> Hi all,
> was anyone contacted by CERT regarding the vulnerability in the
> subject?
> http://www.kb.cert.org/vuls/id/MAPG-7MWGZF asserts that Squid is
> vulnerable and that they didn't get any answers from us..
>
> --
> /kinkie
>
It's a very old issue, with no clear-cut fix yet.

Robert Auger has been in communication for some time about this to core; Henrik and I both responded. CERT themselves I have no record of direct contact from.

We were asked explicitly not to jump the gun before this CERT announcement. Now that it's out I suppose we can start discussing how or if to mitigate the issue.

Henrik, I get the idea, maybe has knowledge of a patch to fix it. I have some ideas on how to lock out attacks, but no code yet.

Amos
