---

Home Security

Squid Proxy Cache Security Update Advisory

By 
__________________________________________________________________
      Squid Proxy Cache Security Update Advisory SQUID-2002:2
__________________________________________________________________
Advisory ID:            SQUID-2002:2
Date:                   March 26, 2002
Affected versions:      Squid-2.x up to and including 2.4.STABLE4
Reported by:            zen-parse 
__________________________________________________________________
       http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
__________________________________________________________________
Problem Description:
 A security issue has recently been found and fixed in the Squid-2.X
 releases up to and including 2.4.STABLE4.
 Error and boundary conditions were not checked when handling
 compressed DNS answer messages in the internal DNS code (lib/rfc1035.c).
 A malicous DNS server could craft a DNS reply that causes Squid
 to exit with a SIGSEGV.
 The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and
 Squid-2.6/Squid-HEAD, and is enabled by default.
__________________________________________________________________
Updated Packages:
 The Squid-2.4.STABLE6 release contains fixes for all these
 problems. You can download the Squid-2.4.STABLE6 release from
   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
   http://www.squid-cache.org/Versions/v2/2.4/
 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see
   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html
 Individual patches to the mentioned issues can be found from our
 patch archive for version Squid-2.4.STABLE4
   http://www.squid-cache.org/Versions/v2/2.4/bugs/
 The patches should also apply with only a minimal effort to
 earlier Squid 2.4 versions if required.
 The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contains
 the fixed DNS code.
__________________________________________________________________
Determining if your are vulnerable:
 You are vulnerable if you are running these versions of Squid
 with internal DNS queries:
 * Squid-2.4 version up to and including Squid-2.4.STABLE4
 * Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
 * Squid-2.6 / Squid-HEAD up to the fix date
   (Tuesday, March 12 2002 UTC)
 * Squid-2.3
 Squid uses the internal DNS implementation by default, and
 prints a line like this in cache.log when it is in use:
   DNS Socket created at 0.0.0.0, port 4345, FD 5
__________________________________________________________________
Workarounds:
 Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled
 to use the external DNS server support by running configure with
 the --disable-internal-dns option. There is no run-time configuration
 option to select between the internal/external DNS code.
 We recommend that you upgrade, rather than simply switch to external
 DNS lookups.  The external DNS implementation uses child processes
 and may negatively affect Squid's performance, especially for busy
 caches.
__________________________________________________________________

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.