Advisory SQUID-2010:3 Denial of service in request processing

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2010:3
__________________________________________________________________

Advisory ID:            SQUID-2010:3
Date:                   September 03, 2010
Summary:                Denial of service in request processing
Affected versions:      Squid 3.0 -> 3.0.STABLE25
                        Squid 3.1 -> 3.1.7
                        Squid 3.2 -> 3.2.0.1
Fixed in version:       Squid 3.1.8, 3.2.0.2
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
__________________________________________________________________

Problem Description:

 Due to an internal error in string handling Squid is vulnerable
 to a denial of service attack when processing specially crafted
 requests.

__________________________________________________________________

Severity:

 This problem allows any trusted client to perform a denial of
 service attack on the Squid service.

 There are applications already in general public use which can
 trigger this problem for 3.1 and 3.2 on occasion without intended
 malice.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 3.1.8 and 3.2.0.2.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch


 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

Squid-3.0:

 All Squid-3.0 versions up to and including 3.0.STABLE25 have
 some risk of being vulnerable to variations of the problem.
 The particular 0-day tests currently known do not trigger it.

Squid-3.1:

 All versions up to and including 3.1.7 are at some risk of being
 vulnerable to the problem and its variations.

 squid.conf files containing "ignore_expect_100 on" are vulnerable
 to the known active 0-day.

 Binaries built with --disable-http-violations are not vulnerable
 to the known active 0-day.

Squid-3.2:

 The 3.2.0.1 beta version is vulnerable under the same conditions
 as for Squid-3.1.

__________________________________________________________________

Workarounds:

 These workarounds apply only to the known active 0-day triggers.

 1) Checking that the ignore_expect_100 squid.conf option is set to
    "off" (the default), or is removed completely from squid.conf.

or,

 2) Building Squid with --disable-http-violations.
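
 The following script is an added example for this advisory; it is not
 part of the advisory text or of the Squid project's own tooling. It
 turns the "Determining if your version is vulnerable" and "Workarounds"
 sections above into three checks an administrator can run: whether a
 version string falls inside the affected ranges listed here, whether a
 squid.conf leaves ignore_expect_100 off (absent, commented out, or its
 last active value is off), and whether captured `squid -v` output shows
 a build with --disable-http-violations. The sample squid.conf and
 `squid -v` text embedded at the bottom are constructed for the demo, and
 the temporary file paths are assumptions; point the functions at your
 own files instead.

```shell
#!/bin/sh
# Added example, not from the Squid advisory or the Squid project.
# All file paths and sample inputs below are constructed for the demo.

# Return 0 if VERSION falls inside an affected range listed in the
# advisory (3.0 -> 3.0.STABLE25, 3.1 -> 3.1.7, 3.2 -> 3.2.0.1), 1 otherwise.
# Branches the advisory does not mention are reported as not affected.
squid_version_affected() {
    v="$1"
    case "$v" in
        3.0.STABLE*)
            n=$(printf '%s' "$v" | sed -n 's/^3\.0\.STABLE\([0-9][0-9]*\).*/\1/p')
            [ -n "$n" ] && [ "$n" -le 25 ] ;;
        3.0.*)   return 0 ;;   # 3.0 pre-STABLE releases precede STABLE25
        3.1.0.*) return 0 ;;   # 3.1.0.x betas precede 3.1.7
        3.1.*)
            n=$(printf '%s' "$v" | sed -n 's/^3\.1\.\([0-9][0-9]*\).*/\1/p')
            [ -n "$n" ] && [ "$n" -le 7 ] ;;
        3.2.0.*)
            n=$(printf '%s' "$v" | sed -n 's/^3\.2\.0\.\([0-9][0-9]*\).*/\1/p')
            [ -n "$n" ] && [ "$n" -le 1 ] ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the squid.conf at CONF leaves ignore_expect_100 off (the
# default): the directive is absent, commented out, or its last active
# occurrence says off. Comments are stripped before matching so a
# commented-out "ignore_expect_100 on" does not count as enabled.
squid_conf_expect100_off() {
    last=$(sed 's/#.*//' "$1" |
           awk '$1 == "ignore_expect_100" { v = tolower($2) } END { print v }')
    case "$last" in
        ""|off) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if FILE (captured 'squid -v' output, which lists the configure
# options) shows the binary was built with --disable-http-violations.
squid_build_violations_disabled() {
    grep -q -- '--disable-http-violations' "$1"
}

# Demo on constructed inputs (not output from any real host).
tmpdir=$(mktemp -d)
cat > "$tmpdir/squid.conf" <<'EOF'
http_port 3128
# ignore_expect_100 on      <- commented out, so still off
ignore_expect_100 on
EOF
cat > "$tmpdir/squid-v.txt" <<'EOF'
Squid Cache: Version 3.1.7
configure options:  '--prefix=/usr' '--enable-icap-client'
EOF

ver=$(sed -n 's/^Squid Cache: Version \(.*\)$/\1/p' "$tmpdir/squid-v.txt")
if squid_version_affected "$ver"; then
    echo "version $ver: inside an affected range listed in the advisory"
else
    echo "version $ver: not inside a listed affected range"
fi
if squid_conf_expect100_off "$tmpdir/squid.conf"; then
    echo "ignore_expect_100: off (workaround 1 in place)"
else
    echo "ignore_expect_100: on (workaround 1 NOT in place)"
fi
if squid_build_violations_disabled "$tmpdir/squid-v.txt"; then
    echo "build: --disable-http-violations (workaround 2 in place)"
else
    echo "build: HTTP violations enabled (workaround 2 NOT in place)"
fi
rm -rf "$tmpdir"
```

 The version check only classifies the ranges this advisory names; a
 version outside those branches is reported as not listed, not as safe.
 The config check honours Squid's last-directive-wins behaviour, so a
 file that sets ignore_expect_100 on and later off is reported as off.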

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary
 support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://www.squid-cache.org/bugs/.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was discovered by Phil Oester.

__________________________________________________________________

Revision history:

 2010-08-30 14:19 GMT Initial Report
 2010-09-01 08:04 GMT Patches Released
 2010-09-03 09:00 GMT Initial version
__________________________________________________________________
END

