[Fwd: Squid 2.6 ICAP]

From: Henrik Nordström <henrik@dont-contact.us>
Date: Sun, 13 Jan 2008 21:21:35 +0100

attached mail follows:


Hello.

While testing for CVE-2007-6239 I found a small memory leak introduced by
the ICAP patch as included in the Mandriva squid 2.6 package, taken from here:
<http://devel.squid-cache.org/cgi-bin/diff2/icap-2.6.patch>.

Although small, I could trigger a DoS with the same procedure which would
trigger a DoS for CVE-2007-6239 in ICAP-unpatched & unfixed Squid.

The fix for the leak can be found here:
<http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/squid/current/SOURCES/>

File 'squid-2.6.STABLE16-icap-fixleak.patch'.

I sure don't believe this is the better fix, but it was enough for us.

cya

Received on Sun Jan 13 2008 - 13:22:06 MST

This archive was generated by hypermail pre-2.1.9 : Wed Jan 30 2008 - 12:00:09 MST