Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 104603

Summary: net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability
Product: Gentoo Security Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-proxy+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.squid-cache.org/Versions/v2/2.5/bugs/
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-09-02 08:01:39 UTC 
Alex Masterov has reported a vulnerability in Squid, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the
"sslConnectTimeout()" function after handling malformed requests. This may be
exploited to crash Squid.

Solution:
Apply patch for 2.5.STABLE10:
http://www.squid-cache.org/Versi...STABLE10-sslConnectTimeout.patch
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-02 08:03:31 UTC 
see bug #92254 for comments about GLSA
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2005-09-02 14:54:47 UTC 
fixed in squid-2.5.10-r2, marked as stable on x86.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-02 21:41:43 UTC 
Arches please test and mark stable.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-09-03 00:33:10 UTC 
stable on ppc64
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-09-03 03:08:49 UTC 
Stable on hppa
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-03 06:26:42 UTC 
Stable on alpha
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-03 08:09:06 UTC 
Stable on ppc.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-03 09:40:42 UTC 
Stable on amd64
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-09-03 10:32:04 UTC 
Stable on SPARC.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-03 10:42:33 UTC 
All security supported arches stable, ready for GLSA vote. I tend to say yes
because we've released other GLSAs for remote DoS for squid before but i
wouldn't mind about no GLSA, though.
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-09-04 00:30:19 UTC 
Stable on mips.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-04 10:59:39 UTC 
I tend to vote yes too.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-05 01:18:20 UTC 
I vote YES.
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-05 01:37:27 UTC 
agreed, voting YES.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-07 08:55:52 UTC 
GLSA 200509-06
Comment 17 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-07 10:51:44 UTC 
*** Bug 105166 has been marked as a duplicate of this bug. ***