漏洞信息详情

Squid数据验证错误导致拒绝服务漏洞

• CNNVD编号：CNNVD-200907-393
• 危害等级： 中危
  
• CVE编号： CVE-2009-2622
• 漏洞类型： 输入验证
• 发布时间： 2009-07-28
• 威胁类型： 远程
• 更新时间： 2009-08-12
• 厂        商： squid-cache
• 漏洞来源： Alex MontoanelliRo...

漏洞简介

Squid是一个高效的Web缓存及代理程序，最初是为Unix平台开发的，现在也被移植到Linux和大多数的Unix类系统中，最新的Squid可以运行在Windows平台下。

由于数据验证中的多个错误，如果Squid处理了特制的请求或响应，就可能导致拒绝服务的情况。漏洞请求包括：(1) \"missing or mismatched protocol identifier，\" (2) \"missing or negative status value，\" (3) \"missing version，\" 或 (4) \"missing or invalid status number，\" ，该漏洞相关程序(a) HttpMsg.cc和(b) HttpReply.cc.

漏洞公告

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Squid Web Proxy Cache 3.0.STABLE7

Squid b9070.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9070.patch

Squid b9074.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9074.patch

Squid b9075.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9075.patch

MandrakeSoft Linux Mandrake 2008.1 x86_64

Mandriva squid-3.0-1.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-3.0-1.3mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-1.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-1.3mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

MandrakeSoft Linux Mandrake 2008.1

Mandriva squid-3.0-1.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva squid-3.0-1.3mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-1.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-1.3mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Debian Linux 5.0 ia-64

Debian squid3-cgi_3.0.STABLE8-3+lenny1_ia64.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.S TABLE8-3+lenny1_ia64.deb

Debian squid3-cgi_3.0.STABLE8-3+lenny2_ia64.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.S TABLE8-3+lenny2_ia64.deb

Debian squid3-common_3.0.STABLE8-3+lenny1_all.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3. 0.STABLE8-3+lenny1_all.deb

Debian squid3-common_3.0.STABLE8-3+lenny2_all.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3. 0.STABLE8-3+lenny2_all.deb

Debian squid3_3.0.STABLE8-3+lenny1_ia64.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABL E8-3+lenny1_ia64.deb

Debian squid3_3.0.STABLE8-3+lenny2_ia64.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABL E8-3+lenny2_ia64.deb

Debian squidclient_3.0.STABLE8-3+lenny1_ia64.deb

http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0. STABLE8-3+lenny1_ia64.deb

Debian squidclient_3.0.STABLE8-3+lenny2_ia64.deb

http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0. STABLE8-3+lenny2_ia64.deb

MandrakeSoft Linux Mandrake 2009.1 x86_64

Mandriva squid-3.0-14.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-3.0-14.2mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-14.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-14.2mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

MandrakeSoft Enterprise Server 5 x86_64

Mandriva squid-3.0-8.2mdvmes5.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-3.0-8.3mdvmes5.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-8.2mdvmes5.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva squid-cachemgr-3.0-8.3mdvmes5.x86_64.rpm

http://www.mandriva.com/en/download/

Squid Web Proxy Cache 3.0.STABLE5

Squid b9070.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9070.patch

Squid b9074.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9074.patch

Squid b9075.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9075.patch

Squid Web Proxy Cache 3.0.STABLE2

Squid b9070.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9070.patch

Squid b9074.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9074.patch

Squid b9075.patch

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9075.patch

Debian Linux 5.0 alpha

Debian squid3-cgi_3.0.STABLE8-3+lenny1_alpha.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.S TABLE8-3+lenny1_alpha.deb

Debian squid3-cgi_3.0.STABLE8-3+lenny2_alpha.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.S TABLE8-3+lenny2_alpha.deb

Debian squid3-common_3.0.STABLE8-3+lenny1_all.deb

http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3. 0.ST

参考网址

来源: www.squid-cache.org

链接:http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch

来源: VUPEN

名称: ADV-2009-2013

链接:http://www.vupen.com/english/advisories/2009/2013

来源: www.squid-cache.org

链接:http://www.squid-cache.org/Advisories/SQUID-2009_2.txt

来源: SECTRACK

名称: 1022607

链接:http://www.securitytracker.com/id?1022607

来源: BID

名称: 35812

链接:http://www.securityfocus.com/bid/35812

来源: MANDRIVA

名称: MDVSA-2009:178

链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:178

来源: MANDRIVA

名称: MDVSA-2009:161

链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:161

来源: SECUNIA

名称: 36007

链接:http://secunia.com/advisories/36007

受影响实体

• Squid-Cache Squid:3.0:Stable1  
• Squid-Cache Squid:3.0:Stable10  
• Squid-Cache Squid:3.0:Stable11  
• Squid-Cache Squid:3.0:Stable12  
• Squid-Cache Squid:3.0:Stable2  

补丁

暂无