This issue allows attackers to smuggle HTTP requests through
frontend software to a Squid which splits the HTTP Request
pipeline differently. The resulting Response messages corrupt
caches between client and Squid with attacker controlled content
at arbitrary URLs..
Effects are isolated to software between the attacker client and
Squid. There are no effects on Squid itself, nor any upstream
For reporting of security sensitive bugs send an email to the
[hidden email] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
2019-07-24 11:52:51 UTC Initial Report
2019-09-11 02:52:52 UTC Patches Released
2019-11-04 13:43:22 UTC CVE Assignment
squid-announce mailing list
[hidden email] http://lists.squid-cache.org/listinfo/squid-announce