__________________________________________________________________

  Squid Proxy Cache Security Update Advisory SQUID-2023:2
__________________________________________________________________

Advisory ID:       | SQUID-2023:2
Date:              | October 22, 2023
Summary:           | Multiple issues in HTTP response caching.
Affected versions: | Squid 2.x -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.16
                   | Squid 5.x -> 5.9
                   | Squid 6.x -> 6.3
Fixed in version:  | Squid 6.4
__________________________________________________________________

Problem Description:

 Due to an Improper Handling of Structural Elements
 bug Squid is vulnerable to a Denial of Service
 attack against HTTP and HTTPS clients.

 Due to an Incomplete Filtering of Special Elements
 bug Squid is vulnerable to a Denial of Service
 attack against HTTP and HTTPS clients.

__________________________________________________________________

Severity:

 The limits applied for validation of HTTP Response headers are
 applied before caching. Different limits may be in place at the
 later cache HIT usage of that response.

 The limits applied for validation of HTTP Response headers are
 applied to each received server response. Squid may grow a cached
 HTTP Response header with HTTP 304 updates beyond the configured
 maximum header size.

 Subsequent parsing to de-serialize a large header from disk cache
 can stall or crash the worker process. Resulting in Denial of
 Service to all clients using the proxy.

CVSS Score of 9.6
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1>

__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 6.4.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 6:
 <http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 Squid older than v5 have not been tested and are presumed
 vulnerable.

 Squid v5.x up to and including 5.9 are vulnerable.

 Squid v6.x up to and including 6.3 are vulnerable.

__________________________________________________________________

Workaround:

 Disable disk caching by removing all cache_dir directives from
 squid.conf.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the <squid-us...@lists.squid-cache.org> mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <https://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 <squid-b...@lists.squid-cache.org> mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was independently discovered by Joshua Rogers
 of Opera Software and by The Measurement Factory.

 Fixed by The Measurement Factory.

__________________________________________________________________

Revision history:

2019-09-11: Initial report of header growth caused by HTTP 304.
2021-03-04: Initial report of caching of huge response headers.
2023-04-28 02:40:03 UTC Initial patches released.

_________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-announce

Reply via email to