Tue 2009-10-13 at 12:12 +1300, Amos Jeffries wrote:
> Okay, I've asked the Debian reporter for access to details.
> Lacking clear evidence of remote exploit I'll follow along with the quiet
> approach.

The exploit is only possible if squid.conf is configured to extract cookies, i.e. for logging or external_acl purposes.

> The CVE has reference to our bugs which are clearly closed. If there is
> more to be done to notify anyone can you let me know what that is please?

A mail to [email protected] mentioning that the Squid bug is fixed may work..

> the other CVE from this year are in similar states of questionable
> open/closed-ness.

?

There have been 5 CVEs issued for Squid in 2009... I only classify this one low and the transparent ip interception mess CVE-2009-0801 as minor, the other 3 are all fairly major..

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows remote attackers to cause a denial of service via an HTTP request with an invalid version number, which triggers a reachable assertion in (1) HttpMsg.c and (2) HttpStatusLine.c.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0801
Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2621
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2622
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2855
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
