===================================================================== CERT-Renater Note d'Information No. 2007/VULN478 _____________________________________________________________________ DATE : 04/12/2007 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Squid. ====================================================================== __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2007:2 __________________________________________________________________ Advisory ID: SQUID-2007:2 Date: November 27, 2007 Summary: Denial of service in cache updates Affected versions: Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3. Fixed in version: Squid 2.6.STABLE17; November 28 Squid-2 snapshot November 28 Squid-3 snapshot Author: Adrian Chadd Thanks: Wikimedia Foundation __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2007_2.txt __________________________________________________________________ Problem Description: Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing. __________________________________________________________________ Severity: This problem allows any client trusted to use the service to perform a denial of service attack on the Squid service. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 2.6.STABLE17 and by the November 28 snapshots of Squid-2 and Squid-3. In addition, a patch addressing this problem can be found in our patch archive for version Squid-2.6: http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch And for Squid-3: http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.X versions up to, and including 2.6.STABLE16 are vulnerable. All Squid-3 snapshots and prereleases up to the November 28 snapshot are vulnerable. __________________________________________________________________ Workarounds: There are no workarounds. __________________________________________________________________ Thanks to: Thanks go to the Wikimedia Foundation for helping identify the issue and testing the proposed resolution of the issue. Thanks to Adrian Chadd for the Squid-2 fix. Thanks to Henrik Nordstrom for the Squid-3 fix. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. See for subscription details. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Revision history: 2007-11-26 14:40 GMT+9 Initial version __________________________________________________________________ END ====================================================================== ========================================================= Les serveurs de re'fe'rence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================