[squid-users] RPMs release due to [ADVISORY] SQUID-2016:1 Remote Denial of Service issue in SSL/TLS processing.

Eliezer Croitoru eliezer at ngtech.co.il
Wed Feb 17 07:12:20 UTC 2016


Due to the Security Update Advisory I am releasing RPMs for:
- SLES 12 SP1
- OpenSUSE Leap 42.1
- CentOS 6 + 7
- Oracle Linux 6 + 7

CentOS and Oracle Linux EL6 version includes RPMs only for the 3.5 tree 
and for both 64 and 32 bit.
All others was built only for 64 bit and also includes 4.0.6 RPMs.

Notice that in 4.0.6 there where couple important changes.
* SSL related helpers changed

This release adds two new ./configure options
   --enable-security-validators=
   --enable-security-generators=

These build options operate the same as external ACL and authentication
helper build options. But control whether the SSL certificate validator
and SSL-Bump certificate generator helper(s) are built.

As part of this change;

  - the ssl_crtd helper is renamed to security_file_certgen
    (built with --enable-security-generators=file), and

  - the cert_valid.pl helper is renamed to security_fake_certverify
    (built with --enable-security-validators=fake).


The RPMs and SRPMS for all builds are present at:
http://www1.ngtech.co.il/repo/

ordered by Linux distribution names and versions.

All The Bests,
Eliezer

On 16/02/2016 08:20, Amos Jeffries wrote:
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2016:1
> __________________________________________________________________
>
> Advisory ID:        SQUID-2016:1
> Date:               February 16, 2016
> Summary:            Remote Denial of Service issue
>                      in SSL/TLS processing.
> Affected versions:  Squid 3.5.13
>                      Squid 4.0.4 -> 4.0.5
> Fixed in version:   Squid 4.0.6, 3.5.14
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
> __________________________________________________________________
>
> Problem Description:
>
>   Due to incorrectly handling server errors Squid is vulnerable to
>   a denial of service attack when connecting to TLS or SSL servers.
>
> __________________________________________________________________
>
> Severity:
>
>   This problem allows any trusted client to perform a denial of
>   service attack on the Squid service regardless of whether TLS or
>   SSL is configured for use in the proxy.
>
>   Misconfigured client or server software may trigger this issue
>   to perform a denial of service unintentionally.
>
>   However, the bug is exploitable only if Squid is built using the
>   --with-openssl option.
>
> __________________________________________________________________
>
> Updated Packages:
>
>   These bugs are fixed by Squid version 3.5.14 and 4.0.6.
>
>
>   In addition, patches addressing this problem for stable releases
>   can be found in our patch archives:
>
> Squid 3.5:
>   http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13981.patch
>
>   If you are using a prepackaged version of Squid then please refer
>   to the package vendor for availability information on updated
>   packages.
>
> __________________________________________________________________
>
> Determining if your version is vulnerable:
>
>   All Squid-3.4 and older versions are not vulnerable.
>
>   All Squid-3.5.12 and older 3.5 versions are not vulnerable.
>
>   All Squid-3.5 built without OpenSSL support are not vulnerable.
>
>   All Squid-4.0.3 and older 4.0 versions are not vulnerable.
>
>   All Squid-4 built without OpenSSL support are not vulnerable.
>
>   All unpatched Squid-3.5.13, 4.0.4, and 4.0.5 built using
>   --with-openssl are vulnerable.
>
>   The following command can be used to easily determine if a
>   vulnerable build is being used:
>    squid -v
>
> __________________________________________________________________
>
> Workaround:
>
>   Disabling service for https:// URLs entirely at the top of the
>   squid.conf http_access rules fully protects against this
>   vulnerability:
>
>     acl HTTPS proto HTTPS
>     http_access deny HTTPS
>
> Or,
>
>   Relaying outbound HTTPS traffic through a non-vulnerable proxy
>   protects against the issue unless the SSL-bump splice feature is
>   being used.
>
> Or,
>
>   Disabling service for irregular HTTPS ports protects against the
>   simplest forms of attack while retaining most HTTPS service:
>
>     acl HTTPS proto HTTPS
>     http_access deny HTTPS !SSL_Ports
>
> __________________________________________________________________
>
> Contact details for the Squid project:
>
>   For installation / upgrade support on binary packaged versions
>   of Squid: Your first point of contact should be your binary
>   package vendor.
>
>   If your install and build Squid from the original Squid sources
>   then the squid-users at lists.squid-cache.org mailing list is your
>   primary support point. For subscription details see
>   <http://www.squid-cache.org/Support/mailing-lists.html>.
>
>   For reporting of non-security bugs in the latest STABLE release
>   the squid bugzilla database should be used
>   <http://bugs.squid-cache.org/>.
>
>   For reporting of security sensitive bugs send an email to the
>   squid-bugs at lists.squid-cache.org mailing list. It's a closed
>   list (though anyone can post) and security related bug reports
>   are treated in confidence until the impact has been established.
>
> __________________________________________________________________
>
> Credits:
>
>   The vulnerability was reported and fixed by Christos Tsantilas of
>   The Measurement Factory.
>
> __________________________________________________________________
>
> Revision history:
>
>   2016-02-12 17:50:38 GMT Initial Report
>   2016-02-12 18:05:44 GMT Patch Released
>   2016-02-15 17:15:00 GMT Packages Released
> __________________________________________________________________
> END
> _______________________________________________
> squid-announce mailing list
> squid-announce at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-announce
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



More information about the squid-users mailing list