Openwall GNU/*/Linux 3.0 - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 4 Aug 2009 19:48:13 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: squid DoS in external auth header parser

Hi,
* Vincent Danen <vdanen@...hat.com> [2009-08-04 17:20]:
> * [2009-08-04 12:13:29 +0200] Nico Golde wrote:
[...] 
> >CVE-2009-2622
> >CVE-2009-2621
> 
> Are you sure?
> 
> According to MITRE's descriptions, CVE-2009-2621 deals with a lack of
> enforcing "buffer limites and related bound checks", and CVE-2009-2622
> deals with malformed requests.  When I was looking, it didn't seem like
> either of these were the issue noted in the Debian bug.  Bug #2704 on
> the squid site is still UNCONFIRMED with no additional comments made to
> it, so I don't think this is fixed in the latest upstream release (and
> wouldn't fall under one of these CVE's).
> 
> I don't think a CVE has been assigned to this issue, and I don't think
> it has been fixed.

Oergs sorry, yes you are right. I mixed up the issues here.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ