104603 – net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability

Bug 104603 - net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability

Summary: net-proxy/squid: "sslConnectTimeout()" Denial of Service Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://www.squid-cache.org/Versions/v...
Whiteboard:	B3 [glsa] jaervosz
Keywords:

Duplicates (1):	105166 (view as bug list)
Depends on:
Blocks:

Reported:	2005-09-02 08:01 UTC by Jean-François Brunette (RETIRED)
Modified:	2006-03-23 19:44 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-09-02 08:01:39 UTC

Alex Masterov has reported a vulnerability in Squid, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the
"sslConnectTimeout()" function after handling malformed requests. This may be
exploited to crash Squid.

Solution:
Apply patch for 2.5.STABLE10:
http://www.squid-cache.org/Versi...STABLE10-sslConnectTimeout.patch

Comment 1 Jean-François Brunette (RETIRED) gentoo-dev

2005-09-02 08:03:31 UTC

see bug #92254 for comments about GLSA

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-02 09:34:14 UTC

Fix is here:   
   
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE10-sslConnectTimeout.patch  
  
Some of the other patches might also have security value, especially:  
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-STORE_PENDING 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-statHistAssert

Comment 3 Alin Năstac (RETIRED) gentoo-dev

2005-09-02 14:54:47 UTC

fixed in squid-2.5.10-r2, marked as stable on x86.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-02 21:41:43 UTC

Arches please test and mark stable.

Comment 5 Markus Rothe (RETIRED) gentoo-dev

2005-09-03 00:33:10 UTC

stable on ppc64

Comment 6 René Nussbaumer (RETIRED) gentoo-dev

2005-09-03 03:08:49 UTC

Stable on hppa

Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev

2005-09-03 06:26:42 UTC

Stable on alpha

Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-09-03 08:09:06 UTC

Stable on ppc.

Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev

2005-09-03 09:40:42 UTC

Stable on amd64

Comment 10 Jason Wever (RETIRED) gentoo-dev

2005-09-03 10:32:04 UTC

Stable on SPARC.

Comment 11 Stefan Cornelius (RETIRED) gentoo-dev

2005-09-03 10:42:33 UTC

All security supported arches stable, ready for GLSA vote. I tend to say yes
because we've released other GLSAs for remote DoS for squid before but i
wouldn't mind about no GLSA, though.

Comment 12 Hardave Riar (RETIRED) gentoo-dev

2005-09-04 00:30:19 UTC

Stable on mips.

Comment 13 Thierry Carrez (RETIRED) gentoo-dev

2005-09-04 10:59:39 UTC

I tend to vote yes too.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-05 01:18:20 UTC

I vote YES.

Comment 15 Tavis Ormandy (RETIRED) gentoo-dev

2005-09-05 01:37:27 UTC

agreed, voting YES.

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-07 08:55:52 UTC

GLSA 200509-06

Comment 17 Jean-François Brunette (RETIRED) gentoo-dev

2005-09-07 10:51:44 UTC

*** Bug 105166 has been marked as a duplicate of this bug. ***