https://bugzilla.redhat.com/show_bug.cgi?id=895972

"Jan Lieskovsky 2013-01-16 07:05:21 EST

Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later it was found that the upstream patch for the CVE-2012-5643 issue was incomplete, resulting in a new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset)."
fixed in r391672 (mga2, updates_testing, squid-3.1.19-4.2.mga2)
squid-3.2.6 in cauldron is unaffected.
Ubuntu has issued an advisory on January 30: http://www.ubuntu.com/usn/usn-1713-1/

Advisory:
========================

Updated squid packages fix security vulnerability:

It was discovered that the patch for CVE-2012-5643 was incorrect. A remote attacker could exploit this flaw to perform a denial of service attack (CVE-2013-0189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189
http://www.ubuntu.com/usn/usn-1713-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.2.mga2
squid-cachemgr-3.1.19-4.2.mga2

from squid-3.1.19-4.2.mga2.src.rpm
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189 => http://lwn.net/Vulnerabilities/535428/
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs
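The advisory above names squid-3.1.19-4.2.mga2 (and squid-cachemgr-3.1.19-4.2.mga2, since cachemgr.cgi is packaged separately) as the fixed build for Mageia 2. Below is an added example of checking an installed host against that build; it is not code from this bug report, the QA procedure, or the squid project. It reimplements rpm's version ordering (rpmvercmp with tilde handling, caret omitted) so that a release tag like 4.2.mga2 is compared the way rpm compares it rather than as a plain string. The FIXED_EVR constant, the package list and all function names are the example's own. Note that it keys on the Mageia package EVR, not on the upstream thresholds 3.1.22 / 3.2.4 / 3.3.0.2, because Mageia 2 stayed on 3.1.19 and backported the fix.

```python
"""Check whether installed squid packages are at or above the NEVR
shipped for CVE-2013-0189 on Mageia 2 (squid-3.1.19-4.2.mga2).

Added example, not from the bug report or the squid project. The
rpm-compatible comparison is implemented in pure Python; only the
optional installed_evr() helper shells out to rpm.
"""
import subprocess

# Fixed build named in the advisory in this bug (assumption: Mageia 2 only).
FIXED_EVR = "3.1.19-4.2.mga2"
# Both binary packages come from the same SRPM, so both are checked.
PACKAGES = ("squid", "squid-cachemgr")


def _segment(s: str, i: int):
    """Return the digit run or letter run starting at s[i], and the index after it."""
    j = i
    if s[i].isdigit():
        while j < len(s) and s[j].isdigit():
            j += 1
    else:
        while j < len(s) and s[j].isalpha():
            j += 1
    return s[i:j], j


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp():
    -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while True:
        # Separators (anything that is not alphanumeric or '~') are ignored.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A tilde sorts before everything, even end of string (1.0~rc1 < 1.0).
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        sa, i = _segment(a, i)
        sb, j = _segment(b, j)
        # A numeric segment is newer than an alphabetic one ("1.1" > "1.a").
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            # Numeric: drop leading zeros, then the longer number is larger.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has segments left is newer ("1.0a" > "1.0").
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (int epoch, version, release).
    rpm prints '(none)' for a missing epoch; treat that as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(x: str, y: str) -> int:
    """Full EVR ordering: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    r = rpmvercmp(vx, vy)
    return r if r else rpmvercmp(rx, ry)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR is at or above the advisory's fixed EVR."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def installed_evr(package: str):
    """Ask rpm for the installed EVR of a package; None if absent or rpm is missing."""
    try:
        proc = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", package],
            capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    for pkg in PACKAGES:
        evr = installed_evr(pkg)
        if evr is None:
            print(f"{pkg}: not installed")
        else:
            state = "fixed" if is_fixed(evr) else "still vulnerable (CVE-2013-0189)"
            print(f"{pkg} {evr}: {state} (fixed in {FIXED_EVR})")
```

A plain string comparison would get the release wrong as soon as a two-digit release number appears (4.10.mga2 sorts before 4.2.mga2 as text but after it for rpm), which is why the segment-wise comparison is worth the extra lines. For a Mageia 1 host the FIXED_EVR would have to be replaced with whatever build the Mageia 1 SVN checkin mentioned later in this bug produced; the page does not name it, so the example does not guess.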
Summary: CVE-2013-0189: squid - incomplete fix for CVE-2012-5643 => squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Severity: normal => major
Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2
Whiteboard: (none) => has_procedure
No PoC, so just testing that it works. Testing mga2 64.
Testing complete mga2 64
Whiteboard: has_procedure => has_procedure mga2-64-OK
Testing complete mga2 32

Validating Advisory & SRPM in comment 3

Can sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-ok
Forgot to mention, patch checked into Mageia 1 SVN.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0029
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED