[squid-announce] [ADVISORY] SQUID-2015:2 Improper Protection of Alternate Path
squid3 at treenet.co.nz
Thu Jul 9 03:39:29 UTC 2015
Squid Proxy Cache Security Update Advisory SQUID-2015:2
Advisory ID: SQUID-2015:2
Date: July 06, 2015
Summary: Improper Protection of Alternate Path
Affected versions: Squid 0.x -> 3.5.5
Fixed in version: Squid 3.5.6
Squid configured with cache_peer and operating on explicit proxy
traffic does not correctly handle CONNECT method peer responses.
The bug is important because it allows remote clients to bypass
security in an explicit gateway proxy.
However, the bug is exploitable only if you have configured
cache_peer to receive CONNECT requests.
This bug is fixed by Squid version 3.5.6.
In addition, patches addressing this problem for stable releases
can be found in our patch archives:
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
Determining if your version is vulnerable:
All Squid versions with cache_peer omitted from squid.conf are
not vulnerable to the problem.
All Squid versions with squid.conf containing
"nonhierarchical_direct on" are not vulnerable to the problem.
All Squid-3.1 and later with nonhierarchical_direct omitted from
squid.conf are not vulnerable to the problem.
All other unpatched Squid configured to use a cache_peer without
the "originserver" option are vulnerable to the problem.
Workaround:
For Squid-3.0 and older ensure squid.conf contains
"nonhierarchical_direct on".
For Squid-3.1 and newer remove nonhierarchical_direct from
squid.conf, since those versions are not vulnerable when the
directive is omitted.
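As an added example that is not part of this advisory or of the Squid project, the decision procedure above (cache_peer present, nonhierarchical_direct setting, version line, originserver option) written as a POSIX shell function that classifies a version string plus a squid.conf text. The function names and the sample configurations are constructed for illustration; the version parser assumes Squid's "major.minor.patch" form and treats non-numeric trailing components such as "STABLE26" as zero.

```shell
#!/bin/sh
# Added example, not Squid project code: apply the SQUID-2015:2 criteria
# to a version string and a squid.conf text. Function names and sample
# configurations below are constructed for illustration.

# Turn "major.minor.patch" into one comparable integer. Non-numeric
# tails such as "STABLE26" count as 0 (assumption: at most three parts).
ver_key() {
  IFS=. read -r maj min pat <<EOF
$1
EOF
  maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# version_ge A B: succeeds when version A >= version B
version_ge() {
  [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]
}

# squid_2015_2_status VERSION CONF_TEXT
# Prints "fixed", "not-vulnerable" or "vulnerable", following the
# advisory's rules in the order it states them.
squid_2015_2_status() {
  ver=$1
  # Drop comments and blank lines so commented-out directives do not count.
  cfg=$(printf '%s\n' "$2" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d')

  if version_ge "$ver" 3.5.6; then
    echo fixed; return
  fi
  # No cache_peer at all: never vulnerable.
  if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*cache_peer[[:space:]]'; then
    echo not-vulnerable; return
  fi
  # Explicit "nonhierarchical_direct on": not vulnerable on any version.
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*nonhierarchical_direct[[:space:]]+on([[:space:]]|$)'; then
    echo not-vulnerable; return
  fi
  # Squid-3.1 and later with the directive omitted: not vulnerable.
  if version_ge "$ver" 3.1.0 && \
     ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*nonhierarchical_direct[[:space:]]'; then
    echo not-vulnerable; return
  fi
  # Remaining case: any cache_peer lacking the "originserver" option.
  if printf '%s\n' "$cfg" | grep -E '^[[:space:]]*cache_peer[[:space:]]' \
       | grep -Eqv '[[:space:]]originserver([[:space:]]|$)'; then
    echo vulnerable; return
  fi
  echo not-vulnerable
}

# Constructed sample configurations (not from any real deployment).
VULN_CONF='
http_port 3128
cache_peer parent.example.net parent 3128 0 no-query default
nonhierarchical_direct off
# cache_peer other.example.net parent 3128 0 originserver   (commented out)
http_access allow localhost
'
SAFE_CONF='
http_port 3128
cache_peer parent.example.net parent 3128 0 no-query default
nonhierarchical_direct on
'
OMIT_CONF='
http_port 3128
cache_peer parent.example.net parent 3128 0 no-query default
'
ORIGIN_CONF='
http_port 80 accel
cache_peer 192.0.2.10 parent 8080 0 no-query originserver
nonhierarchical_direct off
'

for v in 2.7.STABLE9 3.0.STABLE26 3.4.14 3.5.5 3.5.6; do
  printf '%-12s explicit-off=%-14s on=%-14s omitted=%-14s originserver=%s\n' "$v" \
    "$(squid_2015_2_status "$v" "$VULN_CONF")" \
    "$(squid_2015_2_status "$v" "$SAFE_CONF")" \
    "$(squid_2015_2_status "$v" "$OMIT_CONF")" \
    "$(squid_2015_2_status "$v" "$ORIGIN_CONF")"
done
```

The table the loop prints makes the version split visible: with cache_peer present and nonhierarchical_direct omitted, 3.0 and older classify as vulnerable while 3.1 through 3.5.5 do not, and every configuration classifies as fixed from 3.5.6 onward. Run it against a real installation with `squid_2015_2_status "$(squid -v | sed -n 's/^Squid Cache: Version //p')" "$(cat /etc/squid/squid.conf)"`, adjusting the path to your build.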
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
If you install and build Squid from the original Squid sources
then the squid-users at lists.squid-cache.org mailing list is your
primary support point. For subscription details see
For reporting of non-security bugs in the latest release
the squid bugzilla database should be used
For reporting of security sensitive bugs send an email to the
squid-bugs at lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
The vulnerability was reported and fixed by Alex Rousskov, The
2015-06-16 16:54 GMT Initial Report and Patches Released
2015-05-03 15:37 GMT Packages Released