Squid Proxy Cache Security Update Advisory SQUID-2016:6

Advisory ID:        SQUID-2016:6
Date:               April 20, 2016
Summary:            Multiple issues in ESI processing.
Affected versions:  Squid 3.x -> 3.5.16
                    Squid 4.x -> 4.0.8
Fixed in version:   Squid 3.5.17, 4.0.9

    CESG REF: 56284998 / VULNERABILITY ID: 393536

Problem Description:

 Due to buffer overflow issues Squid is vulnerable to a denial
 of service attack when processing ESI responses.

 Due to incorrect input validation Squid is vulnerable to public
 information disclosure of the server stack layout when processing
 ESI responses.

 Due to incorrect input validation and buffer overflow Squid is
 vulnerable to remote code execution when processing ESI


 These problems allow ESI components to be used to perform a
 denial of service attack on the Squid service and all other
 services on the same machine.

 Under certain build conditions these problems allow remote
 clients to view large sections of the server memory.

 However, the bugs are exploitable only if you have built and
 configured the ESI features to be used by a reverse-proxy and if
 the ESI components being processed by Squid can be controlled by
 an attacker.

Updated Packages:

 These bugs are fixed by Squid version 3.5.17 and 4.0.9.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.2:

Squid 3.3:

Squid 3.4:

Squid 3.5:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

Use the command 'squid -v' to view version and build details of
your proxy;

 All Squid 2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid built without --enable-esi are not vulnerable.

Check squid.conf or use the (version 3.4+) command
  (squid -k parse 2>&1) | grep "Processing: http.*_port"
to view the active configuration settings for your proxy;

 Unpatched Squid 3.x and 4.x built with --enable-esi and
 configured with 'accel' or 'vhost' or 'defaultsite=' or
 'ssl-bump' on an http_port or https_port are vulnerable.

 All Squid configured without reverse-proxy or ssl-bump are
 not vulnerable.



 Build Squid with --disable-esi if ESI is not needed.


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@squid-cache.org mailing list is your
 primary support point. For subscription details see

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.



 The vulnerability was reported by CESG.

 Fixed by Amos Jeffries, Treehouse Networks Ltd.


Revision history:

 2016-04-15 10:54:39 GMT Initial Report
 2016-04-20 03:54:54 GMT Patches Released
 2016-04-20 13:42:00 GMT Packages Released
 2016-04-20 15:47:01 GMT CVE Assigned
squid-announce mailing list

Reply via email to