Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 521338 (CVE-2014-3609) - <net-proxy/squid-{3.3.13,3.4.7}: Denial of service in request processing (CVE-2014-3609)
Summary: <net-proxy/squid-{3.3.13,3.4.7}: Denial of service in request processing (CVE...
Status: RESOLVED FIXED
Alias: CVE-2014-3609
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Advisories...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-28 08:16 UTC by Eray Aslan
Modified: 2015-01-01 21:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eray Aslan gentoo-dev 2014-08-28 08:16:40 UTC
From ${URL}:

Problem Description:

 Due to incorrect input validation in request parsing Squid is
 vulnerable to a denial of service attack when processing
 Range requests.

__________________________________________________________________

Severity:

 This problem allows any trusted client to perform a denial of
 service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 3.3.13 and 3.4.7
Comment 1 Eray Aslan gentoo-dev 2014-08-28 08:19:50 UTC
Arches, please test and mark stable =net-proxy/squid-3.3.13.  Thank you.

Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-28 13:49:23 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-29 13:31:32 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-29 13:32:00 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-30 16:59:45 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-08-30 17:00:13 UTC
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2014-09-09 19:02:32 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-09-13 17:35:37 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-13 17:39:00 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-09-19 10:34:59 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-10-04 21:51:47 UTC
CVE-2014-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3609):
  HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows
  remote attackers to cause a denial of service (crash) via a request with
  crafted "Range headers with unidentifiable byte-range values."
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 00:20:10 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-28 22:42:47 UTC
GLSA vote: yes

glsa request filed
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-01 21:23:15 UTC
This issue will not get a GLSA since users have already been advised to update to to Squid >= 3.3.13-r1 in GLSA 201411-11. 

Closing noglsa.