Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing


Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Marcus Kool
Amos,
The latest version of Squid is 4.10.  Do you mean "fixed in 4.10" instead of "fixed in 4.8" ?

Thanks,
Marcus

On 18/04/2020 14:10, Amos Jeffries wrote:

> __________________________________________________________________
>
>      Squid Proxy Cache Security Update Advisory SQUID-2019:4
> __________________________________________________________________
>
> Advisory ID:        SQUID-2019:4
> Date:               April 18, 2020
> Summary:            Multiple Issues
>                      in HTTP Request processing.
> Affected versions:  Squid 3.5.18 -> 3.5.28
>                      Squid 4.0.10 -> 4.7
> Fixed in version:   Squid 4.8
> __________________________________________________________________
>
>      http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12520
>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12524
> __________________________________________________________________
>
> Problem Description:
>
>   Due to incorrect URL handling Squid is vulnerable to access
>   control bypass, cache poisoning and cross-site scripting attacks
>   when processing HTTP Request messages.
>
> __________________________________________________________________
>
> Severity:
>
>   A remote client can deliver crafted URLs to bypass cache manager
>   security controls and retrieve confidential details about the
>   proxy and traffic it is handling.
>
>   A remote client can deliver crafted URLs which cause arbitrary
>   content from one origin server to be stored in cache as URLs
>   within another origin. This opens a window of opportunity for
>   clients to be tricked into fetching and XSS execution of that
>   content via side channels.
>
> __________________________________________________________________
>
> Updated Packages:
>
>   This bug is fixed by Squid version 4.8.
>
>   In addition, patches addressing this problem for the stable
>   releases can be found in our patch archives:
>
> Squid 4:
>   <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch>
>
>   If you are using a prepackaged version of Squid then please refer
>   to the package vendor for availability information on updated
>   packages.
>
> __________________________________________________________________
>
> Determining if your version is vulnerable:
>
>   All Squid-2.x are not vulnerable.
>
>   All Squid-3.x up to and including 3.5.17 are not vulnerable.
>
>   All Squid-3.5.18 up to and including 3.5.28 are vulnerable.
>
>   All Squid-4.x up to and including 4.0.9 are not vulnerable.
>
>   All Squid-4.x up to and including 4.7 without HTTPS support are
>   not vulnerable.
>
>   All Squid-4.0.10 up to and including 4.7 with HTTPS support are
>   vulnerable.
>
> __________________________________________________________________
>
> Workarounds:
>
>   There are no workarounds for Squid-3.5.
>
>   For Squid-4 build using --without-openssl --without-gnutls
>
>
> __________________________________________________________________
>
> Contact details for the Squid project:
>
>   For installation / upgrade support on binary packaged versions
>   of Squid: Your first point of contact should be your binary
>   package vendor.
>
>   If you install and build Squid from the original Squid sources
>   then the [hidden email] mailing list is your
>   primary support point. For subscription details see
>   <http://www.squid-cache.org/Support/mailing-lists.html>.
>
>   For reporting of non-security bugs in the latest STABLE release
>   the squid bugzilla database should be used
>   <http://bugs.squid-cache.org/>.
>
>   For reporting of security sensitive bugs send an email to the
>   [hidden email] mailing list. It's a closed
>   list (though anyone can post) and security related bug reports
>   are treated in confidence until the impact has been established.
>
> __________________________________________________________________
>
> Credits:
>
>   This vulnerability was discovered by Jeriko One
>   <[hidden email]>.
>
>   Fixed by Amos Jeffries of Treehouse Networks Ltd.
>
> __________________________________________________________________
>
> Revision history:
>
>   2019-05-14 14:56:49 UTC Initial Report
>   2019-06-23 15:15:56 UTC Patches Released
>   2019-06-05 15:52:17 UTC CVE Assignment
> __________________________________________________________________
> END
> _______________________________________________
> squid-announce mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-announce
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
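The "Determining if your version is vulnerable" and "Workarounds" sections of the quoted advisory are a set of version-range rules with one build-option caveat (4.x is only affected when built with HTTPS support). The following is an added example for this thread, not code from the squid-users list or the Squid project: it encodes those rules and applies them to the text `squid -v` prints. The affected ranges are copied from the advisory; the `squid -v` sample is constructed, and the assumption that "HTTPS support" means a build configured with OpenSSL or GnuTLS is taken from the advisory's own workaround (`--without-openssl --without-gnutls`).

```python
"""Apply the SQUID-2019:4 "Determining if your version is vulnerable" rules
to the output of `squid -v`.

Added example for this thread; it is not code from the squid-users list or
the Squid project. Version ranges are copied from the advisory; the
`squid -v` sample below is constructed, not captured from a real host.
"""
import re
from typing import NamedTuple, Tuple

Version = Tuple[int, ...]

# Inclusive bounds, exactly as the advisory lists them.
AFFECTED_35 = ((3, 5, 18), (3, 5, 28))   # vulnerable regardless of build options
AFFECTED_4 = ((4, 0, 10), (4, 7))        # vulnerable only when built with HTTPS support
FIXED_IN = (4, 8)


class Assessment(NamedTuple):
    version: Version
    https_support: bool
    vulnerable: bool
    reason: str


def parse_version(text: str) -> Version:
    """Pull a dotted version out of a line such as 'Squid Cache: Version 4.0.10'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_range(v: Version, lo: Version, hi: Version) -> bool:
    """Inclusive range test on version tuples (lexicographic, like the advisory's '->')."""
    return lo <= v <= hi


def parse_squid_v(output: str) -> Tuple[Version, bool]:
    """Extract the version and whether the build was configured with a TLS library.

    Assumption: 'HTTPS support' in the advisory means the build was configured
    with OpenSSL or GnuTLS, the two libraries its workaround says to leave out
    (--without-openssl --without-gnutls). '--without-openssl' does not match
    the pattern below because the hyphen must follow 'with' directly.
    """
    version = None
    https_support = False
    for line in output.splitlines():
        if line.startswith("Squid Cache: Version"):
            version = parse_version(line)
        elif line.startswith("configure options:"):
            https_support = re.search(r"--with-(openssl|gnutls)\b", line) is not None
    if version is None:
        raise ValueError("no 'Squid Cache: Version' line in squid -v output")
    return version, https_support


def assess(version: Version, https_support: bool) -> Assessment:
    """Classify a version against the advisory's ranges."""
    major = version[0]
    if major <= 2:
        return Assessment(version, https_support, False, "Squid-2.x is not affected")
    if major == 3:
        if in_range(version, *AFFECTED_35):
            return Assessment(version, https_support, True,
                              "3.5.18 - 3.5.28 is affected and the advisory lists no workaround; upgrade")
        return Assessment(version, https_support, False,
                          "3.x outside 3.5.18 - 3.5.28 is not affected")
    if major == 4 and in_range(version, *AFFECTED_4):
        if https_support:
            return Assessment(version, https_support, True,
                              "4.0.10 - 4.7 built with HTTPS support is affected; "
                              "upgrade to 4.8 or later, or rebuild --without-openssl --without-gnutls")
        return Assessment(version, https_support, False,
                          "4.0.10 - 4.7 without HTTPS support is not affected")
    return Assessment(version, https_support, False,
                      "not in an affected range; the fix shipped in "
                      + ".".join(map(str, FIXED_IN)))


def assess_output(squid_v_output: str) -> Assessment:
    """Convenience wrapper: `squid -v` text in, assessment out."""
    return assess(*parse_squid_v(squid_v_output))


# Constructed sample in the shape `squid -v` prints (not a real capture).
SAMPLE_SQUID_V = """Squid Cache: Version 4.6
Service Name: squid
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'
"""

if __name__ == "__main__":
    result = assess_output(SAMPLE_SQUID_V)
    print(".".join(map(str, result.version)), "https:", result.https_support,
          "vulnerable:", result.vulnerable, "-", result.reason)
```

Run it with `squid -v | python3 check_squid_2019_4.py` after replacing the sample with `sys.stdin.read()`. A version string alone is a prompt for further checking rather than a verdict: as Amos notes later in this thread, the Debian Buster 4.6 package carries many of the 4.x CVE patches, so a distribution package that matches an affected range may already have this fix applied in its changelog.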

Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Amos Jeffries

On 19/04/20 6:52 am, Marcus Kool wrote:
> Amos,
> The latest version of Squid is 4.10.  Do you mean "fixed in 4.10"
> instead of "fixed in 4.8" ?
>

No, these CVEs were fixed in 4.8. The advisory was embargoed for another
issue, which has taken too long and is now going to be fixed in a later
release.

Amos



> Thanks,
> Marcus
>
> On 18/04/2020 14:10, Amos Jeffries wrote:
>> __________________________________________________________________
>>
>>      Squid Proxy Cache Security Update Advisory SQUID-2019:4
>> __________________________________________________________________
>>
>> Advisory ID:        SQUID-2019:4
>> Date:               April 18, 2020
>> Summary:            Multiple Issues
>>                      in HTTP Request processing.
>> Affected versions:  Squid 3.5.18 -> 3.5.28
>>                      Squid 4.0.10 -> 4.7
>> Fixed in version:   Squid 4.8
>> __________________________________________________________________
>>
>>      http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
>>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12520
>>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12524
>> __________________________________________________________________
>>

Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

TarotApprentice
I am not sure if you have any contact with the Debian maintainers. I raised a bug with Debian in March asking for 4.10 to get promoted to buster-backports on the grounds of security fixes. If we’re on the stable release (buster) we are stuck with 4.6 until the next stable release (up to 2 years), use the testing release which has other changes or we have to compile our own.


MarkJ 


On 19 Apr 2020, at 1:33 pm, Amos Jeffries <[hidden email]> wrote:

> On 19/04/20 6:52 am, Marcus Kool wrote:
>> Amos,
>> The latest version of Squid is 4.10.  Do you mean "fixed in 4.10"
>> instead of "fixed in 4.8" ?
>>
>
> No, these CVEs were fixed in 4.8. The advisory was embargoed for another
> issue, which has taken too long and is now going to be fixed in a later
> release.
>
> Amos
>
>> Thanks,
>> Marcus
>>
>> On 18/04/2020 14:10, Amos Jeffries wrote:
>>> __________________________________________________________________
>>>
>>>      Squid Proxy Cache Security Update Advisory SQUID-2019:4
>>> __________________________________________________________________
>>>
>>> Advisory ID:        SQUID-2019:4
>>> Date:               April 18, 2020
>>> Summary:            Multiple Issues
>>>                      in HTTP Request processing.
>>> Affected versions:  Squid 3.5.18 -> 3.5.28
>>>                      Squid 4.0.10 -> 4.7
>>> Fixed in version:   Squid 4.8
>>> __________________________________________________________________
>>>
>>>      http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
>>>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12520
>>>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12524
>>> __________________________________________________________________
>>>

Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Dmitry Melekhov


19.04.2020 12:18, TarotApprentice wrote:
> I am not sure if you have any contact with the Debian maintainers. I raised a bug with Debian in March asking for 4.10 to get promoted to buster-backports on the grounds of security fixes. If we’re on the stable release (buster) we are stuck with 4.6 until the next stable release (up to 2 years), use the testing release which has other changes or we have to compile our own.




4.10 does not contain fix :-)




Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Amos Jeffries
In reply to this post by TarotApprentice
On 19/04/20 8:18 pm, TarotApprentice wrote:
> I am not sure if you have any contact with the Debian maintainers. I
> raised a bug with Debian in March asking for 4.10 to get promoted to
> buster-backports on the grounds of security fixes. If we’re on the
> stable release (buster) we are stuck with 4.6 until the next stable
> release (up to 2 years), use the testing release which has other changes
> or we have to compile our own.

I am part of the Debian packaging team assisting Luigi. AFAIK this is in
the hands of the security team since it would be those grounds for backport.

Security have just been in contact after a review and update of the open
issues they are tracking against Debian Squid packages. Though I have
not heard if any decision has been made about this request.

What I do know is that many of the CVEs with 4.x patches have had those
applied to the Debian package available in Buster. There are some which
do not backport easily, so not 100%, but the old package is not as
vulnerable as it may appear from just the number.

Amos

Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Amos Jeffries
In reply to this post by Dmitry Melekhov
On 19/04/20 8:22 pm, Dmitry Melekhov wrote:

>
> 19.04.2020 12:18, TarotApprentice wrote:
>> I am not sure if you have any contact with the Debian maintainers. I
>> raised a bug with Debian in March asking for 4.10 to get promoted to
>> buster-backports on the grounds of security fixes. If we’re on the
>> stable release (buster) we are stuck with 4.6 until the next stable
>> release (up to 2 years), use the testing release which has other
>> changes or we have to compile our own.
>>
>> Link to bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954488
>>
>
> 4.10 does not contain fix :-)
>

Which fix are you talking about?

 The bug TarotApprentice referenced is a publishing issue within Debian.
Requesting an event which has not happened yet.

 The bug this advisory is talking about definitely is fixed in Squid
4.10 code. The patch was added way back in 4.8 release.


Amos

Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Dmitry Melekhov

19.04.2020 12:37, Amos Jeffries wrote:

> On 19/04/20 8:22 pm, Dmitry Melekhov wrote:
>> 19.04.2020 12:18, TarotApprentice wrote:
>>> I am not sure if you have any contact with the Debian maintainers. I
>>> raised a bug with Debian in March asking for 4.10 to get promoted to
>>> buster-backports on the grounds of security fixes. If we’re on the
>>> stable release (buster) we are stuck with 4.6 until the next stable
>>> release (up to 2 years), use the testing release which has other
>>> changes or we have to compile our own.
>>>
>>> Link to bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954488
>>>
>> 4.10 does not contain fix :-)
>>
> Which fix are you talking about?
>
>   The bug TarotApprentice referenced is a publishing issue within Debian.
> Requesting an event which has not happened yet.
>
>   The bug this advisory is talking about definitely is fixed in Squid
> 4.10 code. The patch was added way back in 4.8 release.


Affected versions:  Squid 3.5.18 -> 3.5.28
                     Squid 4.0.10 -> 4.7


Well, this announcement is extremely misleading then...



Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Antony Stone
On Sunday 19 April 2020 at 11:47:41, Dmitry Melekhov wrote:

> 19.04.2020 12:37, Amos Jeffries wrote:
> > On 19/04/20 8:22 pm, Dmitry Melekhov wrote:
> >
> > > 4.10 does not contain fix :-)
> >
> > Which fix are you talking about?
> >
> > The bug this advisory is talking about definitely is fixed in Squid
> > 4.10 code. The patch was added way back in 4.8 release.
>
> Affected versions:  Squid 3.5.18 -> 3.5.28
>                      Squid 4.0.10 -> 4.7

You omitted the next line:

Fixed in version:   Squid 4.8

> Well, this announcement is extremely misleading then...

What's misleading?

It's a standard security advisory telling us what the vulnerability is, which
versions are affected, and which version it is fixed from.


Regards,


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

Dmitry Melekhov

19.04.2020 13:53, Antony Stone wrote:
>
> What's misleading?


Sorry, I read it wrong.

Thank you!


