Squid Proxy Cache Security Update Advisory SQUID-2024:2

Advisory ID:       | SQUID-2024:2
Date:              | Feb 15, 2024
Summary:           | Denial of Service in HTTP Header parser
Affected versions: | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.17
                   | Squid 5.x -> 5.9
                   | Squid 6.x -> 6.4
Fixed in version:  | Squid 6.5

Problem Description:

 Due to a Collapse of Data into Unsafe Value bug,
 Squid may be vulnerable to a Denial of Service
 attack against HTTP header parsing.

 This problem allows a remote client or a remote server to
 perform Denial of Service when sending oversized headers in
 HTTP messages.

 In versions of Squid prior to 6.5 this can be achieved if the
 request_header_max_size or reply_header_max_size settings are
 unchanged from the default.

 In Squid version 6.5 and later, the default setting of these
 parameters is safe. Squid will emit a critical warning in
 cache.log if the administrator sets these parameters to
 unsafe values. Squid will not at this time prevent these settings
 from being changed to unsafe values.


Updated Packages:

Hardening against this issue is added to Squid version 6.5.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 6:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

 Run the following command to identify how (and whether)
 your Squid has been configured with relevant settings:

    squid -k parse 2>&1 | grep header_max_size

 All Squid-3.0 up to and including 6.4 without header_max_size
 settings are vulnerable.

 All Squid-3.0 up to and including 6.4 with either header_max_size
 setting over 21 KB are vulnerable.

 All Squid-3.0 up to and including 6.4 with both header_max_size
 settings below 21 KB are not vulnerable.

 All Squid-6.5 and later without header_max_size configured
 are not vulnerable.

 All Squid-6.5 and later configured with both header_max_size
 settings below 64 KB are not vulnerable.

 All Squid-6.5 and later configured with either header_max_size
 setting over 64 KB are vulnerable.



For Squid older than 6.5, add to squid.conf:

  request_header_max_size 21 KB
  reply_header_max_size 21 KB

For Squid 6.5 and later, remove request_header_max_size
 and reply_header_max_size from squid.conf.


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the <squid-us...@lists.squid-cache.org> mailing list is your
 primary support point. For subscription details see

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the
 <squid-b...@lists.squid-cache.org> mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.



 This vulnerability was discovered by Joshua Rogers of Opera.

 Fixed by The Measurement Factory.


Revision history:

 2023-10-12 11:53:02 UTC Initial Report
 2023-10-25 11:47:19 UTC Patches Released
squid-announce mailing list