[squid-users] Security

From: Fran Boudraux <squidlist@dont-contact.us>
Date: Thu, 28 Feb 2002 14:20:54 -0500

I use 2.4 stable1 and I want to upgrade to stable 4 cause there are the
following security concerns:
The Squid HTTP proxy server is vulnerable to a denial-of-service attack and
a buffer overflow that may be exploitable by a remote attacker to execute
arbitrary code with the permissions of the user executing Squid. The
denial-of-service attack vulnerability is in Squid's SNMP interface. The
buffer overflow is in the code that handles FTP URLs, and can also be used
in a denial-of-service attack. In addition, there is a bug in the HTCP
interface that prevents it from being disabled if it is disabled in the
squid.conf file. These vulnerabilities have been reported to affect versions
of Squid through 2.4.STABLE3.

The developers of Squid have released Squid-2.4.STABLE4 and it is
recommended that all users upgrade as soon as possible.

What I don't understand is the following: my squid is behind the firewall
and no incoming connections to squid are allowed. Am I still vulnerable with
stable1?

thx.
Received on Thu Feb 28 2002 - 12:22:10 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:34 MST