__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2013:1 __________________________________________________________________ Advisory ID: SQUID-2013:1 Date: March 14, 2013 Summary: Denial of Service in Language Negotiation Affected versions: Squid 3.2 -> 3.2.8 Squid 3.3 -> 3.3.2 Fixed in Version: Squid 3.2.9, 3.3.3 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2013_1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1839 __________________________________________________________________ Problem Description: A bug exists in the code that parses Accept-Language header for error response language negotiation. The bug results in a code loop that prevents Squid servicing any traffic. __________________________________________________________________ Severity: Specially crafted requests from any source will cause Squid to stop responding to all clients. __________________________________________________________________ Updated Packages: This bug is fixed by Squid versions 3.2.9 and 3.3.3. In addition, patches addressing this problem in the stable releases can be found in our patch archives. Squid-3.3: http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2013_1.patch Squid-3.2: http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2013_1.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x versions are not vulnerable. All Squid-3.0 and Squid-3.1 versions are not vulnerable. All Squid configured with error_directory disabling negotiation are not vulnerable. All Squid built with --disable-auto-locale disabling negotiation are not vulnerable. Unpatched Squid-3.2 releases up to and including 3.2.8 are vulnerable. Unpatched Squid-3.3 releases up to and including 3.3.2 are vulnerable. __________________________________________________________________ Workarounds: Disabling language auto-negotiation. Either Configure error_directory directive to an explicit template directory to force that language instead of negotiation. Restart or reconfigure Squid after editing squid.conf. Or build Squid using ./configure --disable-auto-locale __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see . For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was reported by Kurt Seifried, Red Hat Security Response Team __________________________________________________________________ Revision history: 2013-03-05 20:53 GMT 0-day attack publication 2013-03-07 21:07 GMT Squid Project notification 2013-03-07 22:18 GMT Initial patch release 2013-03-13 23:52 GMT Initial release of this document __________________________________________________________________ END