Bug 15802 - squid new security issue CVE-2015-3455
Summary: squid new security issue CVE-2015-3455
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/643131/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-30 18:31 CEST by David Walser
Modified: 2015-05-05 19:04 CEST

See Also:
Source RPM: squid-3.4.12-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-04-30 18:31:40 CEST
A CVE has been assigned for a security issue which will be fixed soon in Squid:
http://openwall.com/lists/oss-security/2015/04/30/4

New 3.3.x and 3.4.x releases will be issued.

David Walser 2015-04-30 18:31:49 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-05-01 17:01:39 CEST
Updates checked into Mageia 4 and Cauldron SVN. Freeze push requested.

Comment 2 David Walser 2015-05-01 20:44:53 CEST
Upstream advisory with full details:
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

Comment 3 David Walser 2015-05-01 21:38:44 CEST
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated squid packages fix security vulnerability:

Squid configured with client-first SSL-bump does not correctly validate X509
server certificate domain / hostname fields (CVE-2015-3455).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.3.14-1.mga4
squid-cachemgr-3.3.14-1.mga4

from squid-3.3.14-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 claire robinson 2015-05-02 20:58:43 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=14004#c3

Whiteboard: (none) => has_procedure

Comment 5 Vladimir Zawalinski 2015-05-03 12:45:13 CEST
Testing MGA4.1  32 and 64 bit, Vbox hardware

CC: (none) => vzawalin1

Comment 6 David Walser 2015-05-04 16:24:10 CEST
Working fine on Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 7 Vladimir Zawalinski 2015-05-05 04:26:18 CEST
Tested 3.3.14-1.mga4.x86_64 on MGA4.1 64 bit VBOX-guest.
ACL works
Cache works

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2015-05-05 10:56:23 CEST
Well done Vlad!

Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-05-05 15:37:41 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0191.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-05 19:04:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643131/

