Summary: | <net-proxy/squid-3.1.6-r1 DoS (CVE-2010-{0308,0639}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Clemente Aguiar <clemente.aguiar> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bldewolf, henson, martin.holzer, net-proxy+disabled, ole+gentoo, trxman |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE21-RELEASENOTES.html | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Attachments: |
Description
Clemente Aguiar
2010-01-22 11:45:15 UTC
Actually version 3.0 STABLE22 is already out. There is a security issue with previous version: http://www.squid-cache.org/Advisories/SQUID-2010_1.txt The 2.7 branch also needs to be fixed and currently there is no new release available. Hopefully, there is a patch that can be added to a new ebuild: http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch Squid-3.0.STABLE23 has been released. This is a correction on 3.0.STABLE22 which has now been withdrawn from circulation. net-proxy: Can this go stable? Forget my last post. net-proxy: please provide updated ebuilds. Any ETA on a new ebuild to resolve this security issue? Thanks... CVE-2010-0308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308): lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. CVE-2010-0639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639): The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0 through 3.0.STABLE23 allows remote attackers to cause a denial of service (crash) via crafted packets to the HTCP port, which triggers a NULL pointer dereference. net-proxy: ping! Squid 3.0.STABLE25 has been released... (In reply to comment #9) > Squid 3.0.STABLE25 has been released... > And 2.7.STABLE8! I took a shot at making an ebuild for 3.0.25. It looks fairly simple, renaming squid-3.0.20-r1.ebuild works, squid-3.0.20-gentoo.patch has one hunk that fails (it removes -Werror from a line and the line around the -Werror changed), and the other patches (squid-3.0.20-cross-compile.patch, squid-3.0.20-libmd5.patch, and squid-3.0.20-adapted-zph.patch) appear to apply with offsets. After the -gentoo patch is fixed, it compiles and installs fine. I have yet to place it in a test environment. Let me know if I should attach the updated patches to this ticket. Sure, that would be nice - I think the net-proxy herd will appreciate it. If you could test them - even better. :) Created attachment 225165 [details, diff]
Updated -gentoo patch, with fix for broken hunk
Created attachment 225167 [details, diff]
Updated cross-compile patch for offset changes
Created attachment 225169 [details, diff]
Updated libmd5 patch for offset changes
Created attachment 225171 [details, diff]
Updated adapted-zph patch for offset changes
*** Bug 311653 has been marked as a duplicate of this bug. *** @net-proxy: Can someone bump? FYI: 3.0.25 is out, but now considered "old". Squid 3.1.1 is out and "new stable". Maybe bumping to the 3.1 tree is prefered?! squid-2.7.9 and squid-3.1.6 were added to the tree. Arch teams, please stabilize both versions. (In reply to comment #19) > squid-2.7.9 and squid-3.1.6 were added to the tree. > Arch teams, please stabilize both versions. both x86 stable (In reply to comment #20) > (In reply to comment #19) > > squid-2.7.9 and squid-3.1.6 were added to the tree. > > Arch teams, please stabilize both versions. > > both x86 stable > You missed net-libs/libecap net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0) ['net-libs/libecap'] leading to broken deptree amd64 done (In reply to comment #21) > You missed net-libs/libecap > > net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0) > ['net-libs/libecap'] > > leading to broken deptree Fixed now, sorry. Not sure why my repoman didn't complain. Stable for HPPA. Stable for PPC. *** Bug 304751 has been marked as a duplicate of this bug. *** I had to add a new patch to fix bug 331965. Please resume stabilization process on net-proxy/squid-3.1.6-r1. Explicit request: Arches, please test and mark stable: =net-proxy/squid-3.1.6-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" Already stabled : "amd64 hppa ppc x86" Missing keywords: "alpha arm ia64 ppc64 sparc" alpha/arm/ia64/sparc stable ppc64 done ppc64 done @ppc64 team: You forgot to stabilize squid-2.7.9. ppc64 done GLSA Vote: Yes, remote DoS from potentially unauthenticated attackers. YES, too. GLSA with #334263 could be closed, not more in cvs tree This issue was resolved and addressed in GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml by GLSA coordinator Tim Sammut (underling). |