Date: Tue, 24 Aug 2010 19:38:19 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, Amos Jeffries <amosjeffries@...id-cache.org>, Stephen Thorne <stephen@...rne.id.au> Subject: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present Hi Steve, vendors, Stephen Thorne reported a buffer overread flaw in the way Squid proxy caching server processed large DNS replies in cases, when no IPv6 resolver was present. A remote attacker could provide DNS reply with large amount of data, leading to denial of service (squid server crash). Upstream bug report:  http://bugs.squid-cache.org/show_bug.cgi?id=3021 Relevant upstream changeset:  http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072 References:  http://marc.info/?l=squid-users&m=128263555724981&w=2  https://bugzilla.redhat.com/show_bug.cgi?id=626927  http://bugs.gentoo.org/show_bug.cgi?id=334263 Could you allocate CVE id for this issue? Amos, Stephen please correct me, if some of  and  doesn't correspond to: "One regression introduced with 3.1.6 when contacting IPv4-only DNS resolvers opens a small but exploitable DoS vulnerability." issue mentioned in . Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ