__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2009:2 __________________________________________________________________ Advisory ID: SQUID-2009:2 Date: August 04, 2009 Summary: Multiple Remote Denial of service issues in header processing. Affected versions: Squid 3.0 -> 3.0.STABLE17, Squid 3.1 -> 3.1.0.12 Fixed in version: Squid 3.0.STABLE18, 3.1.0.13 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2009_2.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2621 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2622 __________________________________________________________________ Problem Description: Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses. Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses. __________________________________________________________________ Severity: These problems allow any trusted client or external server to perform a denial of service attack on the Squid service. __________________________________________________________________ Updated Packages: Theses bugs are fixed by Squid versions 3.0.STABLE18 and 3.1.0.13 In addition, patches addressing these problems can be found In our patch archives. These need to be applied in sequence: Squid 3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/b9070.patch http://www.squid-cache.org/Versions/v3/3.0/changesets/b9074.patch http://www.squid-cache.org/Versions/v3/3.0/changesets/b9075.patch http://www.squid-cache.org/Versions/v3/3.0/changesets/b9081.patch http://www.squid-cache.org/Versions/v3/3.0/changesets/b9082.patch Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch http://www.squid-cache.org/Versions/v3/3.1/changesets/b9668.patch http://www.squid-cache.org/Versions/v3/3.1/changesets/b9669.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All unpatched Squid-3.0 versions up to and including 3.0.STABLE17 are vulnerable. All unpatched Squid-3.1 versions up to and including 3.1.0.12 are vulnerable. Squid-2.x releases are not vulnerable. __________________________________________________________________ Workarounds: None currently known. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://www.squid-cache.org/bugs/>. For reporting of security sensitive bugs send an email to the squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The request vulnerabilities were discovered by Alex Montoanelli of www.unetvale.net Some response vulnerabilities were discovered by Rob Middleton of Centenary Institute. Some response vulnerabilities were discovered by Tuomo Untinen, Ossi Herrala and Jukka Taimisto from the CROSS project at Codenomicon Ltd. __________________________________________________________________ Revision history: 2009-07-27 14:08 GMT Initial version 2009-08-02 08:15 GMT Add CVE references 2009-08-03 10:27 GMT Revision for additional flaws patched 2009-08-04 23:44 GMT Updated fix releases __________________________________________________________________ END