Ubuntu has issued an advisory on August 27:
http://www.ubuntu.com/usn/usn-2327-1/

The issue is fixed upstream in 3.3.13 and 3.4.7 and there are patches.

Updated packages uploaded for Mageia 4 and Cauldron. Patched package uploaded for Mageia 3.

Advisory:
========================

Updated squid packages fix security vulnerability:

Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing. A remote attacker could send crafted Range requests to cause a denial of service (CVE-2014-3609).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609
http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
http://www.squid-cache.org/mail-archive/squid-users/201408/0286.html
http://www.ubuntu.com/usn/usn-2327-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.7.mga3
squid-cachemgr-3.2.10-1.7.mga3
squid-3.3.13-1.mga4
squid-cachemgr-3.3.13-1.mga4

from SRPMS:
squid-3.2.10-1.7.mga3.src.rpm
squid-3.3.13-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13137#c3
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete on Mageia 4 32bit following the procedure in comment 1. Don't forget to install squid-cachemgr to be able to follow the procedure.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
Step by step procedure based on the one linked in comment 1 (if you're not confident yet with systemctl and all):

- Install squid and squid-cachemgr from core/updates_testing
- In your web browser, set up an HTTP proxy on localhost, using port 3128. To do so in Firefox 24, go to Edit > Preferences > Advanced > Network > Settings... > Manual proxy configuration, and then configure as said previously.
- Start the apache (httpd) server and the squid caching server with (as root):
  # systemctl start httpd
  # systemctl start squid
- In your web browser, go to some websites using the HTTPS protocol, such as https://www.mageia.org
- Then browse to http://localhost/cgi-bin/cachemgr.cgi
  "Cache Manager Interface" should appear, asking for some information about your setup.
- Click on "Continue...". You should now see lots of links. Click on a few links at random, and just check that there is some cached content in those links.
- You're done :-)
Testing complete on Mageia 4 64bit, Mageia 3 32bit, Mageia 3 64bit following the procedure. Rémi Verschelde also completed the testing on Mageia 4 32bit, so I'm validating the update. Could someone from the sysadmin team push this to updates? Thanks :)
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK
CC: (none) => damyan.dimitrov, sysadmin-bugs
Well done Damyan! Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA4-32-OK MGA3-32-OK MGA3-64-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0369.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
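
Added example (not part of the original bug report or of Mageia's tooling): a shell check that classifies an installed squid package string against the fixed builds listed in the advisory at the top of this report. The function names are hypothetical, the version comparison is a simplified numeric one rather than rpm's own, and it assumes any later version-release on the same Mageia release is also fixed.

```shell
#!/bin/sh
# Fixed builds for CVE-2014-3609, taken from the advisory text in this report.
FIXED_MGA3="3.2.10-1.7"
FIXED_MGA4="3.3.13-1"

# ver_ge A B: succeed when A >= B, comparing dot/dash separated numeric
# fields left to right. Simplified; this is not rpm's full version compare.
ver_ge() {
    ver_b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $(printf '%s' "$1" | tr '.-' '  ')
    for want in $ver_b; do
        have=${1:-0}                 # a missing field counts as 0
        [ $# -gt 0 ] && shift
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
    done
    return 0
}

# squid_status NVR: print fixed, vulnerable or unknown for a string such as
# "squid-3.3.13-1.mga4" (rpm -q output; a trailing .arch is accepted).
squid_status() {
    nvr=${1#squid-}
    nvr=${nvr#cachemgr-}
    case "$nvr" in
        *.mga3*) fixed=$FIXED_MGA3 ;;
        *.mga4*) fixed=$FIXED_MGA4 ;;
        *) echo unknown; return 2 ;;   # release not covered by this advisory
    esac
    vr=${nvr%%.mga*}                   # keep only version-release
    case "$vr" in
        ''|*[!0-9.-]*) echo unknown; return 2 ;;
    esac
    if ver_ge "$vr" "$fixed"; then
        echo fixed
    else
        echo vulnerable
        return 1
    fi
}

# On an rpm-based host, report the installed packages; otherwise do nothing.
if command -v rpm >/dev/null 2>&1; then
    for pkg in $(rpm -q squid squid-cachemgr 2>/dev/null | grep '^squid-'); do
        echo "$pkg: $(squid_status "$pkg")"
    done
fi
```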