Squid Proxy Cache Security Update Advisory Date: Tuesday, March 26 2002 Topic: Security Squid Proxy Cache Security Update Advisory SQUID-2002:2 __________________________________________________________________ Advisory ID:            SQUID-2002:2 Date:                   March 26, 2002 Affected versions:      Squid-2.x up to and including 2.4.STABLE4 Reported by:            zen-parse __________________________________________________________________        http://www.squid-cache.org/Advisories/SQUID-2002_2.txt __________________________________________________________________ Problem Description: A security issue has recently been found and fixed in the Squid-2.X releases up to and including 2.4.STABLE4. Error and boundary conditions were not checked when handling compressed DNS answer messages in the internal DNS code (lib/rfc1035.c). A malicous DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV. The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD, and is enabled by default. __________________________________________________________________ Updated Packages: The Squid-2.4.STABLE6 release contains fixes for all these problems. You can download the Squid-2.4.STABLE6 release from    ftp://ftp.squid-cache.org/pub/squid-2/STABLE/    http://www.squid-cache.org/Versions/v2/2.4/ or the mirrors (may take a while before all mirrors are updated). For a list of mirror sites see    http://www.squid-cache.org/Mirrors/ftp-mirrors.html    http://www.squid-cache.org/Mirrors/http-mirrors.html Individual patches to the mentioned issues can be found from our patch archive for version Squid-2.4.STABLE4    http://www.squid-cache.org/Versions/v2/2.4/bugs/ The patches should also apply with only a minimal effort to earlier Squid 2.4 versions if required. The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contains the fixed DNS code. __________________________________________________________________ Determining if your are vulnerable: You are vulnerable if you are running these versions of Squid with internal DNS queries: * Squid-2.4 version up to and including Squid-2.4.STABLE4 * Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC) * Squid-2.6 / Squid-HEAD up to the fix date    (Tuesday, March 12 2002 UTC) * Squid-2.3 Squid uses the internal DNS implementation by default, and prints a line like this in cache.log when it is in use:    DNS Socket created at 0.0.0.0, port 4345, FD 5 This article comes from osforge.com http://www.osforge.com The URL for this story is: http://www.osforge.com/news/00643.html