__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2009:1
__________________________________________________________________

Advisory ID:        SQUID-2009:1
Date:               February 02, 2009
Summary:            Denial of service in request processing
Affected versions:  Squid 2.7 -> 2.7.STABLE5,
                    Squid 3.0 -> 3.0.STABLE12,
                    Squid 3.1 -> 3.1.0.4
Fixed in version:   Squid 2.7.STABLE6, 3.0.STABLE13, 3.1.0.5
__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2009_1.txt
__________________________________________________________________

Problem Description:

Due to an internal error Squid is vulnerable to a denial of service
attack when processing specially crafted requests.
__________________________________________________________________

Severity:

This problem allows any client to perform a denial of service attack
on the Squid service.
__________________________________________________________________

Updated Packages:

This bug is fixed by Squid versions 2.7.STABLE6, 3.0.STABLE13, and
3.1.0.5.

In addition, patches addressing this problem can be found in our
patch archives:

Squid 2.7:
http://www.squid-cache.org/Versions/v2/2.7/changesets/12432.patch
http://www.squid-cache.org/Versions/v2/2.7/changesets/12442.patch

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8964.patch
http://www.squid-cache.org/Versions/v3/3.0/changesets/b8965.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9414.patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9418.patch

If you are using a prepackaged version of Squid then please refer to
the package vendor for availability information on updated packages.
__________________________________________________________________

Determining if your version is vulnerable:

All Squid-2.7 versions up to and including 2.7.STABLE5 are vulnerable.

All Squid-3.0 versions up to and including 3.0.STABLE12 are vulnerable.

All Squid-3.1 beta versions up to and including 3.1.0.4 are vulnerable.
__________________________________________________________________

Workarounds:

None.
__________________________________________________________________

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions of
Squid: your first point of contact should be your binary package
vendor.

If you install and build Squid from the original Squid sources then
the squid-users@xxxxxxxxxxxxxxx mailing list is your primary support
point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.

For reporting of non-security bugs in the latest STABLE release the
squid bugzilla database should be used
<http://www.squid-cache.org/bugs/>.

For reporting of security sensitive bugs send an email to the
squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list (though
anyone can post) and security related bug reports are treated in
confidence until the impact has been established.
__________________________________________________________________

Credits:

The vulnerability was discovered by Joshua Morin, Mikko Varpiola and
Jukka Taimisto from the CROSS project at Codenomicon Ltd.
__________________________________________________________________

Revision history:

2009-02-02 13:12 GMT Initial version
__________________________________________________________________
END
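Supplementary note on the "Determining if your version is vulnerable" section: the check below is an added example, not part of the advisory or the Squid project, that turns the three affected ranges into a version comparison so a fleet inventory can be triaged automatically. It assumes the version string is either bare ("2.7.STABLE5") or the first line of `squid -v` output in the form "Squid Cache: Version 2.7.STABLE5", and it handles both the STABLE numbering of the 2.7/3.0 branches and the 3.1.0.x beta numbering.

```python
import re
from typing import Optional, Tuple

# First fixed release per branch, taken from SQUID-2009:1. Releases are
# tuples so that the STABLEn scheme (n,) and the beta scheme (0, n)
# compare correctly within their own branch.
FIXED_RELEASE = {"2.7": (6,), "3.0": (13,), "3.1": (0, 5)}

# "2.7.STABLE5", "3.0.STABLE12" or "3.1.0.4"
_VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)\.(?:STABLE(?P<stable>\d+)|(?P<beta>\d+\.\d+))$"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (branch, release tuple) for a Squid version string.

    Accepts a bare version or the first line of `squid -v`
    (assumed format: "Squid Cache: Version 2.7.STABLE5").
    Raises ValueError for anything that is not a recognised Squid version.
    """
    found = re.search(r"(\d+\.\d+\.\S+)", text)
    if not found:
        raise ValueError(f"no Squid version found in {text!r}")
    m = _VERSION_RE.match(found.group(1))
    if not m:
        raise ValueError(f"unrecognised Squid version {found.group(1)!r}")
    if m.group("stable") is not None:
        return m.group("branch"), (int(m.group("stable")),)
    # Beta scheme: "3.1.0.4" -> branch "3.1", release (0, 4).
    return m.group("branch"), tuple(int(p) for p in m.group("beta").split("."))


def is_affected(text: str) -> Optional[bool]:
    """True if the version falls inside an affected range of this advisory,
    False if it is at or beyond the fixed release for its branch, and None
    if the branch is not covered by the advisory at all (e.g. 2.6)."""
    branch, release = parse_version(text)
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return None
    return release < fixed


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    for line in ["Squid Cache: Version 2.7.STABLE5", "3.0.STABLE13", "3.1.0.4"]:
        print(f"{line!r}: affected={is_affected(line)}")
```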