Re: CVE-2009-2855

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Tue, 13 Oct 2009 01:27:20 +0200

tis 2009-10-13 klockan 12:12 +1300 skrev Amos Jeffries:

> Okay, I've asked the Debian reporter for access to details.
> Lacking clear evidence of remote exploit I'll follow along with the quiet
> approach.

The exploit is only possible if squid.conf is configured to extract
cookies, i.e. for logging or external_acl purposes.

> The CVE has reference to our bugs which are clearly closed. If there is
> more to be done to notify anyone can you let me know what that is please?

A mail to cve_at_mitre.org mentioning that the Squid bug is fixed may
work..

> the other CVE from this year are in similar states of questionable
> open/closed-ness.

?

There have been 5 CVEs issued for Squid in 2009... I only classify this
one low and the transparent ip interception mess CVE-2009-0801 as minor,
the other 3 are all fairly major..

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows
remote attackers to cause a denial of service via an HTTP request with
an invalid version number, which triggers a reachable assertion in (1)
HttpMsg.c and (2) HttpStatusLine.c.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0801
Squid, when transparent interception mode is enabled, uses the HTTP Host
header to determine the remote endpoint, which allows remote attackers
to bypass access controls for Flash, Java, Silverlight, and probably
other technologies, and possibly communicate with restricted intranet
sites, via a crafted web page that causes a client to send HTTP requests
with a modified Host header.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2621
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not
properly enforce "buffer limits and related bound checks," which allows
remote attackers to cause a denial of service via (1) an incomplete
request or (2) a request with a large header size, related to (a)
HttpMsg.cc and (b) client_side.cc.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2622
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote
attackers to cause a denial of service via malformed requests including
(1) "missing or mismatched protocol identifier," (2) "missing or negative
status value," (3) "missing version," or (4) "missing or invalid status
number," related to (a) HttpMsg.cc and (b) HttpReply.cc.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2855
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows
remote attackers to cause a denial of service via a crafted auth header
with certain comma delimiters that trigger an infinite loop of calls to
the strcspn function.
Received on Mon Oct 12 2009 - 23:27:24 MDT
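Added here as an illustration of the CVE-2009-2855 failure mode discussed above; it is not Squid's strListGetItem nor any code from this thread. A delimiter-separated list iterator of the same shape is written so that its cursor must advance on every call (checked by an assertion), with a bounded caller as a second line of defence. The function names and the constructed header values are assumptions.

```c
#include <assert.h>
#include <string.h>
/* Next non-empty item of a delimiter-separated header value. Start with
 * *pos == NULL; returns 1 with *item/*ilen set, 0 at the end. The assert
 * states the property a strcspn-driven scanner must keep: forward progress
 * on every call, whatever the input ("a,,,b", ",,,", "", trailing blanks). */
static int list_get_item(const char *str, char del, const char **item,
                         size_t *ilen, const char **pos)
{
    const char *end = str + strlen(str), *start, *q;
    const char *p = *pos ? *pos : str;
    const char reject[2] = { del, '\0' };
    while (p < end && (*p == del || *p == ' ' || *p == '\t'))
        p++;                                 /* skip ",, ," runs */
    if (p == end) {
        *pos = end;
        return 0;
    }
    start = p;
    p += strcspn(p, reject);                 /* stop at the next delimiter */
    for (q = p; q > start && (q[-1] == ' ' || q[-1] == '\t'); q--)
        ;                                    /* trim trailing blanks */
    assert(p > start && (*pos == NULL || p > *pos)); /* forward progress */
    *item = start;
    *ilen = (size_t)(q - start);
    *pos = p;
    return 1;
}

/* Count items, bounded by max_iter so a regression cannot hang the caller. */
static int count_items(const char *hdr, char del, int max_iter)
{
    const char *item, *pos = NULL; size_t ilen; int n = 0;
    while (n < max_iter && list_get_item(hdr, del, &item, &ilen, &pos))
        n++;
    return n;
}

/* 1 if the n-th (0-based) item equals expect exactly, else 0. */
static int nth_item_is(const char *hdr, char del, int n, const char *expect)
{
    const char *item, *pos = NULL; size_t ilen;
    while (list_get_item(hdr, del, &item, &ilen, &pos))
        if (n-- == 0)
            return ilen == strlen(expect) && memcmp(item, expect, ilen) == 0;
    return 0;
}
```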

This archive was generated by hypermail 2.2.0 : Tue Oct 13 2009 - 12:00:06 MDT