Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1134209 - (CVE-2014-3609) CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20140828,repo...
: Security
Depends On: 1134658 1134933 1134934 1134936 1134937 1134976 1134977
Blocks: 1134214
  Show dependency treegraph
 
Reported: 2014-08-27 02:47 EDT by Murray McAllister
Modified: 2015-11-25 05:10 EST (History)
4 users (show)

See Also:
Fixed In Version: squid 3.4.7, squid 3.3.13
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-04 04:01:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1147 normal SHIPPED_LIVE Important: squid security update 2014-09-03 18:45:21 EDT
Red Hat Product Errata RHSA-2014:1148 normal SHIPPED_LIVE Important: squid security update 2014-09-03 17:43:04 EDT

  None (edit)
Description Murray McAllister 2014-08-27 02:47:49 EDT 
A denial of service flaw was found in Squid's Range header processing. An attacker could send crafted requests that would cause Squid to crash with an assertion.

A patch is available from the following:

http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-13555.patch

For a workaround, upstream says to add the following to squid.conf above any "http_access allow" lines:

 acl validRange req_header Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 acl validRange req_header Request-Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 http_access deny !validRange

External References:

http://www.squid-cache.org/Advisories/SQUID-2014_2.txt

Acknowledgements:

Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Matthew Daley as the original reporter.
Comment 2 Murray McAllister 2014-08-28 00:02:11 EDT 
This issue is public now:

http://www.squid-cache.org/Advisories/
Comment 3 Murray McAllister 2014-08-28 00:04:39 EDT 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1134658]
Comment 4 Tomas Hoger 2014-08-28 05:35:15 EDT 
Upstream commit:
http://bazaar.launchpad.net/~squid/squid/trunk/revision/13555
Comment 5 Tomas Hoger 2014-08-28 08:38:04 EDT 
This issue causes squid to exit unexpectedly with an assertion failure after processing the malformed Range HTTP header.  Terminated child process is re-spawned shortly by the master process, causing temporary service unavailability.  If attacker is able to trigger these crashes frequently, they can cause squid to exit after multiple repeated restarts, causing a full service DoS.

In addition to 3.x versions still supported upstream, this also affects older 2.x versions, such as the version shipped in Red Hat Enterprise Linux 5.  The workaround from the upstream advisory (noted in comment 0) can also be used with the squid version shipped with Red Hat Enterprise Linux 5 to mitigate this issue.
Comment 11 Martin Prpič 2014-09-03 04:27:49 EDT 
IssueDescription:

A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
Comment 12 errata-xmlrpc 2014-09-03 13:43:21 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:1148 https://rhn.redhat.com/errata/RHSA-2014-1148.html
Comment 13 errata-xmlrpc 2014-09-03 14:45:40 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1147 https://rhn.redhat.com/errata/RHSA-2014-1147.html
Comment 14 Fedora Update System 2014-09-05 18:21:15 EDT 
squid-3.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2014-09-10 09:26:11 EDT 
squid-3.3.13-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-09-23 00:45:38 EDT 
squid-3.4.7-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.