[ADVISORY] SQUID-2013:1 Denial of Service in Language Negotiation

__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2013:1
__________________________________________________________________

Advisory ID:            SQUID-2013:1
Date:                   March 14, 2013
Summary:                Denial of Service in Language Negotiation
Affected versions:      Squid 3.2 -> 3.2.8
                        Squid 3.3 -> 3.3.2
Fixed in Version:       Squid 3.2.9, 3.3.3
__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2013_1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1839
__________________________________________________________________

Problem Description:

 A bug exists in the code that parses the Accept-Language header for
 error response language negotiation. The bug results in a code
 loop that prevents Squid from servicing any traffic.

__________________________________________________________________

Severity:

 Specially crafted requests from any source will cause Squid to
 stop responding to all clients.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 3.2.9 and 3.3.3.

 In addition, patches addressing this problem in the stable
 releases can be found in our patch archives.

Squid-3.3:
 http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2013_1.patch

Squid-3.2:
 http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2013_1.patch


 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x versions are not vulnerable.

 All Squid-3.0 and Squid-3.1 versions are not vulnerable.

 All Squid installations configured with an explicit error_directory
 (which disables negotiation) are not vulnerable.

 All Squid builds configured with --disable-auto-locale (which
 disables negotiation) are not vulnerable.

 Unpatched Squid-3.2 releases up to and including 3.2.8 are
 vulnerable.

 Unpatched Squid-3.3 releases up to and including 3.3.2 are
 vulnerable.
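The criteria above as a runnable check (an added example, not code from the advisory or the Squid project). It assumes `squid -v` prints a `Squid Cache: Version X.Y.Z` line and a `configure options:` line, that squid.conf lives at /etc/squid/squid.conf, and it treats every version outside the listed ranges as not vulnerable.

```sh
#!/bin/sh
# Added example, not from the advisory or the Squid project: apply the
# SQUID-2013:1 criteria to an install. A build with --disable-auto-locale or
# an explicit error_directory is not exposed; otherwise the version decides.

# squid_2013_1_vulnerable VERSION CONFIGURE_OPTIONS SQUID_CONF_TEXT
# Exit status 0 = vulnerable, 1 = not vulnerable.
squid_2013_1_vulnerable() {
    ver=$1; opts=$2; conf=$3
    # Built with --disable-auto-locale: negotiation is compiled out.
    case " $opts " in
        *" --disable-auto-locale "*) return 1 ;;
    esac
    # An active (uncommented) error_directory line forces one language.
    if printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*error_directory[[:space:]]+[^[:space:]]'; then
        return 1
    fi
    # Split "MAJOR.MINOR.PATCH[suffix]"; a missing patch level counts as 0.
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%[!0-9]*}
    [ -z "$patch" ] && patch=0
    # Only the listed ranges are affected: 3.2.0-3.2.8 and 3.3.0-3.3.2.
    # 2.x, 3.0, 3.1 and the fixed releases 3.2.9 / 3.3.3 are not.
    [ "$major" = 3 ] || return 1
    case $minor in
        2) [ "$patch" -le 8 ] ;;
        3) [ "$patch" -le 2 ] ;;
        *) return 1 ;;
    esac
}

# Check the local binary. Assumes `squid -v` prints "Squid Cache: Version X"
# plus a "configure options:" line, and squid.conf at /etc/squid/squid.conf.
squid_2013_1_check_local() {
    command -v squid >/dev/null 2>&1 || { echo "squid not found"; return 2; }
    v=$(squid -v)
    ver=$(printf '%s\n' "$v" | sed -n 's/^Squid Cache: Version \([0-9.]*\).*/\1/p')
    opts=$(printf '%s\n' "$v" | sed -n 's/^configure options: *//p')
    if squid_2013_1_vulnerable "$ver" "$opts" "$(cat "${1:-/etc/squid/squid.conf}")"; then
        echo "Squid $ver: VULNERABLE to SQUID-2013:1 (CVE-2013-1839)"
    else
        echo "Squid $ver: not vulnerable to SQUID-2013:1"; return 1
    fi
}
```

Source the file and run `squid_2013_1_check_local [path/to/squid.conf]` on the proxy host; the exit status (0 vulnerable, 1 not, 2 no squid) makes it usable from a fleet inventory script.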

__________________________________________________________________

Workarounds:

 Disabling language auto-negotiation.

Either

 Configure error_directory directive to an explicit template
 directory to force that language instead of negotiation.
 Restart or reconfigure Squid after editing squid.conf.

Or

 build Squid using ./configure --disable-auto-locale

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary
 support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was reported by Kurt Seifried, Red Hat Security
 Response Team

__________________________________________________________________

Revision history:

 2013-03-05 20:53 GMT 0-day attack publication
 2013-03-07 21:07 GMT Squid Project notification
 2013-03-07 22:18 GMT Initial patch release
 2013-03-13 23:52 GMT Initial release of this document
__________________________________________________________________
END