Hi all,
the following just went out to bugtraq, and has been posted on
the website.
Hope it doesn't spoil any religious celebrations you may have
this weekend.
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2002:2
__________________________________________________________________
Advisory ID: SQUID-2002:2
Date: March 21, 2002
Affected versions: Squid-2.x up to and including 2.4.STABLE4
Reported by: zen-parse <zen-parse@gmx.net>
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
__________________________________________________________________
Problem Description:
A security issue has recently been found and fixed in the Squid-2.X
releases up to and including 2.4.STABLE4.
Error and boundary conditions were not checked when handling
compressed DNS answer messages in the internal DNS code (lib/rfc1035.c).
A malicious DNS server could craft a DNS reply that causes Squid
to exit with a SIGSEGV.
The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and
Squid-2.6/Squid-HEAD, and is enabled by default.
__________________________________________________________________
Updated Packages:
The Squid-2.4.STABLE5 release contains fixes for all these
problems. You can download the Squid-2.4.STABLE5 release from
ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
http://www.squid-cache.org/Versions/v2/2.4/
or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see
http://www.squid-cache.org/Mirrors/ftp-mirrors.html
http://www.squid-cache.org/Mirrors/http-mirrors.html
Individual patches for the mentioned issues can be found in our
patch archive for version Squid-2.4.STABLE4
http://www.squid-cache.org/Versions/v2/2.4/bugs/
The patches should also apply with only a minimal effort to
earlier Squid 2.4 versions if required.
The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contain
the fixed DNS code.
__________________________________________________________________
Determining if you are vulnerable:
You are vulnerable if you are running these versions of Squid
with internal DNS queries:
* Squid-2.4 version up to and including Squid-2.4.STABLE4
* Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
* Squid-2.6 / Squid-HEAD up to the fix date
(Tuesday, March 12 2002 UTC)
* Squid-2.3
Squid uses the internal DNS implementation by default, and
prints a line like this in cache.log when it is in use:
DNS Socket created at 0.0.0.0, port 4345, FD 5
__________________________________________________________________
Workarounds:
Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled
to use the external DNS server support by running configure with
the --disable-internal-dns option. There is no run-time configuration
option to select between the internal/external DNS code.
We recommend that you upgrade, rather than simply switch to external
DNS lookups. The external DNS implementation uses child processes
and may negatively affect Squid's performance, especially for busy
caches.
__________________________________________________________________
END
Received on Tue Mar 26 2002 - 08:54:38 MST
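
Added example (not part of the advisory, not Squid's lib/rfc1035.c and not the actual patch): the advisory attributes the crash to unchecked error and boundary conditions when decoding compressed DNS names, so the C function below shows the checks a compressed-name decoder needs. The name dns_name_unpack, the MAX_HOPS limit and the sample buffers are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_HOPS 16 /* assumed cap on compression pointers followed per name */

/* Decode the name at msg[off] into out as dotted text. Returns the offset
 * just past the name at its original position, or -1 if malformed. Never
 * reads outside msg[0..len) or writes outside out[0..outsz). */
long dns_name_unpack(const unsigned char *msg, size_t len, size_t off,
                     char *out, size_t outsz)
{
    size_t o = 0;   /* bytes written to out */
    long next = -1; /* resume offset, fixed when the first pointer is seen */
    int hops = 0;

    if (outsz == 0)
        return -1;
    for (;;) {
        if (off >= len)
            return -1;                  /* length byte outside the message */
        unsigned char c = msg[off];
        if ((c & 0xC0) == 0xC0) {       /* compression pointer */
            if (len - off < 2 || ++hops > MAX_HOPS)
                return -1;              /* truncated pointer, or a loop */
            if (next < 0)
                next = (long)(off + 2);
            off = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            continue;                   /* target is checked at loop top */
        }
        if (c & 0xC0)
            return -1;                  /* reserved label types 01 and 10 */
        if (c == 0) {                   /* root label ends the name */
            out[o] = '\0';
            return next >= 0 ? next : (long)(off + 1);
        }
        if (len - off - 1 < (size_t)c || o + c + 2 > outsz)
            return -1;                  /* label overruns message or out */
        if (o > 0)
            out[o++] = '.';
        memcpy(out + o, msg + off + 1, c);
        o += c;
        off += 1 + (size_t)c;
    }
}

/* Constructed samples: "a.b" with "b" reached via a pointer; a pointer to
 * itself; a label whose length byte runs past the end of the message. */
static const unsigned char sample_ok[] = {1, 'b', 0, 1, 'a', 0xC0, 0x00};
static const unsigned char sample_loop[] = {0xC0, 0x00};
static const unsigned char sample_trunc[] = {5, 'a', 'b'};
```

Each rejected case returns -1 instead of dereferencing an offset taken from the reply, which is the class of failure the advisory describes as ending in a SIGSEGV.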