19970 – squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])

Bug 19970 - squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])

Summary: squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	https://lwn.net/Vulnerabilities/710087/
Whiteboard:	has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords:	validated_update

Depends on:
Blocks:	18269
	Show dependency tree / graph

Reported:	2016-12-17 18:20 CET by David Walser
Modified:	2016-12-23 21:02 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	squid-3.5.19-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-12-17 18:20:20 CET

CVEs have been requested for security issues fixed in Squid 3.5.23:
http://openwall.com/lists/oss-security/2016/12/17/1

Freeze push request sent for Cauldron.  I will update Mageia 5 soon.

David Walser 2016-12-17 18:20:50 CET

Blocks: (none) => 18269
Assignee: bugsquad => luigiwalser

David Walser 2016-12-17 18:21:21 CET

Severity: normal => major

Comment 1 David Walser 2016-12-18 02:30:51 CET

CVE-2016-1000[23] assigned:
http://openwall.com/lists/oss-security/2016/12/18/1

Testing hints:
https://bugs.mageia.org/show_bug.cgi?id=14004#c3
https://bugs.mageia.org/show_bug.cgi?id=16304#c14

Advisory for upcoming update below.

Advisory:
========================

Updated squid packages fix security vulnerabilities:

Incorrect processing of responses to If-None-Modified HTTP conditional requests
leads to client-specific Cookie data being leaked to other clients. Attack
requests can easily be crafted by a client to probe a cache for this information
(CVE-2016-10002).

Incorrect HTTP Request header comparison results in Collapsed Forwarding feature
mistakenly identifying some private responses as being suitable for delivery to
multiple clients (CVE-2016-10003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
http://openwall.com/lists/oss-security/2016/12/18/1
========================

Updated packages in core/updates_testing:
========================
squid-3.5.23-1.mga5
squid-cachemgr-3.5.23-1.mga5

from squid-3.5.23-1.mga5.src.rpm

Summary: squid new security issues fixed upstream in 3.5.23 => squid new security issues fixed upstream in 3.5.23 (CVE-2016-1000[23])
Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-12-18 16:56:37 CET

Updated package uploaded for Mageia 5.

Advisory and package list in Comment 1, as well as testing hints.

I've posted this message through the updated squid on Mageia 5 x86_64, so it obviously works fine :o).

Assignee: luigiwalser => qa-bugs
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 David Walser 2016-12-20 03:44:29 CET

Also working fine on Mageia 5 i586.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 4 Lewis Smith 2016-12-22 21:01:21 CET

Thanks David.
Validating & advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2016-12-22 22:42:12 CET

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0423.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-12-23 21:02:55 CET

URL: (none) => https://lwn.net/Vulnerabilities/710087/

Note You need to log in before you can comment on or make changes to this bug.