Search squid archive

RPMs release due to [ADVISORY] SQUID-2016:1 Remote Denial of Service issue in SSL/TLS processing.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Due to the Security Update Advisory I am releasing RPMs for:
- SLES 12 SP1
- OpenSUSE Leap 42.1
- CentOS 6 + 7
- Oracle Linux 6 + 7

CentOS and Oracle Linux EL6 version includes RPMs only for the 3.5 tree and for both 64 and 32 bit.
All others was built only for 64 bit and also includes 4.0.6 RPMs.

Notice that in 4.0.6 there where couple important changes.
* SSL related helpers changed

This release adds two new ./configure options
  --enable-security-validators=
  --enable-security-generators=

These build options operate the same as external ACL and authentication
helper build options. But control whether the SSL certificate validator
and SSL-Bump certificate generator helper(s) are built.

As part of this change;

 - the ssl_crtd helper is renamed to security_file_certgen
   (built with --enable-security-generators=file), and

 - the cert_valid.pl helper is renamed to security_fake_certverify
   (built with --enable-security-validators=fake).


The RPMs and SRPMS for all builds are present at:
http://www1.ngtech.co.il/repo/

ordered by Linux distribution names and versions.

All The Bests,
Eliezer

On 16/02/2016 08:20, Amos Jeffries wrote:
__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2016:1
__________________________________________________________________

Advisory ID:        SQUID-2016:1
Date:               February 16, 2016
Summary:            Remote Denial of Service issue
                     in SSL/TLS processing.
Affected versions:  Squid 3.5.13
                     Squid 4.0.4 -> 4.0.5
Fixed in version:   Squid 4.0.6, 3.5.14
__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
__________________________________________________________________

Problem Description:

  Due to incorrectly handling server errors Squid is vulnerable to
  a denial of service attack when connecting to TLS or SSL servers.

__________________________________________________________________

Severity:

  This problem allows any trusted client to perform a denial of
  service attack on the Squid service regardless of whether TLS or
  SSL is configured for use in the proxy.

  Misconfigured client or server software may trigger this issue
  to perform a denial of service unintentionally.

  However, the bug is exploitable only if Squid is built using the
  --with-openssl option.

__________________________________________________________________

Updated Packages:

  These bugs are fixed by Squid version 3.5.14 and 4.0.6.


  In addition, patches addressing this problem for stable releases
  can be found in our patch archives:

Squid 3.5:
  http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

  All Squid-3.4 and older versions are not vulnerable.

  All Squid-3.5.12 and older 3.5 versions are not vulnerable.

  All Squid-3.5 built without OpenSSL support are not vulnerable.

  All Squid-4.0.3 and older 4.0 versions are not vulnerable.

  All Squid-4 built without OpenSSL support are not vulnerable.

  All unpatched Squid-3.5.13, 4.0.4, and 4.0.5 built using
  --with-openssl are vulnerable.

  The following command can be used to easily determine if a
  vulnerable build is being used:
   squid -v

__________________________________________________________________

Workaround:

  Disabling service for https:// URLs entirely at the top of the
  squid.conf http_access rules fully protects against this
  vulnerability:

    acl HTTPS proto HTTPS
    http_access deny HTTPS

Or,

  Relaying outbound HTTPS traffic through a non-vulnerable proxy
  protects against the issue unless the SSL-bump splice feature is
  being used.

Or,

  Disabling service for irregular HTTPS ports protects against the
  simplest forms of attack while retaining most HTTPS service:

    acl HTTPS proto HTTPS
    http_access deny HTTPS !SSL_Ports

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If your install and build Squid from the original Squid sources
  then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your
  primary support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <http://bugs.squid-cache.org/>.

  For reporting of security sensitive bugs send an email to the
  squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed
  list (though anyone can post) and security related bug reports
  are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  The vulnerability was reported and fixed by Christos Tsantilas of
  The Measurement Factory.

__________________________________________________________________

Revision history:

  2016-02-12 17:50:38 GMT Initial Report
  2016-02-12 18:05:44 GMT Patch Released
  2016-02-15 17:15:00 GMT Packages Released
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux