[squid-users] Advisory Squid-2013:3 Denial of service in request processing

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 14 Jul 2013 04:31:19 +1200

__________________________________________________________________

       Squid Proxy Cache Security Update Advisory SQUID-2013:3
__________________________________________________________________

Advisory ID: SQUID-2013:3
Date: July 13, 2013
Summary: Denial of service in request processing
Affected versions: Squid 3.2 -> 3.2.12,
                         Squid 3.3 -> 3.3.7
Fixed in version: Squid 3.2.13, 3.3.8
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4123
__________________________________________________________________

Problem Description:

  Due to incorrect data validation Squid is vulnerable to a denial
  of service attack when processing specially crafted HTTP requests

__________________________________________________________________

Severity:

  This problem allows any client who can generate HTTP requests to
  perform a denial of service attack on the Squid service.

__________________________________________________________________

Updated Packages:

  This bug is fixed by Squid versions 3.2.13 and 3.3.8.

  In addition, patches addressing this problem can be found in
  our patch archives.

Squid 3.2:
  http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11826.patch

Squid 3.3:
  http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12591.patch

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

  All Squid-3.1 and older versions, including Squid-2 are not
  vulnerable.

  All unpatched Squid-3.2 versions up to and including 3.2.12 are
  vulnerable.

  All unpatched Squid-3.3 versions up to and including 3.3.7 are
  vulnerable.

__________________________________________________________________

Workarounds:

  There are no workarounds for this issue.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If your install and build Squid from the original Squid sources
  then the squid-users_at_squid-cache.org mailing list is your primary
  support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <http://bugs.squid-cache.org/>.

  For reporting of security sensitive bugs send an email to the
  squid-bugs_at_squid-cache.org mailing list. It's a closed list
  (though anyone can post) and security related bug reports are
  treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  The vulnerability was reported by Saran Neti, TELUS Security Labs

__________________________________________________________________

Revision history:

  2013-07-12 18:46 GMT Initial Report
__________________________________________________________________
END
Received on Sat Jul 13 2013 - 16:31:27 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 13 2013 - 12:00:05 MDT