oss-sec mailing list archives
Re: squid DoS in external auth header parser
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 4 Aug 2009 09:10:46 -0600
* [2009-08-04 12:13:29 +0200] Nico Golde wrote:
* Vincent Danen <vdanen () redhat com> [2009-07-20 19:48]:I noticed this on Debian's bts [1] and also on upstream's bugzilla [2] but no CVE has been assigned (not sure if one has been requested or not, but I've not seen a request come through here). By the initial looks of things, it seems to be a fairly low severity issue and may not be easy to duplicate/trigger. The reporter didn't really provide much in the way of a reproducer or relevant configs (and the reference to zope auths makes me not even want to touch it). Has anyone taken a look at this or has a CVE been requested for it?CVE-2009-2622 CVE-2009-2621
Are you sure? According to MITRE's descriptions, CVE-2009-2621 deals with a lack of enforcing "buffer limites and related bound checks", and CVE-2009-2622 deals with malformed requests. When I was looking, it didn't seem like either of these were the issue noted in the Debian bug. Bug #2704 on the squid site is still UNCONFIRMED with no additional comments made to it, so I don't think this is fixed in the latest upstream release (and wouldn't fall under one of these CVE's). I don't think a CVE has been assigned to this issue, and I don't think it has been fixed. --Vincent Danen / Red Hat Security Response Team
Current thread:
- squid DoS in external auth header parser Vincent Danen (Jul 20)
- Re: squid DoS in external auth header parser security curmudgeon (Aug 03)
- Re: squid DoS in external auth header parser Nico Golde (Aug 04)
- Re: squid DoS in external auth header parser Vincent Danen (Aug 04)
- Re: squid DoS in external auth header parser Nico Golde (Aug 04)
- Re: squid DoS in external auth header parser Vincent Danen (Aug 04)
- Re: squid DoS in external auth header parser Steven M. Christey (Aug 18)