Squid Proxy Cache Security Update Advisory

__________________________________________________________________
      Squid Proxy Cache Security Update Advisory SQUID-2002:2
__________________________________________________________________
Advisory ID:            SQUID-2002:2
Date:                   March 26, 2002
Affected versions:      Squid-2.x up to and including 2.4.STABLE4
Reported by:            zen-parse 
__________________________________________________________________
       http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
__________________________________________________________________
Problem Description:
 A security issue has recently been found and fixed in the Squid-2.X
 releases up to and including 2.4.STABLE4.
 Error and boundary conditions were not checked when handling
 compressed DNS answer messages in the internal DNS code (lib/rfc1035.c).
 A malicous DNS server could craft a DNS reply that causes Squid
 to exit with a SIGSEGV.
 The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and
 Squid-2.6/Squid-HEAD, and is enabled by default.
__________________________________________________________________
Updated Packages:
 The Squid-2.4.STABLE6 release contains fixes for all these
 problems. You can download the Squid-2.4.STABLE6 release from
   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
   http://www.squid-cache.org/Versions/v2/2.4/
 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see
   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html
 Individual patches to the mentioned issues can be found from our
 patch archive for version Squid-2.4.STABLE4
   http://www.squid-cache.org/Versions/v2/2.4/bugs/
 The patches should also apply with only a minimal effort to
 earlier Squid 2.4 versions if required.
 The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contains
 the fixed DNS code.
__________________________________________________________________
Determining if your are vulnerable:
 You are vulnerable if you are running these versions of Squid
 with internal DNS queries:
 * Squid-2.4 version up to and including Squid-2.4.STABLE4
 * Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
 * Squid-2.6 / Squid-HEAD up to the fix date
   (Tuesday, March 12 2002 UTC)
 * Squid-2.3
 Squid uses the internal DNS implementation by default, and
 prints a line like this in cache.log when it is in use:
   DNS Socket created at 0.0.0.0, port 4345, FD 5
__________________________________________________________________
Workarounds:
 Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled
 to use the external DNS server support by running configure with
 the --disable-internal-dns option. There is no run-time configuration
 option to select between the internal/external DNS code.
 We recommend that you upgrade, rather than simply switch to external
 DNS lookups.  The external DNS implementation uses child processes
 and may negatively affect Squid's performance, especially for busy
 caches.
__________________________________________________________________