List: squid-announce
Subject: [squid-announce] [ADVISORY] SQUID-2015:2 Improper Protection of Alternate Path
From: Amos Jeffries <squid3@treenet.co.nz>
Date: 2015-07-09 3:39:29
Message-ID: 559DECF1.6050403@treenet.co.nz
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2015:2
__________________________________________________________________
Advisory ID: SQUID-2015:2
Date: July 06, 2015
Summary: Improper Protection of Alternate Path
Affected versions: Squid 0.x -> 3.5.5
Fixed in version: Squid 3.5.6
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
__________________________________________________________________
Problem Description:
Squid configured with cache_peer and operating on explicit proxy
traffic does not correctly handle CONNECT method peer responses.
__________________________________________________________________
Severity:
The bug is important because it allows remote clients to bypass
security in an explicit gateway proxy.
However, the bug is exploitable only if you have configured
cache_peer to receive CONNECT requests.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.6.
In addition, patches addressing this problem for stable releases
can be found in our patch archives:
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid versions with cache_peer omitted from squid.conf are
not vulnerable to the problem.
All Squid versions with squid.conf containing
"nonhierarchical_direct on" are not vulnerable to the problem.
All Squid-3.1 and later with nonhierarchical_direct omitted from
squid.conf are not vulnerable to the problem.
All other unpatched Squid versions configured to use a cache_peer
without the "originserver" option are vulnerable to the problem.
__________________________________________________________________
Workaround:
For Squid-3.0 and older ensure squid.conf contains
"nonhierarchical_direct on".
For Squid-3.1 and newer remove nonhierarchical_direct from
squid.conf.
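The two sections above ("Determining if your version is vulnerable" and "Workaround") amount to a short decision procedure over squid.conf plus the running version. The script below is an added example, not part of the advisory or of the Squid project's code: it encodes those rules (no cache_peer, "nonhierarchical_direct on", the 3.1+ omitted-directive case, the 3.5.6 fix, and the remaining cache_peer-without-originserver case) and runs them over two constructed sample configs. It assumes the config is a single text string (include files are not followed) and that a configuration whose only cache_peer lines carry "originserver" falls outside the advisory's vulnerable rule.

```python
"""Check a squid.conf against the SQUID-2015:2 decision rules.

Added example, not the advisory's or the Squid project's own code.
Assumes the config is one string; squid.conf "include" files are not
followed, and the version string is whatever `squid -v` reports.
"""
import re

FIXED_VERSION = (3, 5, 6)          # advisory: "Fixed in version: Squid 3.5.6"
NONHIER_DEFAULT_RULE = (3, 1)      # advisory rule for "Squid-3.1 and later"


def parse_version(text):
    """Turn '3.5.5' or '3.0.25' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def squid_directives(conf_text):
    """Yield (directive, [args]) for each non-comment line of squid.conf."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def assess(conf_text, version):
    """Return (vulnerable, reason) for this config text and Squid version."""
    ver = parse_version(version)
    if ver >= FIXED_VERSION:
        return False, "Squid %s contains the fix" % version

    peers = []        # every cache_peer line seen, as its argument list
    nonhier = None    # value of nonhierarchical_direct if the directive is present
    for name, args in squid_directives(conf_text):
        if name == "cache_peer":
            peers.append(args)
        elif name == "nonhierarchical_direct" and args:
            nonhier = args[0].lower()

    if not peers:
        return False, "no cache_peer configured"
    if nonhier == "on":
        return False, "nonhierarchical_direct on"
    if nonhier is None and ver >= NONHIER_DEFAULT_RULE:
        return False, "Squid-3.1 or later with nonhierarchical_direct omitted"

    # Remaining advisory rule: a cache_peer without the originserver option.
    exposed = [p for p in peers if "originserver" not in p]
    if exposed:
        return True, "cache_peer without originserver: " + " ".join(exposed[0])
    # Assumption (not spelled out in the advisory): originserver-only peers
    # fall outside the vulnerable rule, so report them as not matching it.
    return False, "all cache_peer entries carry originserver"


# Constructed sample configs (hostnames and ports are placeholders).
WEAK_CONF = """\
http_port 3128
cache_peer upstream.example.invalid parent 3128 0 no-query  # forwards CONNECT
nonhierarchical_direct off
"""

WORKAROUND_CONF = """\
http_port 3128
cache_peer upstream.example.invalid parent 3128 0 no-query
nonhierarchical_direct on
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("workaround", WORKAROUND_CONF)):
        for version in ("3.0.25", "3.5.5", "3.5.6"):
            print(label, version, assess(conf, version))
```

Run it as-is to see the table of outcomes; to check a real installation, read squid.conf into a string and pass the version line from `squid -v`. The check is deliberately conservative about comments and case, but it does not resolve `include` directives, so a config split across files needs concatenating first.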
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The vulnerability was reported and fixed by Alex Rousskov, The
Measurement Factory.
__________________________________________________________________
Revision history:
2015-06-16 16:54 GMT Initial Report and Patches Released
2015-05-03 15:37 GMT Packages Released
__________________________________________________________________
END