A denial of service flaw was found in Squid's Range header processing. An attacker could send crafted requests that would cause Squid to crash with an assertion. A patch is available from the following: http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-13555.patch For a workaround, upstream says to add the following to squid.conf above any "http_access allow" lines: acl validRange req_header Range \ ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ acl validRange req_header Request-Range \ ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ http_access deny !validRange External References: http://www.squid-cache.org/Advisories/SQUID-2014_2.txt Acknowledgements: Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Matthew Daley as the original reporter.
This issue is public now: http://www.squid-cache.org/Advisories/
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1134658]
Upstream commit: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13555
This issue causes squid to exit unexpectedly with an assertion failure after processing the malformed Range HTTP header. Terminated child process is re-spawned shortly by the master process, causing temporary service unavailability. If attacker is able to trigger these crashes frequently, they can cause squid to exit after multiple repeated restarts, causing a full service DoS. In addition to 3.x versions still supported upstream, this also affects older 2.x versions, such as the version shipped in Red Hat Enterprise Linux 5. The workaround from the upstream advisory (noted in comment 0) can also be used with the squid version shipped with Red Hat Enterprise Linux 5 to mitigate this issue.
IssueDescription: A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2014:1148 https://rhn.redhat.com/errata/RHSA-2014-1148.html
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1147 https://rhn.redhat.com/errata/RHSA-2014-1147.html
squid-3.3.13-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
squid-3.3.13-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
squid-3.4.7-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.