Squid Proxy Cache Denial of Service in request handling

Type securityvulns
Reporter Securityvulns
Modified 2009-02-04T00:00:00


   Squid Proxy Cache Security Update Advisory SQUID-2009:1

Advisory ID: SQUID-2009:1
Date: February 02, 2009
Summary: Denial of service in request processing
Affected versions: Squid 2.7 -> 2.7.STABLE5, Squid 3.0 -> 3.0.STABLE12, Squid 3.1 ->
Fixed in version: Squid 2.7.STABLE6, 3.0.STABLE13,


Problem Description:

Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests.


This problem allows any client to perform a denial of service attack on the Squid service.

Updated Packages:

This bug is fixed by Squid versions 2.7.STABLE6, 3.0.STABLE13, and

In addition, patches addressing this problem can be found in our patch archives:

Squid 2.7:
http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.

Determining if your version is vulnerable:

All Squid-2.7 versions up to and including 2.7.STABLE5 are vulnerable.

All Squid-3.0 versions up to and including 3.0.STABLE12 are vulnerable.

All Squid-3.1 beta versions up to and including are vulnerable.
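A version check along the lines of this section, as an added example that is not part of the Squid advisory: it reads the banner printed by `squid -v` and applies the 2.7 and 3.0 bounds stated above. The function name and result labels are assumptions, and because this page does not give the 3.1 bound, 3.1 versions are reported as `unknown`.

```shell
#!/bin/sh
# Added example (not from the Squid project): classify a Squid version
# against SQUID-2009:1 using the bounds given in the advisory text.
# Usage: classify_squid_version "$(squid -v)"
# Prints one of: vulnerable | fixed | unknown | not-listed

classify_squid_version() {
    # Pull the token after "Version " from the banner, e.g.
    # "Squid Cache: Version 3.0.STABLE12"; later lines (configure
    # options) are ignored. A bare version string is accepted too.
    sq_ver=$(printf '%s\n' "$1" |
        sed -n 's/^.*Version \([^ ]*\).*$/\1/p' | head -n 1)
    [ -n "$sq_ver" ] || sq_ver=$1

    case "$sq_ver" in
        2.7.STABLE[0-9]*) sq_fixed=6 ;;    # fixed in 2.7.STABLE6
        3.0.STABLE[0-9]*) sq_fixed=13 ;;   # fixed in 3.0.STABLE13
        2.7.*|3.0.*)
            # Pre-STABLE builds of an affected branch fall under
            # "all versions up to and including ...".
            echo "vulnerable"; return 0 ;;
        3.1.*)
            # The 3.1 bound is not given on this page: do not guess.
            echo "unknown"; return 0 ;;
        *)
            # Branch not mentioned in the advisory text.
            echo "not-listed"; return 0 ;;
    esac

    # Numeric STABLE level, dropping any suffix such as "-20090203".
    sq_n=${sq_ver##*STABLE}
    sq_n=${sq_n%%[!0-9]*}

    if [ "$sq_n" -lt "$sq_fixed" ]; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}
```

Packaged builds may carry the fix under an unchanged version number, so for those the vendor's advisory takes precedence over this result.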



Contact details for the Squid project:

For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor.

If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>.

For reporting of non-security bugs in the latest STABLE release the Squid Bugzilla database should be used <http://www.squid-cache.org/bugs/>.

For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established.


The vulnerability was discovered by Joshua Morin, Mikko Varpiola and Jukka Taimisto from the CROSS project at Codenomicon Ltd.

Revision history:

2009-02-02 13:12 GMT Initial version