CVE-2012-5643
Published: 20 December 2012
Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.
Notes
Author | Note |
---|---|
jdstrand | please also see CVE-2013-0189 which is a new CVE for the incomplete fix |
seth-arnold | The webserver should be configured to restrict access to cachemgr.cgi; this script shouldn't be exposed to untrusted users |
Priority
Status
Package | Release | Status |
---|---|---|
squid (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
squid | lucid | Released (2.7.STABLE7-1ubuntu12.6) |
squid | oneiric | Not vulnerable (binary built from squid3 source) |
squid | precise | Does not exist |
squid | quantal | Does not exist |
squid | raring | Does not exist |
squid | upstream | Released (3.2.4, 3.3.0.2) |

Patches:
upstream: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch (3.1)
upstream: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch (3.2)

Binaries built from this source package are in Universe and so are supported by the community.

Package | Release | Status |
---|---|---|
squid3 (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
squid3 | lucid | Ignored (end of life) |
squid3 | oneiric | Released (3.1.14-1ubuntu0.3) |
squid3 | precise | Released (3.1.19-1ubuntu3.12.04.2) |
squid3 | quantal | Released (3.1.20-1ubuntu1.1) |
squid3 | raring | Released (3.1.20-1ubuntu2) |
squid3 | upstream | Released (3.2.4, 3.3.0.2) |

Patches:
upstream: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch (3.1)
upstream: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch (3.2)

Binaries built from this source package are in Universe and so are supported by the community.