__________________________________________________________________

        Squid Proxy Cache Security Update Advisory SQUID-2010:2
__________________________________________________________________

Advisory ID:            SQUID-2010:2
CVE:                    CVE-2010-0639
Date:                   February 12, 2010
Summary:                Remote Denial of Service issue in HTCP
Affected versions:      Squid 2.x prior to 2.7.STABLE8
                        Squid 3.0 -> 3.0.STABLE23
Fixed in version:       Squid 3.0.STABLE24, 2.7.STABLE8, 2.6.STABLE24
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2010_2.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0639
__________________________________________________________________

Problem Description:

    Due to incorrect processing, Squid is vulnerable to a denial of
    service attack when receiving specially crafted HTCP packets.
__________________________________________________________________

Severity:

    This problem allows any machine to perform a denial of service
    attack on the Squid service when its HTCP port is open.
__________________________________________________________________

Updated Packages:

    This bug is fixed by Squid version 3.0.STABLE24.

    In addition, patches addressing these problems can be found in
    our patch archives.

Squid 2.7:
    http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch

Squid 3.0:
    http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch

    If you are using a prepackaged version of Squid then please refer
    to the package vendor for availability information on updated
    packages.
__________________________________________________________________

Determining if your version is vulnerable:

    All Squid-3.0 releases without htcp_port in their configuration
    file (the default) are not vulnerable.

    Squid-3.1 releases are not vulnerable.

    For unpatched Squid-2.x and Squid-3.0 releases: if your cache.log
    contains a line with "Accepting HTCP messages on port" when run
    with debug level 1 ("debug_options ALL,1"), your Squid is
    vulnerable.

    Alternatively, for unpatched Squid-2.x and Squid-3.0 releases: if
    the command

        squidclient mgr:config | grep "htcp_port"

    displays a non-zero HTCP port, your Squid is vulnerable.
__________________________________________________________________

Workarounds:

    For Squid-2.x:
      * Configuring "htcp_port 0" explicitly

    For Squid-3.0:
      * Ensuring that any unnecessary htcp_port settings left in
        squid.conf after upgrading to 3.0 are removed.
__________________________________________________________________

Contact details for the Squid project:

    For installation / upgrade support on binary packaged versions
    of Squid: Your first point of contact should be your binary
    package vendor.

    If you install and build Squid from the original Squid sources
    then the squid-users@squid-cache.org mailing list is your primary
    support point. For subscription details see .

    For reporting of non-security bugs in the latest STABLE release
    the squid bugzilla database should be used .

    For reporting of security sensitive bugs send an email to the
    squid-bugs@squid-cache.org mailing list. It's a closed list
    (though anyone can post) and security related bug reports are
    treated in confidence until the impact has been established.
__________________________________________________________________

Credits:

    The vulnerability was discovered by Kieran Whitbread.
__________________________________________________________________

Revision history:

    2010-02-12 14:11 GMT Initial Release
    2010-02-15 18:17 GMT Updated 2.x status
    2010-02-15 19:40 GMT CVE reference
    2010-09-16 07:05 GMT Reference link updates
__________________________________________________________________
END
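The two checks in "Determining if your version is vulnerable" (the cache.log message and the htcp_port directive in "squidclient mgr:config" output) can be scripted for a fleet audit. The following is an added example, not part of the advisory or of the Squid project's own tooling. It assumes the config text passed in is the effective configuration as printed by "squidclient mgr:config" (so a missing htcp_port line means the port is not configured), and the sample config and log text are constructed for illustration; the "Accepting HTCP messages on port" prefix comes from the advisory, the port number and FD in the sample log line are made up.

```shell
#!/bin/sh
# Added example (not from the Squid project): decide, from the text of
# "squidclient mgr:config" and from cache.log, whether a Squid-2.x/3.0
# instance is listening for HTCP and therefore exposed until patched.

# htcp_port_enabled CONFIG_TEXT
#   Returns 0 (true) if the last non-comment htcp_port directive in the
#   text names a port other than 0. Intended for "squidclient mgr:config"
#   output, which lists the effective configuration.
htcp_port_enabled() {
    port=$(printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -E '^[[:space:]]*htcp_port[[:space:]]' \
        | tail -n 1 \
        | awk '{print $2}')
    [ -n "$port" ] && [ "$port" != "0" ]
}

# cache_log_shows_htcp LOG_TEXT
#   Returns 0 (true) if the log text contains the startup line the
#   advisory names as the indicator of an open HTCP port (debug level 1).
cache_log_shows_htcp() {
    printf '%s\n' "$1" | grep -q "Accepting HTCP messages on port"
}

# Constructed sample inputs (not real captures).
SAMPLE_CONF_VULN='http_port 3128
# htcp_port 0
htcp_port 4827
cache_dir ufs /var/spool/squid 100 16 256'

SAMPLE_CONF_SAFE='http_port 3128
htcp_port 0'

SAMPLE_LOG_VULN='2010/02/12 14:11:00| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.
2010/02/12 14:11:00| Accepting HTCP messages on port 4827, FD 11.'

SAMPLE_LOG_SAFE='2010/02/12 14:11:00| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.'

# Self-demonstration on the constructed samples.
if htcp_port_enabled "$SAMPLE_CONF_VULN"; then
    echo "sample config 1: HTCP port open (vulnerable if unpatched)"
fi
if ! htcp_port_enabled "$SAMPLE_CONF_SAFE"; then
    echo "sample config 2: htcp_port 0 (workaround in place)"
fi
if cache_log_shows_htcp "$SAMPLE_LOG_VULN"; then
    echo "sample log 1: HTCP listener reported in cache.log"
fi

# Live use on a real host (uncomment; paths and the squidclient call are
# assumptions about the local install):
# htcp_port_enabled "$(squidclient mgr:config 2>/dev/null)" \
#     && echo "HTCP port open: apply the patch or set htcp_port 0"
# cache_log_shows_htcp "$(cat /var/log/squid/cache.log)" \
#     && echo "cache.log shows an HTCP listener"
```

The config check deliberately takes the last htcp_port directive, since a later directive overrides an earlier one, and skips commented-out lines so that a leftover "# htcp_port 0" does not mask a live setting. For Squid-3.0 the advisory's own rule applies on top: no htcp_port line at all means the port is closed.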