Control: tags 759509 + pending Hi Luigi!
I will upload this directly with the upstream patch to resolve CVE-2014-3609 (Denial of service in request processing). Regards, Salvatore
diff -Nru squid3-3.3.8/debian/changelog squid3-3.3.8/debian/changelog --- squid3-3.3.8/debian/changelog 2013-11-23 21:05:12.000000000 +0100 +++ squid3-3.3.8/debian/changelog 2014-08-28 18:04:07.000000000 +0200 @@ -1,3 +1,14 @@ +squid3 (3.3.8-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Add CVE-2014-3609.patch patch. + CVE-2014-3609: Denial of Service in Range header processing. + Ignore Range headers with unidentifiable byte-range values. If squid is + unable to determine the byte value for ranges, treat the header as + invalid. (Closes: #759509) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 28 Aug 2014 18:03:47 +0200 + squid3 (3.3.8-1.1) unstable; urgency=low * Non-maintainer upload. diff -Nru squid3-3.3.8/debian/patches/CVE-2014-3609.patch squid3-3.3.8/debian/patches/CVE-2014-3609.patch --- squid3-3.3.8/debian/patches/CVE-2014-3609.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid3-3.3.8/debian/patches/CVE-2014-3609.patch 2014-08-28 18:04:07.000000000 +0200 @@ -0,0 +1,39 @@ +Description: Ignore Range headers with unidentifiable byte-range values + If squid is unable to determine the byte value for ranges, treat the + header as invalid. +Origin: upstream, http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12680.patch +Bug-Debian: https://bugs.debian.org/759509 +Author: Amos Jeffries <squ...@treenet.co.nz> +Last-Update: 2014-08-28 +Applied-Upstream: 3.3.13, 3.4.7 + +=== modified file 'src/HttpHdrRange.cc' +--- a/src/HttpHdrRange.cc ++++ b/src/HttpHdrRange.cc +@@ -92,7 +92,7 @@ HttpHdrRangeSpec::parseInit(const char * + + /* is it a suffix-byte-range-spec ? */ + if (*field == '-') { +- if (!httpHeaderParseOffset(field + 1, &length)) ++ if (!httpHeaderParseOffset(field + 1, &length) || !known_spec(length)) + return false; + } else + /* must have a '-' somewhere in _this_ field */ +@@ -100,7 +100,7 @@ HttpHdrRangeSpec::parseInit(const char * + debugs(64, 2, "invalid (missing '-') range-spec near: '" << field << "'"); + return false; + } else { +- if (!httpHeaderParseOffset(field, &offset)) ++ if (!httpHeaderParseOffset(field, &offset) || !known_spec(offset)) + return false; + + ++p; +@@ -109,7 +109,7 @@ HttpHdrRangeSpec::parseInit(const char * + if (p - field < flen) { + int64_t last_pos; + +- if (!httpHeaderParseOffset(p, &last_pos)) ++ if (!httpHeaderParseOffset(p, &last_pos) || !known_spec(last_pos)) + return false; + + // RFC 2616 s14.35.1 MUST: last-byte-pos >= first-byte-pos diff -Nru squid3-3.3.8/debian/patches/series squid3-3.3.8/debian/patches/series --- squid3-3.3.8/debian/patches/series 2013-10-25 23:07:04.000000000 +0200 +++ squid3-3.3.8/debian/patches/series 2014-08-28 18:04:07.000000000 +0200 @@ -3,3 +3,4 @@ 15-cachemgr-default-config.patch 16-ipc-statedir.patch 17-pod2man-check.patch +CVE-2014-3609.patch
