Red Hat Bugzilla – Bug 514013
CVE-2009-2621, CVE-2009-2622 squid: multiple vulnerabilities fixed in squid 3.0.STABLE17
Last modified: 2009-08-24 03:43:48 EDT
The Squid project released squid 3.0.STABLE17 and 3.1.0.12 today [1], correcting the following issues (from their advisory): Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses. Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses. These problems allow any trusted client or external server to perform a denial of service attack on the Squid service. [1] http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Created squid tracking bugs for this issue Affects: Fdevel [bug #514014]
Note: these issues only affect squid 3.x, so only Fedora is affected by this. Red Hat Enterprise Linux 5 and earlier provide squid 2.x which is not affected by these issues.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2621 to the following vulnerability: Name: CVE-2009-2621 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2621 Assigned: 20090728 Reference: CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt Reference: CONFIRM: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc. Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2622 to the following vulnerability: Name: CVE-2009-2622 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2622 Assigned: 20090728 Reference: CONFIRM: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt Reference: CONFIRM: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc.
squid-3.0.STABLE18-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
squid-3.0.STABLE18-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.