Bugzilla – Bug 893649
VUL-0: CVE-2014-3609: squid: squid3: Denial of Service in Range header processing
Last modified: 2015-02-19 02:01:16 UTC
bugbot adjusting priority
squid 3.3.13 is in SLE12.
http://www.squid-cache.org/Advisories/SQUID-2014_2.txt Squid Proxy Cache Security Update Advisory SQUID-2014:2 __________________________________________________________________ Advisory ID: SQUID-2014:2 Date: August 28, 2014 Summary: Denial of service in request processing Affected versions: Squid 3.x -> 3.3.12 Squid 3.4 -> 3.4.6 Fixed in version: Squid 3.3.13, 3.4.7 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2014_2.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609 __________________________________________________________________ Problem Description: Due to incorrect input validation in request parsing Squid is vulnerable to a denial of service attack when processing Range requests. __________________________________________________________________ Severity: This problem allows any trusted client to perform a denial of service attack on the Squid service. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.3.13 and 3.4.7 In addition, patches addressing this problem for stable releases can be found in our patch archives: Squid 3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10488.patch Squid 3.2: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11828.patch Squid 3.3: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12680.patch Squid 3.4: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13168.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Squid-3.x: All Squid-3.x versions up to and including 3.3.12 are vulnerable to the problem. Squid-3.4: All Squid-3.4 versions up to and including 3.4.6 are vulnerable to the problem. __________________________________________________________________ Workaround: Add the following access control lines to squid.conf above any http_access allow lines: acl validRange req_header Range \ ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ acl validRange req_header Request-Range \ ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ http_access deny !validRange __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see http://www.squid-cache.org/Support/mailing-lists.html. For reporting of non-security bugs in the latest release the squid bugzilla database should be used http://bugs.squid-cache.org/. For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was discovered by Matthew Daley. __________________________________________________________________ Revision history: 2014-08-26 11:54 GMT Initial Report 2014-08-26 18:28 GMT CVE Assignment 2014-08-27 15:18 GMT Patches and Packages Released __________________________________________________________________ END
cross checked , the code in our squid 2.7 is not affected, as it has different semantics in this function.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-09-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58952
Affected packages: SLE-11-SP1: squid3 SLE-11-SP3: squid3 SLE-11-SP3-PRODUCTS: squid3 SLE-11-SP3-UPTU: squid3
i submitted sle11-sp1/squid3 as roman is on vacation. christian, can you do opensuse?
yes, I can do opensuse .... ongoing work ...
Maintenance request submitted: https://build.opensuse.org/request/show/248983
released sle, opensuse will come soon too
SUSE-SU-2014:1140-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 893649 CVE References: CVE-2014-3609 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): squid3-3.1.12-8.16.20.1 SUSE Linux Enterprise Server 11 SP3 (src): squid3-3.1.12-8.16.20.1
openSUSE-SU-2014:1144-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 893649,894636,894840 CVE References: CVE-2014-3609 Sources used: openSUSE 13.1 (src): squid-3.3.13-2.10.1 openSUSE 12.3 (src): squid-3.2.11-3.16.1