http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
 
__________________________________________________________________
 
      Squid Proxy Cache Security Update Advisory SQUID-2007:2
__________________________________________________________________
 
Advisory ID:            SQUID-2007:2
Date:                   November 27, 2007
Summary:                Denial of service in cache updates
Affected versions:      Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.
Fixed in version:       Squid 2.6.STABLE17;
			November 28 Squid-2 snapshot
			November 28 Squid-3 snapshot
Author:			Adrian Chadd
Thanks:			Wikimedia Foundation
 
__________________________________________________________________
 
     http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
__________________________________________________________________
 
Problem Description:
 
 Due to incorrect bounds checking Squid is vulnerable to
 a denial of service check during some cache update reply
 processing.
 
__________________________________________________________________
 
Severity:
 
 This problem allows any client trusted to use the service to
 perform a denial of service attack on the Squid service.
 
__________________________________________________________________
 
Updated Packages:
 
 This bug is fixed by Squid version 2.6.STABLE17 and by the November
 28 snapshots of Squid-2 and Squid-3.
 
 In addition, a patch addressing this problem can be found in
 our patch archive for version Squid-2.6:
 
  http://www.squid-cache.org/Versions/v2/2.6/changesets/11780.patch
 
 And for Squid-3:
 
  http://www.squid-cache.org/Versions/v3/3.0/changesets/11211.patch
 
 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.
 
__________________________________________________________________
 
Determining if your version is vulnerable:
 
 All Squid-2.X versions up to, and including 2.6.STABLE16 are
 vulnerable.
 
 All Squid-3 snapshots and prereleases up to the November 28
 snapshot are vulnerable.
 
__________________________________________________________________
 
Workarounds:
 
 There are no workarounds.
 
__________________________________________________________________
 
Thanks to:
 
 Thanks go to the Wikimedia Foundation for helping identify the issue
 and testing the proposed resolution of the issue.
 
 Thanks to Adrian Chadd for the Squid-2 fix.
 
 Thanks to Henrik Nordstrom for the Squid-3 fix.
 
__________________________________________________________________
 
Contact details for the Squid project:
 
 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.
 
 If your install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. See <http://www.squid-cache.org/mailing-lists.html>
 for subscription details.
 
 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://www.squid-cache.org/bugs/>.
 
 For reporting of security sensitive bugs send an email to the
 squid-bugs@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.
 
__________________________________________________________________
 
Revision history:
 
 2007-11-26 14:40 GMT+9 Initial version
__________________________________________________________________
END