Upstream has issued an advisory on February 23:
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

The first upstream patch for 3.5 applies fine to 3.4, but in the second, a few file names have changed and there are some failing hunks. Upstream hasn't backported fixes for 3.4.

Cauldron has been updated to 3.5.15.
Created attachment 7493
Patch squid-3.5-13990.patch backported to 3.4
CC: (none) => nicolas.salguero
Created attachment 7494
Patch squid-3.5-13991.patch backported to 3.4

Hi,

I think I was able to backport the two patches from 3.5 to 3.4.

Best regards,

Nico.
Thanks Nicolas!

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses (CVE-2016-2569, CVE-2016-2570, CVE-2016-2571).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2571
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
http://openwall.com/lists/oss-security/2016/02/26/2
========================

Updated packages in core/updates_testing:
========================
squid-3.4.13-1.4.mga5
squid-cachemgr-3.4.13-1.4.mga5

from squid-3.4.13-1.4.mga5.src.rpm
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/678151/
Advisory uploaded.

For testing see:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14
Whiteboard: (none) => has_procedure advisory
Working fine on our main proxy at work, Mageia 5 i586.
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK
Testing x64 using pre-proxy-configured Firefox

Installed squid & squid-cachemgr from issue repos, and used the good instructions in https://bugs.mageia.org/show_bug.cgi?id=14004#c3 to set things up for Firefox. *Remember* the admin username & password you first define!

Browsed a little, then tried many of the Cache Manager Menu links, via:
http://localhost/cgi-bin/cachemgr.cgi
The first one, Cache Manager Interface, gave an error: "Internal Error: Missing Template MGR_INDEX".

Updated to:
squid-3.4.13-1.4.mga5
squid-cachemgr-3.4.13-1.4.mga5

Stopped & re-started squid & httpd from MCC System/Services. More browsing, re-tried some Cache Manager Menu links. No evident misbehaviour except the first 'Interface' item as prior to the update, so this I deem OK.
Whiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA4-64-OK
CC: (none) => lewyssmith
Whiteboard: has_procedure advisory MGA5-32-OK MGA4-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0095.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
LWN reference for CVE-2016-2570:
http://lwn.net/Vulnerabilities/679130/
Added that to the advisory.
(In reply to Lewis Smith from comment #10)
> Added that to the advisory.

Ahh, no, we don't add the LWN references to our references. Their vulnerability references list distro advisories that fixed a certain vulnerability or set of vulnerabilities, and it can be helpful (to me, mostly) to be able to look at those sometimes. If I want you to add something to our advisory (which happens occasionally) I'll be more explicit about asking for it to be added.

I've reverted this change in SVN.