Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 




      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] Fwd: SQUID-2007:2, Dec 4, 2007

--This is a forwarded message
From: Adrian Chadd <adrian@xxxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx <bugtraq@xxxxxxxxxxxxxxxxx>
Date: Thursday, December 6, 2007, 2:24:22 PM
Subject: SQUID-2007:2, Dec 4, 2007

===8<==============Original message text===============


      Squid Proxy Cache Security Update Advisory SQUID-2007:2

Advisory ID:            SQUID-2007:2
Date:                   November 27, 2007
Summary:                Denial of service in cache updates
Affected versions:      Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version:       Squid 2.6.STABLE17;
                        November 28 Squid-2 snapshot
                        November 28 Squid-3 snapshot
Author:                 Adrian Chadd
Thanks:                 Wikimedia Foundation



Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to
 a denial of service check during some cache update reply



 This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.


Updated Packages:

 This bug is fixed by Squid version 2.6.STABLE17 and by the November
 28 snapshots of Squid-2 and Squid-3.

 In addition, a patch addressing this problem can be found in
 our patch archive for version Squid-2.6:


 And for Squid-3:


 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

 All Squid-2.X versions up to, and including 2.6.STABLE16 are

 All Squid-3 snapshots and prereleases up to the November 28
 snapshot are vulnerable.



 There are no workarounds.


Thanks to:

 Thanks go to the Wikimedia Foundation for helping identify the issue
 and testing the proposed resolution of the issue.

 Thanks to Adrian Chadd for the Squid-2 fix.

 Thanks to Henrik Nordstrom for the Squid-3 fix.


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary
 support point. See <http://www.squid-cache.org/mailing-lists.html>
 for subscription details.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.


Revision history:

 2007-11-26 14:40 GMT+9 Initial version
===8<===========End of original message text===========

    ,    .  ()


Copyright © Lexa Software, 1996-2009.