Debian
squid package

[CVE-2007-6239] squid-2.X and squid-3.x are vulnerable

Bug #174352 reported by Stephan Rügamer
256
Affects Status Importance Assigned to Milestone
squid (Debian)
Fix Released
Unknown
squid (Ubuntu)
Fix Released
Undecided
Unassigned
Declined for Dapper by Chuck Short
Edgy
Invalid
Undecided
Unassigned
Feisty
Fix Released
Undecided
Unassigned
Gutsy
Fix Released
Undecided
Unassigned
squid3 (Ubuntu)
Invalid
Undecided
Unassigned
Declined for Dapper by Chuck Short
Edgy
Invalid
Undecided
Unassigned
Feisty
Fix Released
Undecided
Unassigned
Gutsy
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: squid

Dear colleagues,

squid-2.X and squid-3.x are vulnerable.

Message from NVD:

The "cache update reply processing" functionality in Squid 2.x before 2.6.STABLE17 and Squid 3.0 allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers.

This applies to all squid packages in our supported releases.

Severity: (from upstream: http://www.squid-cache.org/Advisories/SQUID-2007_2.txt)

This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.

See original description

CVE References

Stephan Rügamer (sruegamer)
description: updated
Bug Watch Updater (bug-watch-updater)
Changed in squid:
status: Unknown → Fix Committed
Revision history for this message
Chuck Short (zulcss) wrote :

This is fixed by http://www.ubuntu.com/usn/usn-565-1.

Thanks
chuck

Changed in squid3:
status: New → Invalid
Changed in squid:
status: New → Fix Released
Revision history for this message
Chuck Short (zulcss) wrote :

Whoops

Changed in squid:
status: New → Invalid
Revision history for this message
Chuck Short (zulcss) wrote :

Im in the process of backporting the fix.

Regards
chuck

Revision history for this message
Chuck Short (zulcss) wrote :

I have attached a debdiff for feisty.

Revision history for this message
Chuck Short (zulcss) wrote :

I have attached a debdiff for gutsy as well.

Regards
chuck

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

http://www.ubuntu.com/usn/usn-565-1

Changed in squid3:
status: New → Fix Committed
status: New → Fix Committed
Changed in squid:
status: New → Fix Released
status: New → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Hardy not affected (fixed in 3.0.RC1-3).

Changed in squid3:
status: New → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

squid3 (3.0.PRE5-5ubuntu0.1) feisty-security; urgency=low

  [ Chuck Short ]
  * SECURITY UPDATE: Clean up squid cache correctly.
  * Add CVE-2007-6239.dpatch
  * References:
    CVE-2007-6239

  [ Jamie Strandboge ]
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- Jamie Strandboge <email address hidden> Fri, 1 Feb 2008 17:37:35 +0000

Changed in squid3:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

squid3 (3.0.PRE6-1ubuntu0.1) gutsy-security; urgency=low

  [ Chuck Short ]
  * SECURITY UPDATE: Clean up squid cache correctly.
  * Add CVE-2007-6239.dpatch
  * References:
    CVE-2007-6239

  [ Jamie Strandboge ]
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- Jamie Strandboge <email address hidden> Fri, 01 Feb 2008 17:36:16 +0000

Changed in squid3:
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in squid:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.