid 3.1, which would probably be helpful, except I can't find Source RPMs for OpenSuSE 11.4 anywhere.
Fedora just backported 3.3.12 from Fedora 20 to Fedora 19 where they had 3.2.x:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131477.html
I've obtained OpenSuSE's patch and re-diffed it for Squid 3.2. Hopefully it works.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect state management, Squid before 3.3.12 is vulnerable to a denial of service attack when processing certain HTTPS requests if the SSL-Bump feature is enabled (CVE-2014-0128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.5.mga3
squid-cachemgr-3.2.10-1.5.mga3

from squid-3.2.10-1.5.mga3.src.rpm
Assignee: bugsquad => qa-bugs
OpenSuSE has issued an advisory for OpenSuSE 12.3, which has Squid 3.2.x:
http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html

Adding feedback marker until I get a chance to double-check their patch for that version against what I added.
Whiteboard: (none) => feedback
I only found one minor difference in a debug print call in their patch (the other differences were whitespace only), but I went ahead and switched to their patch and rebuilt it.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect state management, Squid before 3.3.12 is vulnerable to a denial of service attack when processing certain HTTPS requests if the SSL-Bump feature is enabled (CVE-2014-0128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://www.squid-cache.org/mail-archive/squid-users/201403/0064.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130987.html
http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.6.mga3
squid-cachemgr-3.2.10-1.6.mga3

from squid-3.2.10-1.6.mga3.src.rpm
Whiteboard: feedback => (none)
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13137#c3
Whiteboard: (none) => has_procedure
Testing complete mga3 32
Whiteboard: has_procedure => has_procedure mga3-32-ok
Testing complete mga3 64
Whiteboard: has_procedure mga3-32-ok => has_procedure mga3-32-ok mga3-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0192.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED