Description: cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 696187
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| squid (PTS) | squeeze | 2.7.STABLE9-2.1 | fixed |
| squid | squeeze (lts) | 2.7.STABLE9-2.1+deb6u1 | fixed |
| squid | wheezy (security), wheezy | 2.7.STABLE9-4.1+deb7u1 | fixed |
| squid3 (PTS) | squeeze, squeeze (security) | 3.1.6-1.2+squeeze3 | fixed |
| squid3 | squeeze (lts) | 3.1.6-1.2+squeeze5 | fixed |
| squid3 | wheezy (security), wheezy | 3.1.20-2.2+deb7u3 | fixed |
| squid3 | jessie (security), jessie | 3.4.8-6+deb8u1 | fixed |
| squid3 | stretch, sid | 3.5.12-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|


squid-cgi was removed in 2.7.STABLE9-2
possible regression, see #701123
