squid: incorrect input validation (CVE-2014-3609)
Squid Proxy Cache Security Update Advisory SQUID-2014:2
Advisory ID: SQUID-2014:2
Date: August 28, 2014
Summary: Denial of service in request processing
Affected versions: Squid 3.x -> 3.3.12
Squid 3.4 -> 3.4.6
Fixed in version: Squid 3.3.13, 3.4.7
Problem Description:
Due to incorrect input validation in request parsing, Squid is vulnerable
to a denial of service attack when processing Range requests.
Severity:
This problem allows any trusted client to perform a denial of service
attack on the Squid service.
References:
http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609
Patches:
Squid 3.2:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11828.patch
Squid 3.3:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12680.patch
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13168.patch
(from redmine: issue id 3383, created on 2014-09-25, closed on 2014-10-01)
- Relations:
- child #3384 (closed)
- child #3385 (closed)
- child #3386 (closed)