Linux Today: Linux News On Internet Time.

More on LinuxToday

Squid Proxy Cache Security Update Advisory

Mar 26, 2002, 18:55 (0 Talkback[s])

WEBINAR: On-demand Event

Replace Oracle with the NoSQL Engagement Database: Why and how leading companies are making the switch REGISTER >

      Squid Proxy Cache Security Update Advisory SQUID-2002:2
Advisory ID:            SQUID-2002:2
Date:                   March 26, 2002
Affected versions:      Squid-2.x up to and including 2.4.STABLE4
Reported by:            zen-parse 
Problem Description:
 A security issue has recently been found and fixed in the Squid-2.X
 releases up to and including 2.4.STABLE4.
 Error and boundary conditions were not checked when handling
 compressed DNS answer messages in the internal DNS code (lib/rfc1035.c).
 A malicous DNS server could craft a DNS reply that causes Squid
 to exit with a SIGSEGV.
 The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and
 Squid-2.6/Squid-HEAD, and is enabled by default.
Updated Packages:
 The Squid-2.4.STABLE6 release contains fixes for all these
 problems. You can download the Squid-2.4.STABLE6 release from
 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see
 Individual patches to the mentioned issues can be found from our
 patch archive for version Squid-2.4.STABLE4
 The patches should also apply with only a minimal effort to
 earlier Squid 2.4 versions if required.
 The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contains
 the fixed DNS code.
Determining if your are vulnerable:
 You are vulnerable if you are running these versions of Squid
 with internal DNS queries:
 * Squid-2.4 version up to and including Squid-2.4.STABLE4
 * Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
 * Squid-2.6 / Squid-HEAD up to the fix date
   (Tuesday, March 12 2002 UTC)
 * Squid-2.3
 Squid uses the internal DNS implementation by default, and
 prints a line like this in cache.log when it is in use:
   DNS Socket created at, port 4345, FD 5
 Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled
 to use the external DNS server support by running configure with
 the --disable-internal-dns option. There is no run-time configuration
 option to select between the internal/external DNS code.
 We recommend that you upgrade, rather than simply switch to external
 DNS lookups.  The external DNS implementation uses child processes
 and may negatively affect Squid's performance, especially for busy