__________________________________________________________________

        Squid Proxy Cache Security Update Advisory SQUID-2007:2
__________________________________________________________________

Advisory ID:        SQUID-2007:2
Date:               November 27, 2007
Summary:            Denial of service in cache updates
Affected versions:  Squid 2.X (2.0 -> 2.6.STABLE17); Squid-3 beta
Fixed in version:   Squid 2.6.STABLE18;
                    Squid-2: November 28 snapshot + additional patch on
                    January 09.
                    Squid-3: November 28 snapshot
Author:             Adrian Chadd
Thanks:             Wikimedia Foundation
__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
__________________________________________________________________

Problem Description:

Due to incorrect bounds checking, Squid is vulnerable to a denial of
service attack during some cache update reply processing.
__________________________________________________________________

Severity:

This problem allows any client trusted to use the service to perform a
denial of service attack on the Squid service.
__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 2.6.STABLE18 and by the January 09
snapshot of Squid-2 and the November 28 snapshot of Squid-3.

In addition, the two patches addressing this problem can be found in
our patch archive for version Squid-2.6:

http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch (Nov 28)
http://www.squid-cache.org/Versions/v2/2.6/changesets/11882.patch (Jan 09)

And the patch for Squid-3:

http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch (Nov 28)

If you are using a prepackaged version of Squid then please refer to
the package vendor for availability information on updated packages.

Note: An earlier version of this advisory said November 28 /
2.6.STABLE17 for Squid-2.6, but that patch was incomplete and did not
fully address the issue.
__________________________________________________________________

Determining if your version is vulnerable:

All Squid-2.X versions up to, and including, 2.6.STABLE17 are
vulnerable.

All Squid-3 snapshots and prereleases up to the November 28 snapshot
are vulnerable.
__________________________________________________________________

Workarounds:

There are no workarounds.
__________________________________________________________________

Thanks to:

Thanks go to the Wikimedia Foundation for helping identify the issue
and testing the proposed resolution of the issue.

Thanks to Adrian Chadd for the Squid-2 fix.

Thanks to Henrik Nordstrom for the Squid-3 fix.
__________________________________________________________________

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions of
Squid: Your first point of contact should be your binary package
vendor.

If you install and build Squid from the original Squid sources then
the squid-users@squid-cache.org mailing list is your primary support
point. See for subscription details.

For reporting of non-security bugs in the latest STABLE release the
squid bugzilla database should be used.

For reporting of security sensitive bugs send an email to the
squid-bugs@squid-cache.org mailing list. It's a closed list (though
anyone can post) and security related bug reports are treated in
confidence until the impact has been established.
__________________________________________________________________

Revision history:

2007-11-26 14:40 GMT+9  Initial version
2008-03-21 23:55 GMT    Squid-2.6.STABLE17 issue mentioned, bumping
                        fixed to 2.6.STABLE18
2010-09-16 07:05 GMT    Reference link updates
__________________________________________________________________
END
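The version ranges in "Determining if your version is vulnerable" can be checked against the banner that `squid -v` prints. The following is an added example, not part of the advisory or the Squid project; it assumes the banner has the form "Squid Cache: Version 2.6.STABLE17" and decides only the Squid-2 STABLE releases the advisory names, returning None for dated snapshots and Squid-3 prereleases, where the snapshot date from the advisory has to be compared instead.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the first line `squid -v` prints (assumed format).
SAMPLE_BANNER = "Squid Cache: Version 2.6.STABLE17"

# Last vulnerable Squid-2 release named in SQUID-2007:2: 2.6.STABLE17.
LAST_VULNERABLE_2X = (6, 17)

# major.minor.TAGnumber plus an optional suffix such as "-20071128".
VERSION_RE = re.compile(
    r"Version\s+(\d+)\.(\d+)\.(STABLE|RC|PRE|DEVEL)(\d+)(\S*)"
)


def parse_version(banner: str) -> Optional[Tuple[int, int, str, int, str]]:
    """Return (major, minor, tag, number, suffix) from a squid -v banner,
    or None when the banner does not match the expected format."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, tag, num, suffix = m.groups()
    return int(major), int(minor), tag, int(num), suffix


def is_vulnerable(banner: str) -> Optional[bool]:
    """True/False for Squid-2 STABLE releases per the advisory's ranges.

    None means the banner alone cannot decide: Squid-3 prereleases and
    any build carrying a snapshot suffix are identified by snapshot date
    (November 28 / January 09 in the advisory), not by version number."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, tag, num, suffix = parsed
    if major == 2 and tag == "STABLE" and not suffix:
        # 2.0 through 2.6.STABLE17 inclusive are vulnerable; 2.6.STABLE18
        # and later carry the complete fix.
        return (minor, num) <= LAST_VULNERABLE_2X
    return None


if __name__ == "__main__":
    verdict = is_vulnerable(SAMPLE_BANNER)
    print(SAMPLE_BANNER, "->", {True: "VULNERABLE", False: "fixed",
                                 None: "check snapshot date"}[verdict])
```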