__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2010:3 __________________________________________________________________ Advisory ID: SQUID-2010:3 Date: September 03, 2010 Summary: Denial of service in request processing Affected versions: Squid 3.0 -> 3.0.STABLE25 Squid 3.1 -> 3.1.7 Squid 3.2 -> 3.2.0.1 Fixed in version: Squid 3.1.8, 3.2.0.2 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2010_3.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3072 __________________________________________________________________ Problem Description: Due to an internal error in string handling Squid is vulnerable to a denial of service attack when processing specially crafted requests. __________________________________________________________________ Severity: This problem allows any trusted client to perform a denial of service attack on the Squid service. There are applications already in general public use which can trigger this problem for 3.1 and 3.2 on occasion without intended malice. __________________________________________________________________ Updated Packages: This bug is fixed by Squid versions 3.1.8 and 3.2.0.2 In addition, patches addressing this problem for stable releases can be found in our patch archives: Squid 3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Squid-3.0: All Squid-3.0 versions up to and including 3.0.STABLE25 have some risk of being vulnerable to variations of the problem. The particular 0-day tests currently known do not trigger it. Squid-3.1: All versions up to and including 3.1.7 are at some risk of being vulnerable to the problem and its variations. squid.conf containing with "ignore_expect_100 on" are vulnerable to the known active 0-day. Binaries built with --disable-http-violations are not vulnerable to the known active 0-day. Squid-3.2: The 3.2.0.1 beta version is vulnerable under the same conditions as for Squid-3.1. __________________________________________________________________ Workarounds: These workarounds apply only to the known active 0-day triggers. 1) Checking that ignore_expect_100 squid.conf option is set to "off" (the default), or removed completely from squid.conf. or, 2) Building Squid with --disable-http-violations. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see http://www.squid-cache.org/Support/mailing-lists.html. For reporting of non-security bugs in the latest release the squid bugzilla database should be used http://bugs.squid-cache.org/. For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was discovered by Phil Oester. __________________________________________________________________ Revision history: 2010-08-30 14:19 GMT Initial Report 2010-09-01 08:04 GMT Patches Released 2010-09-03 09:00 GMT Initial version 2010-09-16 07:05 GMT Reference link updates 2011-02-13 09:30 GMT CVE reference update __________________________________________________________________ END