SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Squid Vendors:   Squid-cache.org
Squid HTTP Request Processing Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1021684
SecurityTracker URL:  http://securitytracker.com/id/1021684
CVE Reference:   CVE-2009-0478   (Links to External Site)
Updated:  Feb 11 2009
Original Entry Date:  Feb 4 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.7, 3.0, 3.1
Description:   A vulnerability was reported in Squid. A remote user can cause denial of service conditions.

A remote user can send specially crafted requests to cause unspecified denial of service conditions.

Joshua Morin, Mikko Varpiola, and Jukka Taimisto from the CROSS project at Codenomicon Ltd. reported this vulnerability.

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor has issued a fix (2.7.STABLE6, 3.0.STABLE13, 3.1.0.5).

The following patches are also available.

Squid 2.7:
http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch

The vendor's advisory is available at:

http://www.squid-cache.org/Advisories/SQUID-2009_1.txt

Vendor URL:  www.squid-cache.org/Advisories/SQUID-2009_1.txt (Links to External Site)
Cause:   Not specified
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 05 Feb 2009 00:53:04 +1300
Subject:  Squid Proxy Cache Denial of Service in request handling

__________________________________________________________________

       Squid Proxy Cache Security Update Advisory SQUID-2009:1
__________________________________________________________________

Advisory ID:            SQUID-2009:1
Date:                   February 02, 2009
Summary:                Denial of service in request processing
Affected versions:      Squid 2.7 -> 2.7.STABLE5,
                         Squid 3.0 -> 3.0.STABLE12,
                         Squid 3.1 -> 3.1.0.4
Fixed in version:       Squid 2.7.STABLE6, 3.0.STABLE13, 3.1.0.5
__________________________________________________________________

      http://www.squid-cache.org/Advisories/SQUID-2009_1.txt
__________________________________________________________________

Problem Description:

  Due to an internal error Squid is vulnerable to a denial
  of service attack when processing specially crafted requests.

__________________________________________________________________

Severity:

  This problem allows any client to perform a denial of service
  attack on the Squid service.

__________________________________________________________________

Updated Packages:

  This bug is fixed by Squid versions 2.7.STABLE6, 3.0.STABLE13,
  and 3.1.0.5.

  In addition, patches addressing this problem can be found In
  our patch archives:

Squid 2.7:
    http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
    http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch

Squid 3.0:
    http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
    http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch

Squid 3.1:
    http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
    http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch


  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

  All Squid-2.7 versions up to, and including 2.7.STABLE5 are
  vulnerable.

  All Squid-3.0 versions up to and including 3.0.STABLE12 are
  vulnerable.

  All Squid-3.1 beta versions up to and including 3.1.0.4 are
  vulnerable.

__________________________________________________________________

Workarounds:

  None.
__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If your install and build Squid from the original Squid sources
  then the squid-users@squid-cache.org mailing list is your primary
  support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <http://www.squid-cache.org/bugs/>.

  For reporting of security sensitive bugs send an email to the
  squid-bugs@squid-cache.org mailing list. It's a closed list
  (though anyone can post) and security related bug reports are
  treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  The vulnerability was discovered by Joshua Morin, Mikko Varpiola
  and Jukka Taimisto from the CROSS project at Codenomicon Ltd.

__________________________________________________________________

Revision history:

  2009-02-02 13:12 GMT Initial version
__________________________________________________________________
END

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC