Bug 104603 - net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability
Summary: net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Versions/v...
Whiteboard: B3 [glsa] jaervosz
Keywords:
: 105166
Depends on:
Blocks:
 
Reported: 2005-09-02 08:01 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-03-23 19:44 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-09-02 08:01:39 UTC
Alex Masterov has reported a vulnerability in Squid, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the
"sslConnectTimeout()" function after handling malformed requests. This may be
exploited to crash Squid.

Solution:
Apply patch for 2.5.STABLE10:
http://www.squid-cache.org/Versi...STABLE10-sslConnectTimeout.patch
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-02 08:03:31 UTC
See bug #92254 for comments about GLSA.
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2005-09-02 14:54:47 UTC
Fixed in squid-2.5.10-r2, marked as stable on x86.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-02 21:41:43 UTC
Arches please test and mark stable. 
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-09-03 00:33:10 UTC
stable on ppc64
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-09-03 03:08:49 UTC
Stable on hppa
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-03 06:26:42 UTC
Stable on alpha
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-03 08:09:06 UTC
Stable on ppc.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-03 09:40:42 UTC
Stable on amd64
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-09-03 10:32:04 UTC
Stable on SPARC.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-03 10:42:33 UTC
All security supported arches stable, ready for GLSA vote. I tend to say yes
because we've released other GLSAs for remote DoS for squid before, but I
wouldn't mind about no GLSA, though.
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-09-04 00:30:19 UTC
Stable on mips.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-04 10:59:39 UTC
I tend to vote yes too.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-05 01:18:20 UTC
I vote YES.  
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-05 01:37:27 UTC
agreed, voting YES.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-07 08:55:52 UTC
GLSA 200509-06 
Comment 17 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-07 10:51:44 UTC
*** Bug 105166 has been marked as a duplicate of this bug. ***