Search squid archive

[squid-announce] [ADVISORY] SQUID-2018:2 Denial of Service issue in HTTP Message processing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2018:2
__________________________________________________________________

Advisory ID:        SQUID-2018:2
Date:               Jan 19, 2018
Summary:            Denial of Service issue
                    in HTTP Message processing.
Affected versions:  Squid 3.x -> 3.5.27
                    Squid 4.x -> 4.0.22
Fixed in version:   Squid 4.0.23
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__________________________________________________________________

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses or downloading
 intermediate CA certificates.

__________________________________________________________________

Severity:

 This problem allows a remote client delivering certain HTTP
 requests in conjunction with certain trusted server responses to
 trigger a denial of service for all clients accessing the Squid
 service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 4.0.23.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch>

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid configured with "log_uses_indirect_client off" are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.27 being used for reverse-proxy with squid.conf
 containing "log_uses_indirect_client on" are vulnerable.

 All Squid-4 up to and including Squid-4.0.22 being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All unpatched Squid-4 up to and including Squid-4.0.22 being
 used for TLS/HTTPS intercept proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

__________________________________________________________________

Workarounds:

 Configure "log_uses_indirect_client off" in squid.conf

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The initial issue was reported by Louis Dion-Marcil on behalf of
 GoSecure.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2017-12-13 20:09:30 UTC Initial Report
 2018-01-18 23:10:00 UTC Patches Released
 2018-01-21 07:45:00 UTC Advisory and fixed packages released
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux