Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 162364

Summary: net-proxy/squid FTP url DoS (CVE-2007-0247 CVE-2007-0248)
Product: Gentoo Security Reporter: Executioner <keith>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mrness
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/23767/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Executioner 2007-01-16 14:19:26 UTC 
Two vulnerabilities have been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An error in the handling of certain FTP URL requests can be exploited to crash Squid by visiting a specially crafted FTP URL via the proxy.

2) An error in the external_acl queue can cause Squid to crash when it is under high load conditions.

The vulnerabilities are reported in version 2.6. Other versions may also be affected.

Solution:
Update to version 2.6.STABLE7.

Reproducible: Didn't try




http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-01-16 14:20:40 UTC 
2.6.7 already in the tree; just needs to be stabilized...
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-16 18:51:29 UTC 
Hi arches, please test and mark stable squid-2.6.7 if possible, thanks
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2007-01-16 23:09:30 UTC 
x86 stable
Comment 4 Jason Wever (RETIRED) gentoo-dev 2007-01-16 23:41:17 UTC 
Stable on SPARC
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-01-17 07:49:27 UTC 
ppc64 stable
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2007-01-18 03:15:40 UTC 
Stable on Alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-18 08:07:10 UTC 
Marked stable for HPPA by killerfox.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-18 21:02:43 UTC 
ppc stable
Comment 9 Alexander Færøy 2007-01-19 18:37:06 UTC 
Stable on IA64.
Comment 10 Alexander Færøy 2007-01-20 16:48:44 UTC 
Stable on MIPS.
Comment 11 Alin Năstac (RETIRED) gentoo-dev 2007-01-21 07:34:15 UTC 
Marked stable on amd64.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 12:58:35 UTC 
thanks arches

GLSA vote

I vote a full-yes since it's a squid DoS!!!
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 16:59:24 UTC 
voting yes, filing draft request
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-25 21:01:44 UTC 
GLSA 200701-22

thanks everyone