squid3: CVE-2014-3609: Denial of service in request processing

Related Vulnerabilities: CVE-2014-3609  

Debian Bug report logs - #759509


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 27 Aug 2014 20:33:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version squid3/3.1.6-1

Fixed in versions squid3/3.1.20-2.2+deb7u2, squid3/3.3.8-1.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#759509; Package src:squid3. (Wed, 27 Aug 2014 20:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Wed, 27 Aug 2014 20:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squid3: CVE-2014-3609: Denial of service in request processing
Date: Wed, 27 Aug 2014 22:30:05 +0200
Source: squid3
Version: 3.1.6-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi

Squid3 is vulnerable to a denial of service attack when processing
Range requests, see [1].

 [1] http://www.squid-cache.org/Advisories/SQUID-2014_2.txt

Regards,
Salvatore



Marked as fixed in versions squid3/3.1.20-2.2+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Aug 2014 15:39:24 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#759509; Package src:squid3. (Thu, 28 Aug 2014 16:27:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Thu, 28 Aug 2014 16:27:09 GMT)


Message #12 received at 759509@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 759509@bugs.debian.org
Subject: squid3: diff for NMU version 3.3.8-1.2
Date: Thu, 28 Aug 2014 18:24:41 +0200
Control: tags 759509 + pending

Hi Luigi!

I will upload this directly with the upstream patch to resolve
CVE-2014-3609 (Denial of service in request processing).

Regards,
Salvatore
[squid3-3.3.8-1.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 759509-submit@bugs.debian.org. (Thu, 28 Aug 2014 16:27:09 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 28 Aug 2014 16:39:52 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Aug 2014 16:39:52 GMT)


Message #19 received at 759509-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 759509-close@bugs.debian.org
Subject: Bug#759509: fixed in squid3 3.3.8-1.2
Date: Thu, 28 Aug 2014 16:34:35 +0000
Source: squid3
Source-Version: 3.3.8-1.2

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 759509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Aug 2014 18:03:47 +0200
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: source all amd64
Version: 3.3.8-1.2
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 759509
Changes:
 squid3 (3.3.8-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-3609.patch patch.
     CVE-2014-3609: Denial of Service in Range header processing.
     Ignore Range headers with unidentifiable byte-range values. If squid is
     unable to determine the byte value for ranges, treat the header as
     invalid. (Closes: #759509)
Checksums-Sha1:
 17b4391fa00e33ad05ddb5c97f47c18efa7d06db 2214 squid3_3.3.8-1.2.dsc
 1de9fca2002f9a1013d17075f46405fa11ff8b68 19788 squid3_3.3.8-1.2.debian.tar.xz
 ffc654dae73ceaa0910a4f011753047a3bf723f9 245894 squid3-common_3.3.8-1.2_all.deb
 06bf58cc78326ed9f0195d52ebdeb52bafc615d6 1895306 squid3_3.3.8-1.2_amd64.deb
 9a23106ce382a4d2ecc5b1e22172f3ad1d8754ba 7851876 squid3-dbg_3.3.8-1.2_amd64.deb
 1313938d5e5109142e8cf0ba2ac7a57b54e33105 134518 squidclient_3.3.8-1.2_amd64.deb
 8c5c59c5afb493d5b4d7825a213356dad5f6f7db 137562 squid-cgi_3.3.8-1.2_amd64.deb
 03d66b646f960150c6d1d4d708bb9193e10a9232 128508 squid-purge_3.3.8-1.2_amd64.deb
Checksums-Sha256:
 592619d25f05c7aa198beb4b2cc3957bb2e498eb699859c14a6a102913b184c8 2214 squid3_3.3.8-1.2.dsc
 621ef790ff4e4821a9de0e71d353968f9f0b5e65b09935f075a4152b21be1779 19788 squid3_3.3.8-1.2.debian.tar.xz
 9dedd2a34a76692ec877fc27aa1367a9bbd59d0091e6ce78fa901ec906802e07 245894 squid3-common_3.3.8-1.2_all.deb
 f7f8885c5d33136e6a6b1f64d509f00ce05a8ed12acc8df3b17cb3152150e3db 1895306 squid3_3.3.8-1.2_amd64.deb
 e3564b6464724da5859207ba326e44aeb3646c121296b78a84502f5d273c65ab 7851876 squid3-dbg_3.3.8-1.2_amd64.deb
 48a750b340aeea2a6490904a7fa19e1c55168f073b58530e9af5456011eb0852 134518 squidclient_3.3.8-1.2_amd64.deb
 585ad16ca01519349904db347c1d35b910a56c25f43410527212b26597f2cfcf 137562 squid-cgi_3.3.8-1.2_amd64.deb
 0472755d7a46d03525cedf3bce754603f9ead57e96c6190e5aabdaf7548e9ba0 128508 squid-purge_3.3.8-1.2_amd64.deb
Files:
 6635ce5b9c3288c2081e97fb4dd9dee7 245894 web optional squid3-common_3.3.8-1.2_all.deb
 06a828133d6c01ceb7bfe1fa2f4a3a8b 1895306 web optional squid3_3.3.8-1.2_amd64.deb
 b932377469aa2928284b8e27652748c7 7851876 debug extra squid3-dbg_3.3.8-1.2_amd64.deb
 1f644a441c69a559e3bf5118b8f34db6 134518 web optional squidclient_3.3.8-1.2_amd64.deb
 0d4bfb6c86e2e9dd14149eac704ccb99 137562 web optional squid-cgi_3.3.8-1.2_amd64.deb
 c1da7f4b67b50d5413a995e118583357 128508 web optional squid-purge_3.3.8-1.2_amd64.deb
 8623f2eb1af472b9f3d24759bc9e3e76 2214 web optional squid3_3.3.8-1.2.dsc
 ecadd50aa05628efd6e3c7ca20bda4f5 19788 web optional squid3_3.3.8-1.2.debian.tar.xz

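The changelog entry above describes the fix for CVE-2014-3609 as a policy: when Squid cannot determine the byte values of a Range header, the whole header is treated as invalid rather than acted on. The following is an added example of that defensive policy written for this page; it is not Squid's code and not the CVE-2014-3609.patch itself. It is a stand-alone Range-header validator in which any byte-range that is empty, non-numeric, overflowing or inverted makes the entire header invalid, so a caller ignores the header and serves the full response instead of processing a half-understood range. The names ByteRange, parseRangeHeader and rangeHeaderIsValid are hypothetical, and the sample header values in the comments are constructed.

```cpp
// Added example, not Squid's code: strict Range header parsing where any
// byte-range value that cannot be identified invalidates the whole header.
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// One byte-range-spec from RFC 7233: "first-last", "first-", or "-suffix".
struct ByteRange {
    bool suffix = false;            // true for "-N" (the last N bytes)
    uint64_t first = 0;             // first-byte-pos, or N for a suffix range
    std::optional<uint64_t> last;   // last-byte-pos; absent for "N-" and suffix ranges
};

// Parse a run of ASCII digits. Empty input, a non-digit, or overflow all fail;
// there is deliberately no atoi-style "parse what you can" fallback.
static std::optional<uint64_t> parseDigits(const std::string& s) {
    if (s.empty()) return std::nullopt;
    uint64_t v = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return std::nullopt;
        const uint64_t d = static_cast<uint64_t>(c - '0');
        if (v > (UINT64_MAX - d) / 10) return std::nullopt;   // would overflow
        v = v * 10 + d;
    }
    return v;
}

static std::string trim(const std::string& s) {
    const size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    const size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Parse a Range header value such as "bytes=0-99, 200-" (constructed sample).
// Returns nullopt on any defect: the header is then ignored as a whole.
std::optional<std::vector<ByteRange>> parseRangeHeader(const std::string& value) {
    static const std::string prefix = "bytes=";
    const std::string v = trim(value);
    if (v.compare(0, prefix.size(), prefix) != 0) return std::nullopt;
    const std::string specs = v.substr(prefix.size());

    std::vector<ByteRange> out;
    size_t pos = 0;
    while (pos <= specs.size()) {
        const size_t comma = specs.find(',', pos);
        const size_t len = (comma == std::string::npos) ? std::string::npos : comma - pos;
        const std::string spec = trim(specs.substr(pos, len));
        pos = (comma == std::string::npos) ? specs.size() + 1 : comma + 1;

        if (spec.empty()) return std::nullopt;                 // "bytes=" or "0-9,,10-"
        const size_t dash = spec.find('-');
        if (dash == std::string::npos) return std::nullopt;    // "bytes=100"
        const std::string a = spec.substr(0, dash);
        const std::string b = spec.substr(dash + 1);

        ByteRange r;
        if (a.empty()) {                                       // suffix form "-N"
            const auto n = parseDigits(b);
            if (!n) return std::nullopt;                       // bare "-" or "-abc"
            r.suffix = true;
            r.first = *n;
        } else {
            const auto f = parseDigits(a);
            if (!f) return std::nullopt;                       // "abc-", "1.5-9"
            r.first = *f;
            if (!b.empty()) {
                const auto l = parseDigits(b);
                if (!l) return std::nullopt;
                if (*l < *f) return std::nullopt;              // inverted "9-0"
                r.last = *l;
            }
        }
        out.push_back(r);
    }
    return out;
}

// Convenience for request handling: honour the header only if it is fully valid.
bool rangeHeaderIsValid(const std::string& value) {
    return parseRangeHeader(value).has_value();
}
```

The design choice that matters is all-or-nothing: a single bad element rejects the header instead of silently dropping it and honouring the rest, which removes the ambiguity about what the proxy has actually agreed to serve. The parser is stricter than the RFC 7233 list syntax in one respect, in that it also rejects empty list elements (a trailing or doubled comma); for a cache that is the safer default.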




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Sep 2014 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:42:21 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.