Any plans to get this into Debian, or if they'll apply the patch to 4.11?

Cheers
MarkJ

> On 27 Jun 2020, at 2:45 am, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2020:7
> __________________________________________________________________
>
> Advisory ID:        | SQUID-2020:7
> Date:               | June 26, 2020
> Summary:            | Cache Poisoning Issue
>                     | in HTTP Request processing.
> Affected versions:  | Squid 2.x -> 2.7.STABLE9
>                     | Squid 3.x -> 3.5.28
>                     | Squid 4.x -> 4.11
>                     | Squid 5.x -> 5.0.2
> Fixed in version:   | Squid 4.12 and 5.0.3
> __________________________________________________________________
>
> <https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5>
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15049>
> __________________________________________________________________
>
> Problem Description:
>
> Due to incorrect input validation Squid is vulnerable to a
> Request Smuggling and Poisoning attack against the HTTP cache.
>
> __________________________________________________________________
>
> Severity:
>
> This problem allows a trusted client to perform request smuggling
> and poison the HTTP cache contents with crafted HTTP(S) request
> messages.
>
> This attack requires an upstream server to participate in the
> smuggling and generate the poison response sequence. Most popular
> server software are not vulnerable to participation in this
> attack.
>
> CVSS Score of 9.3
> <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1>
>
> __________________________________________________________________
>
> Updated Packages:
>
> This bug is fixed by Squid versions 4.12 and 5.0.3.
>
> In addition, patches addressing this problem for the stable
> releases can be found in our patch archives:
>
> Squid 4:
> <http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch>
>
> Squid 5:
> <http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch>
>
> If you are using a prepackaged version of Squid then please refer
> to the package vendor for availability information on updated
> packages.
>
> __________________________________________________________________
>
> Determining if your version is vulnerable:
>
> All Squid-3.x up to and including 3.5.28 are vulnerable.
>
> All Squid-4.x up to and including 4.11 are vulnerable.
>
> Squid-5.0.1 and 5.0.2 are vulnerable.
>
> __________________________________________________________________
>
> Workaround:
>
> There is no workaround for this vulnerability.
>
> __________________________________________________________________
>
> Contact details for the Squid project:
>
> For installation / upgrade support on binary packaged versions
> of Squid: Your first point of contact should be your binary
> package vendor.
>
> If you install and build Squid from the original Squid sources
> then the <squid-users@xxxxxxxxxxxxxxxxxxxxx> mailing list is your
> primary support point. For subscription details see
> <http://www.squid-cache.org/Support/mailing-lists.html>.
>
> For reporting of non-security bugs in the latest STABLE release
> the squid bugzilla database should be used
> <http://bugs.squid-cache.org/>.
>
> For reporting of security sensitive bugs send an email to the
> <squid-bugs@xxxxxxxxxxxxxxxxxxxxx> mailing list. It's a closed
> list (though anyone can post) and security related bug reports
> are treated in confidence until the impact has been established.
>
> __________________________________________________________________
>
> Credits:
>
> This vulnerability was discovered by Alex Rousskov of The
> Measurement Factory.
>
> Independent discovery and replication reported by Amit Klein of
> Safebreach.
>
> Fixed by Alex Rousskov of The Measurement Factory.
>
> __________________________________________________________________
>
> Revision history:
>
> 2016-09-06 02:45:20 UTC Initial Report
> 2020-05-11 12:41:17 UTC Replication Reported
> 2020-05-13 14:05:00 UTC Patch Released
> 2020-06-25 11:15:10 UTC CVE Allocated
> ______________________
> END
> _______________________________________________
> squid-announce mailing list
> squid-announce@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-announce
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users