|
1
|
The Squid Project apologizes for being late in responding to the
|
|
2
|
publication of 55 vulnerabilities disclosed by Joshua Rogers of Opera Software
|
|
3
|
at https://megamansec.github.io/Squid-Security-Audit/
|
|
4
|
|
|
5
|
We thank Joshua for discovering these bugs and sharing their details with us.
|
|
6
|
The surprise publication caught us off guard, but Squid
|
|
7
|
developers had worked on addressing some of the disclosed vulnerabilities
|
|
8
|
since before that publication. This message summarizes Squid's status on
|
|
9
|
October 9th, 2024.
|
|
10
|
|
|
11
|
As of Squid v6.8, the vast majority of high-impact vulnerabilities have been
|
|
12
|
addressed. The following disclosed vulnerabilities are still present:
|
|
13
|
|
|
14
|
|
|
15
|
### Vulnerability “strlen(NULL) Crash Using Digest Authentication”
|
|
16
|
|
|
17
|
This vulnerability is still present in Squid v6.11. A fix is expected in Squid
|
|
18
|
v6.12, due any day now.
|
|
19
|
Digest authentication is disabled by default; the current workaround is
|
|
20
|
to avoid Digest authentication.
|
|
21
|
|
|
22
|
To verify whether your Squid configuration is vulnerable, check whether it
|
|
23
|
contains "auth_param” directive. Configurations with auth_param directives
|
|
24
|
mentioning "digest" scheme may be vulnerable.
|
|
25
|
|
|
26
|
|
|
27
|
### pipeline_prefetch (HTTP pipelining of client-to-Squid requests)
|
|
28
|
|
|
29
|
All reported pipelining-related vulnerabilities may still be present in Squid
|
|
30
|
v6. Pipelining code will probably be removed in master branch and become
|
|
31
|
unavailable in Squid v7. Pipelining is disabled by default.
|
|
32
|
|
|
33
|
If you do not need pipelining (or do not know for sure that you need it), do
|
|
34
|
not enable that performance optimization.
|
|
35
|
|
|
36
|
To verify whether your Squid configuration is vulnerable, check whether it
|
|
37
|
contains a pipeline_prefetch directive. Configurations containing a
|
|
38
|
pipeline_prefetch directive set to a positive value may be vulnerable.
|
|
39
|
|
|
40
|
|
|
41
|
### ESI (Edge Side Includes)
|
|
42
|
|
|
43
|
Most reported ESI-related vulnerabilities are still present in Squid v6. ESI
|
|
44
|
code has been removed in the master branch and will not be available
|
|
45
|
in Squid v7.
|
|
46
|
ESI is disabled in the default build starting with Squid v6.10. In earlier
|
|
47
|
versions, ESI code is enabled by default, but the risk is moderate because
|
|
48
|
exploiting this family of vulnerabilities requires Squid to be
|
|
49
|
configured as a reverse proxy for a malicious origin server.
|
|
50
|
|
|
51
|
If you do not need ESI (or do not know whether you need it), disable it with
|
|
52
|
`--disable-esi` (default for Squid v6.10 and later).
|
|
53
|
|
|
54
|
To verify whether your Squid build is vulnerable, run `squid -v`. Squid v6.9
|
|
55
|
and earlier versions may be vulnerable unless the output contains
|
|
56
|
`--disable-esi`. Squid v6.10 and later versions may be vulnerable if the
|
|
57
|
output contains `--enable-esi`.
|
|
58
|
|
|
59
|
|
|
60
|
### Squid v5
|
|
61
|
|
|
62
|
Some fixes were backported to Squid v5, but we lack the resources necessary to
|
|
63
|
support that old version. Folks running Squid v5 and earlier versions should
|
|
64
|
either upgrade to the latest v6 release or rely on their
|
|
65
|
integrator/distributor for support.
|
|
66
|
|
|
67
|
--
|
|
68
|
Francesco Chemolli
|
|
69
|
Squid Software Foundation
|
|
70
|
_______________________________________________
|
|
71
|
squid-users mailing list
|
|
72
|
squid-users@lists.squid-cache.org
|
|
73
|
https://lists.squid-cache.org/listinfo/squid-users
|