CVE-2013-0189

Name	CVE-2013-0189
Description	cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-2631-1
NVD severity	medium (attack range: remote)
Debian Bugs	696187

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
squid (PTS)	buster, sid	4.2-2	fixed
squid3 (PTS)	jessie (security), jessie	3.4.8-6+deb8u5	fixed
	stretch (security), stretch	3.5.23-5+deb9u1	fixed
	sid	3.5.27-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
squid	source	(unstable)	2.7.STABLE9-2	medium
squid3	source	(unstable)	3.1.20-2.1	medium		696187
squid3	source	squeeze	3.1.6-1.2+squeeze3	medium	DSA-2631-1

squid-cgi was removed in 2.7.STABLE9-2
possible regression, see #701123