From $URL :
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962)
to the following vulnerability:
Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22,
3.2.x before 3.2.4, and 3.3.x before 22.214.171.124 allow remote attackers to cause a denial of service
(memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted
Later it was found the upstream patch for CVE-2012-5643 issue to be incomplete, resulting in new
The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset).
@security: We can stabilize =net-proxy/squid-3.1.23 which also has the additional fixes for CVE-2012-5643. Thank you.
(In reply to comment #1)
> @security: We can stabilize =net-proxy/squid-3.1.23 which also has the
> additional fixes for CVE-2012-5643. Thank you.
Arches, please test and mark stable:
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd"
Stable for HPPA.
cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other
versions, allows remote attackers to cause a denial of service (resource
consumption) via a crafted request. NOTE: this issue is due to an incorrect
fix for CVE-2012-5643, possibly involving an incorrect order of arguments or
Adding to the existing GLSA draft that contains CVE-2012-5643, unless someone strongly disagrees.
This issue was resolved and addressed in
GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml
by GLSA coordinator Sergey Popov (pinkbyte).