
Bug 476960 (CVE-2013-4123)

Summary: <net-proxy/squid-3.2.13 : Denial of service when processing specially-crafted HTTP requests (CVE-2013-4123)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eras, net-proxy+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=984632
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-07-15 18:39:47 UTC
From ${URL} :

A denial of service flaw was found in the way Squid, the proxy caching server, used to process port specific information, present in the HTTP Host: header of certain HTTP requests. A remote attacker could provide a specially-crafted HTTP request that, when processed would lead to Squid daemon termination (denial of service).

External References:

http://www.squid-cache.org/Advisories/SQUID-2013_3.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Eray Aslan gentoo-dev 2013-07-15 20:06:29 UTC
@security:  Please stabilize =net-proxy/squid-3.2.13.  Thank you.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-15 20:51:05 UTC
Arch teams, please test and mark stable:
=net-proxy/squid-3.2.13
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-16 01:17:11 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-20 10:16:18 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-20 10:16:52 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-21 15:35:54 UTC
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-21 15:39:00 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-21 16:05:21 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-21 17:23:19 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-21 17:27:56 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-21 17:54:49 UTC
sparc stable
Comment 12 Sergey Popov gentoo-dev 2013-08-24 05:37:25 UTC
GLSA vote: yes
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2013-09-03 17:22:23 UTC
Added to existing draft.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:39:53 UTC
CVE-2013-4123 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4123):
  client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8
  allows remote attackers to cause a denial of service via a crafted port
  number in a HTTP Host header.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 09:52:20 UTC
This issue was resolved and addressed in
 GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml
by GLSA coordinator Sergey Popov (pinkbyte).