Advisory ID: SQUID-2019:1
Date: July 12, 2019
Summary: Denial of Service issue in the cache manager CGI tool
Affected versions: Squid 4.x -> 4.7
Fixed in version: Squid 4.8

Problem Description:

Due to incorrect string termination, the cache manager CGI tool may access unallocated memory. On systems with memory access protections, this can result in the CGI process terminating unexpectedly, causing a denial of service for all clients using it.

Severity:

This problem allows a remote attacker with access to the Squid manager API to perform a denial of service against other clients of the same CGI process. The issue is limited to the CGI binary; the Squid proxy process serving the HTTP manager interface is not affected. Web servers running per-client instances of CGI tools are still affected, but there the crash only terminates the attacker's own instance and cannot affect other clients.

Updated Packages:

This bug is fixed in Squid version 4.8.

Patches for stable releases are available here: SQUID-2019_1.patch

Refer to your package vendor for prepackaged Squid versions.

Determining Vulnerability:

Squid 3.x and older versions are not vulnerable.

Squid 4.x up to and including 4.7 are vulnerable.

Squid 4.7 and older versions accessed only via the HTTP manager interface (that is, without the CGI tool) are not vulnerable.

Workarounds:

Either convert to the HTTP manager interface and stop using the CGI tool, or deny all access with the 'manager' ACL in the Squid configuration. The latter removes the vulnerability at the cost of reduced management and monitoring.

Credits:

Vulnerability discovered by Alex Rousskov of The Measurement Factory.

Fixed by Amos Jeffries from Treehouse Networks Ltd.
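As an added illustration of the two workarounds above (this fragment is not part of the advisory or the Squid project's documentation), the relevant squid.conf rules. It assumes the built-in 'manager' and 'localhost' ACL definitions that Squid 4 provides and the default listening port 3128; adjust both to your configuration.

```conf
# Added example, not from the advisory: squid.conf fragments for the
# SQUID-2019:1 workarounds. Assumes Squid 4's built-in 'manager' and
# 'localhost' ACLs and the default http_port 3128.

# Option 1: keep management via the HTTP manager interface only.
# Restrict it to the proxy host and stop deploying the CGI tool on any
# web server. The proxy process itself is not affected by this issue.
http_access allow localhost manager
http_access deny manager
# Query the HTTP manager interface from the proxy host, for example:
#   curl http://127.0.0.1:3128/squid-internal-mgr/info

# Option 2: no management access at all. Place this rule before any
# http_access allow rule so it cannot be bypassed by an earlier match.
# This also disables HTTP manager access, hence the reduced monitoring
# the advisory mentions.
http_access deny manager
```

Use one option or the other; with Option 2 in place, any remaining `http_access allow ... manager` line below it is dead configuration. In either case, test with `squid -k parse` before reloading so an ordering mistake does not silently leave the manager interface open.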