CVEs have been requested for security issues fixed in Squid 3.5.23:
http://openwall.com/lists/oss-security/2016/12/17/1

Freeze push request sent for Cauldron. I will update Mageia 5 soon.
Blocks: (none) => 18269
Assignee: bugsquad => luigiwalser
Severity: normal => major
CVE-2016-1000[23] assigned:
http://openwall.com/lists/oss-security/2016/12/18/1

Testing hints:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14

Advisory for upcoming update below.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Incorrect processing of responses to If-None-Modified HTTP conditional requests leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information (CVE-2016-10002).

Incorrect HTTP Request header comparison results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients (CVE-2016-10003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
http://openwall.com/lists/oss-security/2016/12/18/1
========================

Updated packages in core/updates_testing:
========================
squid-3.5.23-1.mga5
squid-cachemgr-3.5.23-1.mga5

from squid-3.5.23-1.mga5.src.rpm
Summary: squid new security issues fixed upstream in 3.5.23 => squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])
Whiteboard: (none) => has_procedure
Updated package uploaded for Mageia 5. Advisory and package list in Comment 1, as well as testing hints. I've posted this message through the updated squid on Mageia 5 x86_64, so it obviously works fine :o).
Assignee: luigiwalser => qa-bugs
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Also working fine on Mageia 5 i586.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
Thanks David. Validating & advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0423.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => https://lwn.net/Vulnerabilities/710087/