__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2002:2

__________________________________________________________________

Advisory ID:       SQUID-2002:2
Date:              March 26, 2002
Affected versions: Squid-2.x up to and including 2.4.STABLE4
Reported by:       zen-parse

__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2002_2.txt

__________________________________________________________________

Problem Description:

A security issue has recently been found and fixed in the Squid-2.X
releases up to and including 2.4.STABLE4.

Error and boundary conditions were not checked when handling
compressed DNS answer messages in the internal DNS code
(lib/rfc1035.c). A malicious DNS server could craft a DNS reply that
causes Squid to exit with a SIGSEGV.

The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and
Squid-2.6/Squid-HEAD, and is enabled by default.

__________________________________________________________________

Updated Packages:

The Squid-2.4.STABLE6 release contains fixes for all these problems.

You can download the Squid-2.4.STABLE6 release from

    ftp://ftp.squid-cache.org/pub/archive/2.4/
    http://www.squid-cache.org/Versions/v2/2.4/

or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see

    http://www.squid-cache.org/Download/ftp-mirrors.html
    http://www.squid-cache.org/Download/http-mirrors.html

Individual patches to the mentioned issues can be found from our
patch archive for version Squid-2.4.STABLE4

    http://www.squid-cache.org/Versions/v2/2.4/bugs/

The patches should also apply with only a minimal effort to earlier
Squid 2.4 versions if required.

The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contain the
fixed DNS code.
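The Problem Description above attributes the crash to missing error and boundary checks while following RFC 1035 name compression. The decoder below is an added illustration (it is not Squid's lib/rfc1035.c) of the checks a resolver needs at each step: a label or pointer that runs past the end of the message, a pointer whose target lies outside the message, a pointer chain that loops, and a decoded name that would overflow the caller's buffer. The sample messages are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Decode a possibly compressed DNS name that starts at *off inside msg[0..len).
 * Every step is bounds-checked: truncated labels, pointers that leave the message,
 * pointer loops and output overflow all return -1 instead of reading past the buffer.
 * On success the dotted name is written to name and *off is moved past the name.
 * Added example, not Squid's lib/rfc1035.c. */
int dns_name_decode(const unsigned char *msg, size_t len, size_t *off,
                    char *name, size_t name_sz)
{
    size_t pos = *off, out = 0, hops = 0, resume = 0;

    for (;;) {
        if (pos >= len) return -1;                  /* ran off the end of the message */
        unsigned c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                   /* compression pointer, RFC 1035 4.1.4 */
            if (pos + 1 >= len) return -1;          /* second pointer byte missing */
            size_t target = ((c & 0x3F) << 8) | msg[pos + 1];
            if (target >= len) return -1;           /* pointer aims outside the message */
            if (++hops > len) return -1;            /* more hops than bytes: a loop */
            if (!resume) resume = pos + 2;          /* remember where the name ends */
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                    /* 0x40/0x80 label types are reserved */
        pos++;
        if (c == 0) break;                          /* root label terminates the name */
        if (pos + c > len) return -1;               /* label data runs past the message */
        if (out + c + (out ? 1 : 0) + 1 > name_sz) return -1;  /* no room in output */
        if (out) name[out++] = '.';
        memcpy(name + out, msg + pos, c);
        out += c; pos += c;
    }
    name[out] = '\0';
    *off = resume ? resume : pos;                   /* after a pointer, resume right behind it */
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char well_formed[] = {     /* "www.example", then "mail" + pointer to offset 4 */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 0,
    4,'m','a','i','l', 0xC0, 0x04 };
static const unsigned char self_loop[]  = { 0xC0, 0x00 };  /* pointer to itself */
static const unsigned char out_of_msg[] = { 0xC0, 0x7F };  /* pointer to offset 127 of a 2-byte message */
static const unsigned char truncated[]  = { 5, 'a', 'b' }; /* label claims 5 bytes, only 2 present */
```

Decoding well_formed from offset 13 yields "mail.example" and advances the offset to 20; the other three samples are rejected with -1 rather than reading outside the buffer.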
__________________________________________________________________

Determining if you are vulnerable:

You are vulnerable if you are running these versions of Squid with
internal DNS queries:

  * Squid-2.4 version up to and including Squid-2.4.STABLE4
  * Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
  * Squid-2.6 / Squid-HEAD up to the fix date (Tuesday, March 12 2002 UTC)
  * Squid-2.3

Squid uses the internal DNS implementation by default, and prints a
line like this in cache.log when it is in use:

    DNS Socket created at 0.0.0.0, port 4345, FD 5

__________________________________________________________________

Workarounds:

Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled to
use the external DNS server support by running configure with the
--disable-internal-dns option. There is no run-time configuration
option to select between the internal/external DNS code.

We recommend that you upgrade, rather than simply switch to external
DNS lookups. The external DNS implementation uses child processes and
may negatively affect Squid's performance, especially for busy caches.

__________________________________________________________________

Revision History:

2010-09-16 07:05 GMT   Reference link updates

__________________________________________________________________

END