Bug 1077006 - (CVE-2018-1000027) VUL-0: CVE-2018-1000027: squid,squid3: SQUID-2018_2 Denial of Service issue in HTTP Message processing.
(CVE-2018-1000027)
VUL-0: CVE-2018-1000027: squid,squid3: SQUID-2018_2 Denial of Service issue i...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/198738/
CVSSv3:SUSE:CVE-2018-1000027:5.4:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-22 10:45 UTC by Marcus Meissner
Modified: 2020-06-12 20:51 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-01-22 10:45:50 UTC
SQUID-2018_2

http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2018:2
__________________________________________________________________

Advisory ID:        SQUID-2018:2
Date:               Jan 19, 2018
Summary:            Denial of Service issue
                    in HTTP Message processing.
Affected versions:  Squid 3.x -> 3.5.27
                    Squid 4.x -> 4.0.22
Fixed in version:   Squid 4.0.23
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__________________________________________________________________

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses or downloading
 intermediate CA certificates.

__________________________________________________________________

Severity:

 This problem allows a remote client delivering certain HTTP
 requests in conjunction with certain trusted server responses to
 trigger a denial of service for all clients accessing the Squid
 service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 4.0.23.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch>

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid configured with "log_uses_indirect_client off" are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.27 being used for reverse-proxy with squid.conf
 containing "log_uses_indirect_client on" are vulnerable.

 All Squid-4 up to and including Squid-4.0.22 being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All unpatched Squid-4 up to and including Squid-4.0.22 being
 used for TLS/HTTPS intercept proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

__________________________________________________________________

Workarounds:

 Configure "log_uses_indirect_client off" in squid.conf

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The initial issue was reported by Louis Dion-Marcil on behalf of
 GoSecure.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2017-12-13 20:09:30 UTC Initial Report
 2018-01-18 23:10:00 UTC Patches Released
 2018-01-21 07:45:00 UTC Advisory and fixed packages released
__________________________________________________________________
END


References:
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Comment 1 Marcus Meissner 2018-01-29 06:05:57 UTC
CVE-2018-1000027
Comment 2 Swamp Workflow Management 2018-02-05 09:50:11 UTC
This is an autogenerated message for OBS integration:
This bug (1077006) was mentioned in
https://build.opensuse.org/request/show/572519 Factory / squid
Comment 5 Swamp Workflow Management 2018-03-08 20:09:07 UTC
SUSE-SU-2018:0636-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077003,1077006
CVE References: CVE-2018-1000024,CVE-2018-1000027
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    squid-3.5.21-26.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    squid-3.5.21-26.6.1
SUSE Linux Enterprise Server 12-SP2 (src):    squid-3.5.21-26.6.1
Comment 6 Swamp Workflow Management 2018-03-09 11:12:24 UTC
openSUSE-SU-2018:0647-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077003,1077006
CVE References: CVE-2018-1000024,CVE-2018-1000027
Sources used:
openSUSE Leap 42.3 (src):    squid-3.5.21-12.1
Comment 7 Swamp Workflow Management 2018-03-21 14:08:09 UTC
SUSE-SU-2018:0752-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077003,1077006
CVE References: CVE-2018-1000024,CVE-2018-1000027
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.37.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.37.3.1
Comment 8 Adam Majer 2018-08-29 11:33:34 UTC
All affected codestreams release. Re-assigning to security team.
Comment 9 Marcus Meissner 2018-08-29 11:54:19 UTC
done