CVE-2014-3609
squid - security update
EPSS 56.2%
Description
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted Range headers containing "unidentifiable byte-range values".
How to fix CVE-2014-3609
To remediate CVE-2014-3609, upgrade the affected package to a fixed version below.
- Debian/squid: upgrade to 2.7.STABLE9-5 or later
- Debian/squid: upgrade to 2.7.STABLE9-2.1+deb6u1 or later
- Debian/squid: upgrade to 2.7.STABLE9-4.1+deb7u1 or later
- upgrade to 3.1.6-1.2+squeeze4 or later
- upgrade to 3.1.20-2.2+deb7u2 or later
Is CVE-2014-3609 being exploited?
Likely — EPSS is 56.2%, placing CVE-2014-3609 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (5)
- all versions from 0 up to, but not including, 2.7.STABLE9-5
- all versions from 0 up to, but not including, 2.7.STABLE9-2.1+deb6u1
- all versions from 0 up to, but not including, 2.7.STABLE9-4.1+deb7u1
- all versions from 0 up to, but not including, 3.1.6-1.2+squeeze4
- all versions from 0 up to, but not including, 3.1.20-2.2+deb7u2