Squid Proxy Cache Security Update Advisory SQUID-2007:2
Advisory ID: SQUID-2007:2
Date: November 27, 2007
Summary: Denial of service in cache updates
Affected versions: Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version: Squid 2.6.STABLE17;
November 28 Squid-2 snapshot
November 28 Squid-3 snapshot
Author: Adrian Chadd
Thanks: Wikimedia Foundation
http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
Problem Description:
Due to incorrect bounds checking, Squid is vulnerable to a
denial of service during some cache update reply processing.
Severity:
This problem allows any client trusted to use the service to
perform a denial of service attack on the Squid service.
Updated Packages:
This bug is fixed by Squid version 2.6.STABLE17 and by the November
28 snapshots of Squid-2 and Squid-3.
In addition, a patch addressing this problem can be found in
our patch archive for version Squid-2.6:
http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch
And for Squid-3:
http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
All Squid-2.X versions up to, and including 2.6.STABLE16 are
vulnerable.
All Squid-3 snapshots and prereleases up to the November 28
snapshot are vulnerable.
Workarounds:
There are no workarounds.
Thanks to:
Thanks go to the Wikimedia Foundation for helping identify the issue
and testing the proposed resolution of the issue.
Thanks to Adrian Chadd for the Squid-2 fix.
Thanks to Henrik Nordstrom for the Squid-3 fix.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your primary
support point. See <http://www.squid-cache.org/mailing-lists.html>
for subscription details.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://www.squid-cache.org/bugs/>.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed list
(though anyone can post) and security related bug reports are
treated in confidence until the impact has been established.
Revision history:
2007-11-26 14:40 GMT+9 Initial version
END