Due to a Collapse of Data into Unsafe Value bug ,
Squid may be vulnerable to a Denial of Service
attack against HTTP header parsing.
Severity:
This problem allows a remote client or a remote server to
perform Denial of Service when sending oversized headers in
HTTP messages.
In versions of Squid prior to 6.5 this can be achieved if the
request_header_max_size or reply_header_max_size settings are
unchanged from the default.
In Squid version 6.5 and later, the default setting of these
parameters is safe. Squid will emit a critical warning in
cache.log if the administrator is setting these parameters to
unsafe values. Squid will not at this time prevent these settings
from being changed to unsafe values.
Updated Packages:
Hardening against this issue is added to Squid version 6.5.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2024_2.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run the following command to identify how (and whether)
your Squid has been configured with relevant settings:
`squid -k parse 2>&1 | grep header_max_size`
All Squid-3.0 up to and including 6.4 without header_max_size
settings are vulnerable.
All Squid-3.0 up to and including 6.4 with either header_max_size
setting over 21 KB are vulnerable.
All Squid-3.0 up to and including 6.4 with both header_max_size
settings below 21 KB are not vulnerable.
All Squid-6.5 and later without header_max_size configured
are not vulnerable.
All Squid-6.5 and later configured with both header_max_size
settings below 64 KB are not vulnerable.
All Squid-6.5 and later configured with either header_max_size
setting over 64 KB are vulnerable.
Workaround:
For Squid older than 6.5, add to squid.conf:
request_header_max_size 21 KB
reply_header_max_size 21 KB
For Squid 6.5 and later, remove request_header_max_size
and reply_header_max_size from squid.conf
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera
Software.
Fixed by The Measurement Factory.
Revision history:
2023-10-12 11:53:02 UTC Initial Report
2023-10-25 11:47:19 UTC Patches Released
END
Due to a Collapse of Data into Unsafe Value bug ,
Squid may be vulnerable to a Denial of Service
attack against HTTP header parsing.
Severity:
This problem allows a remote client or a remote server to
perform Denial of Service when sending oversized headers in
HTTP messages.
In versions of Squid prior to 6.5 this can be achieved if the
request_header_max_size or reply_header_max_size settings are
unchanged from the default.
In Squid version 6.5 and later, the default setting of these
parameters is safe. Squid will emit a critical warning in
cache.log if the administrator is setting these parameters to
unsafe values. Squid will not at this time prevent these settings
from being changed to unsafe values.
Updated Packages:
Hardening against this issue is added to Squid version 6.5.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2024_2.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run the following command to identify how (and whether)
your Squid has been configured with relevant settings:
All Squid-3.0 up to and including 6.4 without header_max_size
settings are vulnerable.
All Squid-3.0 up to and including 6.4 with either header_max_size
setting over 21 KB are vulnerable.
All Squid-3.0 up to and including 6.4 with both header_max_size
settings below 21 KB are not vulnerable.
All Squid-6.5 and later without header_max_size configured
are not vulnerable.
All Squid-6.5 and later configured with both header_max_size
settings below 64 KB are not vulnerable.
All Squid-6.5 and later configured with either header_max_size
setting over 64 KB are vulnerable.
Workaround:
For Squid older than 6.5, add to squid.conf:
For Squid 6.5 and later, remove
request_header_max_sizeand
reply_header_max_sizefrom squid.confContact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera
Software.
Fixed by The Measurement Factory.
Revision history:
2023-10-12 11:53:02 UTC Initial Report
2023-10-25 11:47:19 UTC Patches Released
END