CVE-2014-0128

Publication date 14 April 2014

Last updated 24 July 2024


Ubuntu priority

Negligible

Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.

Status

Package   Ubuntu Release      Status
squid3    15.10 wily          Fixed 3.3.8-1ubuntu16.2
squid3    14.04 LTS trusty    Fixed 3.3.8-1ubuntu6.6
squid3    12.04 LTS precise   Fixed 3.1.19-1ubuntu3.12.04.6

Notes


seth-arnold

Flaw requires building the package with --enable-ssl; this flag is not used in Debian nor Ubuntu's builds.


mdeslaur

However, we should probably fix this anyway as rebuilding the Ubuntu package locally to enable ssl is a common scenario.

Patch details

For informational purposes only. We recommend against cherry-picking updates.

Package Patch details
squid3