Overview
The Squid Proxy server contains a vulnerability that may allow an attacker to create a denial-of-service condition that affects the Squid server and systems that rely on it.
Description
Squid Proxy Cache is a caching proxy that supports the HTTP, HTTPS, and FTP protocols. Squid can also be deployed as a reverse proxy. From Squid Proxy Cache Security Update Advisory SQUID-2007:2
Impact
An attacker who can access the Squid proxy may be able to cause the proxy server to crash. If the Squid proxy is deployed as a reverse proxy, the web servers relying on the proxy may also be affected.
Solution
Update
Vendor Information
IPCop Affected
Notified: December 10, 2007 Updated: December 11, 2007
Status
Affected
Vendor Statement
In order to address this issue the IPCop team released version 1.4.18 on the 2nd of December. All users of IPCop should upgrade to version 1.4.18.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See http://ipcop.cvs.sourceforge.net/ipcop/ipcop/lfs/squid?view=log&pathrev=IPCOP_v1_4_0 for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat, Inc. Affected
Notified: December 10, 2007 Updated: December 11, 2007
Status
Affected
Vendor Statement
This issue affects the Squid package as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. The Red Hat Security Response Team has rated this issue as having moderate security impact. We are currently working on producing errata packages; when complete, these will be available along with our advisory at the URL below.
http://rhn.redhat.com/cve/CVE-2007-6239.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux Affected
Notified: December 10, 2007 Updated: January 18, 2008
Status
Affected
Vendor Statement
SUSE is affected by this problem, and we have released updated squid packages to fix it.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See http://www.novell.com/linux/security/advisories/suse_security_announce_62.html for more details.
Squid Affected
Updated: December 10, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See http://www.squid-cache.org/Advisories/SQUID-2007_2.txt for more details.
Apple Computer, Inc. Not Affected
Notified: December 10, 2007 Updated: December 11, 2007
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: December 10, 2007 Updated: December 11, 2007
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD Not Affected
Notified: December 10, 2007 Updated: December 11, 2007
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux Not Affected
Notified: December 10, 2007 Updated: December 11, 2007
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not affected. We do not currently package Squid.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Slackware Linux Inc. Not Affected
Notified: December 10, 2007 Updated: December 10, 2007
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cray Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Debian GNU/Linux Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
EMC Corporation Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fedora Project Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gentoo Linux Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM eServer Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nokia Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SmoothWall Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sony Corporation Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Trustix Secure Linux Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ubuntu Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: December 10, 2007 Updated: December 10, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Acknowledgements
The Squid proxy team credits the Wikimedia Foundation for discovering this vulnerability. Adrian Chadd and Henrik Nordstrom are credited for authoring patches that address the issue.
This document was written by Ryan Giobbi.
Other Information
CVE IDs: CVE-2007-6239
Severity Metric: 7.51
Date Public: 2007-11-27
Date First Published: 2007-12-10
Date Last Updated: 2008-01-18 16:35 UTC
Document Revision: 12