From ${URL} :

> On 6/03/2013 9:53 a.m., tytusromekiatomek@...hmail.com wrote:
>> ################################################################
>> # DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
>> ################################################################
>> # # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
>> c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 #
>> #######################################
>>
>> # Versions: 3.2.5, 3.2.7
>
> Thank you very much for reporting this to us upstream and ensuring
> a patch was available before publishing it publicly *cough*. This
> has now been fixed.
>
> Would you care to do better on the other ones before someone else
> has a chance to mail your exploit to our bugs@ address and grab all
> the discovery glory?
+*squid-3.3.3 (14 Mar 2013) +*squid-3.2.9 (14 Mar 2013) + + 14 Mar 2013; Eray Aslan <eras@gentoo.org> +squid-3.2.9.ebuild, + +squid-3.3.3.ebuild: + Security bump - bug #461492 + @security: We can stabilize =net-proxy/squid-3.2.9. Thank you.
Arches, please test and mark stable:
=net-proxy/squid-3.2.9
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd"
amd64 stable
x86 stable
ppc stable
ppc64 stable
Stable for HPPA.
arm stable
sparc stable
alpha stable
Added to existing draft.
ia64 stable
This issue was resolved and addressed in GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2013-1839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1839): The strHdrAcptLangGetItem function in errorpage.cc in Squid 3.2.x before 3.2.9 and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a "," character in an Accept-Language header.