From $URL :
Originally, Common Vulnerabilities and Exposures assigned the identifier CVE-2012-5643 (bug #887962) to the following vulnerability: Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.
Later, the upstream patch for the CVE-2012-5643 issue was found to be incomplete, resulting in a new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744
The CVE identifier CVE-2013-0189 has been assigned to this new issue (and new patchset).
@security: We can stabilize =net-proxy/squid-3.1.23 which also has the additional fixes for CVE-2012-5643. Thank you.
(In reply to comment #1)
> @security: We can stabilize =net-proxy/squid-3.1.23 which also has the
> additional fixes for CVE-2012-5643. Thank you.

Thanks, Eray. Arches, please test and mark stable: =net-proxy/squid-3.1.23
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd"
amd64 stable
x86 stable
ppc done
Stable for HPPA.
CVE-2013-0189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0189): cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison.
arm stable
ppc64 stable
alpha stable
ia64 stable
sparc stable
Adding to the existing GLSA draft that contains CVE-2012-5643, unless someone strongly disagrees.
This issue was resolved and addressed in GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml by GLSA coordinator Sergey Popov (pinkbyte).