| Field | Value |
|---|---|
| Summary: | <net-proxy/squid-3.0.18 Multiple Remote Denial of service issues in header processing (CVE-2009-{2621,2622}) |
| Product: | Gentoo Security |
| Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | henson, martin.holzer, net-proxy+disabled, ole+gentoo |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.squid-cache.org/Advisories/SQUID-2009_2.txt |
| Whiteboard: | B3 [glsa] |
| Package list: | --- |
| Runtime testing required: | --- |
Description

Robert Buchholz (RETIRED) 2009-07-27 19:31:37 UTC

any progress with 3.0.STABLE17? thank you

CVE-2009-2621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2621): Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc.

CVE-2009-2622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2622): Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) "missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc.

Version 3.0.18 is now in the tree. Arch teams, please do your thing.

x86 stable

ppc64 done

(In reply to comment #3)
> Version 3.0.18 is now in the tree.
> Arch teams, please do your thing.

That's =net-proxy/squid-3.0.18 then...

Stable for HPPA.

Stable on alpha.

amd64 stable

arm/ia64/sparc stable

This will be added to the other HttpMsg.cc GLSA.

could be closed, not more in cvs tree

(In reply to comment #12)
> could be closed, not more in cvs tree

The GLSA is still pending. Please don't post such comments in the future, thanks.

This issue was resolved and addressed in GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml by GLSA coordinator Tim Sammut (underling).