Squid Web Proxy Cache HTTP Version Number Parsing Denial of Service Vulnerability

2009-02-11T00:00:00
ID SSV:4736
Type seebug
Reporter Root
Modified 2009-02-11T00:00:00

Description

BUGTRAQ ID: 33604
CVE(CAN) ID: CVE-2009-0478

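Squid is an efficient web caching and proxy program. It was originally developed for Unix platforms and has since been ported to Linux and most Unix-like systems; the latest Squid releases can also run on Windows.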

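Squid does not correctly handle malformed HTTP version numbers. A remote client can send a specially crafted request to the server and cause a denial of service.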

Squid Web Proxy Cache 3.1
Squid Web Proxy Cache 3.0
Squid Web Proxy Cache 2.7

Vendor patch:

Squid

The vendor has released patches that fix this security issue. Download them from the vendor's site:

Squid 2.7:
http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch

                                        
                                            
http://sebug.net/exploit/5729/