Bug 81997 - www-proxy/squid: FQDN Lookup Denial of Service Vulnerability
Summary: www-proxy/squid: FQDN Lookup Denial of Service Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Versions/v...
Whiteboard: A3 [glsa] jaervosz
Reported: 2005-02-14 07:00 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-03-23 19:34 UTC (History)
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-14 07:00:38 UTC
Description:
A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an assertion error when performing FQDN lookups and can be exploited to crash Squid by returning a specially crafted DNS response.

The vulnerability has been reported in Squid-2.5.STABLE5 through 2.5.STABLE8.

NOTE: The risk is reportedly reduced with "log_fqdn off" (default setting).

Solution:
Apply patch for 2.5.STABLE8:
http://www.squid-cache.org/Versi...uid-2.5.STABLE8-dns_assert.patch

Original Advisory:
http://www.squid-cache.org/Versi...gs/#squid-2.5.STABLE8-dns_assert
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 07:07:04 UTC
Andrew or new Squid Daddy please bump.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2005-02-15 13:15:17 UTC
Version bumped.
It needs to be marked as stable by arch maintainers.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-15 13:42:41 UTC
Thx Alin,

Arches please test and mark 2.5.8 stable.
Comment 4 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-15 14:00:50 UTC
Stable on amd64.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2005-02-15 18:22:27 UTC
Note: the URLs in the original description are invalid (generate 404s here).
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-16 02:00:25 UTC
This is CAN-2005-0446
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-02-16 11:09:10 UTC
Stable on ppc64.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-16 11:39:53 UTC
Stable on ppc.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-16 12:52:38 UTC
Stable on hppa.
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-02-16 16:10:54 UTC
Stable on SPARC.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2005-02-16 16:23:44 UTC
x86 is already there.
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-17 14:46:01 UTC
Stable on alpha.
Comment 13 Hardave Riar (RETIRED) gentoo-dev 2005-02-17 23:38:09 UTC
Stable on mips.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-18 08:06:29 UTC
Thx Alin.

GLSA 200502-25

ia64 please remember to mark stable.