[squid-users] Squid Security Advisory: Denial of service in cache updates

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 3 Dec 2007 19:53:41 -0700

__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2007:2
__________________________________________________________________

Advisory ID: SQUID-2007:2
Date: November 27, 2007
Summary: Denial of service in cache updates
Affected versions: Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version: Squid 2.6.STABLE17;
                        November 28 Squid-2 snapshot
                        November 28 Squid-3 snapshot
Author: Adrian Chadd
Thanks: Wikimedia Foundation

__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
__________________________________________________________________

Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to
 a denial of service check during some cache update reply
 processing.

__________________________________________________________________

Severity:

 This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 2.6.STABLE17 and by the November
 28 snapshots of Squid-2 and Squid-3.

 In addition, a patch addressing this problem can be found in
 our patch archive for version Squid-2.6:

  http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch

 And for Squid-3:

  http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.X versions up to, and including 2.6.STABLE16 are
 vulnerable.

 All Squid-3 snapshots and prereleases up to the November 28
 snapshot are vulnerable.

__________________________________________________________________

Workarounds:

 There are no workarounds.

__________________________________________________________________

Thanks to:

 Thanks go to the Wikimedia Foundation for helping identify the issue
 and testing the proposed resolution of the issue.

 Thanks to Adrian Chadd for the Squid-2 fix.

 Thanks to Henrik Nordstrom for the Squid-3 fix.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. See <http://www.squid-cache.org/mailing-lists.html>
 for subscription details.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://www.squid-cache.org/bugs/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Revision history:

 2007-11-26 14:40 GMT+9 Initial version
__________________________________________________________________
END
Received on Mon Dec 03 2007 - 19:53:43 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST