Bugzilla – Bug 867533
VUL-0: CVE-2014-0128: squid: squid3: SQUID-2014:1 denial of service in https MitM state management
Last modified: 2014-09-02 21:00:11 UTC
not fully disclosed, via distros

__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2014:1
__________________________________________________________________

Advisory ID: SQUID-2014:1
Date: March 09, 2014
Summary: Denial of Service in SSL-Bump
Affected versions: Squid 3.1 -> 3.3.11, Squid 3.4 -> 3.4.3
Fixed in version: Squid 3.3.12, 3.4.4
__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
__________________________________________________________________

Problem Description:

Due to incorrect state management Squid is vulnerable to a denial of service attack when processing certain HTTPS requests.
__________________________________________________________________

Severity:

This problem allows any client who can generate HTTPS requests to perform a denial of service attack on the Squid service. There are popular client software implementations which generate HTTPS requests and trigger this vulnerability during their normal activities.
__________________________________________________________________

Updated Packages:

This bug is fixed by Squid versions 3.3.12 and 3.4.4.

In addition, patches addressing this problem can be found in our patch archives.

Squid 3.3: <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch>
Squid 3.4: <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch>

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.
__________________________________________________________________

Determining if your version is vulnerable:

All Squid versions without SSL-Bump feature configured are not vulnerable.
All Squid-3.0 and older versions, including Squid-2 are not vulnerable.
All unpatched Squid-3.1 versions are vulnerable.
All unpatched Squid-3.2 versions are vulnerable.
All unpatched Squid-3.3 versions up to and including 3.3.11 are vulnerable.
All unpatched Squid-3.4 versions up to and including 3.4.3 are vulnerable.
__________________________________________________________________

Workarounds:

Either

Disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives.

Or

Disable SSL-bump feature completely by removing ssl-bump option from all http_port and/or https_port configuration directives.

Or

Use TCP_RESET instead of all Squid-generated error pages. Note that this is only a partial workaround as some error pages cannot be overridden.
__________________________________________________________________

Credits:

The vulnerability was reported by Mathias Fischer and Fabian Hugelshofer from Open Systems AG.

Fixes by Alex Rousskov from The Measurement Factory.
__________________________________________________________________

Revision history:

2014-02-21 16:04 GMT Initial Report
2014-02-22 23:51 GMT Patch Provided
2014-03-09 00:14 GMT Packages Released
__________________________________________________________________
END
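The advisory's "Determining if your version is vulnerable" rules, written out as an added triage helper (example code, not part of the advisory or of Squid). It compares upstream version strings only, so a distribution package that carries a backported fix under an older version number still has to be confirmed from the package changelog; the function names, the sample configuration and the acceptance of an older `sslBump` spelling of the port option are assumptions of this example.

```python
import re

# Last vulnerable release per upstream branch, from advisory SQUID-2014:1.
# None means every release of that branch is affected.
LAST_VULNERABLE = {(3, 1): None, (3, 2): None, (3, 3): 11, (3, 4): 3}

# "ssl-bump" is the option named in the advisory; "sslBump" is accepted as an
# assumed older spelling so that such configurations are not missed.
BUMP_OPTIONS = {"ssl-bump", "sslBump"}


def version_in_affected_range(version):
    """True if an upstream Squid version string falls in the advisory's ranges."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch not in LAST_VULNERABLE:
        return False  # 3.0 and older, Squid-2, and branches the advisory does not list
    last = LAST_VULNERABLE[branch]
    return last is None or patch <= last


def ssl_bump_ports(conf_text):
    """Return the http_port/https_port lines that enable SSL-Bump."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments
        fields = line.split()
        if fields and fields[0] in ("http_port", "https_port") \
                and BUMP_OPTIONS.intersection(fields[1:]):
            hits.append(line)
    return hits


def exposed(version, conf_text):
    """Advisory logic: affected version AND SSL-Bump enabled on at least one port."""
    return version_in_affected_range(version) and bool(ssl_bump_ports(conf_text))


# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/example-ca.pem
# https_port 3129 ssl-bump cert=/etc/squid/example-ca.pem
http_port 8080
"""

if __name__ == "__main__":
    for v in ("3.0.STABLE26", "3.1.23", "3.3.11", "3.3.12", "3.4.3", "3.4.4"):
        print(v, exposed(v, SAMPLE_CONF))
```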
bugbot adjusting priority
is public
The SWAMPID for this issue is 56658. This issue was rated as moderate. Please submit fixed packages until 2014-03-27. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages: SLE-11-SP3: squid3
top of prio now. WIP.
package submitted for SLE11.
This is an autogenerated message for OBS integration: This bug (867533) was mentioned in https://build.opensuse.org/request/show/229517 13.1+12.3 / squid
This is an autogenerated message for OBS integration: This bug (867533) was mentioned in https://build.opensuse.org/request/show/229528 Evergreen:11.4 / squid3.openSUSE_Evergreen_11.4
openSUSE-SU-2014:0513-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 867533 CVE References: CVE-2014-0128 Sources used: openSUSE 11.4 (src): squid3-3.1.23-23.1
Hello Roman, in the original patch the request itself is modified, not the orig_request. In your patch you remove statements for orig_request and add a line for request. - delete orig_request->range; - orig_request->range = NULL; + request->ignoreRange("want to request the whole object" Can you please have a look if this is correct?
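Review bot: the added call operates on request, while the two removed lines cleared the range on orig_request, so the backport changes which object is touched as well as how it is cleared; confirm which of the two the function actually receives in the branch being patched and use that one consistently. The quoted + line is also cut off before its closing parenthesis, so check the full hunk in the submitted patch rather than this excerpt.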
you're right, the call parameters of HttpStateData::httpBuildRequestHeader() have changed, in 3.3 they are running against the "request" entity. Nice spotting! Munging with the flags of the incoming request to be able to set up an outgoing (client) request doesn't seem very smart after all. Packages are building, will submit if positive.
submitted against 11-SP1. Reassigned to security-team@ for shipping&handling. Thank you!
openSUSE-SU-2014:0559-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 867533 CVE References: CVE-2014-0128 Sources used: openSUSE 13.1 (src): squid-3.3.8-2.4.2 openSUSE 12.3 (src): squid-3.2.11-3.12.1
Update released for: squid3, squid3-debuginfo, squid3-debugsource Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: squid3, squid3-debuginfo, squid3-debugsource Products: SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0569-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 677335,867533 CVE References: CVE-2014-0128 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): squid3-3.1.12-8.16.18.1 SUSE Linux Enterprise Server 11 SP3 (src): squid3-3.1.12-8.16.18.1
SLES 12 still ships 3.3.11, please update.
squid in sle12 is 3.3.13 now