Summary: | <net-proxy/squid-3.1.8 Multiple vulnerabilities (CVE-2010-3072) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Eray Aslan <eras> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | craig, holger, net-proxy+disabled, ooblick |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://marc.info/?l=squid-users&m=128263555724981&w=2 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Eray Aslan
2010-08-24 11:21:12 UTC
FYI I tried to bump this locally (risk assessment :) and the only necessary change was to drop squid-3.1.6-bug3011.patch, since this was fixed upstream. No other changes are necessary. Hope this helps and saves some time.

net-proxy: Please bump.

net-proxy/squid-3.1.8 is out with some security fixes:

This release brings several very important bug fixes, security updates and some HTTP/1.1 improvements into 3.1.

On the security front we have three major additions:

* Fixes for the request processing vulnerability tagged SQUID-2010:3. http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
* A hardening of the DNS client against packet queueing approaches used to enable attacks. This completes the protection against attacks published by Yamaguchi late in 2009.
* An HTTP request-line parser hardened against several categories of request attack. This greatly increases the speed of detection and reduces resources used to detect these categories of attack.

Several outstanding major bugs have also been identified and fixed:

- Bug 3020: Segmentation fault: nameservers[vc->ns].vc = NULL
- Bug 3005,2972: Locate LTDL headers correctly (again)
- Bug 2872: leaking file descriptors
- Bug 2583: pure virtual method called

As you can see yet another attempt to get over the libtool / libltdl build issues has been made. If you are building Squid with a libtool 1.x version please try to do so first on these bundles without using any of the hacks and workarounds. For any libltdl or LoadableModules problems in this package please mention in the bug 2972 bugzilla report along with your libtool/libltdl versions.

Due to the security enhancements all users of Squid-3 are urged to upgrade to this release as soon as possible.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.1

*** Bug 336217 has been marked as a duplicate of this bug. ***

anyone cares?

squid-3.1.8 has been added to the tree.

Arches, please do your magic.

amd64 done

(In reply to comment #6)
> squid-3.1.8 has been added to the tree.

Arch teams, please test and mark stable:
=net-proxy/squid-3.1.8
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stable for PPC.

arm stable

x86 stable

Stable on alpha.

Stable for HPPA.

ppc64 done

CVE-2010-3072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3072): The string-comparison functions in String.cci in Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.

ia64/sparc stable

In reverse mode (in front of public webserver/s) there is the possibility of remote DOS by anyone worldwide. Squid will usually be a critical service. Also: "There are applications already in general public use which can trigger this problem for 3.1 and 3.2 on occasion without intended malice." So, I cancel voting hereby and directly say: GLSA request filed.

(In reply to comment #18)
> version bump!
> http://www2.de.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_10.html
>

Please don't hijack other bugs, file a new bug instead.

(In reply to comment #19)
> (In reply to comment #18)
> > version bump!
> > http://www2.de.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_10.html
> >
>
> Please don't hijack other bugs, file a new bug instead.
>

Sorry! It was already corrected.

This issue was resolved and addressed in GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml by GLSA coordinator Tim Sammut (underling).