oss-sec mailing list archives
Re: CVE-Request: squid pinger remote DoS
From: cve-assign () mitre org
Date: Tue, 16 Sep 2014 02:56:30 -0400 (EDT)
> I made a fix for squid 3.4.6 and request a CVE
> https://bugzilla.novell.com/show_bug.cgi?id=891268
Regardless of the "what happens to squid itself" answer, is it known that the crash has a security impact? This message seemed to conclude with an implied request for more information, e.g., "it looks like you can," etc. An example of a security impact would be: the administrator wanted pinger to be running, and a crash means that pinger processes/threads are no longer available, and pinger is not automatically restarted.

If there is a security impact, then the patch in Novell Bug 891268 would probably correspond to at least three CVE IDs, e.g.,

1. "used to index into a string array" possibly corresponds to http://cwe.mitre.org/data/definitions/129.html for the modified default case after case 136, and approximately two other places in the patch

2. added "if (n <= 0)" code possibly corresponds to http://cwe.mitre.org/data/definitions/389.html

3. added "if (preply.psize) < 0" code apparently corresponds to a more general issue with missing data validation

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
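The three classes of check listed in the message above, sketched as one small parser. This is an added example, not code from the Squid patch or from anyone in the thread; the wire layout, the names and the type table are constructed for illustration.

```c
#include <stdint.h>

/* Constructed example: layout, names and table are hypothetical, not Squid's. */
enum { HDR_LEN = 4, TYPE_BASE = 128 };

static const char unknown_name[] = "Unknown";
static const char *const type_names[] = {
    "Echo Request", "Echo Reply", "Listener Query", "Listener Report"
};
#define N_TYPES (sizeof(type_names) / sizeof(type_names[0]))

enum parse_status { PARSE_OK = 0, ERR_RECV, ERR_SHORT, ERR_SIZE };

struct reply {
    const char *type_name;  /* always points at a valid string once set */
    int32_t psize;          /* payload size, set only on PARSE_OK */
};

/* n is the return value of a recv()-style call; buf holds n bytes when n > 0.
 * Assumed wire layout: type[1] pad[1] psize[2, big-endian, signed]. */
enum parse_status parse_reply(const unsigned char *buf, long n, struct reply *out)
{
    /* Item 2: a failed or empty read must not reach the parser. */
    if (n <= 0)
        return ERR_RECV;
    if (n < HDR_LEN)
        return ERR_SHORT;

    /* Item 1: the type indexes a string array, so range-check it first.
     * Types below TYPE_BASE would otherwise wrap to a huge index. */
    unsigned idx = (unsigned)buf[0] - TYPE_BASE;
    out->type_name = (buf[0] >= TYPE_BASE && idx < N_TYPES)
                         ? type_names[idx] : unknown_name;

    /* Item 3: a size read from the message may be negative or
     * larger than the data that was actually received. */
    int16_t psize = (int16_t)((buf[2] << 8) | buf[3]);
    if (psize < 0 || psize > n - HDR_LEN)
        return ERR_SIZE;
    out->psize = psize;
    return PARSE_OK;
}
```
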
Current thread:
- CVE-Request: squid pinger remote DoS Sebastian Krahmer (Sep 09)
- Re: CVE-Request: squid pinger remote DoS Marcus Meissner (Sep 15)
- Re: CVE-Request: squid pinger remote DoS cve-assign (Sep 15)
- Re: CVE-Request: squid pinger remote DoS Sebastian Krahmer (Sep 16)
- Re: Re: CVE-Request: squid pinger remote DoS Amos Jeffries (Sep 16)
- Re: CVE-Request: squid pinger remote DoS cve-assign (Sep 21)