This page contains official patches to Squid 2.4
See also Bugzilla Database Entries for Squid version 2.4
synopsis | If certain malformed URLs are received then a buffer overrun may occur. The exact risk of this buffer overrun has not yet been fully evaluated but it is not believed to be easily exploitable |
versions | 2.4.STABLE7 and earlier |
platforms | All |
patch | squid-2.4.STABLE7-url_escape.patch |
workaround | none |
synopsis | If certain malformed URLs are received and the configuration has been altered not to use the Safe_ports acl check found in the default configuration then Squid will abort with an assertion failure. |
versions | 2.4.STABLE7 and earlier |
platforms | All |
patch | squid-2.4.STABLE7-url_port.patch |
workaround | Make sure any attempts to access port 0 are disallowed. The default configuration shipped with Squid should be safe, but if you have manually changed the use of Safe_ports then you may be at risk. |
synopsis | The recent fixes to msnt_auth broke its allowusers/denyusers functionality |
versions | 2.4.STABLE7 / msntauth-v2.0.3-squid.1 |
platforms | All |
reported by | Marco Berizzi |
configuration | Configurations using the allowusers/denyusers feature of the msnt_auth authentication helper |
patch | squid-2.4.STABLE7-msntauth.patch / msntauth-v2.0.3-squid.2.tar.gz |
synopsis |
This patch is a minor HTTP compliance update to make Squid drop
any requests using transfer-encoding. Squid is an HTTP/1.0 proxy
and as such does not support the use of transfer-encoding.
The primary reason for this patch is a security issue in how Apache deals with malformed chunked transfer encoding in requests. While not really a Squid problem, Squid is often used as a reverse proxy in front of Apache servers. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | Henrik Nordström (MARA Systems AB) |
configuration | mainly reverse proxies |
patch | squid-2.4.STABLE6-deny_transfer_encoding.patch (older versions) |
synopsis | Buffer overflows have been found in the MSNT auth helper (msnt_auth) when configured to use denyusers or allowusers access control files |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | DER#11 |
configuration | configurations using msntauth for authentication with msntauth configured to use allowusers and/or denyusers access control files |
patch | msntauth-v2.0.3-squid.1.tar.gz |
synopsis |
Under some conditions Squid may forward the proxy authentication
credentials. This can happen if you normally require your users
to log in to use the proxy, but allow some sites to be reached
without needing to log in.
This patch restricts such forwarding to only your configured cache_peers. If you need to further control the credentials forwarding then upgrading to Squid-2.5 is recommended, as the forwarding is controlled per cache_peer in Squid-2.5 and later. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | Hernan Otero |
configuration | if a mixture of proxy authentication and sites not requiring authentication is used. |
patch | squid-2.4.STABLE6-proxy_auth.patch |
workaround | If you use proxy authentication, make sure to use it on all requests. Do not allow access to some sites without the need to log in. |
synopsis | Squid-2.4.STABLE6 fails to compile on Mac OS X due to a conflict with a system header |
versions | 2.4.STABLE6 and earlier |
platforms | Apple Mac OS X |
patch | squid-2.4.STABLE6-apple.patch |
synopsis | update of autoconf config.guess to support additional platforms |
versions | 2.4.STABLE6 and earlier |
platforms | All |
patch | squid-2.4.STABLE6-autoconf.patch |
synopsis | Documentation update of the cache_mem parameter |
versions | 2.4.STABLE6 and earlier |
platforms | All |
patch | squid-2.4.STABLE6-cache_mem_doc.patch |
synopsis | Contrary to what was claimed in the documentation the client test/diagnostics program did not implement a -T option for setting the timeout. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
patch | squid-2.4.STABLE6-client-T.patch |
synopsis | If HTCP was enabled (--enable-htcp) then "squid -k reconfigure" crashes with a segmentation fault. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
patch | squid-2.4.STABLE6-htcp.patch |
workaround | Compile Squid without --enable-htcp |
synopsis | Several buffer overflows have been found in Squid's Gopher client used for fetching gopher:// URLs via Squid. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | Olaf Kirch @ Caldera |
configuration | any configuration allowing proxying of gopher:// URLs |
patch | squid-2.4.STABLE6-gopher.patch (older versions) |
synopsis |
Squid's FTP client did not check the validity of FTP data channel
addresses, possibly allowing abuse of the FTP proxy functionality
to bypass firewall rules or injection of false FTP replies.
This patch makes Squid only accept FTP data channels to/from the same IP address that the control channel was opened to. This new check can be disabled by the new ftp_sanitycheck directive if needed, but it is strongly recommended to keep this at the default "on" value and rather fix the FTP server to use the same IP address for both the control and data channels. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | Olaf Kirch @ Caldera |
configuration | any configuration allowing proxying of FTP requests from untrusted clients |
patch | squid-2.4.STABLE6-ftp_sanitycheck.patch (older versions) |
synopsis | Several possible buffer overflows in the code parsing FTP directories have been found. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | Olaf Kirch @ Caldera |
configuration | any configuration allowing proxying of FTP requests to untrusted servers |
patch | squid-2.4.STABLE6-ftp_directories.patch (older versions) |
synopsis | rfc1035NameUnpack() handles so-called "compression" in DNS reply messages, but does not perform bounds checking on certain values. A malicious DNS server could generate a bogus reply that causes Squid to corrupt its stack and crash. |
versions | 2.4.STABLE4 and earlier |
platforms | All |
reported by | zen-parse |
configuration | when using Internal DNS queries (the default) |
patch | squid-2.4.STABLE4-rfc1035_compressed_reply.patch |
status | Fixed |
synopsis | "htcp_port 0" fails to completely disable the HTCP port as documented in squid.conf, instead HTCP will be listening on a random port number. |
versions | 2.4.STABLE3 and earlier |
platforms | All |
reported by | Miquel van Smoorenburg, Markus Friedl |
configuration | --enable-htcp, htcp_port 0 |
patch | squid-2.4.STABLE3-htcp_off.patch |
status | Fixed |
synopsis | If certain constructed ftp:// style URLs are received then Squid crashes, causing a denial of service and maybe even remote execution of code |
versions | 2.4.STABLE3 and earlier |
platforms | All |
reported by | Jouko Pynnonen |
configuration | All |
patch | squid-2.4.STABLE3-ftp_coredump.patch |
status | Fixed |
workaround |
Deny forwarding of non-anonymous FTP URLs by inserting the following
rules at the top of squid.conf, prior to any http_access allow lines:
acl non_anonymous_ftp url_regex -i ftp://[^/@]*@
http_access deny non_anonymous_ftp |
synopsis | The SNMP implementation in Squid had several memory leaks, possibly causing a denial of service. |
versions | 2.4.STABLE3 and earlier |
platforms | All |
reported by | Henrik Nordstrom (hno at squid-cache dot org) |
configuration | --enable-snmp |
patch | squid-2.4.STABLE3-SNMP_memory_leaks.patch |
status | Fixed |
workaround | Disable the SNMP port if enabled by using "snmp_port 0" in squid.conf. Or if you only use SNMP for MRTG data collection running on the same host then use "snmp_incoming_address 127.0.0.1" to limit reachability of the SNMP port to only localhost or some other trusted network. |
synopsis | Squid crashes on CONNECT requests that are allowed by http_access but denied by miss_access. |
bugzilla | #255 |
versions | 2.4.STABLE1, 2.4.STABLE2, maybe earlier |
patch | squid-2.4.STABLE2-CONNECT_miss_access_core.patch |
synopsis | On-disk swap meta information is created wrongly, possibly causing problems on slow cache rebuilds where swap.state has been manually deleted. |
bugzilla | #246 |
versions | 2.4.STABLE1, 2.4.STABLE2 |
patch | squid-2.4.STABLE2-swap_meta.patch |
synopsis | squid_ldap_auth failed to verify users with spaces in their passwords. This is caused by a shortcoming of the protocol used between Squid and its authentication helpers: if there are spaces, it is impossible to tell whether they belong to the username or to the password. This patch makes squid_ldap_auth behave like most other authentication helpers, assuming the space is in the password. |
bugzilla | #243 |
versions | 2.4.STABLE2, maybe earlier |
patch | squid-2.4.STABLE2-ldap_auth_password_spaces.patch |
synopsis | Fixes a coredump when creating FTP directories |
bugzilla | N/A |
versions | Squid-2.3.something to Squid-2.4.STABLE2 |
patch | squid-2.4.STABLE2-ftp_create_directory.patch |
synopsis | Some compilers are more picky than others and complain about a slight prototype mismatch of statHistDump |
bugzilla | N/A |
versions | probably long time back |
platforms | Some compilers |
patch | squid-2.4.STABLE2-statHistDump_prototype.patch |
synopsis | Fixes a coredump on snmpwalk in certain configurations |
bugzilla | N/A |
versions | probably long time back |
patch | squid-2.4.STABLE2-snmpwalk_coredump.patch |
synopsis | Fixes a file descriptor leak in the "aufs" cache_dir store implementation. |
bugzilla | #229 |
versions | Squid-2.4.STABLE1, Squid-2.4.STABLE2 |
platforms | All |
patch | squid-2.4.STABLE2-aufs_fd_leak.patch |
synopsis | A sign was incorrect in a recent patch committed just before squid-2.4.STABLE1 was released which prevented negative entry->timestamp values. |
versions | 2.4.STABLE1 |
platforms | All |
reported by | Duane Wessels (wessels at squid-cache dot org) |
configuration | N/A |
patch | squid-2.4.stable1-wrong_sign_on_timestamp_check |
status | Fixed |
synopsis | Squid could use all available CPU when cleaning up some peering information. This was due to an int being used in place of a double, which could have resulted in a practically-zero wait between cleanups. This zero-wait would have caused Squid to use up all the available CPU time. |
versions | 2.4.STABLE1 |
platforms | All |
reported by | Juergen Sandner (juergen dot sandner at baypol dot bayern dot de) |
configuration | Only when cache peers are used |
patch | squid-2.4.stable1-high_cpu_with_peers |
status | Fixed |
synopsis |
Squid could exit with a SIGFPE signifying an invalid arithmetic expression.
In this case it was a divide-by-zero error:
Program received signal SIGFPE, Arithmetic exception.
0x8086c07 in storeDirUpdateSwapSize (SD=0x81fa450, size=585, sign=1) at store_dir.c:265
265 int blks = (size + SD->fs.blksize - 1) / SD->fs.blksize;
The filesystem blocksize is not always available. Squid did not check for this. The patch forces Squid to use a default of 2k for the filesystem blocksize. Note that this is only used to calculate a more accurate indication of usage and free space in the filesystem. |
versions | 2.4.STABLE1 |
platforms | All |
reported by | Dr Chris Richardson (foop at icr dot ac dot uk) |
configuration | Redhat 6.0 install ufs cache_dir on an ext2 filesystem |
patch | squid-2.4.stable1-force_valid_blksize |
status | Fixed |
synopsis | If the running squid process is killed with a SIGKILL, make sure the parent dies with it. Otherwise, the parent will start a new copy of squid, making it difficult to stop squid. |
versions | 2.4.STABLE1 |
platforms | All |
reported by | Duane Wessels (wessels at squid-cache dot org) |
configuration | All |
patch | squid-2.4.stable1-kill_parent_on_child_sigkill |
status | Fixed |
synopsis | In htcpHandleData() the check for htcp.opcode misses the case when opcode equals HTCP_END. This causes an assertion later in the function. |
versions | Squid-2.4.STABLE1 |
platforms | All |
reported by | Duane Wessels (wessels at squid-cache dot org) |
configuration | Using HTCP to control squid |
patch | squid-2.4.stable1-htcp_assertion_fix |
status | Fixed |
synopsis | The diskd binary was moved into the libexec dir, but the path was hard-coded into the source. If the libexecdir is changed during configure, squid can not find diskd. |
versions | 2.4.STABLE1 |
platforms | All |
reported by | Adrian Chadd (adrian at squid-cache dot org) |
configuration | N/A |
patch | squid-2.4.stable1-diskd_fixed_path |
status | Fixed |
synopsis | The per-fs replacement functions were looking at the global cache size parameters. This was a known problem documented in the comments. It causes low-numbered cache dirs to get more objects than the high ones. When using truncate instead of unlink, it can cause the filesystem to run out of inodes. |
versions | 2.4.DEVEL4 |
platforms | All |
configuration | Only a problem with multi-cache_dir configurations. |
patch | squid-2.4.devel4-cachedir_imbalance.patch |
status | Fixed |
synopsis |
gcc -g -O2 -Wall -I. -I../include -I../include -c dns.c -o dns.o
dns.c: In function `dnsInit':
dns.c:52: structure has no member named `dnsserver'
dns.c:56: structure has no member named `dnsChildren'
dns.c:59: structure has no member named `dnsserver'
dns.c:60: structure has no member named `res_defnames'
make[1]: *** [dns.o] Error 1
make[1]: Leaving directory `/home/liny/squid-2.4.DEVEL4/src'
make: *** [all] Error 1 |
versions | 2.4.DEVEL4 |
platforms | All |
reported by | Li Ni (liny at nets dot com dot cn) |
configuration | --disable-internal-dns |
patch | squid-2.4.devel4-use_dnsservers |
status | Fixed |
synopsis | The code that scans ACL tokens for IP addresses and hostnames couldn't tell that "123.foo.com" is a hostname rather than an IP address. |
versions | 2.4.DEVEL4 |
platforms | all |
reported by | Zeev Meloch (zeev at iec dot co dot il) |
patch | squid-2.4.devel4-invalid_ip_acl_entry.patch |
status | Fixed Thu Aug 10 21:38:12 GMT 2000 |
synopsis | The configure script uses "==" when it should use "=" for /bin/test. |
versions | 2.4.DEVEL4 |
platforms | All |
reported by | Dan Larsson (dl at tyfon dot net) |
configuration | --enable-ipf-transparent |
patch | squid-2.4.devel4-ipfw_configure.patch |
status | Fixed Thu Aug 10 06:18:17 GMT 2000 |
synopsis | Missing a newline on cachemgr output |
versions | 2.4.DEVEL4 |
platforms | ALL |
reported by | Steve Snyder (swsnyder at home dot com) |
patch | squid-2.4.devel4-internal_dns_rcode_table_formatting.patch |
status | Fixed Sat Jul 22 18:03:01 GMT 2000 |
synopsis |
cache.log shows messages like:
2000/07/20 09:49:19| internalStart: unknown request:
There was a change in 2.4.DEVEL4 that was supposed to cause FTP icons and other "internal" objects to always be cached, regardless of the 'minimum_object_size' setting. Instead it always caused them to NOT be cached. |
versions | 2.4.DEVEL4 |
platforms | All |
reported by |
Reuben Farrelly (reuben-squid at reub dot net)
Ulrich Seidl (uis at Regent dot E-Technik dot TU-Muenchen dot DE)
Krzysztof Czuma (czuma at Elektron dot pl) |
patch | squid-2.4.devel4-ftp_icon_not_found.patch |
status | Fixed |
synopsis | When disk usage is near the store high water mark, the storeMaintainSwapSpace event runs very frequently because it breaks from the scanning loop unless usage is above the high water mark. This patch changes it to break when below the low water mark instead. |
versions | 2.4.DEVEL2 |
platforms | All |
reported by | Reuben Farrelly (reuben at reub dot net) |
patch | squid-2.4.devel2-storeMaintainSwapSpace_water_mark.patch |
status | Fixed for 2.4.DEVEL3 |
synopsis | If a 'cache_dir' partition fills up so that write fails with "No space left on device," you'll get an assertion in storeDirDiskFull() because we pass an invalid swap file number. |
versions | 2.4.DEVEL2 |
platforms | All |
reported by | Reuben Farrelly (reuben at reub dot net) |
patch | squid-2.4.devel2-storeDirDiskFull_assertion.patch |
status | Fixed for 2.4.DEVEL3 |
synopsis | A significant change from 2.3 to 2.4 was made in the replacement code. Currently this works only for LRU replacement. Heap-based replacement will not compile. |
versions | 2.4.DEVEL2 |
platforms | All |
reported by | Reuben Farrelly (reuben at reub dot net) |
configuration | --enable-heap-replacement |
patch | Not Yet |
status | Reported |
Collection of stack traces for unidentified bugs.