squid-2.5.STABLE6-ntlm_fetch_string.patch

I have just applied this patch on our production Squid box (thought I had done it last week but that was on the dev box).

The reason I realised that I had not done it was that the squid process shot to 99.9% cpu whilst I was in the process of monitoring it - a look at the cache log revealed these entries:

ntlmGetString: insane: l:0 o:64
ntlmGetString: insane: l:0 o:64
FATAL: authenticateNTLMHandleReply: called with no result string
assertion failed: ntlm/auth_ntlm.c:123: "memPoolInUseCount(ntlm_user_pool) == 0"

Squid had died and respawned & that is why the CPU usage shot up for a moment. I immediately applied the patch and restarted squid - so far so good.

What I want to know is if those entries are evidence of a DOS on squid taking advantage of the recently discovered bug. If it is, then I am wondering how to go about tracking down where the attack is coming from. The server is on a corporate network behind a firewall and can only be connected to from an internal IP.

---
Regards,
Rob Hadfield
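Added example, not part of the original post and not Squid project code: one way to approach the tracking question is to line up the quoted cache.log markers with the clients that received 407 responses in access.log just beforehand. The sample log lines, the addresses, the 10-second window and the focus on 407 entries are assumptions; the code expects access.log in Squid's native format (epoch seconds) and cache.log stamps in local time.

```python
import calendar
import re
import time
from collections import Counter

# Marker strings taken from the cache.log entries quoted in the post.
MARKERS = ("ntlmGetString: insane",
           "authenticateNTLMHandleReply: called with no result string")
STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|")

def event_times(cache_lines, utc_offset_hours=0):
    """Epoch seconds for each marker line. Lines that carry no stamp of
    their own inherit the most recent stamp seen above them."""
    last, events = None, []
    for line in cache_lines:
        m = STAMP.match(line)
        if m:
            local = calendar.timegm(time.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
            last = local - utc_offset_hours * 3600  # local time -> UTC epoch
        if last is not None and any(k in line for k in MARKERS):
            events.append(last)
    return events

def suspects(cache_lines, access_lines, window=10, utc_offset_hours=0):
    """Clients with 407 responses logged up to `window` s before a marker."""
    events = set(event_times(cache_lines, utc_offset_hours))
    hits = Counter()
    for line in access_lines:
        f = line.split()  # native format: time elapsed client code/status ...
        if len(f) < 4 or not f[3].endswith("/407"):
            continue
        ts, client = float(f[0]), f[2]
        if any(0 <= e - ts <= window for e in events):
            hits[client] += 1
    return hits.most_common()

# Constructed sample logs: times, addresses and URLs are made up.
CACHE_LOG = """\
2004/06/14 10:15:02| (constructed preceding entry)
ntlmGetString: insane: l:0 o:64
ntlmGetString: insane: l:0 o:64
FATAL: authenticateNTLMHandleReply: called with no result string
"""
ACCESS_LOG = """\
1087208095.412      2 10.0.4.17 TCP_DENIED/407 1742 GET http://example.com/ - NONE/- text/html
1087208099.870      1 10.0.4.17 TCP_DENIED/407 1801 GET http://example.com/ - NONE/- text/html
1087208100.120     85 10.0.9.3 TCP_MISS/200 5120 GET http://example.org/a - DIRECT/192.0.2.10 text/html
1087207000.000      2 10.0.7.21 TCP_DENIED/407 1742 GET http://example.net/ - NONE/- text/html
"""

if __name__ == "__main__":
    print(suspects(CACHE_LOG.splitlines(), ACCESS_LOG.splitlines()))
```

Set `utc_offset_hours` to the proxy's offset from UTC before running this against real logs, since the two files use different clocks.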
