Bug 514013 (CVE-2009-2621, CVE-2009-2622)
Summary: | CVE-2009-2621, CVE-2009-2622 squid: multiple vulnerabilities fixed in squid 3.0.STABLE17 | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | jskala, mbacovsk |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-08-24 07:43:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 514014 | ||
Bug Blocks: |
Description
Vincent Danen
2009-07-27 16:22:42 UTC
Created squid tracking bugs for this issue Affects: Fdevel [bug #514014] Note: these issues only affect squid 3.x, so only Fedora is affected by this. Red Hat Enterprise Linux 5 and earlier provide squid 2.x which is not affected by these issues. Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2621 to the following vulnerability: Name: CVE-2009-2621 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2621 Assigned: 20090728 Reference: CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt Reference: CONFIRM: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc. Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2622 to the following vulnerability: Name: CVE-2009-2622 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2622 Assigned: 20090728 Reference: CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt Reference: CONFIRM: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc. squid-3.0.STABLE18-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. squid-3.0.STABLE18-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. |