Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 504176 (CVE-2014-0128) - <net-proxy/squid-{3.3.12,3.4.3}: denial of service when using SSL-Bump (CVE-2014-0128)
Summary: <net-proxy/squid-{3.3.12,3.4.3}: denial of service when using SSL-Bump (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2014-0128
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-11 08:21 UTC by Agostino Sarubbo
Modified: 2014-11-27 14:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-11 08:21:06 UTC
From ${URL} :

A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an 
attacker could send crafted requests that would cause Squid to crash with an assertion.

This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The 
issue was fixed in versions 3.3.12 and 3.4.4.

[1] http://wiki.squid-cache.org/Features/SslBump

Upstream patches:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch

External References:

http://www.squid-cache.org/Advisories/SQUID-2014_1.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Eray Aslan gentoo-dev 2014-03-11 20:52:35 UTC
+*squid-3.4.4 (11 Mar 2014)
+*squid-3.3.12 (11 Mar 2014)
+
+  11 Mar 2014; Eray Aslan <eras@gentoo.org> +squid-3.3.12.ebuild,
+  +squid-3.4.4.ebuild:
+  Security bump - bug #504176
+

@security:  Please stabilize =net-proxy/squid-3.3.12.  Thank you.
Comment 2 Sergey Popov gentoo-dev 2014-04-04 11:34:32 UTC
@eras, it seems that you forgot to CC arch teams

Arches, please test and mark stable =net-proxy/squid-3.3.12

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-05 14:13:11 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-05 22:01:13 UTC
amd64 stable
Comment 5 Markus Meier gentoo-dev 2014-04-07 19:40:24 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-04-12 09:35:30 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:04 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-04-21 10:51:00 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-11 08:10:13 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:32 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:14:30 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-05-20 03:37:19 UTC
Arches and Maintainer(s), Thank you for your work!

Security please Vote!
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-16 04:50:22 UTC
CVE-2014-0128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0128):
  Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled,
  allows remote attackers to cause a denial of service (assertion failure) via
  a crafted range request, related to state management.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:51:23 UTC
Maintainer(s), Thank you for cleanup!

GLSA Vote: Yes
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 19:12:24 UTC
YES too, request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-11-27 14:48:28 UTC
This issue was resolved and addressed in
 GLSA 201411-11 at http://security.gentoo.org/glsa/glsa-201411-11.xml
by GLSA coordinator Sergey Popov (pinkbyte).