漏洞信息详情
Squid Web Proxy Cache HTTP Version Number Parsing 拒绝服务漏洞
- CNNVD编号:CNNVD-200902-156
- 危害等级: 中危
- CVE编号: CVE-2009-0478
- 漏洞类型: 输入验证
- 发布时间: 2009-02-08
- 威胁类型: 远程
- 更新时间: 2009-04-02
- 厂 商: squid
- 漏洞来源: Joshua Morin, Mikk...
漏洞简介
Squid是WEB缓存代理程序。
Squid 2.7到2.7.STABLE5,3.0到3.0.STABLE12以及3.1到3.1.0.4版本允许远程攻击者借助一个带有无效的版本编号的HTTP请求,引起拒绝服务攻击。该请求会在(1)HttpMsg.c和(2) HttpStatusLine.c.中触发一个可达成的主张。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
MandrakeSoft Linux Mandrake 2008.1 x86_64
Mandriva squid-3.0-1.1mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Debian Linux 4.0 arm
Debian squid3-cgi_3.0.PRE5-5+etch1_arm.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_arm.deb
Debian squid3-client_3.0.PRE5-5+etch1_arm.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_arm.deb
Debian squid3-common_3.0.PRE5-5+etch1_all.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb
Debian squid3_3.0.PRE5-5+etch1_arm.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_arm.deb
MandrakeSoft Linux Mandrake 2008.1
Mandriva squid-3.0-1.1mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/">http://www.mandriva.com/en/download/
Mandriva squid-cachemgr-3.0-1.1mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu squid-cgi_2.7.STABLE3-1ubuntu2.1_powerpc.deb
http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_powerpc.deb
Ubuntu squid_2.7.STABLE3-1ubuntu2.1_powerpc.deb
http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_powerpc.deb
Debian Linux 4.0 powerpc
Debian squid3-cgi_3.0.PRE5-5+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_powerpc.deb
Debian squid3-client_3.0.PRE5-5+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_powerpc.deb
Debian squid3-common_3.0.PRE5-5+etch1_all.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb">http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.
Debian squid3_3.0.PRE5-5+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_powerpc.deb
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu squid-cgi_2.7.STABLE3-1ubuntu2.1_i386.deb
http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_i386.deb
Ubuntu squid_2.7.STABLE3-1ubuntu2.1_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_i386.deb
Debian Linux 4.0 m68k
Debian squid3-common_3.0.PRE5-5+etch1_all.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu squid-cgi_2.7.STABLE3-1ubuntu2.1_lpia.deb
http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_lpia.deb
Ubuntu squid_2.7.STABLE3-1ubuntu2.1_lpia.deb
http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_lpia.deb_lpia.deb
Debian Linux 4.0 amd64
Debian squid3-cgi_3.0.PRE5-5+etch1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_amd64.deb
Debian squid3-client_3.0.PRE5-5+etch1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_amd64.deb
Debian squid3-common_3.0.PRE5-5+etch1_all.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb
Debian squid3_3.0.PRE5-5+etch1_amd64.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_amd64.deb">http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-
Debian Linux 4.0 ia-32
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_i386.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_i386.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.PRE5-5+etch1_all.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.PRE5-5+etch1_i386.deb
Debian Linux 4.0 hppa
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.PRE5-5+etch1_hppa.deb"
Debian squid3-client_3.0.PRE5-5+etch1_hppa.deb
http://security.debian.org/pool/updates/main/s/squid3/squid3-client_3.0.PRE5-5+etch1_hppa.deb
Debia
参考网址
来源: BID
名称: 33604
链接:http://www.securityfocus.com/bid/33604
来源: bugzilla.redhat.com
链接:https://bugzilla.redhat.com/show_bug.cgi?id=484246
来源: www.squid-cache.org
链接:http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
来源: www.squid-cache.org
链接:http://www.squid-cache.org/Advisories/SQUID-2009_1.txt
来源: SECTRACK
名称: 1021684
链接:http://www.securitytracker.com/id?1021684
来源: BUGTRAQ
名称: 20090204 Squid Proxy Cache Denial of Service in request handling
链接:http://www.securityfocus.com/archive/1/archive/1/500653/100/0/threaded
来源: MILW0RM
名称: 8021
链接:http://www.milw0rm.com/exploits/8021
来源: MANDRIVA
名称: MDVSA-2009:034
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:034
来源: GENTOO
名称: GLSA-200903-38
链接:http://security.gentoo.org/glsa/glsa-200903-38.xml
来源: SECUNIA
名称: 34467
链接:http://secunia.com/advisories/34467
来源: SECUNIA
名称: 33731
链接:http://secunia.com/advisories/33731
来源: SUSE
名称: SUSE-SR:2009:005
链接:http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.HTML
受影响实体
- Squid Squid:3.1.0.4
- Squid Squid:3.1.0.3
- Squid Squid:3.1.0.2
- Squid Squid:3.1.0.1
- Squid Squid:3.1
补丁
暂无
评论