From ${URL} :

A denial of service flaw was found in the way Squid, the proxy caching server, used to process port specific information, present in the HTTP Host: header of certain HTTP requests. A remote attacker could provide a specially-crafted HTTP request that, when processed, would lead to Squid daemon termination (denial of service).

External References: http://www.squid-cache.org/Advisories/SQUID-2013_3.txt

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
@security: Please stabilize =net-proxy/squid-3.2.13. Thank you.
Arch teams, please test and mark stable:
=net-proxy/squid-3.2.13
Stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
arm stable
sparc stable
GLSA vote: yes
Added to existing draft.
CVE-2013-4123 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4123): client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of service via a crafted port number in a HTTP Host header.
This issue was resolved and addressed in GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml by GLSA coordinator Sergey Popov (pinkbyte).