________________________________ Squid Proxy Cache Security Update Advisory SQUID-2024:3 ________________________________ Advisory ID: SQUID-2024:3 Date: Jun 10, 2024 Summary: Denial of Service in ESI processing Affected versions: Squid 3.0 -> 3.5.28 Squid 4.0 -> 4.16 Squid 5.0 -> 5.9 Squid 6.0 -> 6.9 Fixed in version:Squid 6.10 ________________________________ Problem Description: Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error, which can result in a Denial of Service. ________________________________ Severity: This problem allows a trusted server to perform a Denial of Service attack on Squid while processing ESI response content. This affects all domains being serviced by the proxy and all clients using it during the affected period. The trigger for this issue are values which clients might normally expect to use in valid ESI response content. As such admin should expect this issue to be already occurring without any malicious 0-day attack existing. This issue is limited to Squid acting as reverse proxy where ESI feature has been enabled at build time CVSS Score of 6.3 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H&version=3.1> ________________________________ Updated Packages: This bug is fixed by Squid version 6.10. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 3.x, 4, or 5: <https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. ________________________________ Determining if your version is vulnerable: All Squid built with --disable-esi are not vulnerable. All Squid-3.0 versions built without --enable-esi are not vulnerable. All Squid-3.x versions built with --enable-esi are vulnerable. All Squid-4.x built with --enable-esi are vulnerable. All Squid-5.x built with --enable-esi are vulnerable. All Squid-6.x up to and including 6.9 built with --enable-esi are vulnerable ________________________________ Workaround: * Build Squid with --disable-esi ________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your primary support point. For subscription details see http://www.squid-cache.org/Support/mailing-lists.html. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used http://bugs.squid-cache.org/. For reporting of security sensitive bugs send an email to the squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. ________________________________ Credits: This vulnerability was discovered by Joshua Rogers of Opera Software. Fixed by Francesco Chemolli ________________________________ Revision history: 2021-03-01 23:06:11 UTC Initial Report 2024-06-02 14:00:00 UTC Patches released 2024-06-10 14:00:00 UTC Fixed packages released ________________________________ END _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-announce