Bug 162364 - net-proxy/squid FTP url DoS (CVE-2007-0247 CVE-2007-0248)
Summary: net-proxy/squid FTP url DoS (CVE-2007-0247 CVE-2007-0248)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/23767/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-16 14:19 UTC by Executioner
Modified: 2007-01-25 21:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Executioner 2007-01-16 14:19:26 UTC
Two vulnerabilities have been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An error in the handling of certain FTP URL requests can be exploited to crash Squid by visiting a specially crafted FTP URL via the proxy.

2) An error in the external_acl queue can cause Squid to crash when it is under high load conditions.

The vulnerabilities are reported in version 2.6. Other versions may also be affected.

Solution:
Update to version 2.6.STABLE7.

Reproducible: Didn't try

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-01-16 14:20:40 UTC
2.6.7 already in the tree; just needs to be stabilized...
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-16 18:51:29 UTC
Hi arches, please test and mark stable squid-2.6.7 if possible, thanks
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2007-01-16 23:09:30 UTC
x86 stable
Comment 4 Jason Wever (RETIRED) gentoo-dev 2007-01-16 23:41:17 UTC
Stable on SPARC
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-01-17 07:49:27 UTC
ppc64 stable
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2007-01-18 03:15:40 UTC
Stable on Alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-18 08:07:10 UTC
Marked stable for HPPA by killerfox.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-18 21:02:43 UTC
ppc stable
Comment 9 Alexander Færøy 2007-01-19 18:37:06 UTC
Stable on IA64.
Comment 10 Alexander Færøy 2007-01-20 16:48:44 UTC
Stable on MIPS.
Comment 11 Alin Năstac (RETIRED) gentoo-dev 2007-01-21 07:34:15 UTC
Marked stable on amd64.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 12:58:35 UTC
thanks arches

GLSA vote

I vote a full-yes since it's a squid DoS!!!
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 16:59:24 UTC
voting yes, filing draft request
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-25 21:01:44 UTC
GLSA 200701-22

thanks everyone