Squid Proxy Cache Security Update Advisory SQUID-2019:1

Advisory ID:        SQUID-2019:1
Date:               July 12, 2019
Summary:            Denial of Service issue
                    in cachemgr.cgi
Affected versions:  Squid 4.x -> 4.7
Fixed in version:   Squid 4.8


Problem Description:

 Due to incorrect string termination, cachemgr.cgi may access
 unallocated memory.

 On systems with memory access protections this can result in
 the CGI process terminating unexpectedly, resulting in a
 denial of service for all clients using it.



 This problem allows a remote attacker with access to the Squid
 manager API to perform a denial of service on other clients.

 This problem is limited to the cachemgr CGI binary.

 Web servers which run per-client instances of CGI tools are
 affected by the issue, but the denial of service is not able to
 affect other clients.


Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

 All cachemgr.cgi 3.x and older versions are not vulnerable.

 All cachemgr.cgi 4.x versions up to and including 4.7 are

 All Squid-4.7 and older versions accessed via the http:// URL
 manager interface are not vulnerable.

To determine the version and interface, look at the footer of
manager reports for the "Generated by" string.




 Convert to exclusively using the HTTP manager interface until
 cachemgr.cgi can be upgraded to a fixed build.


 Deny all access with 'manager' ACL in squid.conf.

 This completely removes the vulnerability at the cost of reduced
 management and monitoring capabilities.
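 As an added illustration (not part of the advisory) of the second
 workaround, the squid.conf change below assumes the stock default
 access rules shipped with Squid 4; the `manager` ACL is predefined
 and needs no `acl` line of its own.

```conf
# --- Default access rules (weak during this advisory window) ---
# These allow manager requests from localhost, which is where a
# cachemgr.cgi instance on the same host would connect from.
#http_access allow localhost manager
#http_access deny manager

# --- Workaround from SQUID-2019:1 ---
# Refuse every manager request regardless of source. http_access
# rules are first-match, so this line must sit ABOVE any rule that
# could otherwise allow the request (e.g. "http_access allow localhost").
http_access deny manager

# Remaining default rules are unchanged and follow below.
http_access allow localhost
http_access deny all
```

 Verify the change with `squid -k parse` before reloading, and
 confirm that manager report URLs are now refused for every client.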


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-us...@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the
 squid-b...@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.



 This vulnerability was discovered by Alex Rousskov of The
 Measurement Factory.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.


Revision history:

 2019-04-10 21:13:50 UTC Initial Report
 2019-05-18 09:43:41 UTC Patch Released
 2019-06-16 10:52:51 UTC CVE Assignment