Bug 484246 (CVE-2009-0478) - CVE-2009-0478 Squid denial of service flaw
Summary: CVE-2009-0478 Squid denial of service flaw
Status: CLOSED ERRATA
Alias: CVE-2009-0478
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.squid-cache.org/Advisories...
Whiteboard: source=squid,reported=20090203,public...
Keywords:
Depends On: 484781 484782
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-02-05 16:24 UTC by Josh Bressers
Modified: 2009-02-13 13:17 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-13 13:17:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Josh Bressers 2009-02-05 16:24:59 UTC
A denial of service flaw was found in the way squid handles certain client initiated requests. A client who can connect to the squid server could leverage this flaw to cause the squid child process to terminate. This would prevent anyone from using the squid server until the process automatically restarts.

Comment 2 Josh Bressers 2009-02-05 16:40:18 UTC
The issue here is that a client request could be constructed in such a way that it triggers a call to assert() in the squid child process.  This then causes the child process to quit, stopping all current requests until the child process is restarted.

As this end up calling assert(), there is no potential for code execution from this particular flaw.

The code that triggers this flaw is only present in squid versions 2.7 and above.

Comment 5 Tomas Hoger 2009-02-11 07:31:51 UTC
Official Statement from Red Hat (02/09/2009)
    Not vulnerable. This issue did not affect the version of Squid as
    shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478

Comment 6 Red Hat Product Security 2009-02-13 13:17:08 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-1526
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-1517


Note You need to log in before you can comment on or make changes to this bug.