(Fedora Issues Fix for FC2) Squid Overflow in clientAbortBody() Lets Remote Users Crash the Proxy
SecurityTracker Alert ID: 1011729
SecurityTracker URL: http://securitytracker.com/id?1011729
CVE Reference: GENERIC-MAP-NOMATCH
OSVDB Reference: 9801
Updated: Feb 24 2006
Original Entry Date: Oct 16 2004
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.5.STABLE5 and prior versions
Description: d3thStaR reported a vulnerability in Squid that lets a remote user crash the proxy.
The crash is a segmentation fault caused by a NULL pointer dereference in the clientAbortBody() function in 'client_side.c'.
The bug was originally reported to the vendor by M.A.Young.
Impact: A remote user can cause the target proxy service to crash.
Solution: Fedora has released a fix, available at:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
7419c4a407998180020030c89f44fc87 SRPMS/squid-2.5.STABLE5-4.fc2.1.src.rpm
e2a0f29bbdbe44cff75f0ba644a7fbba x86_64/squid-2.5.STABLE5-4.fc2.1.x86_64.rpm
4cb91edbca411b00aef3008920ae9714 x86_64/debug/squid-debuginfo-2.5.STABLE5-4.fc2.1.x86_64.rpm
730574b7d98c1c77b33529591989f191 i386/squid-2.5.STABLE5-4.fc2.1.i386.rpm
a7a7f22361580f62f166ace5b5bc3316 i386/debug/squid-debuginfo-2.5.STABLE5-4.fc2.1.i386.rpm
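As an added example (it is not part of the SecurityTracker entry or of the Fedora announcement), the POSIX shell helper below checks packages that were downloaded from the update directory against a listing in the advisory's "<md5> <relative path>" format before they are installed. It assumes GNU coreutils md5sum is on the PATH and that the packages were fetched into one directory that mirrors the relative paths above (for example ./updates/i386/...); the listing written by write_advisory_listing contains only the sums published on this page. Note that MD5 is no longer collision resistant, so a match guards against a corrupted or truncated download, not against a deliberate substitution by a mirror operator.

```shell
#!/bin/sh
# Added example, not code from Fedora or Squid: verify downloaded update
# packages against the MD5 sums published in the advisory.
# Assumes GNU coreutils md5sum; listing lines are "<md5>  <relative path>".

# write_advisory_listing OUT_FILE
# Writes the five package sums from the FEDORA-2004-330 announcement.
write_advisory_listing() {
    cat > "$1" <<'EOF'
7419c4a407998180020030c89f44fc87  SRPMS/squid-2.5.STABLE5-4.fc2.1.src.rpm
e2a0f29bbdbe44cff75f0ba644a7fbba  x86_64/squid-2.5.STABLE5-4.fc2.1.x86_64.rpm
4cb91edbca411b00aef3008920ae9714  x86_64/debug/squid-debuginfo-2.5.STABLE5-4.fc2.1.x86_64.rpm
730574b7d98c1c77b33529591989f191  i386/squid-2.5.STABLE5-4.fc2.1.i386.rpm
a7a7f22361580f62f166ace5b5bc3316  i386/debug/squid-debuginfo-2.5.STABLE5-4.fc2.1.i386.rpm
EOF
}

# verify_listing LISTING_FILE BASE_DIR
# Prints one status line per entry. Returns 0 only if every listed file
# exists under BASE_DIR and its MD5 matches the published sum; a missing
# file counts as a failure so a partial download is not silently accepted.
verify_listing() {
    listing="$1"
    base="$2"
    status=0
    while read -r sum rel; do
        [ -n "$sum" ] || continue          # skip blank lines
        file="$base/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING  $rel"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $rel"
        else
            echo "MISMATCH $rel (expected $sum, got $actual)"
            status=1
        fi
    done < "$listing"
    return $status
}

# Typical use (assumed layout): packages mirrored under ./updates
#   write_advisory_listing ./fedora-2004-330.md5
#   verify_listing ./fedora-2004-330.md5 ./updates && rpm -Fvh ./updates/i386/*.rpm
```

Run the verification before any rpm command, and treat a non-zero exit as a reason not to install rather than something to retry blindly: a MISMATCH on a fresh download from the official directory is worth reporting.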
Vendor URL: www.squid-cache.org/bugs/show_bug.cgi?id=972
Cause: Boundary error
Underlying OS: Linux (Red Hat Fedora)
Underlying OS Comments: FC2
Reported By: Jay Fenlason <fenlason@redhat.com>
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 7 Oct 2004 13:43:08 -0400
From: Jay Fenlason <fenlason@redhat.com>
Subject: [CORRECTED] [SECURITY] Fedora Core 2 Update:
Because of a typo, the original announcement referred to the
squid-2.5.STABLE5-4.fc2 rpms instead of the
squid-2.5.STABLE5-4.fc2.1 ones. This corrected advisory lists the
correct rpms and MD5 sums.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-330
2004-10-07
---------------------------------------------------------------------
Product : Fedora Core 2
Name : squid
Version : 2.5.STABLE5
Release : 4.fc2.1
Summary : The Squid proxy caching server.
Description :
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single,
non-blocking, I/O-driven process. Squid keeps meta data and especially
hot objects cached in RAM, caches DNS lookups, supports non-blocking
DNS lookups, and implements negative caching of failed requests.
Squid consists of a main server program squid, a Domain Name System
lookup program (dnsserver), a program for retrieving FTP data
(ftpget), and some management and client tools.
---------------------------------------------------------------------
This update fixes a potential DoS against squid that was reported by
Secunia. See
http://secunia.com/advisories/12508/
for details.
* Fri Oct 01 2004 Jay Fenlason <fenlason@redhat.com> 7:2.5.STABLE3-4.fc2.1
- Modify the entry for /etc/squid.conf in this spec file to set the
permissions to 640 owned by root:squid. This will protect passwords
stored in the file from prying eyes, and close #125007
- Include the -proxy-abuse patch, which closes #133970
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
7419c4a407998180020030c89f44fc87 SRPMS/squid-2.5.STABLE5-4.fc2.1.src.rpm
e2a0f29bbdbe44cff75f0ba644a7fbba x86_64/squid-2.5.STABLE5-4.fc2.1.x86_64.rpm
4cb91edbca411b00aef3008920ae9714 x86_64/debug/squid-debuginfo-2.5.STABLE5-4.fc2.1.x86_64.rpm
730574b7d98c1c77b33529591989f191 i386/squid-2.5.STABLE5-4.fc2.1.i386.rpm
a7a7f22361580f62f166ace5b5bc3316 i386/debug/squid-debuginfo-2.5.STABLE5-4.fc2.1.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list