Squid clientProcessRequest() function denial of service
| squid-clientprocessrequest-dos (33124) |  Low Risk |
Description:
Squid is vulnerable to a denial of service, caused by a vulnerability in the clientProcessRequest() function when processing TRACE requests. By sending a specially-crafted TRACE request, a remote authenticated attacker could cause the proxy service to crash.
Platforms Affected:
- Canonical, Ubuntu 6.10
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 2006
- MandrakeSoft, Mandrake Linux 2006 X86_64
- MandrakeSoft, Mandrake Linux 2007
- MandrakeSoft, Mandrake Linux 2007 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0
- MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 4.0
- MandrakeSoft, Mandrake Multi Network Firewall 2.0
- RedHat, Enterprise Linux 5
- RedHat, Enterprise Linux 5 Client Workstation
- Squid-Cache, Squid 2.6.STABLE1
- Squid-Cache, Squid 2.6.STABLE10
- Squid-Cache, Squid 2.6.STABLE11
- Squid-Cache, Squid 2.6.STABLE2
- Squid-Cache, Squid 2.6.STABLE3
- Squid-Cache, Squid 2.6.STABLE4
- Squid-Cache, Squid 2.6.STABLE5
- Squid-Cache, Squid 2.6.STABLE6
- Squid-Cache, Squid 2.6.STABLE7
- Squid-Cache, Squid 2.6.STABLE8
- Squid-Cache, Squid 2.6.STABLE9
- Turbolinux, Turbolinux 10 Server
- Turbolinux, Turbolinux 10 Server x64 Ed
- Turbolinux, Turbolinux 8 Server
- Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
- Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
- Turbolinux, Turbolinux Appliance Server 2.0
Remedy:
Refer to SQUID-2007:1 for patch or upgrade information. See References.
For Red Hat Linux (squid):
Refer to RHSA-2007:0131 for patch, upgrade, or suggested workaround information. See References.
For Ubuntu Linux:
Refer to USN-441-1 for patch, upgrade, or suggested workaround information. See References.
For Gentoo Linux:
Refer to GLSA 200703-27 for patch, upgrade, or suggested workaround information. See References.
For Mandriva Linux (squid):
Refer to MDKSA-2007:068 for patch, upgrade, or suggested workaround information. See References.
For Turbolinux (Squid):
Refer to TLSA-2007-23 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- Squid Web site, Squid Web Proxy Cache at http://www.squid-cache.org/.
- SQUID-2007:1, Denial of service in TRACE method processing at http://www.squid-cache.org/Advisories/SQUID-2007_1.txt.
- ASA-2007-163: squid security update (RHSA-2007-0131)
- BID-23085: Squid Proxy TRACE Request Remote Denial of Service Vulnerability
- CVE-2007-1560: The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.
- FrSIRT/ADV-2007-1035: Squid clientProcessRequest() TRACE Request Handling Denial of Service Vulnerability
- GLSA-200703-27: Squid: Denial of Service
- MDKSA-2007:068: Updated squid packages fix DoS vulnerability
- RHSA-2007-0131: Moderate: squid security update
- SA24611: Squid TRACE Request Denial of Service Vulnerability
- SECTRACK ID: 1017805: Squid TRACE Method Bug Lets Remote Users Deny Service
- SUSE-SR:2007:005: SUSE Security Summary Report
Reported:
Mar 20, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net