Denial of Service issues in Squid Proxy


Summary: Multiple Denial of Service issues in HTTP Response processing.
Affected versions:

  • Squid 3.x -> 3.5.16
  • Squid 4.x -> 4.0.7

Fixed in version:

  • Squid 4.0.7, 3.5.15

Problem Description:
Due to incorrect bounds checking, Squid is vulnerable to a denial of service attack when processing HTTP responses.

Due to incorrect error handling, Squid-4 is vulnerable to a denial of service attack when processing malformed HTTP responses.

These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.

Details of a trivial attack are already circulating publicly.

Updated Packages:

These bugs are fixed by Squid version 3.5.15 and 4.0.7.

In addition, patches addressing these problems for the stable release can be found in our patch archives:

Squid 3.5:

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.
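
A version check an operator can run against the output of `squid -v`, added here as an example (it is not part of the advisory or of the Squid project). It compares the reported version numerically against the fixed releases named above; the function names and sample banners are constructed for illustration, and a vendor package with backported patches can still report an older upstream version.

```python
import re
import sys

# Fixed releases as stated in the advisory text above, keyed by major branch.
FIXED = {3: (3, 5, 15), 4: (4, 0, 7)}

# The first line of `squid -v` has the form "Squid Cache: Version 3.5.12".
VERSION_RE = re.compile(r"Squid Cache: Version (\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample banners, not taken from any real host.
SAMPLES = [
    "Squid Cache: Version 3.5.12\nService Name: squid",
    "Squid Cache: Version 3.5.15",
    "Squid Cache: Version 4.0.4",
    "Squid Cache: Version 4.0.10",
]


def parse_version(banner):
    """Return (major, minor, patch) as integers, or None if no Squid banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    # Old names such as "3.0.STABLE25" have no numeric patch level: use 0.
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(banner):
    """Return 'needs-update', 'fixed' or 'unknown' for a `squid -v` banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # branch not listed in the advisory text above
    # Tuple comparison is numeric, so 4.0.10 correctly sorts after 4.0.7.
    return "needs-update" if version < fixed else "fixed"


if __name__ == "__main__":
    # Usage: squid -v | python3 check_squid.py   (falls back to the samples)
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for banner in ([piped] if piped.strip() else SAMPLES):
        print(banner.splitlines()[0], "->", classify(banner))
```

A "needs-update" result on a distribution package should be confirmed against the vendor's own advisory before acting on it.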

Original advisory: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
