Re: Does anyone know anything about CERT Vulnerability note VU#435052?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Feb 2009 11:31:53 +1300 (NZDT)

> Hi all,
> was anyone contacted by CERT regarding the vulnerability in the
> subject?
> http://www.kb.cert.org/vuls/id/MAPG-7MWGZF asserts that Squid is
> vulnerable and that they didn't get any answers from us..
>
> --
> /kinkie
>

It's a very old issue, with no clear-cut fix yet.

Robert Auger has been in communication for some time about this to core,
Henrik and I both responded. CERT themselves I have no record of direct
contact from.

We were asked explicitly not to jump the gun before this CERT announcement.
Now that it's out I suppose we can start discussing how or if to mitigate
the issue.

Henrik I get the idea maybe has knowledge of a patch to fix it. I have
some ideas on how to lock out attacks, but no code yet.

Amos
Received on Mon Feb 23 2009 - 22:32:34 MST
