Bug 104603 - net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability
Summary: net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
Duplicates: 105166
Depends on:
Reported: 2005-09-02 08:01 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-03-23 19:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jean-François Brunette (RETIRED) gentoo-dev 2005-09-02 08:01:39 UTC
Alex Masterov has reported a vulnerability in Squid, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the
"sslConnectTimeout()" function after handling malformed requests. This may be
exploited to crash Squid.

Apply patch for 2.5.STABLE10:
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-02 08:03:31 UTC
see bug #92254 for comments about GLSA
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2005-09-02 14:54:47 UTC
fixed in squid-2.5.10-r2, marked as stable on x86.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-02 21:41:43 UTC
Arches please test and mark stable. 
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-09-03 00:33:10 UTC
stable on ppc64
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-09-03 03:08:49 UTC
Stable on hppa
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-03 06:26:42 UTC
Stable on alpha
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-03 08:09:06 UTC
Stable on ppc.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-03 09:40:42 UTC
Stable on amd64
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-09-03 10:32:04 UTC
Stable on SPARC.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-03 10:42:33 UTC
All security supported arches stable, ready for GLSA vote. I tend to say yes
because we've released other GLSAs for remote DoS for squid before but I
wouldn't mind about no GLSA, though.
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-09-04 00:30:19 UTC
Stable on mips.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-04 10:59:39 UTC
I tend to vote yes too.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-05 01:18:20 UTC
I vote YES.  
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-05 01:37:27 UTC
agreed, voting YES.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-07 08:55:52 UTC
GLSA 200509-06 
Comment 17 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-07 10:51:44 UTC
*** Bug 105166 has been marked as a duplicate of this bug. ***