Squid Proxy Cache Denial of Service in request handling

2009-02-04T00:00:00
ID SECURITYVULNS:DOC:21282
Type securityvulns
Reporter Securityvulns
Modified 2009-02-04T00:00:00

Description


   Squid Proxy Cache Security Update Advisory SQUID-2009:1

Advisory ID: SQUID-2009:1
Date: February 02, 2009
Summary: Denial of service in request processing
Affected versions: Squid 2.7 -> 2.7.STABLE5, Squid 3.0 -> 3.0.STABLE12, Squid 3.1 -> 3.1.0.4
Fixed in version: Squid 2.7.STABLE6, 3.0.STABLE13, 3.1.0.5


  http://www.squid-cache.org/Advisories/SQUID-2009_1.txt

Problem Description:

Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests.


Severity:

This problem allows any client to perform a denial of service attack on the Squid service.


Updated Packages:

This bug is fixed by Squid versions 2.7.STABLE6, 3.0.STABLE13, and 3.1.0.5.

In addition, patches addressing this problem can be found in our patch archives:

Squid 2.7:
http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.


Determining if your version is vulnerable:

All Squid-2.7 versions up to and including 2.7.STABLE5 are vulnerable.

All Squid-3.0 versions up to and including 3.0.STABLE12 are vulnerable.

All Squid-3.1 beta versions up to and including 3.1.0.4 are vulnerable.
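
The version ranges above, applied to an inventory of version strings. This is an added example, not part of the Squid advisory or the Squid project's code. The function names, the host names and the sample inventory are constructed, and the input is assumed to be a bare version or the "Squid Cache: Version ..." line that `squid -v` prints.

```python
import re

# Last vulnerable release per branch, as listed in the advisory.
# 2.7 and 3.0 are numbered STABLE<n>; the 3.1 betas are numbered 3.1.0.<n>.
LAST_VULNERABLE = {"2.7": 5, "3.0": 12, "3.1": 4}

VERSION_RE = re.compile(
    r"\b(?P<branch>\d+\.\d+)\.(?:STABLE(?P<stable>\d+)|0\.(?P<beta>\d+))\b"
)


def classify(version_text):
    """Classify a Squid version string against SQUID-2009:1.

    Returns 'vulnerable', 'fixed', 'not-listed' (branch the advisory does not
    mention) or 'unparsed' (pre-release or unknown naming; check by hand).
    """
    m = VERSION_RE.search(version_text)
    if m is None:
        return "unparsed"
    branch = m.group("branch")
    if branch not in LAST_VULNERABLE:
        return "not-listed"
    # Each branch has exactly one valid numbering scheme.
    level = m.group("beta") if branch == "3.1" else m.group("stable")
    if level is None:
        return "unparsed"
    return "vulnerable" if int(level) <= LAST_VULNERABLE[branch] else "fixed"


def audit(inventory):
    """Map host -> classification for a {host: version string} inventory."""
    return {host: classify(text) for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {
        "proxy-a": "Squid Cache: Version 3.0.STABLE12",
        "proxy-b": "Squid Cache: Version 2.7.STABLE6",
        "proxy-c": "Squid Cache: Version 3.1.0.4",
        "proxy-d": "Squid Cache: Version 2.6.STABLE22",
    }
    for host, status in sorted(audit(sample).items()):
        print(f"{host}: {status}")
```

For prepackaged builds the upstream version string does not show vendor-applied patches, so confirm the result with the package vendor as the advisory directs.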


Workarounds:

None.


Contact details for the Squid project:

For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor.

If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>.

For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://www.squid-cache.org/bugs/>.

For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established.


Credits:

The vulnerability was discovered by Joshua Morin, Mikko Varpiola and Jukka Taimisto from the CROSS project at Codenomicon Ltd.


Revision history:

2009-02-02 13:12 GMT Initial version


END