squid-2.5.STABLE6-ntlm_fetch_string.patch
I have just applied this patch on our production Squid box (thought I
had done it last week but that was on the dev box).
The reason I realised that I had not done it was that the squid
process shot to 99.9% cpu whilst I was in the process of monitoring it
- a look at the cache log revealed these entries:
ntlmGetString: insane: l:0 o:64
ntlmGetString: insane: l:0 o:64
FATAL: authenticateNTLMHandleReply: called with no result string
assertion failed: ntlm/auth_ntlm.c:123: "memPoolInUseCount(ntlm_user_pool) == 0"
Squid had died and respawned & that is why the CPU usage shot up for a moment.
I immediately applied the patch and restarted squid - so far so good.
What I want to know is if those entries are evidence of a DOS on squid
taking advantage of the recently discovered bug. If it is, then I am
wondering how to go about tracking down where the attack is coming
from. The server is on a corporate network behind a firewall and can
only be connected to from an internal IP.
---
Regards,
Rob Hadfield

Received on Mon Sep 06 2004 - 19:14:53 MDT
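One way to pull the log pattern quoted in the message above out of a cache.log and separate warnings that ended in a crash from those that did not. This is an added example, not part of the original post or of Squid; the optional timestamp prefix, the `find_incidents` name, the `window` parameter and the sample lines are assumptions constructed for illustration.

```python
import re

# Optional "YYYY/MM/DD HH:MM:SS| " prefix is an assumed cache.log timestamp
# format; the lines quoted in the post carry no timestamps.
TS = r"(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*)?"
INSANE = re.compile(TS + r"ntlmGetString: insane: l:(?P<l>-?\d+) o:(?P<o>-?\d+)")
FATAL = re.compile(TS + r"FATAL: authenticateNTLMHandleReply: called with no result string")
ASSERT = re.compile(TS + r"assertion failed: (?P<where>[^:]+:\d+):")

def find_incidents(lines, window=5):
    """Group 'insane' NTLM string warnings with a FATAL/assertion line that
    follows within `window` unrelated lines. Returns one dict per incident."""
    incidents, cur, gap = [], None, 0
    for raw in lines:
        line = raw.strip()
        m = INSANE.match(line)
        if m:
            # A warning after a recorded crash belongs to a new incident.
            if cur and (cur["fatal"] or cur["assertion"]):
                incidents.append(cur)
                cur = None
            if cur is None:
                cur = {"first_seen": m.group("ts"), "fields": [],
                       "fatal": False, "assertion": None}
            cur["fields"].append((int(m.group("l")), int(m.group("o"))))
            gap = 0
        elif cur is not None:
            a = ASSERT.match(line)
            if FATAL.match(line):
                cur["fatal"], gap = True, 0
            elif a:
                cur["assertion"], gap = a.group("where"), 0
            else:
                gap += 1
                if gap >= window:  # too far from the warning: close it
                    incidents.append(cur)
                    cur = None
    if cur is not None:
        incidents.append(cur)
    return incidents

# Constructed sample: the message bodies come from the post, timestamps do not.
SAMPLE = """2000/01/01 10:00:00| unrelated line
2000/01/01 10:00:05| ntlmGetString: insane: l:0 o:64
2000/01/01 10:00:05| ntlmGetString: insane: l:0 o:64
FATAL: authenticateNTLMHandleReply: called with no result string
2000/01/01 10:00:05| assertion failed: ntlm/auth_ntlm.c:123: "memPoolInUseCount(ntlm_user_pool) == 0"
2000/01/01 10:00:08| unrelated line
2000/01/01 10:30:00| ntlmGetString: insane: l:0 o:64""".splitlines()
```

The `first_seen` timestamp of each incident gives a starting point for lining the event up against other logs covering the same period.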