Debian Bug report logs - #455910
CVE-2007-6239: Denial of service via HTTP headers
Reported by: Micah Anderson <micah@debian.org>
Date: Wed, 12 Dec 2007 14:33:04 UTC
Severity: important
Tags: fixed
Found in version squid/2.6.5-6
Done: Luigi Gangitano <luigi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Luigi Gangitano <luigi@debian.org>: Bug#455910; Package squid.
Acknowledgement sent to Micah Anderson <micah@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Luigi Gangitano <luigi@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: squid
Version: 2.6.5-6
Severity: important
Hi,
The version of squid in sarge and etch is currently vulnerable[1] to
CVE-2007-6239[1] which is described as:
Due to incorrect bounds checking Squid is vulnerable to a denial of
service check during some cache update reply processing. This problem
allows any client trusted to use the service to perform a denial of
service attack on the Squid service.
A patch is available[3].
1. http://security-tracker.debian.net/tracker/CVE-2007-6239
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6239
3. http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch
Thanks,
Micah
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-2-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages squid depends on:
ii adduser 3.105 add and remove users and groups
ii debconf [debconf-2.0] 1.5.17 Debian configuration management sy
ii libc6 2.7-4 GNU C Library: Shared libraries
ii libdb4.6 4.6.21-4 Berkeley v4.6 Database Libraries [
ii libldap2 2.1.30.dfsg-13.5 OpenLDAP libraries
ii libpam0g 0.99.7.1-5 Pluggable Authentication Modules l
ii logrotate 3.7.1-3 Log rotation utility
ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip
ii netbase 4.30 Basic TCP/IP networking system
ii squid-common 2.6.17-1 Internet object cache (WWW proxy c
squid recommends no packages.
-- debconf information excluded
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#455910; Package squid.
Acknowledgement sent to Luigi Gangitano <luigi@debian.org>: Extra info received and forwarded to list.
Message #10 received at 455910@bugs.debian.org:
tags 455910 +fixed +pending
thanks
Hi Micah,
thanks for your report. This has already been worked on, an updated
package is on the way.
Regards,
L
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Tags added: fixed. Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org. (Wed, 12 Dec 2007 22:48:10 GMT)
Tags added: pending. Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org. (Wed, 12 Dec 2007 23:09:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#455910; Package squid.
Acknowledgement sent to Luigi Gangitano <luigi@debian.org>: Extra info received and forwarded to list.
Message #19 received at 455910@bugs.debian.org:
Version: 2.6.5-6etch4
This bug has been fixed in DSA-1482.
Regards,
L
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Reply sent to Luigi Gangitano <luigi@debian.org>: You have taken responsibility.
Notification sent to Micah Anderson <micah@debian.org>: Bug acknowledged by developer.
Message #24 received at 455910-done@bugs.debian.org:
Version: 2.6.5-6etch4
This bug has been fixed in DSA-1482.
Regards,
L
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Apr 2008 07:26:58 GMT)
Last modified: Wed Jun 19 15:36:11 2019; Machine Name: buxtehude