__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2016:9 __________________________________________________________________ Advisory ID: SQUID-2016:9 Date: May 06, 2016 Summary: Multiple Denial of Service issues in ESI Response processing. Affected versions: Squid 3.x -> 3.5.17 Squid 4.x -> 4.0.9 Fixed in version: Squid 4.0.10, 3.5.18 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2016_9.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556 __________________________________________________________________ Problem Description: Due to incorrect pointer handling and reference counting Squid is vulnerable to a denial of service attack when processing ESI responses. __________________________________________________________________ Severity: These problems allow a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service. Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering one or more of these issues. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.5.18 and 4.0.10. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 3.4: <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch> Squid 3.5: <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x are not vulnerable. All Squid built with --disable-esi are not vulnerable. All Squid-3.0 versions built without --enable-esi are not vulnerable. All Squid-3.0 versions built with --enable-esi and used for reverse-proxy are vulnerable. All Squid-3.1 and later versions up to and including Squid-3.5.17 being used for reverse-proxy are vulnerable. All Squid-3.1 and later versions up to and including Squid-3.5.17 being used for TLS / HTTPS interception are vulnerable. All unpatched Squid-4.0 up to and including Squid-4.0.9 being used as reverse-proxy are vulnerable. All unpatched Squid-4.0 up to and including Squid-4.0.9 being used as TLS/HTTPS intercept proxy are vulnerable. __________________________________________________________________ Workaround: Build Squid with --disable-esi __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://bugs.squid-cache.org/>. For reporting of security sensitive bugs send an email to the squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The initial issue was reported by "bfek-18". Additional issues and attack vector was reported by "@vftable". Fixed by Amos Jeffries from Treehouse Networks Ltd. __________________________________________________________________ Revision history: 2016-03-02 15:12:12 UTC Initial Report 2016-05-01 23:48:27 UTC Additional Issue Report 2016-05-06 09:39:48 UTC Patches Released 2016-05-06 13:12:00 UTC Packages Released 2016-05-06 14:46:41 UTC CVE Assignment __________________________________________________________________ END _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce