Date: Mon, 29 Oct 2018 05:13:40 +1300 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com Subject: Squid Proxy multiple vulnerabilities Several vulnerabilities have recently been found in Squid HTTP proxy. CVE have been requested and awaiting assignment by the DWF project. * An Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found in the TLS error handling by Squid. Several fields of X.509 certificates can contain HTML syntax and were not being correctly quoted/encoded before inserting into HTML error pages generated by the proxy. This issue allows an attacker to craft a X.509 certificate that both triggers an error and alters how that error is displayed by a client such as a Browser. Affected Versions: Squid 184.108.40.206 -> 3.1.23 Squid 4.0 -> 4.3 Squid 3.1.12 and older including Squid-2.x are not vulnerable. The patch for Squid-3.5 should apply relatively cleanly to all v3.x affected versions. <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch> <http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch> <http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch> <http://www.squid-cache.org/Advisories/SQUID-2018_4.txt> * A small memory leak (CWE-400, CWE-401, CWE-772) in processing of SNMP packets can be abused by remote attackers to consume large amounts of memory over a short time. Under testing this lead to Squid crashing and direct denial of service to clients using the proxy. Also, in Linux environments with default virtual memory allocation policies it lead to complete consumption of the machines available memory and denial of service to other applications using the same server. In these latter situations a hard restart of the server may be necessary to recover. Affected versions: Squid 220.127.116.11 -> 3.5.28 Squid 4.x -> 4.3 Squid 18.104.22.168 and older (including Squid-2.x) are not vulnerable. This issue is limited to Squid receiving SNMP traffic. So builds using --disable-snmp are not at all vulnerable. Builds not configured to receive SNMP (default, absent, or '0' values for snmp_port) are not immediately vulnerable, but may becomes so with simple configuration changes. The patch for Squid-3.5 should apply relatively cleanly to all v3.x affected versions. <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch> <http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch> <http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch> <http://www.squid-cache.org/Advisories/SQUID-2018_5.txt> Amos Jeffries The Squid Software Foundation Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.