Bug 8794 - squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
: squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/535428/
: has_procedure mga2-64-OK mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-01-23 17:08 CET by Oden Eriksson
Modified: 2013-02-06 23:03 CET (History)
3 users (show)

See Also:
Source RPM: squid-3.1.19-4.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description Oden Eriksson 2013-01-23 17:08:14 CET
https://bugzilla.redhat.com/show_bug.cgi?id=895972

"Jan Lieskovsky 2013-01-16 07:05:21 EST

Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later it was found the upstream patch for CVE-2012-5643 issue to be incomplete, resulting in new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset)."
Comment 1 Oden Eriksson 2013-01-23 17:09:10 CET
fixed in r391672 (mga2, updates_testing, squid-3.1.19-4.2.mga2)
Comment 2 Oden Eriksson 2013-01-23 17:14:00 CET
squid-3.2.6 in cauldron is unaffected.
Comment 3 David Walser 2013-01-31 21:22:44 CET
Ubuntu has issued an advisory on January 30:
http://www.ubuntu.com/usn/usn-1713-1/

Advisory:
========================

Updated squid packages fix security vulnerability:

It was discovered that the patch for CVE-2012-5643 was incorrect. A
remote attacker could exploit this flaw to perform a denial of service
attack (CVE-2013-0189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189
http://www.ubuntu.com/usn/usn-1713-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.2.mga2
squid-cachemgr-3.1.19-4.2.mga2

from squid-3.1.19-4.2.mga2.src.rpm
Comment 4 claire robinson 2013-02-01 14:24:38 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2
Comment 5 claire robinson 2013-02-01 14:28:25 CET
No PoC so just testing it works.

Testing mga2 64
Comment 6 claire robinson 2013-02-01 16:31:22 CET
Testing complete mga2 64
Comment 7 claire robinson 2013-02-01 17:45:07 CET
Testing complete mga2 32

Validating

Advisory & SRPM in comment 3

Can sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 8 David Walser 2013-02-05 20:40:00 CET
Forgot to mention, patch checked into Mageia 1 SVN.
Comment 9 Thomas Backlund 2013-02-06 23:03:35 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0029

Note You need to log in before you can comment on or make changes to this bug.