Date: Fri, 10 Jul 2015 15:33:28 +1200 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com Subject: Re: Squid HTTP proxy CVE request -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/07/2015 8:47 a.m., Reed Black wrote: > As I read this, issue #1 allows CONNECT requests to proceed that > shouldn't otherwise. Is unsetting AllowTcpForwarding also > sufficient for the "Determining if your version is vulnerable" > section? Short answer is no. Lonng answer: Since the only reference I can find for AllowTcpForwarding is TLS/SSL related it looks like you are falling into the common misbelief that HTTP CONNECT messages mean HTTPS (TLS). CONNECT is a generic instruction for the proxy to setup a TCP tunnel. Once such a tunnel exists it can be used for any TCP based protocol. HTTP over TLS is just one usage So no, the breakage happens at the plain-text HTTP layer below any TLS that might be used to secure whatever the tunnelled protocol is. Amos > > On Mon, Jul 6, 2015 at 4:26 AM, Amos Jeffries > <squid3@...enet.co.nz> wrote: > > Greetings, > > This months release of Squid HTTP proxy, version 3.5.6, contains > fixes for two security issues. > > > Issue #1: > > Due to incorrect handling of peer responses in a hierarchy of 2 or > more proxies remote clients (or scripts run on a client) are able > to gain unrestricted access through a gateway proxy to its backend > proxy. > > If the two proxies have differing levels of security this could > lead to authentication bypass or unprivileged access to supposedly > secure resources. > > <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856 .p > > atch> > > All Squid up to and including 3.5.5 are vulnerable. > > (when published the advisory for this will be > <http://www.squid-cache.org/Advisories/SQUID-2015_2.txt>) > > > Issue #2: > > This is somewhat more obscure, and I am seeking clarification > perhapse more than assignment. > > Squid up to and including 3.5.5 are apparently vulnerable to DoS > attack from malicious clients using repeated TLS renegotiation > messages. This has not been verified as it also seems to require > outdated (0.9.8l and older) OpenSSL libraries. > > <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849 .p > > atch> > > CVE-2009-3555 was mentioned by the submitter, but that was clearly > assigned for server-initiated renegotiation. This Squid change is > specifically for the client-initiated renegotiation part of the > TLS protocol flaw. > > There may be some relevant CVE already assigned, although I've > been unable to find it. Only CVE-2011-1473 which is for the library > itself and disputed. > > So, is server software being assigned specific CVE (or a shared > generic one) for resolving this flaw? Please indicate which CVE > Squid announcements should mention (if any). > > > Thanks, Amos Jeffries Squid Software Foundation >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQIcBAEBAgAGBQJVnz0IAAoJEGvSOzfXE+nLTk8QAIg6hY8UOhuwVYxdEKYm71jd i28X64kWfthKBtACRjzuzbC/OFDOd9EQjuXg07dmKcMDh8UFfr+C62GELwSqQqfH uHDD26WfiiSZh3ik4PXd3yRuybioLuiWTvVf+aXWz49ozItuHkMCVe+2LYp7H+0I 7Rykv19MvgVCeI5jb2jGprka7A+AAlBkGRWWISHpNzvLZzE6OEZD/kYwHfo8Litm tZvTMXIiMZVdEzgXd4IqlqDSRL2+dWdIbrrQ4qd5Q+XIFttdYBMbs1PBYm/zH6Wa morDPDd178LULqCpW45DscRX+GY0MpLDv3xA6LJRwxjmoOqDOnyQUeSNyKrZ9x0N qiAP/Doqj97bB0HH5pX/0lbabUIayPmQA/AY1QCYZpuv8DH8snfFT0ySD31vhqyQ 2tgW4PhVcovXBfZ9mRRtnH/E+4NmX1m7lZMn0Re6aPXPQir6dEy+NyoaYd//IL0D ZHVtAnYuKs2AIuHxJWwfG86Ko/xqYcQot+KzplSBB/N5/qLdHTuHI+mlybFoaaaE q4HpLIT6K0aBwRdURsnuc85KVQNZNpoFKftK8bz4lWhQdE/mJu5SqVUWkXlYNYUW l8Pkg5cglcGpz8da2TWy6gVJHBNZIjhSRs4tpoUyL+8z4x6pcpSNzzAKzkzxyPt4 Y5tdS0d1dUzDYEt4HKBC =6miD -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ