Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 81997 - www-proxy/squid: FQDN Lookup Denial of Service Vulnerability
Summary: www-proxy/squid: FQDN Lookup Denial of Service Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa] jaervosz
Depends on:
Reported: 2005-02-14 07:00 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-03-23 19:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-14 07:00:38 UTC
A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an assertion error when performing FQDN lookups and can be exploited to crash Squid by returning a specially crafted DNS response.

The vulnerability has been reported in Squid-2.5.STABLE5 through 2.5.STABLE8.

NOTE: The risk is reportedly reduced with "log_fqdn off" (default setting).

Apply patch for 2.5.STABLE8:

Original Advisory:
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 07:07:04 UTC
Andrew or new Squid Daddy please bump.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2005-02-15 13:15:17 UTC
version bumped.
it needs to be marked as stable by arch maintainers.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-15 13:42:41 UTC
Thx Alin,

Arches please test and mark 2.5.8 stable.
Comment 4 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-15 14:00:50 UTC
stable on amd64.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2005-02-15 18:22:27 UTC
Note: the URLs in the original description are invalid (generate 404s here).
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-16 02:00:25 UTC
This is CAN-2005-0446
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-02-16 11:09:10 UTC
stable on ppc64
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-16 11:39:53 UTC
Stable on ppc.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-16 12:52:38 UTC
Stable on hppa.
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-02-16 16:10:54 UTC
Stable on SPARC.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2005-02-16 16:23:44 UTC
x86 is already there
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-17 14:46:01 UTC
Stable on alpha.
Comment 13 Hardave Riar (RETIRED) gentoo-dev 2005-02-17 23:38:09 UTC
Stable on mips.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-18 08:06:29 UTC
Thx Alin.

GLSA 200502-25

ia64 please remember to mark stable.