8453 – squid-cachemgr new security issue CVE-2012-5643

Bug 8453 - squid-cachemgr new security issue CVE-2012-5643

Summary: squid-cachemgr new security issue CVE-2012-5643

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	2
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:	http://lwn.net/Vulnerabilities/530748/
Whiteboard:	has_procedure MGA2-64-OK MGA2-32-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2012-12-20 18:33 CET by David Walser
Modified:	2013-01-03 16:45 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	squid-3.1.19-4.mga2.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-12-20 18:33:25 CET

Squid upstream has issued an advisory on December 17:
http://www.squid-cache.org/Advisories/SQUID-2012_1.txt

According to Oden, this is CVE-2012-5643.

It affects the squid-cachemgr subpackage from the squid SRPM.

Oden also says our package already ships with Apache access restrictions for cachemgr (as suggested in the upstream advisory), so this is low impact for us.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to missing input validation, the Squid cachemgr.cgi tool in Squid before
3.1.22 and 3.2.4 is vulnerable to a denial of service attack when processing
specially crafted requests (CVE-2012-5643).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643
http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.1.mga2
squid-cachemgr-3.1.19-4.1.mga2

from squid-3.1.19-4.1.mga2.src.rpm

David Walser 2012-12-20 18:33:30 CET

CC: (none) => oe

Comment 1 claire robinson 2012-12-20 18:49:52 CET

More info: http://cxsecurity.com/cveshow/CVE-2012-5643

Comment 2 claire robinson 2012-12-21 13:18:02 CET

Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2

Whiteboard: (none) => has_procedure

David Walser 2012-12-27 00:31:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/530748/

Comment 3 Dave Hodgins 2012-12-27 02:13:55 CET

No poc, that I can see, so just testing for regressions.  The depcheck
script doesn't show any new dependencies.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
squid-3.1.19-4.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated squid packages fix security vulnerability:

Due to missing input validation, the Squid cachemgr.cgi tool in Squid before
3.1.22 and 3.2.4 is vulnerable to a denial of service attack when processing
specially crafted requests (CVE-2012-5643).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643
http://www.squid-cache.org/Advisories/SQUID-2012_1.txt

https://bugs.mageia.org/show_bug.cgi?id=8453

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure => has_procedure MGA2-64-OK MGA2-32-OK

Comment 4 Thomas Backlund 2012-12-27 23:44:58 CET

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0368

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 5 David Walser 2013-01-03 16:45:00 CET

Patch now checked into Mageia 1 SVN.

Note You need to log in before you can comment on or make changes to this bug.