SQUID-2007:2, Dec 4, 2007
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2007:2
__________________________________________________________________
Advisory ID: SQUID-2007:2
Date: November 27, 2007
Summary: Denial of service in cache updates
Affected versions: Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version: Squid 2.6.STABLE17;
November 28 Squid-2 snapshot
November 28 Squid-3 snapshot
Author: Adrian Chadd
Thanks: Wikimedia Foundation
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
__________________________________________________________________
Problem Description:
Due to incorrect bounds checking, Squid is vulnerable to a
denial of service while processing some cache update replies.
__________________________________________________________________
Severity:
This problem allows any client trusted to use the service to
perform a denial of service attack on the Squid service.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 2.6.STABLE17 and by the November
28 snapshots of Squid-2 and Squid-3.
In addition, a patch addressing this problem can be found in
our patch archive for version Squid-2.6:
http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch
And for Squid-3:
http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-2.X versions up to, and including 2.6.STABLE16 are
vulnerable.
All Squid-3 snapshots and prereleases up to the November 28
snapshot are vulnerable.
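As an added triage helper (not part of the advisory, and not Squid project code), the following Python applies the version rules above to the "Version" line printed by `squid -v`. The version-string shapes it accepts (2.6.STABLE16, 3.0.PRE7, and a dated snapshot build written as 3.0.RC1-20071120) are assumptions about how those builds report themselves; the thresholds (2.6.STABLE17 and the 28 November 2007 snapshot date) come from the advisory. Anything the advisory does not name, such as 3.0 STABLE releases, is reported as "unknown" rather than guessed.

```python
import re

# Thresholds taken from the advisory text: 2.6.STABLE17 is the first fixed
# release, and the 28 November 2007 snapshots of Squid-2 and Squid-3 carry
# the fix.
FIXED_26_STABLE = 17
FIXED_SNAPSHOT_DATE = "20071128"

# Assumed version-string shapes: "2.6.STABLE16", "3.0.PRE7", and a dated
# snapshot build such as "3.0.RC1-20071120".
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<tag>[A-Za-z]+)(?P<num>\d+))?"
    r"(?:-(?P<date>\d{8}))?$"
)


def parse_squid_version(text):
    """Parse a bare version string or the 'Squid Cache: Version X' line of `squid -v`."""
    m = re.search(r"Version\s+(\S+)", text)
    ver = m.group(1) if m else text.strip()
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError("unrecognised Squid version string: %r" % ver)
    return {
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "tag": (m.group("tag") or "").upper(),
        "num": int(m.group("num")) if m.group("num") else 0,
        "date": m.group("date"),
    }


def assess(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for SQUID-2007:2."""
    v = parse_squid_version(text)

    # A dated snapshot build is decided by its date on both branches:
    # the advisory names the 28 November snapshots as fixed.
    if v["date"] is not None:
        return "fixed" if v["date"] >= FIXED_SNAPSHOT_DATE else "vulnerable"

    if v["major"] == 2:
        if v["minor"] < 6:
            return "vulnerable"      # 2.0 .. 2.5: every release is affected
        if v["minor"] == 6:
            if v["tag"] == "STABLE":
                return "fixed" if v["num"] >= FIXED_26_STABLE else "vulnerable"
            return "vulnerable"      # 2.6 prereleases predate 2.6.STABLE1
        return "unknown"             # later 2.x lines are not named by the advisory

    if v["major"] == 3:
        if v["tag"] == "STABLE":
            return "unknown"         # 3.0 STABLE releases are not named by the advisory
        return "vulnerable"          # 3.0 prereleases (PRE/RC) up to the fix snapshot

    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the first line of `squid -v` on an affected host.
    print(assess("Squid Cache: Version 2.6.STABLE16"))
```

Feed it the first line of `squid -v` output from each proxy; a result of "unknown" means the build is outside what this advisory describes and should be checked against the vendor's own notes rather than assumed safe.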
__________________________________________________________________
Workarounds:
There are no workarounds.
__________________________________________________________________
Thanks to:
Thanks go to the Wikimedia Foundation for helping identify the issue
and testing the proposed resolution of the issue.
Thanks to Adrian Chadd for the Squid-2 fix.
Thanks to Henrik Nordstrom for the Squid-3 fix.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary
support point. See <http://www.squid-cache.org/mailing-lists.html>
for subscription details.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://www.squid-cache.org/bugs/>.
For reporting of security sensitive bugs send an email to the
squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list
(though anyone can post) and security related bug reports are
treated in confidence until the impact has been established.
__________________________________________________________________
Revision history:
2007-11-26 14:40 GMT+9 Initial version
__________________________________________________________________
END