Re: CVE-2009-2855

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 13 Oct 2009 12:40:46 +1300

On Tue, 13 Oct 2009 01:27:20 +0200, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> tis 2009-10-13 klockan 12:12 +1300 skrev Amos Jeffries:
>
>> Okay, I've asked the Debian reporter for access to details.
>> Lacking clear evidence of remote exploit I'll follow along with the quiet
>> approach.
>
> The exploit is only possible if squid.conf is configured to extract
> cookies, i.e. for logging or external_acl purposes.
>
>> The CVE has reference to our bugs which are clearly closed. If there is
>> more to be done to notify anyone can you let me know what that is
>> please?
>
> A mail to cve_at_mitre.org mentioning that the Squid bug is fixed may
> work..
>
>> the other CVEs from this year are in similar states of questionable
>> open/closed-ness.
>
> ?

Mitre still list them all as "Under Review".

>
> There have been 5 CVEs issued for Squid in 2009... I only classify this
> one low and the transparent ip interception mess CVE-2009-0801 as minor,
> the other 3 are all fairly major..
>

Aye. Major but closed with fixes released.

>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
> Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows
> remote attackers to cause a denial of service via an HTTP request with
> an invalid version number, which triggers a reachable assertion in (1)
> HttpMsg.c and (2) HttpStatusLine.c.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0801
> Squid, when transparent interception mode is enabled, uses the HTTP Host
> header to determine the remote endpoint, which allows remote attackers
> to bypass access controls for Flash, Java, Silverlight, and probably
> other technologies, and possibly communicate with restricted intranet
> sites, via a crafted web page that causes a client to send HTTP requests
> with a modified Host header.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2621
> Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not
> properly enforce "buffer limits and related bound checks," which allows
> remote attackers to cause a denial of service via (1) an incomplete
> request or (2) a request with a large header size, related to (a)
> HttpMsg.cc and (b) client_side.cc.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2622
> Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote
> attackers to cause a denial of service via malformed requests including
> (1) "missing or mismatched protocol identifier," (2) "missing or negative
> status value," (3) "missing version," or (4) "missing or invalid status
> number," related to (a) HttpMsg.cc and (b) HttpReply.cc.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2855
> The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows
> remote attackers to cause a denial of service via a crafted auth header
> with certain comma delimiters that trigger an infinite loop of calls to
> the strcspn function.

Amos
Received on Mon Oct 12 2009 - 23:40:51 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 13 2009 - 12:00:06 MDT
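As an added illustration, not code from this thread or from Squid, of the failure mode the CVE-2009-2855 entry describes: an iterator over a comma-separated header value that skips delimiter runs before calling strcspn, so each call is guaranteed to advance and the loop is bounded by the header's length. The function names and the sample header values are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Return the next non-empty item of a comma-separated header value.
 * *pos is the caller's cursor. On success returns 1 with *item/*len set to the
 * item (surrounding blanks trimmed) and *pos left on the delimiter after it;
 * returns 0 once the value is exhausted. Quoted strings are not handled. */
int list_next_item(const char *hdr, size_t *pos, const char **item, size_t *len)
{
    size_t n = strlen(hdr);
    /* Skip any run of delimiters and blanks first. Calling strcspn while the
     * cursor sits on ',' yields a span of 0 and no forward movement, and a
     * loop built that way never terminates on input such as ",,". */
    while (*pos < n && strchr(", \t", hdr[*pos]) != NULL)
        (*pos)++;
    if (*pos >= n)
        return 0;
    /* hdr[*pos] is neither ',' nor blank, so span >= 1: every call advances. */
    size_t span = strcspn(hdr + *pos, ",");
    size_t end = span;
    while (end > 0 && (hdr[*pos + end - 1] == ' ' || hdr[*pos + end - 1] == '\t'))
        end--;
    *item = hdr + *pos;
    *len = end;
    *pos += span;
    return 1;
}

/* Count items; bounded by strlen(hdr) calls because every call advances. */
size_t list_count_items(const char *hdr)
{
    size_t pos = 0, count = 0, len;
    const char *item;
    while (list_next_item(hdr, &pos, &item, &len))
        count++;
    return count;
}

int main(void)
{
    /* Constructed sample values, including delimiter-only and empty input. */
    const char *samples[] = { "gzip, deflate", ",,gzip , ,deflate,", ",,,,", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %zu item(s)\n", samples[i], list_count_items(samples[i]));
    return 0;
}
```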