updated squid advisory

From: Adrian Chadd (adrianat_private)
Date: Tue Mar 26 2002 - 08:02:40 PST

  • Next message: Anton Rager: "Security contact for Network Associates?" 

    Apologies - it should be stable6, not stable5.


Here's the updated one:


__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2002:2
__________________________________________________________________

Advisory ID:            SQUID-2002:2
Date:                   March 26, 2002
Affected versions:      Squid-2.x up to and including 2.4.STABLE4
Reported by:            zen-parse <zen-parseat_private>
__________________________________________________________________

       http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
__________________________________________________________________

Problem Description:
 A security issue has recently been found and fixed in the Squid-2.X
 releases up to and including 2.4.STABLE4.

 Error and boundary conditions were not checked when handling
 compressed DNS answer messages in the internal DNS code (lib/rfc1035.c).
 A malicous DNS server could craft a DNS reply that causes Squid
 to exit with a SIGSEGV.

 The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and
 Squid-2.6/Squid-HEAD, and is enabled by default.

__________________________________________________________________

Updated Packages:

 The Squid-2.4.STABLE6 release contains fixes for all these
 problems. You can download the Squid-2.4.STABLE6 release from

   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
   http://www.squid-cache.org/Versions/v2/2.4/

 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see

   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html
   
 Individual patches to the mentioned issues can be found from our
 patch archive for version Squid-2.4.STABLE4

   http://www.squid-cache.org/Versions/v2/2.4/bugs/

 The patches should also apply with only a minimal effort to
 earlier Squid 2.4 versions if required.

 The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contains
 the fixed DNS code.

__________________________________________________________________

Determining if your are vulnerable:

 You are vulnerable if you are running these versions of Squid
 with internal DNS queries:

 * Squid-2.4 version up to and including Squid-2.4.STABLE4
 * Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
 * Squid-2.6 / Squid-HEAD up to the fix date
   (Tuesday, March 12 2002 UTC)
 * Squid-2.3

 Squid uses the internal DNS implementation by default, and
 prints a line like this in cache.log when it is in use:

   DNS Socket created at 0.0.0.0, port 4345, FD 5

__________________________________________________________________

Workarounds:

 Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled
 to use the external DNS server support by running configure with
 the --disable-internal-dns option. There is no run-time configuration
 option to select between the internal/external DNS code.

 We recommend that you upgrade, rather than simply switch to external
 DNS lookups.  The external DNS implementation uses child processes
 and may negatively affect Squid's performance, especially for busy
 caches.

__________________________________________________________________
END

    This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 09:52:23 PST