__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2007:1
__________________________________________________________________

Advisory ID:            SQUID-2007:1
Date:                   March 20, 2007
Summary:                Denial of service in TRACE method processing
Affected versions:      Squid 2.6
Fixed in version:       Squid 2.6.STABLE12
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2007_1.txt
__________________________________________________________________

Problem Description:

 Due to an internal error Squid-2.6 is vulnerable to a denial of
 service attack when processing the TRACE request method.

__________________________________________________________________

Severity:

 This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 2.6.STABLE12.

 In addition, a patch addressing this problem can be found in
 our patch archive for version Squid-2.6:

 http://www.squid-cache.org/Versions/v2/2.6/changesets/11349.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.6 versions up to, and including 2.6.STABLE11 are
 vulnerable.

__________________________________________________________________

Workarounds:

 To work around the problem deny access to using the TRACE method
 by inserting the following two lines before your first http_access
 rule:

     acl TRACE method TRACE
     http_access deny TRACE

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. See for subscription details.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Revision history:

 2007-03-20 22:45 GMT Initial version
 2010-09-16 07:05 GMT Reference link updates
__________________________________________________________________
END
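
Added example, not part of the Squid project's advisory: a small audit helper that applies the version range and the workaround placement stated above to a version string and a squid.conf. The function names, status strings and sample inputs are constructed for illustration, and treating every Squid-2.6 build other than STABLE12 or later as affected is an assumption.

```python
import re

# `squid -v` prints a line such as "Squid Cache: Version 2.6.STABLE11".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.([A-Z]+)(\d+)")

def is_vulnerable(version_text):
    """True for Squid-2.6 up to and including 2.6.STABLE11; None if unparseable."""
    m = VERSION_RE.search(version_text)
    if not m:
        return None
    major, minor, tag, num = int(m[1]), int(m[2]), m[3], int(m[4])
    if (major, minor) != (2, 6):
        return False
    # Assumption: any 2.6 build that is not STABLE12 or later counts as affected.
    return not (tag == "STABLE" and num >= 12)

def trace_workaround_in_place(conf_text):
    """True if the first http_access rule denies an ACL that matches method TRACE."""
    trace_acls = set()
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "method":
            if "TRACE" in tokens[3:]:
                trace_acls.add(tokens[1])
        elif tokens and tokens[0] == "http_access":
            # Only the first http_access rule is checked; extra ACLs would narrow the deny.
            return tokens[1:2] == ["deny"] and len(tokens) == 3 and tokens[2] in trace_acls
    return False

def audit(version_text, conf_text):
    vulnerable = is_vulnerable(version_text)
    if vulnerable is None:
        return "unknown version"
    if not vulnerable:
        return "not affected"
    if trace_workaround_in_place(conf_text):
        return "affected, workaround in place"
    return "affected, TRACE not denied first"

# Constructed sample configurations (not taken from a real deployment).
CONF_OK = ("acl all src 0.0.0.0/0.0.0.0\nacl TRACE method TRACE\n"
           "http_access deny TRACE\nhttp_access allow all\n")
CONF_LATE = ("acl all src 0.0.0.0/0.0.0.0\nacl TRACE method TRACE\n"
             "http_access allow all\nhttp_access deny TRACE\n")

if __name__ == "__main__":
    for conf in (CONF_OK, CONF_LATE):
        print(audit("Squid Cache: Version 2.6.STABLE11", conf))
```

The second sample is reported as exposed because the deny rule follows an allow rule, which is the ordering the workaround text rules out.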