In association with heise online

02 February 2010, 11:28

Squid update fixes DoS vulnerability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Squid Logo Specially crafted DNS packets can compromise the popular Squid web proxy/cache in such a way that it briefly fails to respond. The problem is caused by insufficiently checked DNS responses which Squid initially places in a queue. By sending packets that only contain a header, a queue overflow can be triggered which can apparently be exploited for Denial-of-Service (DoS) attacks.

The flaw can be exploited both from internal clients and from external DNS servers. The problem has been known since the most recent Chaos Communication Congress (26c3), where Fabian Yamaguchi described the details of this, as well as further flaws in other applications, in his presentation entitled "cat /proc/sys/net/ipv4/fuckups"PDF.

Versions 2.x, 3.0 up to and including 3.0.STABLE21, and Squid 3.1 up to and including are affected. In versions 3.0.STABLE22 and of Squid, the flaw has been fixed. A patch is also available.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit