From ${URL}:
Problem Description: Due to incorrect input validation in request parsing Squid is vulnerable to a denial of service attack when processing Range requests.
Severity: This problem allows any trusted client to perform a denial of service attack on the Squid service.
Updated Packages: This bug is fixed by Squid version 3.3.13 and 3.4.7
Arches, please test and mark stable =net-proxy/squid-3.3.13. Thank you. Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable
alpha stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2014-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3609): HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes
GLSA vote: yes. GLSA request filed.
This issue will not get a GLSA since users have already been advised to update to Squid >= 3.3.13-r1 in GLSA 201411-11. Closing noglsa.