Bug 257585 (CVE-2009-0478) - net-proxy/squid <2.7.6 <3.0.13 <3.1.0.5 DoS in request processing (CVE-2009-0478)
Status: RESOLVED FIXED
Alias: CVE-2009-0478
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Advisories...
Whiteboard: B4 [glsa]
Keywords:
Duplicates: 255962 257586 258107
Depends on:
Blocks:
 
Reported: 2009-02-04 11:50 UTC by Eray Aslan
Modified: 2019-07-31 01:26 UTC

See Also:
Package list:
Runtime testing required: ---


Description Eray Aslan gentoo-dev 2009-02-04 11:50:55 UTC
"Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests. This problem allows any client to perform a denial of service attack on the Squid service."

Patches and problem description:
http://www.squid-cache.org/Advisories/SQUID-2009_1.txt

Reproducible: Always
Comment 1 Eray Aslan gentoo-dev 2009-02-04 12:13:36 UTC
*** Bug 257586 has been marked as a duplicate of this bug. ***
Comment 3 Peter Alfredsen (RETIRED) gentoo-dev 2009-02-11 01:19:01 UTC
*** Bug 258107 has been marked as a duplicate of this bug. ***
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2009-02-16 23:43:54 UTC
Both major versions have been bumped, to 2.7.6 and 3.0.13 respectively.

Arches, please mark net-proxy/squid-2.7.6 as stable (don't touch squid-3 keywords).
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2009-02-16 23:45:32 UTC
*** Bug 255962 has been marked as a duplicate of this bug. ***
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-02-17 14:17:03 UTC
ppc64 done
Comment 7 Jeroen Roovers gentoo-dev 2009-02-17 18:03:27 UTC
Stable for HPPA.
Comment 8 Tobias Klausmann gentoo-dev 2009-02-18 18:34:01 UTC
Stable on alpha (this comment made through Squid™).
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-19 18:29:58 UTC
ppc stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-02-20 17:57:44 UTC
ia64/sparc/x86 stable
Comment 11 Markus Meier gentoo-dev 2009-02-25 20:39:31 UTC
amd64 stable, all arches done.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-04 18:39:09 UTC
Re-Rating B4 as it's not a "Global service compromise"

Ready to vote, I vote YES (because squid is a network accessible service and often used in accelerator setups for HTTP - if I was using squid in a datacenter, I'd really appreciate getting a warning about this issue!)
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 14:13:49 UTC
YES too
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-24 21:46:18 UTC
GLSA 200903-38