Re: [squid-announce] [ADVISORY] SQUID-2020:7 Cache Poisoning Issue in HTTP Request processing


Re: [squid-announce] [ADVISORY] SQUID-2020:7 Cache Poisoning Issue in HTTP Request processing

TarotApprentice
Any plans to get this into Debian, or whether they'll apply the patch to 4.11?

Cheers
MarkJ

> On 27 Jun 2020, at 2:45 am, Amos Jeffries <[hidden email]> wrote:
>
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2020:7
> __________________________________________________________________
>
> Advisory ID:       | SQUID-2020:7
> Date:              | June 26, 2020
> Summary:           | Cache Poisoning Issue
>                    | in HTTP Request processing.
> Affected versions: | Squid 2.x -> 2.7.STABLE9
>                    | Squid 3.x -> 3.5.28
>                    | Squid 4.x -> 4.11
>                    | Squid 5.x -> 5.0.2
> Fixed in version:  | Squid 4.12 and 5.0.3
> __________________________________________________________________
>
> <https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5>
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15049>
> __________________________________________________________________
>
> Problem Description:
>
> Due to incorrect input validation Squid is vulnerable to a
> Request Smuggling and Poisoning attack against the HTTP cache.
>
> __________________________________________________________________
>
> Severity:
>
> This problem allows a trusted client to perform request smuggling
> and poison the HTTP cache contents with crafted HTTP(S) request
> messages.
>
> This attack requires an upstream server to participate in the
> smuggling and generate the poison response sequence. Most popular
> server software are not vulnerable to participation in this
> attack.
>
> CVSS Score of 9.3
> <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1>
>
> __________________________________________________________________
>
> Updated Packages:
>
> This bug is fixed by Squid versions 4.12 and 5.0.3.
>
> In addition, patches addressing this problem for the stable
> releases can be found in our patch archives:
>
> Squid 4:
> <http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch>
>
> Squid 5:
> <http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch>
>
> If you are using a prepackaged version of Squid then please refer
> to the package vendor for availability information on updated
> packages.
>
> __________________________________________________________________
>
> Determining if your version is vulnerable:
>
> All Squid-3.x up to and including 3.5.28 are vulnerable.
>
> All Squid-4.x up to and including 4.11 are vulnerable.
>
> Squid-5.0.1 and 5.0.2 are vulnerable.
>
> __________________________________________________________________
>
> Workaround:
>
> There is no workaround for this vulnerability.
>
> __________________________________________________________________
>
> Contact details for the Squid project:
>
> For installation / upgrade support on binary packaged versions
> of Squid: Your first point of contact should be your binary
> package vendor.
>
> If you install and build Squid from the original Squid sources
> then the <[hidden email]> mailing list is your
> primary support point. For subscription details see
> <http://www.squid-cache.org/Support/mailing-lists.html>.
>
> For reporting of non-security bugs in the latest STABLE release
> the squid bugzilla database should be used
> <http://bugs.squid-cache.org/>.
>
> For reporting of security sensitive bugs send an email to the
> <[hidden email]> mailing list. It's a closed
> list (though anyone can post) and security related bug reports
> are treated in confidence until the impact has been established.
>
> __________________________________________________________________
>
> Credits:
>
> This vulnerability was discovered by Alex Rousskov of The
> Measurement Factory.
>
> Independent discovery and replication reported by Amit Klein of
> Safebreach.
>
> Fixed by Alex Rousskov of The Measurement Factory.
>
> __________________________________________________________________
>
> Revision history:
>
>
> 2016-09-06 02:45:20 UTC Initial Report
> 2020-05-11 12:41:17 UTC Replication Reported
> 2020-05-13 14:05:00 UTC Patch Released
> 2020-06-25 11:15:10 UTC CVE Allocated
> ______________________
> END
> _______________________________________________
> squid-announce mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-announce
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
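A defender-side version check against the affected ranges quoted in the advisory above, as an added example that is not code from the Squid project or from anyone in this thread. It assumes the ranges in the advisory's "Affected versions" table (2.x up to 2.7.STABLE9, 3.x up to 3.5.28, 4.x up to 4.11, 5.x up to 5.0.2) and that the string being checked is a `squid -v` banner or a bare version number; the sample banners are constructed. A distribution that backports the fix without changing the version, as the thread later reports Debian did for its 4.6, is still reported as vulnerable by a number-only check, so the result is a prompt to consult the vendor's security tracker, not a verdict.

```python
import re

# Upper bound of the affected range per major release, taken from the
# advisory's "Affected versions" table: 2.x -> 2.7.STABLE9, 3.x -> 3.5.28,
# 4.x -> 4.11, 5.x -> 5.0.2. The advisory names 4.12 and 5.0.3 as fixed.
AFFECTED_MAX = {
    2: (2, 7, 9),    # 2.7.STABLE9
    3: (3, 5, 28),
    4: (4, 11, 0),
    5: (5, 0, 2),
}

# Matches '4.11', '3.5.28', '2.7.STABLE9' and the version inside a
# 'Squid Cache: Version 4.6' banner.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?\b")


def parse_version(text):
    """Return (major, minor, patch) from a bare version string or a
    'squid -v' banner. '2.7.STABLE9' parses as (2, 7, 9); a missing third
    component is treated as 0. Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_vulnerable(version):
    """True when the upstream version number falls inside an affected range.
    Majors the advisory does not list (e.g. a future 6.x) are not flagged."""
    major = version[0]
    if major not in AFFECTED_MAX:
        return False
    return version <= AFFECTED_MAX[major]


def assess(banner):
    """Classify one banner as 'unknown', 'vulnerable' or 'fixed'.
    'vulnerable' only means the upstream number is in range: a distro that
    backported the patch without bumping the version still lands here, so
    confirm against the distribution's security tracker before acting."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "Squid Cache: Version 4.6",
        "Squid Cache: Version 4.12",
        "Squid Cache: Version 3.5.28",
        "Squid Cache: Version 5.0.3",
        "Squid Cache: Version 2.7.STABLE9",
        "squid: command not found",
    ]
    for s in samples:
        print(f"{s!r}: {assess(s)}")
```

In practice the banner would be fed in from `squid -v` run on each host; the script deliberately reads only the version number so it can run offline over collected inventory output.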

Re: [squid-announce] [ADVISORY] SQUID-2020:7 Cache Poisoning Issue in HTTP Request processing

Amos Jeffries
Administrator
v4.12 package is already being worked on. I'm not sure of ETA though,
it's already taken longer than usual.

Can't speak for the security team about the stable Debian packages.


Amos

Re: [squid-announce] [ADVISORY] SQUID-2020:7 Cache Poisoning Issue in HTTP Request processing

TarotApprentice
Debian bug 964283 raised. If you are talking to the Debian security team you might want to discuss pushing it into buster with one of their point releases.

MarkJ


Re: [squid-announce] [ADVISORY] SQUID-2020:7 Cache Poisoning Issue in HTTP Request processing

Eliezer Croitoru-3
If someone needs it, I can try to compile a Debian Buster-compatible binary as a drop-in replacement.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]


Re: [squid-announce] [ADVISORY] SQUID-2020:7 Cache Poisoning Issue in HTTP Request processing

TarotApprentice
It seems they decided to patch the 4.6 they have in Debian Buster.

There is no update on my Debian bug regarding promoting 4.12 to buster-backports.

MarkJ
