
OSG-SEC-2019-07-25 Vulnerability in Squid

Dear OSG Security Contacts,

The frontier-squid package has a publicly announced security vulnerability that can potentially enable remote code execution by any client whose IP address the squid's access controls allow to use it. All sites running frontier-squid-4.* versions should upgrade urgently, especially those whose squids can be reached from the internet.

IMPACTED VERSIONS:

frontier-squid-4.*

WHAT ARE THE VULNERABILITIES:

Due to incorrect buffer management, squid is vulnerable to a heap overflow and possible remote code execution attack when processing HTTP Authentication credentials. This happens when squid is asked to proxy ftp, which it allows by default.

WHAT YOU SHOULD DO:

If you have frontier-squid-4.* installed, upgrade to a version in which the vulnerability is removed. OSG has released frontier-squid-4.4-2.1, which only adds a patch for this problem on top of version 4.4-1.1. Upstream had previously released 4.6 versions, which are also vulnerable. The upstream frontier-squid-4.8-1.1 version fixes this problem in addition to including other features and bug fixes. So upgrade to either OSG frontier-squid-4.4-2.1 or upstream frontier-squid-4.8-1.1.
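The following is an added shell check, not part of this advisory or of the frontier-squid project, that classifies an installed frontier-squid RPM version-release string against the guidance above (OSG 4.4-2.1 and upstream 4.8-1.1 or later are fixed; every other 4.* release is affected). The function names and the "affected"/"not-affected" labels are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OSG advisory: classify a frontier-squid
# RPM version-release string such as "4.6-1.1" against the advisory.
# Fixed: OSG 4.4-2.1 (and later 4.4 releases), upstream 4.8-1.1 or later.
# Affected: every other 4.* release, including upstream 4.5 .. 4.7.

# Return 0 if the given version-release is affected, 1 otherwise.
frontier_squid_affected() {
    ver=${1%%-*}                         # "4.6-1.1" -> "4.6"
    rel=${1#*-}                          # "4.6-1.1" -> "1.1"
    [ "$rel" = "$1" ] && rel=0           # no release part supplied
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    [ "$minor" = "$ver" ] && minor=0     # bare "4" has no minor number
    [ "$major" = 4 ] || return 1         # only frontier-squid-4.* is covered
    [ "$minor" -ge 8 ] && return 1       # 4.8-1.1 and later carry the fix
    if [ "$minor" -eq 4 ]; then          # OSG backported the patch as 4.4-2.1
        rmaj=${rel%%.*}
        rmin=${rel#*.}; rmin=${rmin%%.*}
        [ "$rmin" = "$rel" ] && rmin=0   # release without a minor number
        [ "$rmaj" -gt 2 ] && return 1
        [ "$rmaj" -eq 2 ] && [ "$rmin" -ge 1 ] && return 1
    fi
    return 0
}

# Human-readable verdict for one version string ("not-affected" covers
# both fixed 4.* releases and versions outside this advisory's scope).
frontier_squid_status() {
    if frontier_squid_affected "$1"; then echo "affected"; else echo "not-affected"; fi
}

# Query the installed package on an RPM-based host and report its status.
check_installed() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' frontier-squid 2>/dev/null) ||
        { echo "frontier-squid is not installed"; return 1; }
    echo "frontier-squid $installed: $(frontier_squid_status "$installed")"
}

# Classify any version strings given on the command line (constructed input).
for v in "$@"; do echo "$v: $(frontier_squid_status "$v")"; done
```

Run it with no arguments and call `check_installed` to test the local package, or pass version strings such as `4.6-1.1 4.4-2.1` to classify them directly.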

REFERENCES

[1] http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
[2] http://frontier.cern.ch/dist/rpms/frontier-squidRELEASE_NOTES

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team