Squid: Multiple Denial of Service vulnerabilities
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 200903-38 / Squid |
| Release Date |
March 24, 2009 |
| Latest Revision |
March 24, 2009: 01 |
| Impact |
normal |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| net-proxy/squid |
<
2.7.6 |
>=
2.7.6 |
All supported architectures
|
Related bugreports:
#216319, #257585
Synopsis
Multiple vulnerabilities have been found in Squid which allow for remote
Denial of Service attacks.
2.
Impact Information
Background
Squid is a full-featured web proxy cache.
Description
- The arrayShrink function in lib/Array.c can cause an array to
shrink to 0 entries, which triggers an assert error. NOTE: this issue
is due to an incorrect fix for CVE-2007-6239 (CVE-2008-1612).
- An invalid version number in a HTTP request may trigger an
assertion in HttpMsg.c and HttpStatusLine.c (CVE-2009-0478).
Impact
The issues allows for Denial of Service attacks against the service via
an HTTP request with an invalid version number and other specially
crafted requests.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Squid users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/squid-2.7.6"
|
4.
References
|
