Squid update fixes DoS vulnerability
Specially crafted DNS packets can compromise the popular Squid web proxy/cache in such a way that it briefly fails to respond. The problem is caused by insufficiently checked DNS responses which Squid initially places in a queue. By sending packets that only contain a header, a queue overflow can be triggered which can apparently be exploited for Denial-of-Service (DoS) attacks.
The flaw can be exploited both from internal clients and from external DNS servers. The problem has been known since the most recent Chaos Communication Congress (26c3), where Fabian Yamaguchi described the details of this, as well as further flaws in other applications, in his presentation entitled "cat /proc/sys/net/ipv4/fuckups".
Versions 2.x, 3.0 up to and including 3.0.STABLE21, and Squid 3.1 up to and including 220.127.116.11 are affected. In versions 3.0.STABLE22 and 18.104.22.168 of Squid, the flaw has been fixed. A patch is also available.
- Denial of Service issue in DNS handling, security advisory from Squid.org.