Squid Proxy Cache Security Update Advisory SQUID-2009:1
Advisory ID: SQUID-2009:1
Date: February 02, 2009
Summary: Denial of service in request processing
Affected versions: Squid 2.7 -> 2.7.STABLE5, Squid 3.0 -> 3.0.STABLE12, Squid 3.1 -> 184.108.40.206
Fixed in version: Squid 2.7.STABLE6, 3.0.STABLE13, 220.127.116.11
Due to an internal error, Squid is vulnerable to a denial of service attack when processing specially crafted requests.
This problem allows any client to perform a denial of service attack on the Squid service.
This bug is fixed by Squid versions 2.7.STABLE6, 3.0.STABLE13, and 18.104.22.168.
In addition, patches addressing this problem can be found in our patch archives:
Squid 2.7:
http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch
Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch
Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch
If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.
Determining if your version is vulnerable:
All Squid-2.7 versions up to and including 2.7.STABLE5 are vulnerable.
All Squid-3.0 versions up to and including 3.0.STABLE12 are vulnerable.
All Squid-3.1 beta versions up to and including 22.214.171.124 are vulnerable.
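The version rules above can be applied mechanically to the output of `squid -v` (which prints a line of the form "Squid Cache: Version 2.7.STABLE5"). The following is an added example, not part of the advisory or of the Squid project's code. It encodes only the 2.7 and 3.0 bounds stated above; the 3.1 beta bound is not usable as printed on this page, so 3.1 is reported as "unknown" rather than guessed.

```python
import re

# Inclusive upper bound of the affected STABLE releases, per the advisory:
# 2.7 up to 2.7.STABLE5, 3.0 up to 3.0.STABLE12.
AFFECTED_MAX_STABLE = {
    (2, 7): 5,
    (3, 0): 12,
}

# Matches "Version 2.7.STABLE5" or "Version 3.1.0.4" style strings in `squid -v` output.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\S+)")


def assess_squid_version(squid_v_output):
    """Classify a `squid -v` output line against SQUID-2009:1.

    Returns one of: "vulnerable", "fixed", "unknown", "not-listed", "unparsed".
    """
    m = VERSION_RE.search(squid_v_output)
    if not m:
        return "unparsed"
    major, minor, rest = int(m.group(1)), int(m.group(2)), m.group(3)

    if (major, minor) in AFFECTED_MAX_STABLE:
        stable = re.fullmatch(r"STABLE(\d+)", rest)
        if not stable:
            # A 2.7/3.0 build that is not a STABLE release; the advisory
            # gives no bound for such builds, so do not guess.
            return "unknown"
        if int(stable.group(1)) <= AFFECTED_MAX_STABLE[(major, minor)]:
            return "vulnerable"
        return "fixed"

    if (major, minor) == (3, 1):
        # 3.1 betas are listed as affected, but the exact bound is not
        # recoverable from this copy of the advisory; report it for manual review.
        return "unknown"

    # Branches the advisory does not mention at all (e.g. 2.6).
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample lines, as `squid -v` would print them.
    for line in (
        "Squid Cache: Version 2.7.STABLE5",
        "Squid Cache: Version 2.7.STABLE6",
        "Squid Cache: Version 3.0.STABLE13",
        "Squid Cache: Version 3.1.0.4",
        "Squid Cache: Version 2.6.STABLE22",
    ):
        print(f"{line!r}: {assess_squid_version(line)}")
```

Feed it the first line of `squid -v` from each host; anything reported as "unknown" or "unparsed" should be checked by hand against the vendor's package changelog, since prepackaged builds may carry the fix without a version bump.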
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor.
If you install and build Squid from the original Squid sources then the email@example.com mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://www.squid-cache.org/bugs/>.
For reporting of security sensitive bugs send an email to the firstname.lastname@example.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established.
The vulnerability was discovered by Joshua Morin, Mikko Varpiola and Jukka Taimisto from the CROSS project at Codenomicon Ltd.
2009-02-02 13:12 GMT Initial version