squid/squid3 -- denial of service

2010-02-04T00:00:00
ID DSA-1991
Type debian
Reporter Debian
Modified 2010-02-04T00:00:00

Description

Two denial of service vulnerabilities have been discovered in squid and squid3, a web proxy. The Common Vulnerabilities and Exposures project identifies the following problems:

Bastian Blank discovered that it is possible to cause a denial of service via a crafted auth header with certain comma delimiters.

Tomas Hoger discovered that it is possible to cause a denial of service via invalid DNS header-only packets.

For the stable distribution (lenny), these problems have been fixed in version 2.7.STABLE3-4.1lenny1 of the squid package and version 3.0.STABLE8-3+lenny3 of the squid3 package.

For the oldstable distribution (etch), these problems have been fixed in version 2.6.5-6etch5 of the squid package and version 3.0.PRE5-5+etch2 of the squid3 package.

For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your squid/squid3 packages.