AOH :: HP Unsorted S :: TB13724.HTM

SQUID-2007:2, Dec 4, 2007



SQUID-2007:2, Dec 4, 2007
SQUID-2007:2, Dec 4, 2007




__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2007:2
__________________________________________________________________

Advisory ID:            SQUID-2007:2
Date:                   November 27, 2007
Summary:                Denial of service in cache updates
Affected versions:      Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version:       Squid 2.6.STABLE17;
			November 28 Squid-2 snapshot
			November 28 Squid-3 snapshot
Author:			Adrian Chadd
Thanks:			Wikimedia Foundation

__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2007_2.txt 
__________________________________________________________________

Problem Description:

 Due to incorrect bounds checking Squid is vulnerable to
 a denial of service check during some cache update reply
 processing.

__________________________________________________________________

Severity:

 This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 2.6.STABLE17 and by the November
 28 snapshots of Squid-2 and Squid-3.

 In addition, a patch addressing this problem can be found in
 our patch archive for version Squid-2.6:

http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch 

 And for Squid-3:

http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.X versions up to, and including 2.6.STABLE16 are
 vulnerable.

 All Squid-3 snapshots and prereleases up to the November 28
 snapshot are vulnerable.

__________________________________________________________________

Workarounds:

 There are no workarounds.

__________________________________________________________________

Thanks to:

 Thanks go to the Wikimedia Foundation for helping identify the issue
 and testing the proposed resolution of the issue.

 Thanks to Adrian Chadd for the Squid-2 fix.

 Thanks to Henrik Nordstrom for the Squid-3 fix.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
then the squid-users@squid-cache.org mailing list is your primary 
support point. See  
 for subscription details.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
. 

 For reporting of security sensitive bugs send an email to the
squid-bugs@squid-cache.org mailing list. It's a closed list 
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Revision history:

 2007-11-26 14:40 GMT+9 Initial version
__________________________________________________________________
END

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.