__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2011:3 __________________________________________________________________ Advisory ID: SQUID-2011:3 Date: August 28, 2011 Summary: Buffer overflow in Gopher reply parser Affected versions: Squid 3.0 -> 3.0.STABLE25 Squid 3.1 -> 3.1.14 Squid 3.2 -> 3.2.0.10 Fixed in Version: Squid 3.0.STABLE26, 3.1.15, 3.2.0.11 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2005_1.txt http://www.squid-cache.org/Advisories/SQUID-2011_3.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3205 __________________________________________________________________ Problem Description: A bug exists in the code that parses responses from Gopher servers. The bug results in a buffer overflow if a Gopher server returns a line longer than 4096 bytes. The overflow results in memory corruption and usually crashes Squid. This is an extension of SQUID-2005:1 which has been opened in the Squid 3.x version code due to increased packet read sizes. __________________________________________________________________ Severity: A malicious user may set up a fake Gopher server and forward requests to it through Squid. Specially crafted responses from that server may cause Squid to restart. __________________________________________________________________ Updated Packages: This bug is fixed by Squid versions 3.2.0.11, 3.1.15, and 3.0.STABLE26. In addition, patches addressing this problem can be found in our patch archives. Squid-3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch Squid-3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch Squid-3.2: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x versions are not vulnerable. This problem is limited to Squid-3.x versions with large read buffer sizes. Unpatched Squid-3.0 releases up to and including 3.0.STABLE25 are vulnerable. Unpatched Squid-3.1 releases up to and including 3.1.14 are vulnerable. Unpatched Squid-3.2 releases up to and including 3.2.0.10 are vulnerable. __________________________________________________________________ Workarounds: Since real Gopher servers are extremely rare these days, there is almost no reason for Squid to contact a Gopher server. You can add a simple access control rule to deny all Gopher requests to Squid: acl Gopher proto Gopher http_access deny Gopher Restart or reconfigure Squid after editing squid.conf. Test your access controls with a simple request: % squidclient gopher://127.0.0.1/ You should see an "Access Denied" message. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see . For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was found by Ben Hawkes, Google Security Team __________________________________________________________________ Revision history: 2011-08-28 12:29 GMT Initial release of this document 2011-08-31 07:25 Update for CVE-2011-3205 assignment __________________________________________________________________ END