Squid Proxy Cache Security Update Advisory SQUID-2009:2
Advisory ID: SQUID-2009:2
Date: July 27, 2009
Summary: Multiple Remote Denial of service issues
in header processing.
Affected versions: Squid 3.0 -> 3.0.STABLE16,
Squid 3.1 -> 184.108.40.206
Fixed in version: Squid 3.0.STABLE17, 220.127.116.11
Due to incorrect buffer limits and related bound checks Squid
is vulnerable to a denial of service attack when processing
specially crafted requests or responses.
Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted responses.
These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service.
Theses bugs are fixed by Squid versions 3.0.STABLE17 and 18.104.22.168
In addition, patches addressing these problems can be found In
our patch archives:
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
Determining if your version is vulnerable:
All unpatched Squid-3.0 versions up to and including 3.0.STABLE16
All unpatched Squid-3.1 versions up to and including 22.214.171.124 are
Squid-2.x releases are not vulnerable.
None currently known.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
If your install and build Squid from the original Squid sources
then the firstname.lastname@example.org mailing list is your primary
support point. For subscription details see
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
For reporting of security sensitive bugs send an email to the
email@example.com mailing list. It's a closed list
(though anyone can post) and security related bug reports are
treated in confidence until the impact has been established.
The request vulnerabilities were discovered by Alex Montoanelli
Some response vulnerabilities were discovered by Rob Middleton
of Centenary Institute.
Some response vulnerabilities were discovered by Tuomo Untinen,
Ossi Herrala and Jukka Taimisto from the CROSS project at
2009-07-27 14:08 GMT Initial version
any progress with 3.0.STABLE17 ?
Squid 3.0 through 3.0.STABLE16 and 3.1 through 126.96.36.199 does not
properly enforce "buffer limits and related bound checks," which
allows remote attackers to cause a denial of service via (1) an
incomplete request or (2) a request with a large header size, related
to (a) HttpMsg.cc and (b) client_side.cc.
Squid 3.0 through 3.0.STABLE16 and 3.1 through 188.8.131.52 allows remote
attackers to cause a denial of service via malformed requests
including (1) "missing or mismatched protocol identifier," (2)
missing or negative status value," (3) "missing version," or (4)
"missing or invalid status number," related to (a) HttpMsg.cc and (b)
Version 3.0.18 is now in the tree.
Arch teams, please do your thing.
(In reply to comment #3)
> Version 3.0.18 is now in the tree.
> Arch teams, please do your thing.
That's =net-proxy/squid-3.0.18 then...
Stable for HPPA.
Stable on alpha.
This will be added to the other HttpMsg.cc GLSA.
could be closed, not more in cvs tree
(In reply to comment #12)
> could be closed, not more in cvs tree
The GLSA is still pending. Please don't post such comments in the future, thanks.
This issue was resolved and addressed in
GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).