oss-sec mailing list archives

Re: CVE Request -- SQUID-2012:1 / Squid: DoS (excessive resource consumption) via invalid Content-Length headers or via memory leaks

From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 17 Dec 2012 10:36:00 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/17/2012 10:27 AM, Jan Lieskovsky wrote:

Hello Kurt, Steve, vendors,

A denial of service flaw was found in the way the CGI Cache Manager
of the Squid proxy caching server processed certain requests. A
remote attacker could this this flaw to cause the squid service to
consume excessive amount of resources.

References: [1]
http://www.squid-cache.org/Advisories/SQUID-2012_1.txt [2]
https://bugs.gentoo.org/show_bug.cgi?id=447596 [3]
https://secunia.com/advisories/51545/ [4]
https://bugzilla.redhat.com/show_bug.cgi?id=887962

Upstream patches: [5]
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch

(against the 3.1 branch)

[6]
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch

(against the 3.2 branch)


Could you allocate a CVE id for this?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team


Please use CVE-2012-5643 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQz1gAAAoJEBYNRVNeJnmTmbUP/3cyX/iTyq6kPMIy8E3k7And
M/zWoOucYMWO7Qy0kPxdt/lArzc5d/MUYKG2lU3Me3MBexMGO2vLERZCqHVnvCM0
O9aAFRzDGBYUoSW8cOSuLMRfO0rkxPKrixgU2pFxxdpwJ5zdmauzqmv8F9EWCIBx
8uVzbelum4qYwdDy3L+hlZMxB8BhezjurPPAoktDD4FtE3SfJ66kJ+sfaShryCII
ZROGbQeD4jZ2+vL4YO9bpcsz4RD8Me3Jj1Psyh0+p1uTk11gPuK5LDEoPXPBWpX5
qaQDfBiy1mP/fFiWPDnAXFJo7+KnLyFkbJC7ciPxvR7Bwt+6CApXRUGfpKoGw7W4
ie13JYn6jaeHrrV7AFIqfmcATrKibpcDQGXK2JhrYRWe70vMpQv7DqRezVRT7N37
3a+/C2QS51iwNr4n+FZrbvgbY6JIRqo9VDkjeSW43AeznswbercMobbHoMERJQ8J
X+FZZryV/UbzjNPN7QOp8oVxxF7CSsFgJgxUW7ppvb/YBQXtHRGPaaOzcN8MP0Ro
ch3dhqMfC/tS3qYjs3SjgIoB0MP31XlhREz0UYyPEmFXm+EsUaA4xkm/iPs8kD7W
DBXTD/AuzAYB3dTCsgwLlBOc8D8/bnOZDBxKQldlLgGLvL0a0gLhMdr4+BNYug4E
xD1Yx64330jpJBl5Raeh
=vCuD
-----END PGP SIGNATURE-----

Current thread:

CVE Request -- SQUID-2012:1 / Squid: DoS (excessive resource consumption) via invalid Content-Length headers or via memory leaks Jan Lieskovsky (Dec 17)
- Re: CVE Request -- SQUID-2012:1 / Squid: DoS (excessive resource consumption) via invalid Content-Length headers or via memory leaks Kurt Seifried (Dec 17)