| Summary: | <net-proxy/squid-{3.3.13,3.4.7}: Denial of service in request processing (CVE-2014-3609) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Eray Aslan <eras> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | eras, net-proxy+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.squid-cache.org/Advisories/SQUID-2014_2.txt | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Arches, please test and mark stable =net-proxy/squid-3.3.13. Thank you. Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 Stable for HPPA. amd64 stable x86 stable ppc stable ppc64 stable arm stable alpha stable ia64 stable sparc stable. Maintainer(s), please cleanup. Security, please vote. CVE-2014-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3609): HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values." Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes GLSA vote: yes glsa request filed This issue will not get a GLSA since users have already been advised to update to to Squid >= 3.3.13-r1 in GLSA 201411-11. Closing noglsa. |
From ${URL}: Problem Description: Due to incorrect input validation in request parsing Squid is vulnerable to a denial of service attack when processing Range requests. __________________________________________________________________ Severity: This problem allows any trusted client to perform a denial of service attack on the Squid service. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.3.13 and 3.4.7