
Bug 152915

Summary: CAN-2005-0446 squid DoS
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0446
Whiteboard: LEGACY
Doc Type: Bug Fix
Last Closed: 2006-02-21 19:08:19 UTC

Description David Lawrence 2005-03-30 23:31:54 UTC
A bug was found in the way Squid handles FQDN lookups. It was possible
to crash the Squid server by sending a carefully crafted DNS response to
an FQDN lookup. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. 

https://rhn.redhat.com/errata/RHSA-2005-173.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0446

Must base packages on the ones from bug 2150



------- Additional Comments From jpdalbec@ysu.edu 2005-03-11 03:58:58 ----

05.10.28 CVE: CAN-2005-0626
Platform: Cross Platform
Title: Squid Proxy Set-Cookie Information Disclosure
Description: Squid is web proxy software. It is affected by a remote
information disclosure problem. The issue presents itself when the
requested server employs the Netscape "Set-Cookie" specifications.
Squid Proxy versions 2.5 STABLE7 through version 2.5 STABLE9 are
affected.
Ref: http://www.securityfocus.com/advisories/8208 



------- Additional Comments From pekkas@netcore.fi 2005-03-18 09:26:01 ----

Because there haven't been any VERIFY votes for the previous squid version, I
guess it would make sense to fold this into the same mess.

I suggest we track this under #2150..



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-19 11:44:43 ----

Well, if we track it in 2150, we should close this one.

*** This bug has been marked as a duplicate of 2150 ***



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2446 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2446
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Red Hat Bugzilla 2006-02-21 19:08:19 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.