Due to Input Validation, Premature Release of Resource During
Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service
attacks by a trusted server against all clients using the proxy.
Vulnerabilities are present in:
- interpreting
<esi:when>. Original reports:
- interpreting
<esi:assign>. Original reports:
- interpreting
<esi:include>. Original report:
- interpreting
<esi:try> and <esi:choose>. Original report:
- processing errors. Original report:
- processing overlong headers. Original report:
Severity:
This problem allows a trusted server to perform a Denial of
Service when processing ESI response content. This effects all
domains being serviced by the proxy and all clients using it
during the affected period.
These issues are limited to Squid acting as reverse proxy where
ESI feature has been enabled at build time.
The ESI feature is enabled in the default configuration in all
Squid versions from 3.0 to 6.9, and disabled in the default
configuration since version 6.10.
Updated Packages:
This bug is fixed in the default build configuration of Squid
version 6.10
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run squid -v to determine the version number and build
configuration parameters.
Version 3.x, 4.x, 5.x, and 6.0.1 to 6.9 are vulnerable unless the
output contains the text '--disable-esi'.
Versions 6.10 and later are vulnerable if the output contains the
text '--enable-esi'.
Workaround:
Build affected Squid with --disable-esi.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera
Software.
Revision history:
2021-02-28 05:25:48 UTC Initial Report
2024-03-13 08:01:12 UTC ESI disabled by default in v6
2024-06-08 13:28:58 UTC Squid 6.10 released with ESI disabled
END
MegaManSec Finder
Due to Input Validation, Premature Release of Resource During
Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service
attacks by a trusted server against all clients using the proxy.
Vulnerabilities are present in:
<esi:when>. Original reports:<esi:assign>. Original reports:<esi:include>. Original report:<esi:try>and<esi:choose>. Original report:Severity:
This problem allows a trusted server to perform a Denial of
Service when processing ESI response content. This effects all
domains being serviced by the proxy and all clients using it
during the affected period.
These issues are limited to Squid acting as reverse proxy where
ESI feature has been enabled at build time.
The ESI feature is enabled in the default configuration in all
Squid versions from 3.0 to 6.9, and disabled in the default
configuration since version 6.10.
Updated Packages:
This bug is fixed in the default build configuration of Squid
version 6.10
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run
squid -vto determine the version number and buildconfiguration parameters.
Version 3.x, 4.x, 5.x, and 6.0.1 to 6.9 are vulnerable unless the
output contains the text '--disable-esi'.
Versions 6.10 and later are vulnerable if the output contains the
text '--enable-esi'.
Workaround:
Build affected Squid with
--disable-esi.Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera
Software.
Revision history:
2021-02-28 05:25:48 UTC Initial Report
2024-03-13 08:01:12 UTC ESI disabled by default in v6
2024-06-08 13:28:58 UTC Squid 6.10 released with ESI disabled
END