[squid-announce] [ADVISORY] SQUID-2018:2 Denial of Service issue in HTTP Message processing

Amos Jeffries squid3 at treenet.co.nz
Sun Jan 21 07:52:24 UTC 2018


__________________________________________________________________

     Squid Proxy Cache Security Update Advisory SQUID-2018:2
__________________________________________________________________

Advisory ID:        SQUID-2018:2
Date:               Jan 19, 2018
Summary:            Denial of Service issue
                     in HTTP Message processing.
Affected versions:  Squid 3.x -> 3.5.27
                     Squid 4.x -> 4.0.22
Fixed in version:   Squid 4.0.23
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__________________________________________________________________

Problem Description:

  Due to incorrect pointer handling Squid is vulnerable to denial
  of service attack when processing ESI responses or downloading
  intermediate CA certificates.

__________________________________________________________________

Severity:

  This problem allows a remote client delivering certain HTTP
  requests in conjunction with certain trusted server responses to
  trigger a denial of service for all clients accessing the Squid
  service.

__________________________________________________________________

Updated Packages:

  This bug is fixed by Squid version 4.0.23.

  In addition, patches addressing this problem for the stable
  releases can be found in our patch archives:

Squid 3.5:
  <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch>

Squid 4:
  <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch>

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

  All Squid configured with "log_uses_indirect_client off" are not
  vulnerable.

  All Squid-3.0 versions built with --enable-esi and being used for
  reverse-proxy with squid.conf containing
  "log_uses_indirect_client on" are vulnerable.

  All Squid-3.1 and later versions up to and including
  Squid-3.5.27 being used for reverse-proxy with squid.conf
  containing "log_uses_indirect_client on" are vulnerable.

  All Squid-4 up to and including Squid-4.0.22 being used for
  reverse-proxy with squid.conf containing
  "log_uses_indirect_client on" are vulnerable.

  All unpatched Squid-4 up to and including Squid-4.0.22 being
  used for TLS/HTTPS intercept proxy with squid.conf containing
  "log_uses_indirect_client on" are vulnerable.

__________________________________________________________________

Workarounds:

  Configure "log_uses_indirect_client off" in squid.conf

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If your install and build Squid from the original Squid sources
  then the squid-users at lists.squid-cache.org mailing list is your
  primary support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <http://bugs.squid-cache.org/>.

  For reporting of security sensitive bugs send an email to the
  squid-bugs at lists.squid-cache.org mailing list. It's a closed
  list (though anyone can post) and security related bug reports
  are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  The initial issue was reported by Louis Dion-Marcil on behalf of
  GoSecure.

  Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

  2017-12-13 20:09:30 UTC Initial Report
  2018-01-18 23:10:00 UTC Patches Released
  2018-01-21 07:45:00 UTC Advisory and fixed packages released
__________________________________________________________________
END


More information about the squid-announce mailing list