CVEs have been assigned for security issues fixed in squid 3.5.18:
http://openwall.com/lists/oss-security/2016/05/06/5

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect data validation of intercepted HTTP Request messages Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source (CVE-2016-4553).

Due to incorrect input validation Squid is vulnerable to a header smuggling attack leading to cache poisoning and to bypass of same-origin security policy in Squid and some client browsers (CVE-2016-4554).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
========================

Updated packages in core/updates_testing:
========================

squid-3.5.18-1.mga5
squid-cachemgr-3.5.18-1.mga5

from squid-3.5.18-1.mga5.src.rpm
Testing hints:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14
Whiteboard: (none) => has_procedure
This update also fixes SQUID-2016_9 (CVE-2015-4555 and CVE-2015-4556), but as I said in our last update, ESI is disabled in our package so we're not affected.
Working fine on our production Squid server at work (Mageia 5 x86_64) and my desktop and laptop (Mageia 5 i586).
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CVE-2016-4554 fix caused a regression, fixed in 3.5.19, building now.

Updated packages in core/updates_testing:
========================

squid-3.5.19-1.mga5
squid-cachemgr-3.5.19-1.mga5

from squid-3.5.19-1.mga5.src.rpm
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure
3.5.19 working fine on our production Squid server at work, Mageia 5 x86_64.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Working fine on my workstation at home, Mageia 5 i586.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
Validated. Advisory uploaded as per Comment 0.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/687043/
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0171.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-4553: http://lwn.net/Vulnerabilities/687234/