Bug 334263 (CVE-2010-3072) - <net-proxy/squid-3.1.8 Multiple vulnerabilities (CVE-2010-3072)
Summary: <net-proxy/squid-3.1.8 Multiple vulnerabilities (CVE-2010-3072)
Status: RESOLVED FIXED
Alias: CVE-2010-3072
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://marc.info/?l=squid-users&m=128...
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 336217
Depends on:
Blocks:
 
Reported: 2010-08-24 11:21 UTC by Eray Aslan
Modified: 2011-10-26 20:48 UTC

Description Eray Aslan gentoo-dev 2010-08-24 11:21:12 UTC
The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.7 release!


This release fixes a number of bugs in the earlier Squid releases.

One regression introduced with 3.1.6 when contacting IPv4-only DNS resolvers opens a small but exploitable DoS vulnerability. All users of Squid-3.1.6 are urged to upgrade to this release as soon as possible.


Several HTTP/1.1 compliance bugs have been resolved. The most noticeable of these is that Squid is now more correctly operating connection keep-alive to clients.

The fix for keep-alive has resolved several apparent bugs in NTLM and Negotiate authentication and brought to light a compatibility issue with the major modern browsers. The issue appears to end-users as multiple browser popups if for any reason they need to supply new NTLM/Negotiate credentials for a connection. The default if unset for NTLM and Negotiate auth_param keep_alive has become OFF to avoid this.


The visible_hostname directive has been updated with several fixes to avoid killing Squid when the machine hostname is mis-configured or unavailable at startup. To retain consistency with existing distributions practice the value of "localhost" is used in the event of a lookup failure.


All users of Squid-3.1.6 are urged to upgrade to this release as soon as possible.

Users of other Squid-3.1 and 3.0 are encouraged to upgrade at their earliest convenience. 

Reproducible: Always
Comment 1 Holger Hoffstätte 2010-08-24 14:24:15 UTC
FYI I tried to bump this locally (risk assessment :) and the only necessary change was to drop squid-3.1.6-bug3011.patch, since this was fixed upstream. No other changes are necessary. Hope this helps and saves some time.

Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-24 18:49:16 UTC
net-proxy: Please bump.
Comment 3 Eray Aslan gentoo-dev 2010-09-06 12:48:06 UTC
net-proxy/squid-3.1.8 is out with some security fixes:


This release brings several very important bug fixes, security updates and some HTTP/1.1 improvements into 3.1.

On the security front we have three major additions:

 * Fixes for the request processing vulnerability tagged SQUID-2010:3.
   http://www.squid-cache.org/Advisories/SQUID-2010_3.txt

 * A hardening of the DNS client against packet queueing approaches used to enable attacks. This completes the protection against attacks published by Yamaguchi late in 2009.

 * An HTTP request-line parser hardened against several categories of request attack. This greatly increases the speed of detection and reduces the resources used to detect these categories of attack.


Several outstanding major bugs have also been identified and fixed:

  - Bug 3020: Segmentation fault: nameservers[vc->ns].vc = NULL
  - Bug 3005,2972: Locate LTDL headers correctly (again)
  - Bug 2872: leaking file descriptors
  - Bug 2583: pure virtual method called

As you can see yet another attempt to get over the libtool / libltdl build issues has been made. If you are building Squid with a libtool 1.x version please try to do so first on these bundles without using any of the hacks and workarounds. For any libltdl or LoadableModules problems in this package please mention in the bug 2972 bugzilla report along with your libtool/libltdl versions.


Due to the security enhancements all users of Squid-3 are urged to upgrade to this release as soon as possible.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.1 
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-07 19:22:53 UTC
*** Bug 336217 has been marked as a duplicate of this bug. ***
Comment 5 Matus UHLAR - fantomas 2010-09-23 15:50:35 UTC
anyone cares?
Comment 6 Alin Năstac (RETIRED) gentoo-dev 2010-09-23 22:31:31 UTC
squid-3.1.8 has been added to the tree.
Arches, please do your magic.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-09-24 07:37:31 UTC
amd64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-24 16:39:38 UTC
(In reply to comment #6)
> squid-3.1.8 has been added to the tree.

Arch teams, please test and mark stable:
=net-proxy/squid-3.1.8
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-25 05:37:57 UTC
Stable for PPC.
Comment 10 Markus Meier gentoo-dev 2010-09-25 13:57:41 UTC
arm stable
Comment 11 Markus Meier gentoo-dev 2010-09-26 09:18:30 UTC
x86 stable
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2010-09-26 16:12:17 UTC
Stable on alpha.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-29 15:13:42 UTC
Stable for HPPA.
Comment 14 Brent Baude (RETIRED) gentoo-dev 2010-09-30 01:54:53 UTC
ppc64 done
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:28:58 UTC
CVE-2010-3072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3072):
  The string-comparison functions in String.cci in Squid 3.x before
  3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a
  denial of service (NULL pointer dereference and daemon crash) via a
  crafted request.
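
Added example (not part of the bug report, and not Squid or Gentoo tooling): a check of a version string against the affected ranges given in the CVE-2010-3072 text quoted in comment 15. The function names and the sample inventory are constructed for illustration; the parser assumes its input is a `squid -v` banner line, a Gentoo atom or a bare version string.

```python
import re

# Fixed versions from the CVE-2010-3072 text above: affected are
# Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2.
FIXED_3_1 = (3, 1, 8)
FIXED_3_2 = (3, 2, 0, 2)


def parse_version(text):
    """Return the dotted numeric version as a tuple of ints.

    Accepts a `squid -v` banner line, a Gentoo atom or a bare version.
    A trailing Gentoo revision (-r1) or a non-numeric tail such as the
    STABLE25 in 3.0.STABLE25 is ignored.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(text):
    """True if the version falls inside the ranges the CVE text lists."""
    version = parse_version(text)
    if version[0] != 3:
        return False  # the CVE text names Squid 3.x only
    # 3.2 and later are compared against the 3.2 fix, everything
    # older in the 3.x line against the 3.1 fix.
    fixed = FIXED_3_2 if version[:2] >= (3, 2) else FIXED_3_1
    return version < fixed


def affected_hosts(inventory):
    """Filter a {host: version string} mapping down to affected hosts."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "proxy-a": "Squid Cache: Version 3.1.6",
    "proxy-b": "net-proxy/squid-3.1.8",
    "proxy-c": "net-proxy/squid-3.1.7-r2",
    "proxy-d": "3.0.STABLE25",
    "proxy-e": "3.2.0.2",
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```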

Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2010-10-09 16:34:32 UTC
ia64/sparc stable
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-13 04:09:17 UTC
In reverse mode (in front of public webserver/s) there is the possibility of remote DOS by anyone worldwide. Squid will usually be a critical service.

Also: "There are applications already in general public use which can trigger this problem for 3.1 and 3.2 on occasion without intended malice."

So, I cancel voting hereby and directly say: GLSA request filed.

Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-12-24 13:44:57 UTC
(In reply to comment #18)
> version bump!
> http://www2.de.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_10.html
> 

Please don't hijack other bugs, file a new bug instead.
Comment 20 esc 2010-12-24 14:23:47 UTC
(In reply to comment #19)
> (In reply to comment #18)
> > version bump!
> > http://www2.de.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_10.html
> > 
> 
> Please don't hijack other bugs, file a new bug instead.
> 
Sorry! It was already corrected.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:48:06 UTC
This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).