__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2014:2 __________________________________________________________________ Advisory ID: SQUID-2014:2 Date: August 28, 2014 Summary: Denial of service in request processing Affected versions: Squid 3.x -> 3.3.12 Squid 3.4 -> 3.4.6 Fixed in version: Squid 3.3.13, 3.4.7 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2014_2.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609 __________________________________________________________________ Problem Description: Due to incorrect input validation in request parsing Squid is vulnerable to a denial of service attack when processing Range requests. __________________________________________________________________ Severity: This problem allows any trusted client to perform a denial of service attack on the Squid service. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.3.13 and 3.4.7 In addition, patches addressing this problem for stable releases can be found in our patch archives: Squid 3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10488.patch Squid 3.2: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11828.patch Squid 3.3: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12680.patch Squid 3.4: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13168.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Squid-3.x: All Squid-3.x versions up to and including 3.3.12 are vulnerable to the problem. Squid-3.4: All Squid-3.4 versions up to and including 3.4.6 are vulnerable to the problem. __________________________________________________________________ Workaround: Add the following access control lines to squid.conf above any http_access allow lines: acl validRange req_header Range \ ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ acl validRange req_header Request-Range \ ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ http_access deny !validRange __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see http://www.squid-cache.org/Support/mailing-lists.html. For reporting of non-security bugs in the latest release the squid bugzilla database should be used http://bugs.squid-cache.org/. For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was discovered by Matthew Daley. __________________________________________________________________ Revision history: 2014-08-26 11:54 GMT Initial Report 2014-08-26 18:28 GMT CVE Assignment 2014-08-27 15:18 GMT Patches and Packages Released __________________________________________________________________ END