Due to an Improper Handling of Structural Elements
bug Squid is vulnerable to a Denial of Service
attack against HTTP and HTTPS clients.
Due to an Incomplete Filtering of Special Elements
bug Squid is vulnerable to a Denial of Service
attack against HTTP and HTTPS clients.
Severity:
The limits applied for validation of HTTP Response headers are
applied before caching. Different limits may be in place at the
later cache HIT usage of that response.
The limits applied for validation of HTTP Response headers are
applied to each received server response. Squid may grow a cached
HTTP Response header with HTTP 304 updates beyond the configured
maximum header size.
Subsequent parsing to de-serialize a large header from disk cache
can stall or crash the worker process. Resulting in Denial of
Service to all clients using the proxy.
CVSS Score of 9.6
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 6.4.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_2_b.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_2_c.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Squid older than v5 have not been tested and are presumed
vulnerable.
Squid v5.x up to and including 5.9 are vulnerable.
Squid v6.x up to and including 6.3 are vulnerable.
Workaround:
Disable disk caching by removing all cache_dir directives from
squid.conf.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was independently discovered by Joshua Rogers
of Opera Software and by The Measurement Factory.
Fixed by The Measurement Factory.
Revision history:
2019-09-11: Initial report of header growth caused by HTTP 304.
2021-03-04: Initial report of caching of huge response headers.
2023-04-28 02:40:03 UTC Initial patches released.
2023-11-01 22:28:57 UTC Additional Squid-6 patches released.
END
Due to an Improper Handling of Structural Elements
bug Squid is vulnerable to a Denial of Service
attack against HTTP and HTTPS clients.
Due to an Incomplete Filtering of Special Elements
bug Squid is vulnerable to a Denial of Service
attack against HTTP and HTTPS clients.
Severity:
The limits applied for validation of HTTP Response headers are
applied before caching. Different limits may be in place at the
later cache HIT usage of that response.
The limits applied for validation of HTTP Response headers are
applied to each received server response. Squid may grow a cached
HTTP Response header with HTTP 304 updates beyond the configured
maximum header size.
Subsequent parsing to de-serialize a large header from disk cache
can stall or crash the worker process. Resulting in Denial of
Service to all clients using the proxy.
CVSS Score of 9.6
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 6.4.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_2_b.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_2_c.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Squid older than v5 have not been tested and are presumed
vulnerable.
Squid v5.x up to and including 5.9 are vulnerable.
Squid v6.x up to and including 6.3 are vulnerable.
Workaround:
Disable disk caching by removing all cache_dir directives from
squid.conf.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was independently discovered by Joshua Rogers
of Opera Software and by The Measurement Factory.
Fixed by The Measurement Factory.
Revision history:
2019-09-11: Initial report of header growth caused by HTTP 304.
2021-03-04: Initial report of caching of huge response headers.
2023-04-28 02:40:03 UTC Initial patches released.
2023-11-01 22:28:57 UTC Additional Squid-6 patches released.
END