Bug 152778

Summary: CAN-2004-0832 Squid - malformed NTLMSSP packets NTLM helpers DOS
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: botsch
Hardware: All
OS: Linux
URL: http://www.squid-cache.org/bugs/show_bug.cgi?id=1045
Whiteboard: 1, LEGACY, QA, rh90
Doc Type: Bug Fix
Last Closed: 2005-04-05 22:33:13 UTC

Description David Lawrence 2005-03-30 23:27:07 UTC
Certain malformed NTLMSSP packets could crash the NTLM helpers 
provided by Squid.

http://www.squid-cache.org/bugs/show_bug.cgi?id=1045
http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlm_fetch_string
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131750
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131728

Not the same issue as bug 1532



------- Additional Comments From marcdeslauriers 2004-09-08 12:17:00 ----

Oops! Wrong bug number.

Not the same issue as bug 1732




------- Additional Comments From marcdeslauriers 2004-09-10 11:08:10 ----

squid in rh73 is not vulnerable to this issue.



------- Additional Comments From marcdeslauriers 2004-09-10 13:03:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new packages to QA for rh9:

Changelog:
* Fri Sep 10 2004 Marc Deslauriers <marcdeslauriers>
7:2.5.STABLE1-5.9.legacy
- - CAN-2004-0832 security patch (malformed NTLMSSP packets crash NTLM helpers)

a0b08b4e699e70e08adbb9162bf6e9bb1f9ba60a  squid-2.5.STABLE1-5.9.legacy.i386.rpm
bd111d20ba40496d368c6a3d2d5e55df01425f20  squid-2.5.STABLE1-5.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-5.9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squid-2.5.STABLE1-5.9.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQjLKLMAs/0C4zNoRAnCkAJ9TrxfPYXUukOdJnQoxWbvDzKo1wACgkxNz
CSCvwEvb79g0v4Cfnk/yWAU=
=U1d+
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-10 13:04:43 ----

This bug has obsoleted bug 1732



------- Additional Comments From dom 2004-09-30 13:49:48 ----

RHEL updates:
http://www.redhat.com/archives/enterprise-watch-list/2004-September/msg00018.html



------- Additional Comments From rob.myers.edu 2004-10-05 11:53:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
Packages to QA for FC1:
 
changelog:
* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-1.fc1.1.legacy
- - apply patches from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0541
 
5ed8fe9d261163661e34917fbe97cb02956d8f5f 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-1.fc1.1.legacy.src.rpm
3ad99896fcef5bd2be7bbc32fc8965088d2352bf 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-1.fc1.1.legacy.i386.rpm
f0bfd2cb30e5ec3b7347b084d6410b7795a65dc0 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-debuginfo-2.5.STABLE3-1.fc1.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBYxdltU2XAt1OWnsRAjd5AJ4/U3AWH6LtT1QQIyDt+8cDZrSGzQCg7Vdm
yEPCdtNAUSGDBimKBuM6Gww=
=7pKv
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-05 12:11:12 ----

Rob,

You've patched the wrong squid package. There is a more recent one available in
the FC1 updates:

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squid-2.5.STABLE3-2.fc1.src.rpm

Could you rebuild, please?



------- Additional Comments From rob.myers.edu 2004-10-05 17:10:06 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages to QA for FC1 (to the correct package this time!):

changelog:
* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 7:2.5.STABLE3-2.fc1.1.legacy
- - apply patch from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0541

http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/
1274234d30913bacc4e81e60acda2d0dd092d7b3  http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-2.fc1.1.legacy.i386.rpm
829e7fefaeeacc41a92d09404bd3c4bc7b36cb66  http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-2.5.STABLE3-2.fc1.1.legacy.src.rpm
0fd0de5c6786431b82f1aed5230f95d5bf2b3329  http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squid-debuginfo-2.5.STABLE3-2.fc1.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBY2HPtU2XAt1OWnsRAgAhAJ9I3TL0wW+fFHE6T9OKn7yLMh2MpgCeMNmQ
z78NgUsRmCpHviGaFXmWT7A=
=V3nc
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers.edu 2004-10-12 07:06:29 ----

superseded by newer squid bug #2150



------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2053 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2053
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-05 22:33:13 UTC

*** This bug has been marked as a duplicate of 152809 ***