Bug 514013 (CVE-2009-2621, CVE-2009-2622)

Summary: CVE-2009-2621, CVE-2009-2622 squid: multiple vulnerabilities fixed in squid 3.0.STABLE17
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jskala, mbacovsk
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-24 07:43:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 514014    
Bug Blocks:    

Description Vincent Danen 2009-07-27 16:22:42 UTC 
The Squid project released squid 3.0.STABLE17 and 3.1.0.12 today [1], correcting the following issues (from their advisory):

Due to incorrect buffer limits and related bound checks Squid
is vulnerable to a denial of service attack when processing
specially crafted requests or responses.

Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted responses.

These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service.

[1] http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Comment 1 Vincent Danen 2009-07-27 16:22:56 UTC 
Created squid tracking bugs for this issue

Affects: Fdevel [bug #514014]
Comment 2 Vincent Danen 2009-07-27 16:24:57 UTC 
Note: these issues only affect squid 3.x, so only Fedora is affected by this.  Red Hat Enterprise Linux 5 and earlier provide squid 2.x which is not affected by these issues.
Comment 3 Vincent Danen 2009-07-28 17:12:11 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2621 to
the following vulnerability:

Name: CVE-2009-2621
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2621
Assigned: 20090728
Reference: CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Reference: CONFIRM: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch

Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not
properly enforce "buffer limits and related bound checks," which
allows remote attackers to cause a denial of service via (1) an
incomplete request or (2) a request with a large header size, related
to (a) HttpMsg.cc and (b) client_side.cc.


Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2622 to
the following vulnerability:

Name: CVE-2009-2622
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2622
Assigned: 20090728
Reference: CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Reference: CONFIRM: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch

Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote
attackers to cause a denial of service via malformed requests
including (1) "missing or mismatched protocol identifier," (2) missing
or negative status value," (3) "missing version," or (4) "missing or
invalid status number," related to (a) HttpMsg.cc and (b)
HttpReply.cc.
Comment 4 Fedora Update System 2009-08-17 21:56:50 UTC 
squid-3.0.STABLE18-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-08-17 21:59:20 UTC 
squid-3.0.STABLE18-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.