Date: Wed, 17 Feb 2016 05:24:10 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: Squid HTTP Caching Proxy 3.5.13, 4.0.4, 4.0.5 denial of service

On 17/02/2016 3:45 a.m., cve-assign@...re.org wrote:
>> http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
> 
>> Patch for 3.5 is
>> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch>.
> 
>> Patch for 4.0 is
>> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch>.
> 
> Is this correct or do you mean the 4.0 patch is
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14538.patch instead?
> 

Paste error on my part sorry.
The squid-4-14538.patch URL is correct for 4.0.

> 
>> A remotely triggerable denial of service has been found in Squid
>> proxy. The proxy incorrectly handles server TLS failure, which almost
>> always results in crashing the entire proxy, denying service for all
>> other clients using it.
> 
>>   Bug 4437: Fix Segfault on Certain SSL Handshake Errors
> 
>>   Squid after an unsuccessful try to connect to the remote server may make two
>>   concurrent retries to connect to the remote SSL server, calling twice the
>>   FwdState::retryOrBail() method, which may result in unexpected behaviour.
> 
>>   Prevent this by just closing the connection to the remote SSL server inside
>>   FwdState::connectedToPeer method on error and instead of calling the
>>   FwdState::retryOrBail method, just allow comm_close handler to retry the
>>   connection if required.
> 
>> src/FwdState.cc
> 
> Use CVE-2016-2390.
> 
> 


Thank you.

Amos
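As an added illustration (not Squid's code and not part of this thread), the toy C++ model below reproduces the control-flow defect the Bug 4437 changelog describes: an error path that calls the retry routine itself and then closes the connection, whose close handler calls the same retry routine again, so one failed handshake schedules two retries and the retry budget is consumed twice as fast. The "fixed" path follows the change description and lets the close handler be the only place that decides whether to retry. The names ToyForwarder, ToyConnection, retriesAfterOneFailure and failuresUntilBail are hypothetical; the model covers the double retry accounting only, not the segfault itself.

```cpp
// Hypothetical model of the double-retry pattern; not Squid source code.
#include <functional>
#include <iostream>
#include <string>
#include <vector>

struct ToyConnection {
    bool open = true;
    std::function<void()> closeHandler;   // plays the role of a comm_close handler

    void close() {
        if (!open) return;                // closing twice is a no-op
        open = false;
        if (closeHandler) closeHandler(); // the handler runs exactly once per close
    }
};

class ToyForwarder {
public:
    explicit ToyForwarder(int maxRetries) : maxRetries_(maxRetries) {}

    // Stands in for retryOrBail(): schedule another attempt while budget remains, else give up.
    void retryOrBail() {
        if (retries_ < maxRetries_) {
            ++retries_;
            log_.push_back("retry");
        } else {
            ++bails_;
            log_.push_back("bail");
        }
    }

    // Buggy handshake-error path: retries directly AND closes the connection,
    // whose close handler retries again -> two retries for one failure.
    void connectedToPeerBuggy(ToyConnection &conn, bool error) {
        if (!error) return;
        retryOrBail();
        conn.close();
    }

    // Fixed path (as the changelog describes): only close the connection and
    // leave the retry decision to the single close handler.
    void connectedToPeerFixed(ToyConnection &conn, bool error) {
        if (!error) return;
        conn.close();
    }

    int retries() const { return retries_; }
    int bails() const { return bails_; }
    const std::vector<std::string> &log() const { return log_; }

private:
    int maxRetries_;
    int retries_ = 0;
    int bails_ = 0;
    std::vector<std::string> log_;
};

// Simulate one failed TLS handshake and return how many retries were scheduled for it.
int retriesAfterOneFailure(bool useFixedPath) {
    ToyForwarder fwd(3);
    ToyConnection conn;
    conn.closeHandler = [&fwd] { fwd.retryOrBail(); };
    if (useFixedPath) fwd.connectedToPeerFixed(conn, true);
    else fwd.connectedToPeerBuggy(conn, true);
    return fwd.retries();
}

// Count consecutive handshake failures until the forwarder bails out (budget of 3 retries).
int failuresUntilBail(bool useFixedPath) {
    ToyForwarder fwd(3);
    int failures = 0;
    while (fwd.bails() == 0 && failures < 100) {   // guard against a runaway loop
        ToyConnection conn;
        conn.closeHandler = [&fwd] { fwd.retryOrBail(); };
        ++failures;
        if (useFixedPath) fwd.connectedToPeerFixed(conn, true);
        else fwd.connectedToPeerBuggy(conn, true);
    }
    return failures;
}

int main() {
    std::cout << "retries per failure, buggy path: " << retriesAfterOneFailure(false) << "\n";
    std::cout << "retries per failure, fixed path: " << retriesAfterOneFailure(true) << "\n";
    std::cout << "failures until bail, buggy path: " << failuresUntilBail(false) << "\n";
    std::cout << "failures until bail, fixed path: " << failuresUntilBail(true) << "\n";
    return 0;
}
```

The design point the model makes is ownership: once an asynchronous close handler is responsible for retrying, no other code path may also retry on the same failure, otherwise the retry counter and any per-attempt state are advanced twice for one event.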
