Bug 279379 (CVE-2009-2621) - <net-proxy/squid-3.0.18 Multiple Remote Denial of service issues in header processing (CVE-2009-{2621,2622})
Summary: <net-proxy/squid-3.0.18 Multiple Remote Denial of service issues in header pr...
Status: RESOLVED FIXED
Alias: CVE-2009-2621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Advisories...
Whiteboard: B3 [glsa]
Reported: 2009-07-27 19:31 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-26 20:47 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 19:31:37 UTC
__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2009:2
__________________________________________________________________

Advisory ID:            SQUID-2009:2
Date:                   July 27, 2009
Summary:                Multiple Remote Denial of service issues
                        in header processing.
Affected versions:      Squid 3.0 -> 3.0.STABLE16,
                        Squid 3.1 -> 3.1.0.11
Fixed in version:       Squid 3.0.STABLE17, 3.1.0.12
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
__________________________________________________________________

Problem Description:

 Due to incorrect buffer limits and related bound checks Squid
 is vulnerable to a denial of service attack when processing
 specially crafted requests or responses.

 Due to incorrect data validation Squid is vulnerable to a denial
 of service attack when processing specially crafted responses.

__________________________________________________________________

Severity:

 These problems allow any trusted client or external server to
 perform a denial of service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 These bugs are fixed by Squid versions 3.0.STABLE17 and 3.1.0.12

 In addition, patches addressing these problems can be found in
 our patch archives:

Squid 3.0:
 http://www.squid-cache.org/Versions/v3/3.0/changesets/b9070.patch
 http://www.squid-cache.org/Versions/v3/3.0/changesets/b9074.patch
 http://www.squid-cache.org/Versions/v3/3.0/changesets/b9075.patch

Squid 3.1:
 http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch
 http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch


 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All unpatched Squid-3.0 versions up to and including 3.0.STABLE16
 are vulnerable.

 All unpatched Squid-3.1 versions up to and including 3.1.0.11 are
 vulnerable.

 Squid-2.x releases are not vulnerable.

__________________________________________________________________

Workarounds:

 None currently known.
__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://www.squid-cache.org/bugs/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The request vulnerabilities were discovered by Alex Montoanelli
 of www.unetvale.net

 Some response vulnerabilities were discovered by Rob Middleton
 of Centenary Institute.

 Some response vulnerabilities were discovered by Tuomo Untinen,
 Ossi Herrala and Jukka Taimisto from the CROSS project at
 Codenomicon Ltd.

__________________________________________________________________

Revision history:

 2009-07-27 14:08 GMT Initial version
__________________________________________________________________
END
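An added helper, not part of the advisory or the Squid project, that turns the "Determining if your version is vulnerable" ranges above into a version comparison; it also accepts the Gentoo package naming used later in this bug (net-proxy/squid-3.0.18 corresponds to upstream 3.0.STABLE18). The accepted version-string formats and the `-rN` ebuild revision handling are my assumptions.

```python
import re

# Fixed versions stated in SQUID-2009:2; keyed by branch. Squid-2.x is not
# listed as affected, so any branch not in this table is treated as safe.
FIXED_IN = {"3.0": (3, 0, 17), "3.1": (3, 1, 0, 12)}

def parse_squid_version(text):
    """Normalise a Squid version string into a tuple of ints.

    Accepts upstream forms ('Squid 3.0.STABLE16', '3.1.0.11', '2.7.STABLE6')
    and Gentoo ebuild forms ('=net-proxy/squid-3.0.18-r1'); '3.0.STABLEn'
    and Gentoo's '3.0.n' map to the same tuple. Assumed formats, not Squid's.
    """
    s = text.strip()
    s = re.sub(r"^=?(?:net-proxy/)?squid[-\s]*", "", s, flags=re.IGNORECASE)
    s = re.sub(r"-r\d+$", "", s)  # drop Gentoo ebuild revision suffix
    m = re.fullmatch(r"(\d+)\.(\d+)\.STABLE(\d+)", s)
    if m:
        return tuple(int(x) for x in m.groups())
    if re.fullmatch(r"\d+(?:\.\d+)+", s):
        return tuple(int(x) for x in s.split("."))
    raise ValueError(f"unrecognised Squid version string: {text!r}")

def is_vulnerable(text):
    """True if the given Squid version falls inside the advisory's ranges."""
    v = parse_squid_version(text)
    fixed = FIXED_IN.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return False
    return v < fixed  # tuple comparison: 3.0.STABLE16 < 3.0.STABLE17

if __name__ == "__main__":
    # Constructed sample inputs covering both branches and both naming styles.
    for sample in ("Squid 3.0.STABLE16", "3.1.0.11", "=net-proxy/squid-3.0.18",
                   "3.1.0.12", "2.7.STABLE6"):
        print(f"{sample:28} vulnerable={is_vulnerable(sample)}")
```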
Comment 1 Matus UHLAR - fantomas 2009-07-30 08:24:18 UTC
any progress with 3.0.STABLE17 ?
thank you
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-03 22:32:03 UTC
CVE-2009-2621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2621):
  Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not
  properly enforce "buffer limits and related bound checks," which
  allows remote attackers to cause a denial of service via (1) an
  incomplete request or (2) a request with a large header size, related
  to (a) HttpMsg.cc and (b) client_side.cc.

CVE-2009-2622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2622):
  Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote
  attackers to cause a denial of service via malformed requests
  including (1) "missing or mismatched protocol identifier," (2)
  "missing or negative status value," (3) "missing version," or (4)
  "missing or invalid status number," related to (a) HttpMsg.cc and (b)
  HttpReply.cc.

Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-08-06 22:55:15 UTC
Version 3.0.18 is now in the tree. 
Arch teams, please do your thing.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-07 17:13:57 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-08-08 15:01:30 UTC
ppc64 done
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-08 15:26:44 UTC
(In reply to comment #3)
> Version 3.0.18 is now in the tree. 
> Arch teams, please do your thing.

That's =net-proxy/squid-3.0.18 then...
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-09 19:05:48 UTC
Stable for HPPA.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2009-08-10 15:59:21 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2009-08-10 22:21:13 UTC
amd64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-08-14 14:11:37 UTC
arm/ia64/sparc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 21:58:32 UTC
This will be added to the other HttpMsg.cc GLSA.
Comment 12 martin holzer 2011-01-17 15:42:02 UTC
could be closed, not more in cvs tree
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-17 15:57:48 UTC
(In reply to comment #12)
> could be closed, not more in cvs tree
> 

The GLSA is still pending. Please don't post such comments in the future, thanks.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:47:50 UTC
This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).