CAN-2005-0718: remote DoS from aborted connections
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squid (Debian) | Fix Released | Unknown | |
squid (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #305605 http://
In Debian Bug tracker #305605, Gangitano (gangitano) wrote : Re: Bug #305605: CAN-2005-0718: remote DoS from aborted connections | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Automatically imported from Debian bug report #305605 http://
Debian Bug Importer (debzilla) wrote : | #3 |
Message-Id: <email address hidden>
Date: Thu, 21 Apr 2005 12:05:39 +1000
From: "Geoff Crompton" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2005-0718: remote DoS from aborted connections
Package: squid
Severity: grave
Justification: user security hole
More info at http://
> A remote denial of service vulnerability affects the Squid Proxy.
> This issue is due to a failure of the application to properly handle
> exceptional network requests. The problem presents itself when a
> remote attacker prematurely aborts a connection during a PUT or POST
> request.
> A remote attacker may leverage this issue to crash the affected Squid
> Proxy, denying service to legitimate users.
Vulnerable versions listed at that site say that 2.4.6 and 2.5.9 are
both vulnerable, suggesting that Woody, Sarge and Sid are all exposed.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=
In Debian Bug tracker #305605, Christian Hammers (ch-westend) wrote : Re: CAN-2005-0718: remote DoS in Squid -- any progress? | #4 |
Hello
The bug was reported more than a week ago and the last status from
the same date is that the Woody package is being investigated.
Is there any news regarding the vulnerability status of the Woody
package or the preparation of a DSA?
bye,
-christian-
--
Christian Hammers WESTEND GmbH | Internet-
Technik CISCO Systems Partner - Authorized Reseller
<email address hidden> D-52064 Aachen Fax 0241/911879
In Debian Bug tracker #305605, Martin Schulze (joey-infodrom) wrote : | #5 |
Christian Hammers wrote:
> Hello
>
> The bug was reported more than a week ago and the last status from
> the same date is that the Woody package is being investigated.
>
> Is there any news regarding the vulnerability status of the Woody
> package or the preparation of a DSA?
Luigi is taking a look. It's not yet clear whether this problem even
exists in woody. Sid and sarge are fine. If you are able to fix the
package in woody, that would help a lot.
Regards,
Joey
--
There are lies, statistics and benchmarks.
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #305605, Christian Hammers (ch) wrote : | #6 |
On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > Is there any news regarding the vulnerability status of the Woody
> > package or the preparation of a DSA?
>
> Luigi is taking a look. It's not yet clear whether this problem even
> exists in woody. Sid and sarge are fine. If you are able to fix the
> package in woody, that would help a lot.
Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody)
and released an advisory today:
http://
Sadly I was just not able to find the following source package which
probably includes the patch. Does anybody know where they hide their
download server?
corporate/
md5sum: 715494248752557
bye,
-christian-
--
Christian Hammers WESTEND GmbH | Internet-
Technik CISCO Systems Partner - Authorized Reseller
<email address hidden> D-52064 Aachen Fax 0241/911879
In Debian Bug tracker #305605, Martin Schulze (joey-infodrom) wrote : | #7 |
Christian Hammers wrote:
> On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > > Is there any news regarding the vulnerability status of the Woody
> > > package or the preparation of a DSA?
> >
> > Luigi is taking a look. It's not yet clear whether this problem even
> > exists in woody. Sid and sarge are fine. If you are able to fix the
> > package in woody, that would help a lot.
>
> Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody)
> and released an advisory today:
>
> http://
>
> Sadly I was just not able to find the following source package which
> probably includes the patch. Does anybody know where they hide their
> download server?
>
> corporate/
> md5sum: 715494248752557
Regards,
Joey
--
There are lies, statistics and benchmarks.
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #305605, Luigi Gangitano (luigi) wrote : | #8 |
>> corporate/
>> md5sum: 715494248752557
>
> ftp://ftp.
Great! They didn't fix it (no post patch in it) and added the setcookie patch
that is not needed prior to 2.5.STABLE7.
Still looking for a proof of concept to test the woody package.
Regards,
L
-------
This message was sent using IMP, the Internet Messaging Program.
In Debian Bug tracker #305605, Christian Hammers (ch) wrote : | #9 |
Hello
On 2005-04-29 Luigi Gangitano wrote:
> >> corporate/
> >> md5sum: 715494248752557
> >
> > ftp://ftp.
>
> Great! They didn't fix it (no post patch in it) and added the setcookie
> patch that is not needed prior to 2.5.STABLE7.
>
> Still looking for a proof of concept to test the woody package.
I found the following sentence in the last changelog entry of the Mandriva
package and think it's interesting for those watching this bug:
* Wed Apr 27 2005 Stew Benedict <email address hidden>
2.4.
- CAN-2005-0718 - patch not relevant, segfault occurs in an unprotected
call to clientProcessBody, which isn't used in 2.4.STABLE7
In this case I can sleep better although it would be nice if you could get
this confirmed by the Squid developers. If you kindly ask they will probably
even test their PoC exploit against a Debian server even if they do not want
to release it to the public.
bye,
-christian-
In Debian Bug tracker #305605, Luigi Gangitano (luigi) wrote : CAN-2005-1345: fix for woody | #10 |
tags 305605 + security fixed pending
thanks
Hi Martin,
please find the updated stable package diff attached.
For sid this has been fixed in 2.5.9-8.
Regards,
L
Il giorno ven, 29/04/2005 alle 08.05 +0200, Martin Schulze ha scritto:
> http://
>
> Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it
> identifies missing or invalid ACLs in the http_access configuration,
> which could lead to less restrictive ACLs than intended by the
> administrator.
>
> CAN-2005-1345
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
In Debian Bug tracker #305605, Luigi Gangitano (luigi) wrote : Wrong bug... | #11 |
tags 305605 - fixed pending
tags 307132 + woody fixed pending
thanks
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
In Debian Bug tracker #305605, Luigi Gangitano (luigi) wrote : Re: Bug#305605: CAN-2005-0718: remote DoS from aborted connections | #12 |
severity 305605 important
thanks
I'm downgrading severity of this bug from RC to important because (if it
exists at all), it only applies to woody, so is not 'release critical'
for sarge.
Regards,
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
In Debian Bug tracker #305605, Frank Lichtenheld (djpig) wrote : | #13 |
severity 305605 grave
thanks
On Fri, May 06, 2005 at 09:47:23PM +0200, Luigi Gangitano wrote:
> I'm downgrading severity of this bug from RC to important because (if it
> exists at all), it only applies to woody, so is not 'release critical'
> for sarge.
Hi.
Sorry, but please leave grave bugs that only affect woody at grave severity
and only tag them woody. That is exactly what the distribution tags are for.
Gruesse,
--
Frank Lichtenheld <email address hidden>
www: http://
Martin Pitt (pitti) wrote : | #14 |
Warty was fixed in USN-111-1. 2.5.8+ (as in Hoary and Breezy) are not affected.
In Debian Bug tracker #305605, Luigi Gangitano (luigi) wrote : BTS clean-up with new features | #15 |
found 305605 2.4.6-2woody1
close 305605 2.5.8-1
found 309504 2.4.6-2woody1
close 309504 2.5.9-9
close 309504 2.4.6-2woody9
thanks
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
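An added example, not part of the thread or of Debian's own tooling: a Python check of whether a squid package version lies between the `found` and `close` versions recorded for #305605 in the control message above, using a reimplementation of dpkg's version ordering. The function names are hypothetical, and treating the two markers as a simple linear range is an assumption.

```python
import re

# Version markers copied from the control message for bug 305605.
FOUND = "2.4.6-2woody1"   # found 305605 2.4.6-2woody1
FIXED = "2.5.8-1"         # close 305605 2.5.8-1

def _order(c):
    """dpkg character weight: '~' sorts first, then letters, then the rest."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    while a or b:
        # Non-digit prefixes are compared character by character.
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            ca = _order(na[k]) if k < len(na) else 0
            cb = _order(nb[k]) if k < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        # Digit runs are compared numerically (an empty run counts as 0).
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three fields."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def in_reported_range(version):
    """True when FOUND <= version < FIXED (linear ordering only)."""
    return deb_cmp(version, FOUND) >= 0 and deb_cmp(version, FIXED) < 0

if __name__ == "__main__":
    for v in ("2.4.6-2woody1", "2.4.6-2woody9", "2.5.8-1", "2.5.9-8"):
        print(v, "in reported range" if in_reported_range(v) else "outside range")
```

The Debian BTS itself resolves `found` and `close` against the package's changelog ancestry rather than a plain range, so a result from this check is a first-pass triage signal only.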
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Thu, 21 Apr 2005 10:49:52 +0200
From: <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug #305605: CAN-2005-0718: remote DoS from aborted connections
tags 305605 +woody +security
thanks
As of
http://
http://
Squid 2.5.STABLE9 is not vulnerable (bug fixed in 2.5.STABLE8), so is the
package in sarge/sid.
I'm investigating the woody package.
Regards,
Luigi Gangitano
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Fri, 29 Apr 2005 14:28:10 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: CAN-2005-0718: remote DoS in Squid -- any progress?
Hello
The bug was reported more than a week ago and the last status from
the same date is that the Woody package is being investigated.
Is there any news regarding the vulnerability status of the Woody
package or the preparation of a DSA?
bye,
-christian-
--
Christian Hammers WESTEND GmbH | Internet-
Technik CISCO Systems Partner - Authorized Reseller
3-11
<email address hidden> D-52064 Aachen Fax 0241/911879
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Fri, 29 Apr 2005 14:56:38 +0200
From: Martin Schulze <email address hidden>
To: Christian Hammers <email address hidden>
Cc: <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: CAN-2005-0718: remote DoS in Squid -- any progress?
Christian Hammers wrote:
> Hello
>
> The bug was reported more than a week ago and the last status from
> the same date is that the Woody package is being investigated.
>
> Is there any news regarding the vulnerability status of the Woody
> package or the preparation of a DSA?
Luigi is taking a look. It's not yet clear whether this problem even
exists in woody. Sid and sarge are fine. If you are able to fix the
package in woody, that would help a lot.
Regards,
Joey
--
There are lies, statistics and benchmarks.
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Fri, 29 Apr 2005 16:09:51 +0200
From: Christian Hammers <email address hidden>
To: Martin Schulze <email address hidden>
Cc: <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: CAN-2005-0718: remote DoS in Squid -- any progress?
On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > Is there any news regarding the vulnerability status of the Woody
> > package or the preparation of a DSA?
>
> Luigi is taking a look. It's not yet clear whether this problem even
> exists in woody. Sid and sarge are fine. If you are able to fix the
> package in woody, that would help a lot.
Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody)
and released an advisory today:
http://
Sadly I was just not able to find the following source package which
probably includes the patch. Does anybody know where they hide their
download server?
corporate/
md5sum: 715494248752557
bye,
-christian-
--
Christian Hammers WESTEND GmbH | Internet-
Technik CISCO Systems Partner - Authorized Reseller
3-11
<email address hidden> D-52064 Aachen Fax 0241/911879
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Fri, 29 Apr 2005 16:22:13 +0200
From: Martin Schulze <email address hidden>
To: Christian Hammers <email address hidden>
Cc: <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: CAN-2005-0718: remote DoS in Squid -- any progress?
Christian Hammers wrote:
> On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > > Is there any news regarding the vulnerability status of the Woody
> > > package or the preparation of a DSA?
> >
> > Luigi is taking a look. It's not yet clear whether this problem even
> > exists in woody. Sid and sarge are fine. If you are able to fix the
> > package in woody, that would help a lot.
>
> Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody)
> and released an advisory today:
>
> http://
>
> Sadly I was just not able to find the following source package which
> probably includes the patch. Does anybody know where they hide their
> download server?
>
> corporate/
> md5sum: 715494248752557
Regards,
Joey
--
There are lies, statistics and benchmarks.
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Fri, 29 Apr 2005 16:52:02 +0200
From: Luigi Gangitano <email address hidden>
To: Martin Schulze <email address hidden>
Cc: Christian Hammers <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: CAN-2005-0718: remote DoS in Squid -- any progress?
>> corporate/
>> md5sum: 715494248752557
>
> ftp://ftp.
Great! They didn't fix it (no post patch in it) and added the setcookie patch
that is not needed prior to 2.5.STABLE7.
Still looking for a proof of concept to test the woody package.
Regards,
L
-------
This message was sent using IMP, the Internet Messaging Program.
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Fri, 29 Apr 2005 19:50:25 +0200
From: Christian Hammers <email address hidden>
To: Luigi Gangitano <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: CAN-2005-0718: remote DoS in Squid -- any progress?
Hello
On 2005-04-29 Luigi Gangitano wrote:
> >> corporate/
> >> md5sum: 715494248752557
> >
> > ftp://ftp.
>
> Great! They didn't fix it (no post patch in it) and added the setcookie
> patch that is not needed prior to 2.5.STABLE7.
>
> Still looking for a proof of concept to test the woody package.
I found the following sentence in the last changelog entry of the Mandriva
package and think it's interesting for those watching this bug:
* Wed Apr 27 2005 Stew Benedict <email address hidden>
2.4.
- CAN-2005-0718 - patch not relevant, segfault occurs in an unprotected
call to clientProcessBody, which isn't used in 2.4.STABLE7
In this case I can sleep better although it would be nice if you could get
this confirmed by the Squid developers. If you kindly ask they will probably
even test their PoC exploit against a Debian server even if they do not want
to release it to the public.
bye,
-christian-
Debian Bug Importer (debzilla) wrote : | #23 |
Message-Id: <1114991594.
Date: Mon, 02 May 2005 01:53:13 +0200
From: Luigi Gangitano <email address hidden>
To: <email address hidden>
Subject: Wrong bug...
tags 305605 - fixed pending
tags 307132 + woody fixed pending
thanks
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Debian Bug Importer (debzilla) wrote : | #24 |
Message-Id: <1115408844.
Date: Fri, 06 May 2005 21:47:23 +0200
From: Luigi Gangitano <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#305605: CAN-2005-0718: remote DoS from aborted connections
severity 305605 important
thanks
I'm downgrading severity of this bug from RC to important because (if it
exists at all), it only applies to woody, so is not 'release critical'
for sarge.
Regards,
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Debian Bug Importer (debzilla) wrote : | #25 |
Message-ID: <email address hidden>
Date: Sat, 7 May 2005 00:10:43 +0200
From: Frank Lichtenheld <email address hidden>
To: Luigi Gangitano <email address hidden>, <email address hidden>
Subject: Re: Bug#305605: CAN-2005-0718: remote DoS from aborted connections
severity 305605 grave
thanks
On Fri, May 06, 2005 at 09:47:23PM +0200, Luigi Gangitano wrote:
> I'm downgrading severity of this bug from RC to important because (if it
> exists at all), it only applies to woody, so is not 'release critical'
> for sarge.
Hi.
Sorry, but please leave grave bugs that only affect woody at grave severity
and only tag them woody. That is exactly what the distribution tags are for.
Gruesse,
--
Frank Lichtenheld <email address hidden>
www: http://
Debian Bug Importer (debzilla) wrote : | #26 |
Message-Id: <1121814436.
Date: Wed, 20 Jul 2005 01:07:16 +0200
From: Luigi Gangitano <email address hidden>
To: <email address hidden>
Subject: BTS clean-up with new features
found 305605 2.4.6-2woody1
close 305605 2.5.8-1
found 309504 2.4.6-2woody1
close 309504 2.5.9-9
close 309504 2.4.6-2woody9
thanks
--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
tags 305605 +woody +security
thanks
As of
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0718
http://www.squid-cache.org/bugs/show_bug.cgi?id=1224
Squid 2.5.STABLE9 is not vulnerable (bug fixed in 2.5.STABLE8), so is the
package in sarge/sid.
I'm investigating the woody package.
Regards,
Luigi Gangitano