Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574868 (CVE-2016-2390) - <net-proxy/squid-3.5.14: Denial of Service (CVE-2016-2390)
Summary: <net-proxy/squid-3.5.14: Denial of Service (CVE-2016-2390)
Status: RESOLVED FIXED
Alias: CVE-2016-2390
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Advisories...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-16 09:18 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-02-17 08:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-16 09:18:14 UTC
From ${URL}:

Hi,

A remotely triggerable denial of service has been found in Squid
proxy. The proxy incorrectly handles server TLS failure which almost
always results in crashing the entire proxy. Denying service for all
other clients using it.

Our Advisory will be at:
<http://www.squid-cache.org/Advisories/SQUID-2016_1.txt>
"
 This problem allows any trusted client to perform a denial of
 service attack on the Squid service regardless of whether TLS or
 SSL is configured for use in the prfoxy.

 Misconfigured client or server software may trigger this issue
 to perform a denial of service unintentionally.

 However, the bug is exploitable only if Squid is built using the
 --with-openssl option.
"

Versions 3.5.13, 4.0.4 and 4.0.5 are affected.

Patch for 3.5 is
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.p
atch>.

Patch for 4.0 is
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.p
atch>.
Though as a beta release we would prefer people update straight to the
new package.
Comment 1 Eray Aslan gentoo-dev 2016-02-16 12:34:24 UTC
=net-proxy/squid-3.5.14 in the tree.  I am guessing no fast stabilization is necessary since no vulnerable version was stable at any point.  Please let me know if I am mistaken.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-02-16 12:40:25 UTC
You are correct, however, once all versions have a patched ebuild in the tree we will move on to cleanup.  This is where any vulnerable versions should be purged from the tree.

https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide#Bugs_in_.5Bcleanup.5D_status
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-16 12:47:36 UTC
(In reply to Eray Aslan from comment #1)
> =net-proxy/squid-3.5.14 in the tree.  I am guessing no fast stabilization is
> necessary since no vulnerable version was stable at any point.  Please let
> me know if I am mistaken.

Correct, the full advisory states 3.5.12 and lower as unaffected and this is last stable, so changed rating to reflect that.

3.5.13 needs to be removed from tree during cleanup , after which the bug can be closed as [noglsa]
Comment 4 Eray Aslan gentoo-dev 2016-02-17 05:58:11 UTC
=net-proxy/squid-3.5.13 punted from the tree.  Cleanup done.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-17 08:23:31 UTC
(In reply to Eray Aslan from comment #4)
> =net-proxy/squid-3.5.13 punted from the tree.  Cleanup done.

Thanks