Debian Bug report logs - #350308
DoS possible against adzapper making squid unusable


Package: adzapper; Maintainer for adzapper is (unknown);

Reported by: Thomas Reifferscheid <reiffert@student.physik.uni-mainz.de>

Date: Sat, 28 Jan 2006 19:18:02 UTC

Severity: important

Fixed in version adzapper/20060115-1

Done: Ludovic Drolez <ldrolez@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#350308; Package adzapper.


Acknowledgement sent to Thomas Reifferscheid <reiffert@student.physik.uni-mainz.de>:
New Bug report received and forwarded. Copy sent to Ludovic Drolez <ldrolez@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Thomas Reifferscheid <reiffert@student.physik.uni-mainz.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: DoS possible against adzapper making squid unusable
Date: Sat, 28 Jan 2006 20:06:49 +0100
Package: adzapper
Severity: important

When you call a URL like e.g.
http://www.heise.de//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
(feel free to add more /'s)

then squid_redirect will take approx. 8 hours to return to a normal
state on a Pentium1-200MHz and still some minutes on a Pentium4-2.8GHz.

If a user calls multiple URLs of that form, all squid_redirectors
are busy and cannot serve squid anymore, so the whole squid becomes
unusable.



To fix this behaviour, I've written a patch, which you can find
here http://134.93.168.49/~reiffert/squid_redirect.diff
and attached to this bug report.


It will treat the patterns and the URL request the same way,
with notably faster results, so calling the above URL will take
0.5 secs on a Pentium1-200MHz.



If you have any questions, feel free to contact me.

Kind regards,
Thomas Reifferscheid





-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
[squid_redirect.diff (text/plain, attachment)]
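The reporter's patch is only attached, not shown, and adzapper's real rule set is not on this page, so the following is an added illustration of the failure class it describes: a hypothetical redirector rule (`AMBIGUOUS_AD_RULE`, constructed here) whose nested unbounded quantifier backtracks exponentially on a run of slashes, beside a linear form of the same rule and a slash-collapsing normalisation of the request. `LINEAR_AD_RULE`, `normalize_path_slashes` and `is_ad` are likewise constructed for this example, not taken from the project.

```python
import re
import time

# Hypothetical ad rule in the style of a redirector pattern (constructed for
# this example; NOT adzapper's real pattern). The nested quantifier (?:.*/)*
# is ambiguous over a run of "/": a non-matching URL with n slashes can be
# tokenised about 2**n ways, and a backtracking engine tries them all.
AMBIGUOUS_AD_RULE = re.compile(r"^http://[^/]+/(?:.*/)*ads/")

# Hardened form: each iteration consumes a non-slash run and exactly one "/",
# so there is only one way to tokenise the path and matching stays linear.
LINEAR_AD_RULE = re.compile(r"^http://[^/]+/(?:[^/]*/)*ads/")

SLASH_RUN = re.compile(r"/{2,}")


def normalize_path_slashes(url: str) -> str:
    """Collapse runs of "/" in the path, leaving the "://" after the scheme alone."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return SLASH_RUN.sub("/", url)
    return scheme + sep + SLASH_RUN.sub("/", rest)


def is_ad(url: str, rule: re.Pattern = LINEAR_AD_RULE) -> bool:
    """Redirector decision: normalise the request first, then apply the rule."""
    return rule.search(normalize_path_slashes(url)) is not None


def time_rule(rule: re.Pattern, url: str) -> float:
    """Seconds spent applying one rule to one URL without normalisation."""
    start = time.perf_counter()
    rule.search(url)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed input: a page URL padded with a run of slashes, as in the report.
    for n in (10, 14, 18):
        padded = "http://www.heise.de/" + "/" * n + "index.html"
        print(f"{n:2d} extra slashes: ambiguous rule {time_rule(AMBIGUOUS_AD_RULE, padded):.4f}s,"
              f" linear rule {time_rule(LINEAR_AD_RULE, padded):.4f}s")
    print(is_ad("http://www.example.com/banner/ads/top.gif"))   # True
    print(is_ad("http://www.heise.de" + "/" * 400 + "index.html"))  # False
```

Each extra slash roughly doubles the ambiguous rule's time, while the linear rule and the normalised path stay flat, which is the behaviour the report's 8-hours-versus-0.5-seconds figures describe.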

Reply sent to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility.


Notification sent to Thomas Reifferscheid <reiffert@student.physik.uni-mainz.de>:
Bug acknowledged by developer.


Message #10 received at 350308-close@bugs.debian.org:

From: Ludovic Drolez <ldrolez@debian.org>
To: 350308-close@bugs.debian.org
Subject: Bug#350308: fixed in adzapper 20060115-1
Date: Fri, 03 Feb 2006 20:02:22 -0800
Source: adzapper
Source-Version: 20060115-1

We believe that the bug you reported is fixed in the latest version of
adzapper, which is due to be installed in the Debian FTP archive:

adzapper_20060115-1.diff.gz
  to pool/main/a/adzapper/adzapper_20060115-1.diff.gz
adzapper_20060115-1.dsc
  to pool/main/a/adzapper/adzapper_20060115-1.dsc
adzapper_20060115-1_all.deb
  to pool/main/a/adzapper/adzapper_20060115-1_all.deb
adzapper_20060115.orig.tar.gz
  to pool/main/a/adzapper/adzapper_20060115.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 350308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated adzapper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu,  2 Feb 2006 10:26:33 +0100
Source: adzapper
Binary: adzapper
Architecture: source all
Version: 20060115-1
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description: 
 adzapper   - proxy advertisement zapper add-on
Closes: 350308
Changes: 
 adzapper (20060115-1) unstable; urgency=high
 .
   * New upstream release
   * Applied patch by Thomas Reifferscheid and Cameron Simpson (upstream)
      to fix denial of service [scripts/squid_redirect, Bug#350308,
      CVE-2006-0046]. Closes: Bug#350308
Files: 
 5f6387c19e1d3a50dd62bb2ceca75814 581 web optional adzapper_20060115-1.dsc
 9ae2b4453f78709325f18693853a60f8 52443 web optional adzapper_20060115.orig.tar.gz
 5ca59472428a80370e8da8dc715b8c1b 6583 web optional adzapper_20060115-1.diff.gz
 4cb01affa017a39e2f44572c9c804075 57320 web optional adzapper_20060115-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 12:49:35 GMT)

