[SECURITY] squid version 2.4.STABLE4 released

Michal Kochanowicz michal at michal.waw.pl
Thu Feb 21 18:02:13 CET 2002


New release (2.4.STABLE4) of squid is available. It fixes several
security issues. Below is the original announcement.

Package spec has been updated and it is suggested to update your
installation ASAP.

----- Forwarded message from Henrik Nordstrom <hno at marasystems.com> -----

> Old-Content-Type: text/plain;
>   charset="iso-8859-1"
> From: Henrik Nordstrom <hno at marasystems.com>
> Organization: MARA Systems AB
> To: squid-announce at squid-cache.org
> Subject: Squid Security Update Advisory 2002:1
> Date: Thu, 21 Feb 2002 10:51:37 +0100
> Cc: Squid Users <squid-users at squid-cache.org>
> 
> __________________________________________________________________
> 
>       Squid Proxy Cache Security Update Advisory SQUID-2002:1
> __________________________________________________________________
> 
> Advisory ID:            SQUID-2002:1
> Date:                   February 21, 2002
> Affected versions:      Squid-2.x up to and including 2.4.STABLE3
> __________________________________________________________________
> 
>        http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
> __________________________________________________________________
> 
> Problem Description:
> 
>  Three security issues have recently been found in the Squid-2.X
>  releases up to and including 2.4.STABLE3.
> 
>  a) A memory leak in the optional SNMP interface to Squid,
>  allowing a malicious user who can send packets to the Squid SNMP
>  port to possibly perform a denial of service attack on the Squid
>  proxy service if the SNMP interface has been enabled (disabled by
>  default).
> 
>  b) A buffer overflow in the implementation of ftp:// URLs where
>  users who are allowed to proxy ftp:// URLs via Squid can perform
>  a denial of service on the proxy service, and possibly even
>  trigger remote execution of code (not yet confirmed).
> 
>  c) The optional HTCP interface cannot be properly disabled from
>  squid.conf even if the documentation claims it can. The HTCP
>  interface to Squid is not enabled by default, but can be enabled
>  at compile time using the --enable-htcp configure option and some
>  vendors distribute Squid binaries with HTCP enabled.
> 
> __________________________________________________________________
> 
> Updated Packages:
> 
>  The Squid-2.4.STABLE4 release contains fixes for all these
>  problems. The Squid-2.4.STABLE4 release can be found from
> 
>    ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
>    http://www.squid-cache.org/Versions/v2/2.4/
> 
>  or the mirrors (may take a while before all mirrors are updated).
>  For a list of mirror sites see
> 
>    http://www.squid-cache.org/Mirrors/ftp-mirrors.html
>    http://www.squid-cache.org/Mirrors/http-mirrors.html
>    
>  Individual patches to the mentioned issues can be found from our
>  patch archive for version Squid-2.4.STABLE3
> 
>    http://www.squid-cache.org/Versions/v2/2.4/bugs/
> 
>  The patches should also apply with only a minimal effort to
>  earlier Squid versions if required.
> 
> __________________________________________________________________
> 
> Determining if you are vulnerable:
> 
>  You are vulnerable to the SNMP issue if you are running any 2.x
>  version of squid up to squid-2.4.STABLE3 which has the SNMP agent
>  code compiled in (--enable-snmp configure option) and enabled in
>  squid.conf (snmp_port option). You can check to see whether the
>  SNMP code is enabled by looking for the following message in
>  cache.log when Squid is started:
> 
>    'Accepting SNMP messages on port'
> 
>  Similarly for the HTCP issue, but looking for the message
>   
>    'Accepting HTCP messages on port'
> 
>  The ftp:// issue cannot be verified as easily, but if you are
>  running Squid-2.3 or Squid-2.4 up to and including
>  Squid-2.4.STABLE3 then you are most likely vulnerable to the
>  ftp:// issue unless you have taken action. 
> 
> __________________________________________________________________
> 
> Workarounds:
> 
>  For the SNMP issue, make sure the SNMP port cannot be reached by
>  malicious users. The safest method is to disable the SNMP support
>  entirely in the configuration file squid.conf if SNMP has been
>  enabled in your binary
> 
>    snmp_port 0
> 
>  Or at least restrict it to only listen for SNMP on a trusted
>  interface such as localhost by using the snmp_incoming_address
>  directive
> 
>    snmp_incoming_address 127.0.0.1
> 
> 
>  The FTP issue can be worked around by denying access to
>  non-anonymous FTP via Squid. Insert the following two lines at
>  the top of your squid.conf:
> 
>    acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
>    http_access deny non-anonymous-ftp
> 
> 
>  The HTCP issue cannot be worked around fully by configuration
>  alone, but you can restrict which IP address HTCP is listening
>  for messages on by using the udp_incoming_address directive. Make
>  sure your binary isn't compiled with support for HTCP unless you
>  have a reason to use HTCP.
> 
> 
>  We also encourage you to take advantage of packet filtering
>  features of your operating system (e.g., ipchains, iptables,
>  ipfw, pf) and/or routers/firewalls to discard Squid SNMP (UDP
>  port 3401) or HTCP (UDP port 4827) queries from hosts outside
>  of your organization unless specifically authorized to use these
>  protocols.
> 
> __________________________________________________________________
> END
> 

----- End forwarded message -----

-- 
--= Michal Kochanowicz==--==--==BOFH==--==--==michal at michal.waw.pl =--
--= finger me for PGP public key or visit http://michal.waw.pl/PGP =--
--==--==--==--==--==-- Vodka. Connecting people.--==--==--==--==--==--
And hiking in the mountains SUCKS!!!
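The advisory's "Determining if you are vulnerable" and "Workarounds" sections amount to a short checklist: look for the two "Accepting ... messages on port" lines in cache.log, then confirm that squid.conf has snmp_port 0 or a loopback snmp_incoming_address, a loopback udp_incoming_address for HTCP, and the non-anonymous-ftp deny rule ahead of any http_access allow. The script below turns that checklist into an audit. It is an added example, not part of the advisory or of the Squid project; the cache.log and squid.conf samples are constructed, the squid.conf parsing is deliberately minimal (one directive per line, `#` comments), and the function names are assumptions.

```python
"""Audit helper for the three Squid 2.x issues in SQUID-2002:1.

Added example, not the advisory's or the Squid project's code. It works on
squid.conf and cache.log text handed to it as lists of lines (the constructed
samples below stand in for real files), applies the advisory's own checks, and
reports whether each workaround is in place. The function names and the
simplified squid.conf parsing are assumptions.
"""
import re

# Messages the advisory says appear in cache.log when each interface is enabled.
ENABLED_MARKERS = {
    "SNMP": "Accepting SNMP messages on port",
    "HTCP": "Accepting HTCP messages on port",
}

# The url_regex pattern from the advisory's FTP workaround (used with -i).
NON_ANON_FTP_PATTERN = r"^ftp://[^/@]*@"
NON_ANON_FTP_RE = re.compile(NON_ANON_FTP_PATTERN, re.IGNORECASE)

# Constructed cache.log excerpt; the line layout approximates Squid 2's format.
SAMPLE_CACHE_LOG = [
    "2002/02/21 10:51:37| Starting Squid Cache version 2.4.STABLE3 ...",
    "2002/02/21 10:51:37| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.",
    "2002/02/21 10:51:37| Accepting SNMP messages on port 3401, FD 12.",
    "2002/02/21 10:51:37| Accepting HTCP messages on port 4827, FD 13.",
]

# Constructed squid.conf before applying the workarounds ...
WEAK_CONF = [
    "http_port 3128",
    "snmp_port 3401",
    "acl all src 0.0.0.0/0.0.0.0",
    "http_access allow all",
]

# ... and after: the advisory's two FTP lines at the top, SNMP off, HTCP on loopback.
HARDENED_CONF = [
    "acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@",
    "http_access deny non-anonymous-ftp",
    "http_port 3128",
    "snmp_port 0",
    "udp_incoming_address 127.0.0.1",
    "acl all src 0.0.0.0/0.0.0.0",
    "http_access allow all",
]


def detect_enabled_interfaces(cache_log_lines):
    """Return the set of optional interfaces cache.log reports as listening."""
    return {name for line in cache_log_lines
            for name, marker in ENABLED_MARKERS.items() if marker in line}


def is_non_anonymous_ftp_url(url):
    """True when the advisory's url_regex matches (a user@ part before the first /)."""
    return NON_ANON_FTP_RE.search(url) is not None


def parse_squid_conf(conf_lines):
    """Minimal squid.conf reader (assumption: one directive per line, '#' comments).

    Returns (directives, acls, rules): plain directives keep their last value, as
    Squid does; acls maps name -> (type, args); rules is the ordered http_access list.
    """
    directives, acls, rules = {}, {}, []
    for raw in conf_lines:
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2]))
        else:
            directives[parts[0]] = " ".join(parts[1:])
    return directives, acls, rules


def audit(conf_lines, cache_log_lines):
    """Return {'snmp_ok', 'htcp_ok', 'ftp_ok'}; True means the workaround is in place."""
    directives, acls, rules = parse_squid_conf(conf_lines)
    enabled = detect_enabled_interfaces(cache_log_lines)

    # SNMP: not listening, disabled with snmp_port 0, or bound to localhost only.
    snmp_off = directives.get("snmp_port") == "0"
    snmp_loopback = directives.get("snmp_incoming_address") == "127.0.0.1"
    snmp_ok = "SNMP" not in enabled or snmp_off or snmp_loopback

    # HTCP: squid.conf cannot disable it, so only a loopback udp_incoming_address counts.
    htcp_ok = "HTCP" not in enabled or directives.get("udp_incoming_address") == "127.0.0.1"

    # FTP: a url_regex acl carrying the advisory's pattern, denied before any allow
    # (http_access is first-match, so a deny placed after an allow would be shadowed).
    ftp_acls = {name for name, (typ, args) in acls.items()
                if typ == "url_regex" and NON_ANON_FTP_PATTERN in args}
    deny_at = next((i for i, (act, acl) in enumerate(rules)
                    if act == "deny" and acl in ftp_acls), None)
    first_allow = next((i for i, (act, _) in enumerate(rules) if act == "allow"), len(rules))
    ftp_ok = deny_at is not None and deny_at < first_allow

    return {"snmp_ok": snmp_ok, "htcp_ok": htcp_ok, "ftp_ok": ftp_ok}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf, SAMPLE_CACHE_LOG))
```

Running it prints all three checks False for the weak configuration and True for the hardened one. On a real host, replace the constructed lists with `open("/path/to/cache.log").read().splitlines()` and the same for squid.conf. Note that the FTP check only recognises the acl by the exact pattern the advisory gives, and that it treats the deny as effective only when it precedes the first http_access allow, which is what "at the top of your squid.conf" guarantees.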



More information about the pld-devel-en mailing list