squid3: pinger remote DoS (CVE-2014-7141 CVE-2014-7142)


Debian Bug report logs - #760999

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 Sep 2014 18:57:07 UTC

Severity: normal

Tags: patch, security, upstream

Found in version squid3/3.1.6-1.2

Fixed in version squid3/3.4.8-1

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#760999; Package src:squid3. (Tue, 09 Sep 2014 18:57:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Tue, 09 Sep 2014 18:57:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squid3: pinger remote DoS
Date: Tue, 09 Sep 2014 20:53:08 +0200
Source: squid3
Version: 3.1.6-1.2
Severity: normal
Tags: security upstream patch

Hi

See [1] for a remote DoS reported by Sebastian Krahmer.

 [1] https://bugzilla.novell.com/show_bug.cgi?id=891268

> The pinger code that checks for nodes being alive doesn't
> properly validate ICMP and ICMPv6 replies, in particular
> icmp6 types which are used to index into a string array.
> This could cause crashes when the index is OOB.
[...]

No CVE is assigned yet for this issue.

Regards,
Salvatore
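The bug class described in the quoted report, as an added illustration that is not Squid's code and not the upstream patch: a constructed ICMPv6 type-name table indexed straight from the wire type byte, next to a bounds-checked lookup and a small reply validator that checks length, type, code and identifier before any field is used. The table, the type numbers chosen for it and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, abbreviated ICMPv6 type-name table (not Squid's). The wire
 * type field is 8 bits, so any such table is shorter than its 0..255 range. */
static const char *const icmp6_type_name[] = {
    "Reserved", "Destination Unreachable", "Packet Too Big",
    "Time Exceeded", "Parameter Problem",          /* types 0..4 */
};
#define ICMP6_NAME_COUNT (sizeof icmp6_type_name / sizeof icmp6_type_name[0])

/* Vulnerable pattern from the report: the type byte from the wire is used
 * directly as an index, so type >= ICMP6_NAME_COUNT reads past the array. */
const char *icmp6_name_unchecked(uint8_t type)
{
    return icmp6_type_name[type];
}

/* Hardened lookup: bounds-check first; unknown types get a fixed label. */
const char *icmp6_name_checked(uint8_t type)
{
    return type < ICMP6_NAME_COUNT ? icmp6_type_name[type] : "Unknown";
}

/* Minimal validation a pinger should apply to an ICMPv6 echo reply before
 * trusting any field: length, expected type/code, and our own identifier.
 * Checksum verification is left to the kernel/raw-socket layer. */
#define ICMP6_ECHO_REPLY   129
#define ICMP6_ECHO_HDR_LEN 8

typedef struct { uint8_t type, code; uint16_t id, seq; } icmp6_echo_hdr;

/* Returns 1 and fills *out for a well-formed echo reply carrying my_id,
 * 0 for anything else (too short, wrong type/code, foreign identifier). */
int parse_icmp6_echo_reply(const uint8_t *buf, size_t len, uint16_t my_id,
                           icmp6_echo_hdr *out)
{
    if (buf == NULL || out == NULL || len < ICMP6_ECHO_HDR_LEN)
        return 0;
    uint8_t type = buf[0], code = buf[1];
    uint16_t id  = (uint16_t)((buf[4] << 8) | buf[5]);  /* network byte order */
    uint16_t seq = (uint16_t)((buf[6] << 8) | buf[7]);
    if (type != ICMP6_ECHO_REPLY || code != 0 || id != my_id)
        return 0;
    out->type = type; out->code = code; out->id = id; out->seq = seq;
    return 1;
}
```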



Changed Bug title to 'squid3: pinger remote DoS (CVE-2014-7141 CVE-214-7142)' from 'squid3: pinger remote DoS' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 22 Sep 2014 06:39:11 GMT)


Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Thu, 16 Oct 2014 22:54:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 16 Oct 2014 22:54:19 GMT)


Message #12 received at 760999-close@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: 760999-close@bugs.debian.org
Subject: Bug#760999: fixed in squid3 3.4.8-1
Date: Thu, 16 Oct 2014 22:51:42 +0000
Source: squid3
Source-Version: 3.4.8-1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760999@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 17 Oct 2014 00:10:00 +1300
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: source all i386
Version: 3.4.8-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 693905 737008 741312 760999 761002
Changes:
 squid3 (3.4.8-1) unstable; urgency=high
 .
   * Urgency high due to security fixes
 .
   [ Amos Jeffries <amosjeffries@squid-cache.org> ]
   * New upstream release (Closes: #737008)
     - Fixes CVE-2014-6270: off by one in snmp subsystem (Closes: #761002)
     - Fixes CVE-2014-7141 and CVE-2014-7142 (Closes: #760999)
       + pinger remote DoS vulnerabilities
     - Fixes CVE-2014-0128: Denial of Service in SSL-Bump (Closes: #741312)
 .
   * debian/patches/
     - remove CVE-2014-3609.patch included upstream
     - remove 17-pod2man-check.patch obsoleted by new version
     - add upstream patch 21-squid-3.4-13176-memoryleak.patch:
       memory leak in external_acl_type helper with cache=0 or ttl=0
 .
   * debian/rules
     - add --disable-arch-native to build with portable CPU support
 .
   * debian/control
     - libecap API support is specific to version 0.2.0
     - use nettle for crypto library
 .
   * debian/watch
     - updated watch pattern for upstream major series
 .
   * debian/rules
     - Remove obsolete --enable-underscores (Closes: #693905)
 .
   [ Luigi Gangitano <luigi@debian.org> ]
   * debian/patches/
     - refreshed all patches to match 3.4.8
 .
   * debian/control
     - Added dependency for missing interpreter ksh
     - Bumped Standard-Version to 3.9.6, no change needed
     - Added XS-Vcs-Git Header pointing to Alioth repository





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Dec 2014 07:39:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:49:46 2019; Machine Name: buxtehude
