Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 201209 (CVE-2007-6239)

Summary: net-proxy/squid < 2.6.17 Cache Update Denial of Service Vulnerability (CVE-2007-6239)
Product: Gentoo Security Reporter: Lars Hartmann <lars>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: net-proxy+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Lars Hartmann 2007-12-04 11:16:29 UTC
Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to
 a denial of service check during some cache update reply


 This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.

Updated Packages:

 This bug is fixed by Squid version 2.6.STABLE17 and by the November
 28 snapshots of Squid-2 and Squid-3.

 In addition, a patch addressing this problem can be found in
 our patch archive for version Squid-2.6:

 And for Squid-3:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated

Reproducible: Always
Comment 1 Lars Hartmann 2007-12-04 11:55:29 UTC
maintainers - please provide an updated ebuild
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2007-12-04 13:10:10 UTC
I've added squid-2.6.17 to the tree and package masked version 3.0_rc1.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 14:26:15 UTC
Arches, please test and mark stable net-proxy/squid-2.6.17.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2007-12-04 18:03:31 UTC
ppc64 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-04 20:17:12 UTC
ppc stable
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-04 20:23:31 UTC
x86 stable
Comment 7 Thomas Tuttle 2007-12-05 00:05:07 UTC
Compiles, merges, and works on amd64.

emerge --info:

Portage (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r9 x86_64)
System uname: 2.6.22-gentoo-r9 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
Timestamp of tree: Tue, 04 Dec 2007 23:30:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6, 2.5.1-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X a52 aac acl acpi alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dri flac fortran gdbm gif gpm iconv ipv6 isdnlog jpeg midi mmx mp3 mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline reflection session spl sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vorbis xorg xv zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="i810 vesa vga"
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-12-05 11:17:15 UTC
alpha/ia64/sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-05 16:19:53 UTC
Stable for HPPA.
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2007-12-06 02:32:15 UTC
amd64 stable
Comment 11 Lars Hartmann 2007-12-06 07:13:58 UTC
this one is ready for glsa decision
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-10 21:49:56 UTC
voting NO since only a trusted client can cause a DoS.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 22:30:34 UTC
trusted client means any client that can is trusted to use the proxy, which usually is a lot of clients.

I vote YES here, even if it is only a memleak in the end. Proxy servers are designed to run for a while, and if one client can make my memory usage grow over time, until the server crashes, someone does have an issue.
Comment 14 Lars Hartmann 2007-12-19 09:29:34 UTC
i would suggest "Yes" because squid is often used to accellerate http-servers (you  can just put a squid in front of you httpd and let it process the requests), and in such installations this vuln does matter because anyone in the net is a "trusted client" in that case.
Comment 15 Alin Năstac (RETIRED) gentoo-dev 2007-12-20 10:26:55 UTC
FYI: squid-3.0.1 is now in the tree
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-05 21:43:52 UTC
(In reply to comment #14)
> i would suggest "Yes" because squid is often used to accellerate http-servers
> (you  can just put a squid in front of you httpd and let it process the
> requests), and in such installations this vuln does matter because anyone in
> the net is a "trusted client" in that case.

Thanks for the info, changing my vote to YES and request filed.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:06:46 UTC
rerating B3 as it is a dos
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-09 22:22:53 UTC
GLSA 200801-05
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:55:47 UTC
Does not affect current (2008.0) release. Removing release.