Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 61280 - www-proxy/squid NTLM authentication denial of service Squid 2.5STABLE6
Summary: www-proxy/squid NTLM authentication denial of service Squid 2.5STABLE6
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
: 64165 (view as bug list)
Depends on:
Reported: 2004-08-22 11:41 UTC by Andrew Bevitt
Modified: 2011-10-30 22:39 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bevitt 2004-08-22 11:41:37 UTC
Certain malformed NTLMSSP packets could crash the NTLM helpers provided by Squid.

I have updated the squid patchset to include the patch provided on the bug release website; Just here for notification and publication if necessary.

Effected users www-proxy/squid-2.5.*
Remedy, upgrade to >=www-proxy/squid-2.5.6-r2

Reproducible: Always
Steps to Reproduce:
Comment 1 Jason Wever (RETIRED) gentoo-dev 2004-08-22 17:14:25 UTC
So like how do we test to make sure these fixes work?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-22 22:26:59 UTC
Andrew could you provide a testcase to assist the arches mark stable?
Comment 3 Andrew Bevitt 2004-08-23 00:39:11 UTC
Honestly... I am not sure how. 
Details the initial reporting of the problem; in as much as what the problem is described as being the patch definately fixes. ie (o > 0);
Comment 4 Chris White (RETIRED) gentoo-dev 2004-08-23 07:34:49 UTC
Once I get back from school I'll try and get a nice test case up based
on the squid getting started guide.  The one avaliable from upstream is
decent enough for testing, but it needs to be tweaked for Gentoo specific
files, build process.
Comment 5 Chris White (RETIRED) gentoo-dev 2004-08-24 23:47:49 UTC
While trying to create the test case, I ran into a circular dep issue.
Changing this back to ebuild status.

net-mail / robbat2:

There are circular dep issues with openldap and cyrus-sasl which results
in the following:

bash-2.05b# emerge -p cyrus-sasl | grep ebuild
[ebuild  N    ] net-nds/openldap-2.1.30-r1
[ebuild  N    ] dev-libs/cyrus-sasl-2.1.18-r2

bash-2.05b# emerge -p openldap | grep ebuild
[ebuild  N    ] dev-libs/cyrus-sasl-2.1.18-r2
[ebuild  N    ] net-nds/openldap-2.1.30-r1

This prevents proper installation of squid with sasl and ldap USE flags
enabled, and the above libraries not being installed.  Thanks ahead of time
for any comments/suggestions!
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-24 23:52:30 UTC
chriswhite: see bug #32394 for the circular dep.
it's one that is not really solvable.

openldap needs cyrus-sasl to provide SASL auth [widely used]
cyrus-sasl has an ldap backend, that needs to link against the openldap libs (which in turn may be linked to the sasl libs ;-)
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-26 08:31:48 UTC
Arches please mark stable.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-26 13:44:40 UTC
Stable on alpha.
Comment 9 Martin Holzer (RETIRED) gentoo-dev 2004-08-27 10:10:52 UTC
x86 stable now
Comment 10 Jason Wever (RETIRED) gentoo-dev 2004-08-27 18:48:42 UTC
Stable on sparc
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-09-01 02:51:36 UTC
Fixing status whiteboard to only include supported arches.

Waiting for amd64 to issue a GLSA on this.
hppa ia64 mips ppc64 s390 : don't forget to mark stable to benefit from GLSA.
Comment 12 Travis Tilley (RETIRED) gentoo-dev 2004-09-01 09:30:18 UTC
stable on amd64
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-01 09:41:24 UTC
Security this one is ready for GLSA, please draft.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 13:31:01 UTC
GLSA 200409-04 is out.
hppa ia64 mips ppc64 s390 : don't forget to mark stable to benefit.
Comment 15 Guy Martin (RETIRED) gentoo-dev 2004-09-15 02:30:08 UTC
HPPA stable.
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-15 13:31:19 UTC
*** Bug 64165 has been marked as a duplicate of this bug. ***
Comment 17 Tom Gall (RETIRED) gentoo-dev 2004-09-26 20:58:33 UTC
stable on ppc64
Comment 18 Hardave Riar (RETIRED) gentoo-dev 2004-10-17 21:56:22 UTC
Stable on mips.