|Summary:||SQUID-2019:4 Multiple Issues in HTTP Request processing|
|Product:||IPFire||Reporter:||Michael Tremer <michael.tremer>|
|Status:||CLOSED ERRATA||QA Contact:|
|Priority:||Will affect most users||CC:||peter.mueller|
Description Michael Tremer 2020-04-19 18:59:50 UTC
__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2019:4 __________________________________________________________________ Advisory ID: SQUID-2019:4 Date: April 18, 2020 Summary: Multiple Issues in HTTP Request processing. Affected versions: Squid 3.5.18 -> 3.5.28 Squid 4.0.10 -> 4.7 Fixed in version: Squid 4.8 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2019_4.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12520 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12524 __________________________________________________________________ Problem Description: Due to incorrect URL handling Squid is vulnerable to access control bypass, cache poisoning and cross-site scripting attacks when processing HTTP Request messages. __________________________________________________________________ Severity: A remote client can deliver crafted URLs to bypass cache manager security controls and retrieve confidential details about the proxy and traffic it is handling. A remote client can deliver crafted URLs which cause arbitrary content from one origin server to be stored in cache as URLs within another origin. This opens a window of opportunity for clients to be tricked into fetching and XSS execution of that content via side channels. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 4.8. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 4: <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x are not vulnerable. All Squid-3.x up to and including 3.5.17 are not vulnerable. All Squid-3.5.18 up to and including 3.5.28 are vulnerable. All Squid-4.x up to and including 4.0.9 are not vulnerable. All Squid-4.x up to and including 4.7 without HTTPS support are not vulnerable. All Squid-4.0.10 up to and including 4.7 with HTTPS support are vulnerable. __________________________________________________________________ Workarounds: There are no workarounds for Squid-3.5. For Squid-4 build using --without-openssl --without-gnutls __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the email@example.com mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://bugs.squid-cache.org/>. For reporting of security sensitive bugs send an email to the firstname.lastname@example.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: This vulnerability was discovered by Jeriko One <email@example.com>. Fixed by Amos Jeffries of Treehouse Networks Ltd. __________________________________________________________________ Revision history: 2019-05-14 14:56:49 UTC Initial Report 2019-06-23 15:15:56 UTC Patches Released 2019-06-05 15:52:17 UTC CVE Assignment __________________________________________________________________ END _______________________________________________ squid-announce mailing list firstname.lastname@example.org http://lists.squid-cache.org/listinfo/squid-announce
Comment 1 Michael Tremer 2020-04-19 19:00:58 UTC
Who is up for this one?
Comment 2 Arne.F 2020-04-25 16:27:45 UTC
squid 4.8 was relased in July 2019. we are already on a newer version.