Alex Masterov has reported a vulnerability in Squid, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error in the "sslConnectTimeout()" function after handling malformed requests. This may be exploited to crash Squid. Solution: Apply patch for 2.5.STABLE10: http://www.squid-cache.org/Versi...STABLE10-sslConnectTimeout.patch
see bug #92254 for comments about GLSA
Fix is here: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE10-sslConnectTimeout.patch Some of the other patches might also have security value, especially: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-STORE_PENDING http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-statHistAssert
fixed in squid-2.5.10-r2, marked as stable on x86.
Arches please test and mark stable.
stable on ppc64
Stable on hppa
Stable on alpha
Stable on ppc.
Stable on amd64
Stable on SPARC.
All security supported arches stable, ready for GLSA vote. I tend to say yes because we've released other GLSAs for remote DoS for squid before but I wouldn't mind about no GLSA, though.
Stable on mips.
I tend to vote yes too.
I vote YES.
agreed, voting YES.
GLSA 200509-06
*** Bug 105166 has been marked as a duplicate of this bug. ***