Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 16 Feb 2016 09:45:01 -0500 (EST)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Squid HTTP Caching Proxy 3.5.13, 4.0.4, 4.0.5 denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://www.squid-cache.org/Advisories/SQUID-2016_1.txt

> Patch for 3.5 is
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch>.
> 
> Patch for 4.0 is
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch>.

Is this correct or do you mean the 4.0 patch is
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14538.patch instead?


> A remotely triggerable denial of service has been found in Squid
> proxy. The proxy incorrectly handles server TLS failure which almost
> always results in crashing the entire proxy. Denying service for all
> other clients using it.

>   Bug 4437: Fix Segfault on Certain SSL Handshake Errors
>   
>   Squid after an unsuccessful try to connect to the remote server may make two
>   concurrent retries to connect to the remote SSL server, calling twice the
>   FwdState::retryOrBail() method, which may result to unexpected behaviour.
>   
>   Prevent this by just closing the connection to the remote SSL server inside
>   FwdState::connectedToPeer method on error and instead of calling the
>   FwdState::retryOrBail method, just allow comm_close handler to retry the
>   connection if required.
> 
> src/FwdState.cc

Use CVE-2016-2390.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWwzVEAAoJEL54rhJi8gl5CEcQAJnr/8JJbM4e1Q/o8w3AVYk0
FUPc250Qj0z4l5Nq8j8OSx5GsLIx9uVe3NnLe50uPYlF0bdM+AEEbi4e6EJSvtdx
772jj6N/QArkrbf4qTKWtXS812mxLW6CPewOIk+ldMeAKMKUIh3ePuST3RByxJqi
3oZGzyQbo2MoDQgXVRQFH6uXo1+4dHqmZfOQjLiaXNEFark248mK+DELCM5P5tB6
F9ATtcaXuqxj5jwGKm9gZUk5uDP9Ed15Wn020fi5saWDYiFJXF3XeaeURzvTnrS2
AaKgC0Kvw6gwOams+FIxp8NQtP4XSZMefqRNeoAZdeuV76xZOXWLV9ki2RAEIsWF
p8qfV1bvdY/+seQ4QUqkm/VmRKc3gHecBSSsnmV+YNa213fzcGXYBfP2nTIFTgwF
cQ7ycLbMEAGwHWava8t6TJF8mE1+oWNejKBwOMPkJMI9v+mCe364V401+KIYms+a
6qSbk3iuBoHVm3H7Z1ikcJRW92XKX9LaXTVx5JH5B9p+DRryB9u+zgC8VKAWLOAn
5t4W3JrliAZluSpc7++6TTqOuFOBEsfJ6l66UEv5Xgoj3BhRBEFkflbYedOLfCap
apjOXQhV5G1H48Pm6bVStDyRE3JQEbxefGkCwOJDAYOWVqULQ0yACpmng14TjQOR
RVX4OJ1VZboeNcSMFh4H
=evrD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.