From ${URL} :
A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion. This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4.
[1] http://wiki.squid-cache.org/Features/SslBump
Upstream patches:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch
External References:
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
+*squid-3.4.4 (11 Mar 2014) +*squid-3.3.12 (11 Mar 2014) + + 11 Mar 2014; Eray Aslan <eras@gentoo.org> +squid-3.3.12.ebuild, + +squid-3.4.4.ebuild: + Security bump - bug #504176 + @security: Please stabilize =net-proxy/squid-3.3.12. Thank you.
@eras, it seems that you forgot to CC arch teams.
Arches, please test and mark stable =net-proxy/squid-3.3.12
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
arm stable
x86 stable
ppc stable
alpha stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches and Maintainer(s), Thank you for your work! Security please Vote!
CVE-2014-0128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0128): Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
Maintainer(s), Thank you for cleanup! GLSA Vote: Yes
YES too, request filed.
This issue was resolved and addressed in GLSA 201411-11 at http://security.gentoo.org/glsa/glsa-201411-11.xml by GLSA coordinator Sergey Popov (pinkbyte).
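
An exposure check built from the affected ranges and the SSL-Bump precondition stated in the CVE-2014-0128 description above, as an added example that is not part of the original bug thread or of Squid. The function names and the sample squid.conf fragment are constructed for illustration, and the check assumes SSL-Bump is switched on through the `ssl-bump` (or older `sslBump`) option on an `http_port`/`https_port` line.

```python
import re

# Affected ranges as stated in the CVE-2014-0128 text on this page:
# 3.1 up to (not including) 3.3.12, and 3.4 up to (not including) 3.4.4.
AFFECTED = [((3, 1, 0), (3, 3, 12)), ((3, 4, 0), (3, 4, 4))]

# Constructed squid.conf fragment (paths and ports are sample values).
SAMPLE_CONF = """\
http_port 3128
http_port 3129 ssl-bump cert=/etc/squid/bump.pem
# http_port 3130 ssl-bump
ssl_bump server-first all
"""

def parse_version(text):
    """Extract (major, minor, patch) from `squid -v` output or a package atom."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Squid version found in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def version_affected(version):
    """True if the version falls inside one of the ranges named in the CVE."""
    return any(lo <= version < hi for lo, hi in AFFECTED)

def sslbump_ports(conf_text):
    """Return the listening-port lines that enable SSL-Bump, comments ignored."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] in ("http_port", "https_port"):
            # Assumption: both option spellings are treated as enabling SSL-Bump.
            if any(t in ("ssl-bump", "sslBump") for t in tokens[2:]):
                hits.append(line)
    return hits

def assess(version_text, conf_text):
    """Combine version and configuration into a triage status."""
    ports = sslbump_ports(conf_text)
    if not version_affected(parse_version(version_text)):
        return "not affected", ports
    if ports:
        return "exposed", ports
    return "affected version, SSL-Bump not enabled", ports

if __name__ == "__main__":
    print(assess("Squid Cache: Version 3.3.11", SAMPLE_CONF))
```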