__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2010:1
__________________________________________________________________

Advisory ID:            SQUID-2010:1
Date:                   January 28, 2010
Summary:                Denial of Service issue in DNS handling
Affected versions:      Squid 2.x -> 2.6.STABLE24,
                        Squid 2.7 -> 2.7.STABLE8,
                        Squid 3.0 -> 3.0.STABLE22,
                        Squid 3.1 -> 3.1.0.15
Fixed in version:       Squid 2.6.STABLE24, 2.7.STABLE8
                        Squid 3.0.STABLE23, 3.1.0.16
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0308
__________________________________________________________________

Problem Description:

 Due to incorrect data validation Squid is vulnerable to a denial
 of service attack when processing specially crafted DNS packets.

__________________________________________________________________

Severity:

 This problem allows any trusted client or external server who can
 determine the squid receiving port to perform a short-term denial
 of service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 2.6.STABLE24, 2.7.STABLE8,
 3.0.STABLE23 and 3.1.0.16.

 In addition, patches addressing these problems can be found In
 our patch archives.

Squid 2.x:
 http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch

Squid 3.0:
 http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch

Squid 3.1:
 http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 Squid still using the obsolete dnsserver are not vulnerable.

 The ignore_unknown_nameservers option affects the severity of
 this vulnerability. When set to "on" (the default) risk is low.
 When set to "off" the vulnerability risk is increased.

 All unpatched Squid-3.0 versions up to and including 3.0.STABLE22
 are vulnerable.

 All unpatched Squid-3.1 versions up to and including 3.1.0.15 are
 vulnerable.

 All unpatched Squid-2.7 versions up to and including 2.7.STABLE8
 are vulnerable.

 All unpatched Squid-2.x versions up to and including 2.6.STABLE24
 are vulnerable.

__________________________________________________________________

Workarounds:

 Using all of the following steps are required to protect a
 vulnerable Squid from this and other forms of DNS attack.

 * Ensuring the ignore_unknown_nameservers is turned on.

 * Ensuring that DNS packets cannot be sent to Squid from
   untrusted nameservers or other machines.

 The most secure implementation of these requirements is to use
 a nameserver running on the localhost IP dedicated for secure use
 by Squid and any other services on the Squid machine.
__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 Zero-Day attributed to work by Fabian Yamaguchi.

 The vulnerability was reported by Tomas Hoger of RedHat.

__________________________________________________________________

Revision history:

 2010-01-14 18:05 GMT Initial Report
 2010-01-16 03:51 GMT Patches released.
 2010-02-01 04:49 GMT Squid-3 bundled fixes and advisory released.
 2010-02-02 07:42 GMT Updated 3.0 patch and bundle
 2010-02-06 02:35 GMT CVE-2010-0308 reference added.
 2010-09-16 07:05 GMT Reference link updates
 2011-04-12 02:05 GMT Updated info on 2.6 and 2.7 being patched
__________________________________________________________________
END