Date: Fri, 26 Feb 2016 01:45:42 -0500 (EST)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues

> http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

> First issue;
> the proxy contains a String object class with 64KB content limits.
> Some code paths do not bounds check before appending to these String
> and overflow leads to an assertion which terminates all client
> transactions using the proxy, including those unrelated to the limit
> being exceeded.
>
> A PoC has already been published for one attack vector using HTTP
> "Vary" response header. When the Vary pattern presented by a server
> expands to more than 64KB the DoS is triggered. For example:
> Vary: Cookie,Cookie,Cookie,Cookie,...

> However, there are currently 4 known distinct vectors (types of
> remotely provided input) with varying degrees of difficulty to trigger
> the assertion.
>
> Patch URLs that work around 3 of those vectors (though not fully solve)
> are:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch

Use CVE-2016-2569 for both squid-3.5-13991.patch and
squid-4-14552.patch. There is (currently) no CVE ID for the remaining
unsolved problem associated with this "though not fully solve"
statement.

> This patch fixes the other related variant of the basic problem.
> Though this instance is not triggerable from outside a controlled CDN
> environment:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch

Use CVE-2016-2570 for both squid-3.5-13993.patch and
squid-4-14549.patch.

> Error handling for malformed HTTP responses can lead to a second
> assertion with the same effects as the first issue. It is not easily
> triggered in Squid-3 or normally in Squid-4.
>
> However fixing the String issue makes it become easily triggerable in
> Squid-4, and we do have a history of the assertion itself being
> reported as occurring already but been unable to identify the vectors
> code path to replicate it yet. So believe it can be achieved
> independent of the String issues, even if we are unable so far to
> identify how.
>
> Patch URLs for this are:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch

For 'When we failed to parse a response, do not store the fake
half-baked response (via a replaceHttpReply() call)' in
squid-3.5-13990.patch and 'Do not store the fake half-baked response
(via replaceHttpReply)' in squid-4-14548.patch, use CVE-2016-2571.

For 'Do not use parsing leftovers, such as HTTP response status code'
in squid-4-14548.patch, use CVE-2016-2572.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
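
The failure mode described in the quoted advisory text (an unchecked append to a size-limited string tripping an assertion that ends every client transaction) shown next to a checked append that rejects only the offending transaction. This is an added example, not code from Squid or from the patches referenced above; `LimitedString`, `unsafeAppend`, `tryAppend`, `buildList` and `BuildResult` are hypothetical names, and the 64KB constant only models the limit the advisory mentions.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for a size-limited string; NOT Squid's String class.
class LimitedString {
public:
    // Models the 64KB content limit mentioned in the quoted advisory text.
    static constexpr std::size_t kMaxSize = 64 * 1024;
    bool canAppend(std::size_t n) const {
        return buf_.size() <= kMaxSize && n <= kMaxSize - buf_.size();
    }

    // Failure mode: no caller-side bounds check, so oversized remote input
    // trips the assertion and aborts the whole process (every client).
    void unsafeAppend(const std::string &s) {
        assert(canAppend(s.size()));
        buf_ += s;
    }

    // Hardened form: refuse the append and let the caller handle it.
    bool tryAppend(const std::string &s) {
        if (!canAppend(s.size()))
            return false;
        buf_ += s;
        return true;
    }

    std::size_t size() const { return buf_.size(); }
private:
    std::string buf_;
};

enum class BuildResult { Ok, TooLarge };
// Joins remotely supplied tokens (constructed input here) into one bounded
// string. On overflow only this transaction is rejected.
BuildResult buildList(const std::vector<std::string> &tokens, LimitedString &out) {
    for (std::size_t i = 0; i < tokens.size(); ++i) {
        if ((i > 0 && !out.tryAppend(",")) || !out.tryAppend(tokens[i]))
            return BuildResult::TooLarge;
    }
    return BuildResult::Ok;
}

int main() {
    LimitedString s;
    return buildList({"Cookie", "Cookie"}, s) == BuildResult::Ok ? 0 : 1;
}
```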