On Tue, 13 Oct 2009 01:27:20 +0200, Henrik Nordstrom <[email protected]> wrote:
> Tue 2009-10-13 at 12:12 +1300, Amos Jeffries wrote:
>
>> Okay, I've asked the Debian reporter for access to details.
>> Lacking clear evidence of remote exploit I'll follow along with the
>> quiet approach.
>
> The exploit is only possible if squid.conf is configured to extract
> cookies, i.e. for logging or external_acl purposes.
>
>> The CVE has reference to our bugs which are clearly closed. If there is
>> more to be done to notify anyone can you let me know what that is please?
>
> A mail to [email protected] mentioning that the Squid bug is fixed may
> work..
>
>> the other CVE from this year are in similar states of questionable
>> open/closed-ness.
>
> ?

Mitre still list them all as "Under Review".

>
> There have been 5 CVEs issued for Squid in 2009... I only classify this
> one low and the transparent ip interception mess CVE-2009-0801 as minor,
> the other 3 are all fairly major..
>

Aye. Major but closed with fixes released.

>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
> Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows
> remote attackers to cause a denial of service via an HTTP request with
> an invalid version number, which triggers a reachable assertion in (1)
> HttpMsg.c and (2) HttpStatusLine.c.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0801
> Squid, when transparent interception mode is enabled, uses the HTTP Host
> header to determine the remote endpoint, which allows remote attackers
> to bypass access controls for Flash, Java, Silverlight, and probably
> other technologies, and possibly communicate with restricted intranet
> sites, via a crafted web page that causes a client to send HTTP requests
> with a modified Host header.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2621
> Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not
> properly enforce "buffer limits and related bound checks," which allows
> remote attackers to cause a denial of service via (1) an incomplete
> request or (2) a request with a large header size, related to (a)
> HttpMsg.cc and (b) client_side.cc.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2622
> Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote
> attackers to cause a denial of service via malformed requests including
> (1) "missing or mismatched protocol identifier," (2) "missing or negative
> status value," (3) "missing version," or (4) "missing or invalid status
> number," related to (a) HttpMsg.cc and (b) HttpReply.cc.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2855
> The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows
> remote attackers to cause a denial of service via a crafted auth header
> with certain comma delimiters that trigger an infinite loop of calls to
> the strcspn function.

Amos
