Upstream has issued advisories on April 2:
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to a buffer overrun, the Squid pinger binary in Squid before 3.5.16 is vulnerable to a denial of service or information leak attack when processing ICMPv6 packets. This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leaks (CVE-2016-3947).

Due to incorrect bounds checking, Squid before 3.5.16 is vulnerable to a denial of service attack when processing HTTP responses (CVE-2016-3948).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3948
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.5.16-1.mga5
squid-cachemgr-3.5.16-1.mga5

from squid-3.5.16-1.mga5.src.rpm
Testing hints: https://bugs.mageia.org/show_bug.cgi?id=14004#c3 https://bugs.mageia.org/show_bug.cgi?id=16304#c14
Whiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/682384/
Working fine on our production proxy at work, Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
validating
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory uploaded
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0133.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-3948: http://lwn.net/Vulnerabilities/682760/