[squid-users] Advisory SQUID-2010:3 Denial of service in request processing

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 05 Sep 2010 00:48:38 +1200

__________________________________________________________________

     Squid Proxy Cache Security Update Advisory SQUID-2010:3
__________________________________________________________________

Advisory ID: SQUID-2010:3
Date: September 03, 2010
Summary: Denial of service in request processing
Affected versions: Squid 3.0 -> 3.0.STABLE25
                         Squid 3.1 -> 3.1.7
                         Squid 3.2 -> 3.2.0.1
Fixed in version: Squid 3.1.8, 3.2.0.2
__________________________________________________________________

      http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
__________________________________________________________________

Problem Description:

  Due to an internal error in string handling Squid is vulnerable
  to a denial of service attack when processing specially crafted
  requests.

__________________________________________________________________

Severity:

  This problem allows any trusted client to perform a denial of
  service attack on the Squid service.

  There are applications already in general public use which can
  trigger this problem for 3.1 and 3.2 on occasion without intended
  malice.

__________________________________________________________________

Updated Packages:

  This bug is fixed by Squid versions 3.1.8 and 3.2.0.2

  In addition, patches addressing this problem for stable releases
  can be found in our patch archives:

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

Squid-3.0:

  All Squid-3.0 versions up to and including 3.0.STABLE25 have
  some risk of being vulnerable to variations of the problem.
  The particular 0-day tests currently known do not trigger it.

Squid-3.1:

  All versions up to and including 3.1.7 are at some risk of being
  vulnerable to the problem and its variations.

  squid.conf containing with "ignore_expect_100 on" are vulnerable
  to the known active 0-day.

  Binaries built with --disable-http-violations are not vulnerable
  to the known active 0-day.

Squid-3.2:

  The 3.2.0.1 beta version is vulnerable under the same conditions
  as for Squid-3.1.

__________________________________________________________________

Workarounds:

  These workarounds apply only to the known active 0-day triggers.

  1) Checking that ignore_expect_100 squid.conf option is set to
     "off" (the default), or removed completely from squid.conf.

or,

  2) Building Squid with --disable-http-violations.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the squid-users_at_squid-cache.org mailing list is your primary
  support point. For subscription details see
  http://www.squid-cache.org/Support/mailing-lists.html.

  For reporting of non-security bugs in the latest release
  the squid bugzilla database should be used
  http://www.squid-cache.org/bugs/.

  For reporting of security sensitive bugs send an email to the
  squid-bugs_at_squid-cache.org mailing list. It's a closed list
  (though anyone can post) and security related bug reports are
  treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  The vulnerability was discovered by Phil Oester.

__________________________________________________________________

Revision history:

  2010-08-30 14:19 GMT Initial Report
  2010-09-01 08:04 GMT Patches Released
  2010-09-03 09:00 GMT Initial version
__________________________________________________________________
END
Received on Sat Sep 04 2010 - 12:48:45 MDT

This archive was generated by hypermail 2.2.0 : Sun Sep 05 2010 - 12:00:02 MDT