The Squid Proxy server contains a vulnerability that may allow an attacker to create a denial-of-service condition that affects the Squid server and systems that rely on it.
Squid Proxy Cache is a caching proxy that supports the HTTP, HTTPS, and FTP protocols. Squid can also be deployed as a reverse proxy.
From Squid Proxy Cache Security Update Advisory SQUID-2007:2:
> Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing.
This incorrect bounds checking occurs within the httpHeaderUpdate() function when processing cache update replies.
An attacker who can access the Squid proxy may be able to cause the proxy server to crash. If the Squid proxy is deployed as a reverse proxy, the web servers relying on the proxy may also be affected.
Update
The Squid team has released patches 11780 and 11211 to address this issue. Administrators who obtain Squid from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.
Restrict access
Restricting access to the Squid proxy via access control lists or firewall rules may prevent this vulnerability from being exploited by remote attackers…
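A check for the access-control mitigation above, added here as an example (it is not code from the advisory or from the Squid project): it reads the `acl ... src` and `http_access` lines of a squid.conf and reports whether every client address is admitted. It relies on Squid's first-match rule order and on the default being the opposite of the last `http_access` line; the function names and the sample configurations are assumptions made for the example.

```python
import ipaddress

# Constructed squid.conf fragments for illustration (not from the advisory).
OPEN = "acl all src 0.0.0.0/0\nhttp_access allow all\n"
IMPLICIT = "acl bad src 203.0.113.0/24\nhttp_access deny bad\n"
RESTRICTED = (
    "acl all src 0.0.0.0/0\n"
    "acl localnet src 10.0.0.0/8 192.168.0.0/16  # internal clients\n"
    "http_access allow localnet\n"
    "http_access deny all\n"
)

def parse(conf):
    """Return ({acl name: [src values]}, [(action, [acl refs])])."""
    acls, rules = {"all": ["all"]}, []  # newer Squid releases predefine "all"
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            acls.setdefault(tok[1], []).extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def is_catch_all(values):
    """True if any src value of the ACL covers every client address."""
    for v in values:
        try:
            if v == "all" or ipaddress.ip_network(v, strict=False).prefixlen == 0:
                return True
        except ValueError:  # address ranges, hostnames: not a catch-all
            continue
    return False

def audit_http_access(conf):
    """Classify client access as 'open', 'implicit-allow' or 'restricted'."""
    acls, rules = parse(conf)
    for action, refs in rules:
        # A rule matches every client only if each ACL on it is a catch-all
        # src ACL; negated and non-src ACLs are treated as narrower.
        if all(not r.startswith("!") and is_catch_all(acls.get(r, [])) for r in refs):
            return "open" if action == "allow" else "restricted"
    # No catch-all rule: Squid applies the opposite of the last http_access line.
    if rules and rules[-1][0] == "deny":
        return "implicit-allow"
    return "restricted"

if __name__ == "__main__":
    for name, conf in (("OPEN", OPEN), ("IMPLICIT", IMPLICIT), ("RESTRICTED", RESTRICTED)):
        print(name, "->", audit_http_access(conf))
```

An `implicit-allow` result means the list ends in a narrow `deny` with no closing `http_access deny all`, so unmatched clients are still admitted.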
VU#232881
Notified: December 10, 2007 Updated: December 11, 2007
Affected
In order to address this issue the IPCop team released version 1.4.18 on the 2nd of December. All users of IPCop should upgrade to version 1.4.18.
The vendor has not provided us with any further information regarding this vulnerability.
See http://ipcop.cvs.sourceforge.net/ipcop/ipcop/lfs/squid?view=log&pathrev=IPCOP_v1_4_0 for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Notified: December 10, 2007 Updated: December 11, 2007
Affected
This issue affects the Squid package as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. The Red Hat Security Response Team has rated this issue as having moderate security impact. We are currently working on producing errata packages; when complete, these will be available along with our advisory at the URL below.
<http://rhn.redhat.com/cve/CVE-2007-6239.html>
The vendor has not provided us with any further information regarding this vulnerability.
Notified: December 10, 2007 Updated: January 18, 2008
Affected
SUSE is affected by this problem, and we have released updated squid packages to fix it.
The vendor has not provided us with any further information regarding this vulnerability.
See <http://www.novell.com/linux/security/advisories/suse_security_announce_62.html> for more details.
Updated: December 10, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
See <http://www.squid-cache.org/Advisories/SQUID-2007_2.txt> for more details.
Notified: December 10, 2007 Updated: December 11, 2007
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: December 10, 2007 Updated: December 11, 2007
Not Affected
Openwall GNU/*/Linux is not affected. We do not currently package Squid.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: December 10, 2007 Updated: December 10, 2007
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: December 10, 2007 Updated: December 10, 2007
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The Squid proxy team credits the Wikimedia Foundation for discovering this vulnerability. Adrian Chadd and Henrik Nordstrom are credited for authoring patches that address the issue.
This document was written by Ryan Giobbi.
Field | Value |
---|---|
CVE IDs | CVE-2007-6239 |
Severity Metric | 7.51 |
Date Public | |