Date: Mon, 17 Dec 2012 10:36:00 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- SQUID-2012:1 / Squid:  DoS (excessive
 resource consumption) via invalid Content-Length headers or via memory leaks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/17/2012 10:27 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> A denial of service flaw was found in the way the CGI Cache Manager
> of the Squid proxy caching server processed certain requests. A
> remote attacker could use this flaw to cause the squid service to
> consume an excessive amount of resources.
> 
> References:
> [1] http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
> [2] https://bugs.gentoo.org/show_bug.cgi?id=447596
> [3] https://secunia.com/advisories/51545/
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=887962
> 
> Upstream patches:
> [5] http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch
>     (against the 3.1 branch)
> [6] http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch
>     (against the 3.2 branch)
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 

Please use CVE-2012-5643 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

