Upstream has issued an advisory on April 20:
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
Updated packages uploaded for Mageia 5 and Cauldron.
Note that SQUID-2016_6 (CVE-2016-405[2-4]) is also fixed, but doesn't affect us, since we disable ESI in our package.
Advisory:
========================
Updated squid packages fix security vulnerability:
Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid. This problem allows any client to seed the Squid manager reports with data that will cause a buffer overflow when processed by the cachemgr.cgi tool (CVE-2016-4051).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
========================
Updated packages in core/updates_testing:
========================
squid-3.5.17-1.mga5
squid-cachemgr-3.5.17-1.mga5
from squid-3.5.17-1.mga5.src.rpm
Testing hints: https://bugs.mageia.org/show_bug.cgi?id=14004#c3 https://bugs.mageia.org/show_bug.cgi?id=16304#c14
Whiteboard: (none) => has_procedure
Working fine on our production Squid server at work.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Thanks David. Validating. Advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0148.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/685002/