Date: Fri, 6 May 2016 23:11:10 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE Request: Squid HTTP caching proxy

Hi,

several serious issues have been reported about the Squid proxy. (URLs below are now all public, but some of our mirrors may take a few more hours to pick up the changes).

1) Cache Poisoning issue in HTTP Request handling

Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors.

This can lead to cache poisoning of the Squid and browser caches, and bypass of same-origin and sandbox protections in browsers.

All Squid 2.x are not vulnerable.
All Squid-3.x up to and including 126.96.36.199 are not vulnerable unless they have been patched for CVE-2009-0801.
All Squid-188.8.131.52 and later up to and including 3.5.17 are vulnerable.
All Squid-4.x up to and including 4.0.9 are vulnerable.

Advisory at <http://www.squid-cache.org/Advisories/SQUID-2016_7.txt>

Patch at <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch>
(patches for other versions are TBD.)

2) Header Smuggling issue in HTTP Request processing

Incorrect input validation allows a client to smuggle a Host header value past same-origin security protections to cause Squid operating as an interception or reverse-proxy to contact the wrong origin server, also poisoning any downstream cache which stores the response.

However, the cache poisoning is only possible if the caching agent (browser or explicit/forward proxy) is not following RFC 7230 processing guidelines and lets the smuggled value through.

NP: This appears to be an example of CWE-144, but smuggling just a specific header value instead of a whole message. The result is the same as documented for message smuggling but much harder to detect by observing log content, since there is no unexplained message or response corruption after the attack has happened.

All 2.x versions up to and including 2.7.STABLE9 are vulnerable.
All 3.x versions up to and including 3.5.17 are vulnerable.
All 4.x versions are not vulnerable.

Advisory at <http://www.squid-cache.org/Advisories/SQUID-2016_8.txt>

Patches at:
<http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10496.patch>
<http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11842.patch>
<http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12698.patch>
<http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13236.patch>
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch>

3) Multiple Denial of Service issues in ESI Response processing

Due to incorrect pointer handling and reference counting, Squid is vulnerable to a denial of service attack when processing ESI responses.

All Squid-2.x are not vulnerable.
Squid-3.x up to and including 3.5.17 and 4.x up to and including 4.0.9 are affected.

Vulnerability is configuration and build dependent. See the advisory for more detail if interested.

Advisory at <http://www.squid-cache.org/Advisories/SQUID-2016_9.txt>

Patches at:
<http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch>
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch>

Thanks
Amos Jeffries
Squid Software Foundation
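Issues 1 and 2 both turn on a proxy or cache accepting a request whose Host header and absolute-URI request-target disagree. The following is an added illustration, not Squid's code and not from the advisory: a small RFC 7230 section 5.4 consistency check of the kind a downstream cache or forward proxy should apply before trusting a request's target, with default-port normalization so that `example.com:80` and `example.com` compare equal. The sample requests are constructed for the example.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample requests (not taken from the advisory): one whose
# Host header agrees with the absolute-URI, one where it does not.
GOOD_REQUEST = "GET http://example.com/index.html HTTP/1.1\r\nHost: example.com:80\r\n\r\n"
SMUGGLED_REQUEST = "GET http://example.com/index.html HTTP/1.1\r\nHost: other.example\r\n\r\n"

DEFAULT_PORTS = {"http": 80, "https": 443}

def _normalize_authority(authority: str, scheme: str) -> str:
    """Lower-case the host and drop an explicit default port, so that
    'EXAMPLE.com:80' compares equal to 'example.com' for http."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        if int(port) == DEFAULT_PORTS.get(scheme):
            return host.lower()
        return f"{host.lower()}:{int(port)}"
    return authority.lower()

def check_target_consistency(raw: str) -> Tuple[bool, str]:
    """RFC 7230 section 5.4: when the request-target is an absolute-URI, the
    Host field must agree with its authority, and exactly one Host field
    must be present. Returns (accepted, reason)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request-line"
    method, target, _version = parts
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return False, "exactly one Host header is required"
    # origin-form, asterisk-form and CONNECT authority-form carry no URI authority
    if target.startswith("/") or target == "*" or method == "CONNECT":
        return True, "no absolute-URI; Host used as the target authority"
    uri = urlsplit(target)
    if uri.scheme not in DEFAULT_PORTS or not uri.netloc:
        return False, "request-target is not a valid http(s) absolute-URI"
    if _normalize_authority(uri.netloc, uri.scheme) != _normalize_authority(hosts[0], uri.scheme):
        return False, f"Host '{hosts[0]}' disagrees with absolute-URI authority '{uri.netloc}'"
    return True, "Host agrees with absolute-URI authority"

if __name__ == "__main__":
    for req in (GOOD_REQUEST, SMUGGLED_REQUEST):
        print(check_target_consistency(req))
```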