| Summary: | <net-proxy/squid-3.5.14: Denial of Service (CVE-2016-2390) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | eras |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.squid-cache.org/Advisories/SQUID-2016_1.txt | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
=net-proxy/squid-3.5.14 in the tree. I am guessing no fast stabilization is necessary since no vulnerable version was stable at any point. Please let me know if I am mistaken. You are correct, however, once all versions have a patched ebuild in the tree we will move on to cleanup. This is where any vulnerable versions should be purged from the tree. https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide#Bugs_in_.5Bcleanup.5D_status (In reply to Eray Aslan from comment #1) > =net-proxy/squid-3.5.14 in the tree. I am guessing no fast stabilization is > necessary since no vulnerable version was stable at any point. Please let > me know if I am mistaken. Correct, the full advisory states 3.5.12 and lower as unaffected and this is last stable, so changed rating to reflect that. 3.5.13 needs to be removed from tree during cleanup , after which the bug can be closed as [noglsa] =net-proxy/squid-3.5.13 punted from the tree. Cleanup done. (In reply to Eray Aslan from comment #4) > =net-proxy/squid-3.5.13 punted from the tree. Cleanup done. Thanks |
From ${URL}: Hi, A remotely triggerable denial of service has been found in Squid proxy. The proxy incorrectly handles server TLS failure which almost always results in crashing the entire proxy. Denying service for all other clients using it. Our Advisory will be at: <http://www.squid-cache.org/Advisories/SQUID-2016_1.txt> " This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or SSL is configured for use in the prfoxy. Misconfigured client or server software may trigger this issue to perform a denial of service unintentionally. However, the bug is exploitable only if Squid is built using the --with-openssl option. " Versions 3.5.13, 4.0.4 and 4.0.5 are affected. Patch for 3.5 is <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.p atch>. Patch for 4.0 is <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.p atch>. Though as a beta release we would prefer people update straight to the new package.