Summary: Multiple Denial of Service issues in HTTP Response processing.
Affected versions:
- Squid 3.x -> 3.5.14
- Squid 4.x -> 4.0.6
Fixed in version:
- Squid 4.0.7, 3.5.15
Problem Description:
Due to incorrect bounds checking, Squid is vulnerable to a denial of service attack when processing HTTP responses.
Due to incorrect error handling, Squid-4 is additionally vulnerable to a denial of service attack when processing malformed HTTP responses.
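The problem description names the bug class (missing bounds checks and poor error handling while reading an upstream server's response headers) but not a code path. The C program below is an added illustration and is not Squid's code: a bounded HTTP/1.x response-head reader that rejects over-long or malformed header blocks with an error code instead of trusting that an internal limit will hold. The limits (MAX_HEADER_BLOCK, MAX_HEADER_LINE, MAX_HEADER_COUNT), the function names and the sample responses are all assumptions constructed for the example.

```c
/* Added example, not Squid code: a bounded HTTP/1.x response-head reader in
 * which every buffer access is checked and bad input yields an error code
 * instead of an abort.  The limits, names and samples are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HEADER_BLOCK 8192   /* assumed cap on the whole header block */
#define MAX_HEADER_LINE  1024   /* assumed cap on a single line */
#define MAX_HEADER_COUNT 64     /* assumed cap on the number of field lines */

/* OK; need more bytes (still within limits); a limit was hit; bad syntax */
enum parse_result { PARSE_OK = 0, PARSE_INCOMPLETE, PARSE_TOO_LARGE, PARSE_MALFORMED };

/* Parses "HTTP/x.y SSS reason\r\n(name: value\r\n)*\r\n" from buf[0..len).
 * On PARSE_OK, *consumed is the byte count through the blank line and
 * *header_count the number of field lines. */
enum parse_result parse_response_head(const char *buf, size_t len,
                                      size_t *consumed, int *header_count)
{
    size_t pos = 0;
    int nhdr = 0, first = 1;
    *consumed = 0; *header_count = 0;
    for (;;) {
        const char *eol = memchr(buf + pos, '\n', len - pos);
        if (!eol) {   /* no terminator yet: reject rather than buffer forever */
            if (len - pos > MAX_HEADER_LINE || len > MAX_HEADER_BLOCK)
                return PARSE_TOO_LARGE;
            return PARSE_INCOMPLETE;
        }
        size_t line_len = (size_t)(eol - (buf + pos));  /* excludes '\n' */
        if (line_len > MAX_HEADER_LINE || pos + line_len + 1 > MAX_HEADER_BLOCK)
            return PARSE_TOO_LARGE;
        size_t body_len = line_len;
        if (body_len > 0 && buf[pos + body_len - 1] == '\r')
            body_len--;                                  /* drop the CR */
        const char *line = buf + pos;
        if (first) {   /* status line: "HTTP/d.d SP ddd" is the minimum */
            const unsigned char *s = (const unsigned char *)line;
            if (body_len < 12 || memcmp(s, "HTTP/", 5) != 0 ||
                !isdigit(s[5]) || s[6] != '.' || !isdigit(s[7]) || s[8] != ' ' ||
                !isdigit(s[9]) || !isdigit(s[10]) || !isdigit(s[11]))
                return PARSE_MALFORMED;
            first = 0;
        } else if (body_len == 0) {                      /* blank line: done */
            *consumed = pos + line_len + 1;
            *header_count = nhdr;
            return PARSE_OK;
        } else {   /* field line: non-empty name, ':', no control chars but HTAB */
            const char *colon = memchr(line, ':', body_len);
            if (!colon || colon == line)
                return PARSE_MALFORMED;
            for (size_t i = 0; i < body_len; i++)
                if (iscntrl((unsigned char)line[i]) && line[i] != '\t')
                    return PARSE_MALFORMED;
            if (++nhdr > MAX_HEADER_COUNT)
                return PARSE_TOO_LARGE;
        }
        pos += line_len + 1;
    }
}

/* Constructed sample responses (not captured traffic). */
static const char GOOD_RESPONSE[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                                    "Vary: Accept-Encoding\r\n\r\n<html>";
static const char NO_COLON_RESPONSE[] = "HTTP/1.1 200 OK\r\nContent-Type text/html\r\n\r\n";

/* Fills out[] with a status line followed by a Vary header that never ends. */
size_t build_long_vary(char *out, size_t cap)
{
    const char prefix[] = "HTTP/1.1 200 OK\r\nVary: ";
    size_t n = sizeof prefix - 1;
    if (cap < n + 1) return 0;
    memcpy(out, prefix, n);
    while (n + 1 < cap) out[n++] = 'A';
    out[n] = '\0';
    return n;
}

/* Wrappers returning the verdicts so they can be checked by name. */
enum parse_result classify(const char *s, size_t len)
{ size_t c; int n; return parse_response_head(s, len, &c, &n); }
size_t head_length(const char *s)
{ size_t c; int n; return parse_response_head(s, strlen(s), &c, &n) == PARSE_OK ? c : 0; }
enum parse_result long_vary_result(void)
{ char big[4096]; return classify(big, build_long_vary(big, sizeof big)); }

int main(void)
{
    static const char *names[] = { "ok", "incomplete", "too large", "malformed" };
    printf("good response:      %s, %zu head bytes\n",
           names[classify(GOOD_RESPONSE, strlen(GOOD_RESPONSE))], head_length(GOOD_RESPONSE));
    printf("truncated response: %s\n", names[classify(GOOD_RESPONSE, 20)]);
    printf("no-colon header:    %s\n", names[classify(NO_COLON_RESPONSE, strlen(NO_COLON_RESPONSE))]);
    printf("endless Vary line:  %s\n", names[long_vary_result()]);
    return 0;
}
```

The design point is that PARSE_TOO_LARGE and PARSE_MALFORMED are ordinary return values a proxy can act on (log the event, drop the server connection, answer the client with an error) while the process keeps serving other clients; a parser that instead relies on an assertion or an unchecked index to catch the same conditions turns one hostile or broken origin server into an outage for every client, which is the failure mode this advisory describes.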
Severity:
These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.
HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.
Details of a trivial attack are already circulating publicly.
Updated Packages:
These bugs are fixed by Squid versions 3.5.15 and 4.0.7.
In addition, patches addressing these problems for the stable release can be found in our patch archives:
If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.
Origin URL: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt