
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- SQUID-2012:1 / Squid:  DoS (excessive resource consumption) via in
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-12-17 17:36:00
Message-ID: 50CF5800.3070705 () redhat ! com


On 12/17/2012 10:27 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> A denial of service flaw was found in the way the CGI Cache Manager
> of the Squid proxy caching server processed certain requests. A
> remote attacker could use this flaw to cause the squid service to
> consume an excessive amount of resources.
> 
> References:
> [1] http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
> [2] https://bugs.gentoo.org/show_bug.cgi?id=447596
> [3] https://secunia.com/advisories/51545/
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=887962
> 
> Upstream patches:
> [5] http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch
>     (against the 3.1 branch)
> [6] http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch
>     (against the 3.2 branch)
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 

Please use CVE-2012-5643 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
