Squid upstream has issued an advisory on December 17: http://www.squid-cache.org/Advisories/SQUID-2012_1.txt

According to Oden, this is CVE-2012-5643. It affects the squid-cachemgr subpackage from the squid SRPM. Oden also says our package already ships with Apache access restrictions for cachemgr (as suggested in the upstream advisory), so this is low impact for us.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to missing input validation, the Squid cachemgr.cgi tool in Squid before 3.1.22 and 3.2.4 is vulnerable to a denial of service attack when processing specially crafted requests (CVE-2012-5643).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643
http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
========================

Updated packages in core/updates_testing:
========================

squid-3.1.19-4.1.mga2
squid-cachemgr-3.1.19-4.1.mga2

from squid-3.1.19-4.1.mga2.src.rpm
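For readers who want to see what the "Apache access restrictions for cachemgr" mentioned above look like in practice, here is an illustrative httpd fragment of the kind the upstream advisory recommends. It is an added example, not the configuration actually shipped in the Mageia squid-cachemgr package; the ScriptAlias URL, the CGI path and the trusted addresses are assumptions chosen for illustration.

```apache
# Added example (not the Mageia package's own config): restrict the
# cachemgr.cgi management interface to trusted clients, so an unauthenticated
# remote request never reaches the CGI at all. Paths and addresses below are
# assumptions; adjust them to the local layout.
ScriptAlias /Squid/cgi-bin/cachemgr.cgi /usr/lib/squid/cachemgr.cgi

<Location /Squid/cgi-bin/cachemgr.cgi>
    # Apache 2.2 access-control syntax: deny everything, then allow only
    # the local host and (assumed) administrative network.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
    # replace with the real admin network
    Allow from 192.168.0.0/24
</Location>
```

With this in place only the listed sources can reach the CGI, which limits exposure to the denial of service even before the patched package is installed. On Apache 2.4 the same policy is written with `Require local` and `Require ip 192.168.0.0/24` instead of the `Order`/`Deny`/`Allow` directives.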
CC: (none) => oe
More info: http://cxsecurity.com/cveshow/CVE-2012-5643
Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2
Whiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/530748/
No PoC, that I can see, so just testing for regressions. The depcheck script doesn't show any new dependencies.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm squid-3.1.19-4.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated squid packages fix security vulnerability:

Due to missing input validation, the Squid cachemgr.cgi tool in Squid before 3.1.22 and 3.2.4 is vulnerable to a denial of service attack when processing specially crafted requests (CVE-2012-5643).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643
http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
https://bugs.mageia.org/show_bug.cgi?id=8453
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure => has_procedure MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0368
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Patch now checked into Mageia 1 SVN.