[squid-users] [squid-announce] [ADVISORY] SQUID-2016:10 - Information disclosure in Collapsed Forwarding
Amos Jeffries
squid3 at treenet.co.nz
Sat Dec 17 16:04:19 UTC 2016
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:10
__________________________________________________________________
Advisory ID: SQUID-2016:10
Date: Dec 16, 2016
Summary: Information disclosure
in Collapsed Forwarding.
Affected versions: Squid 3.5 -> 3.5.22
Squid 4.0 -> 4.0.16
Fixed in version: Squid 4.0.17, 3.5.23
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
__________________________________________________________________
Problem Description:
Due to incorrect comparsion of request headers Squid can deliver
responses containing private data to clients it should not have
reached.
__________________________________________________________________
Severity:
This problem allows a remote attacker to discover private and
sensitive information about another clients browsing session.
Potentially including credentials which allow access to further
sensitive resources.
This problem only affects Squid configured to use the Collapsed
Forwarding feature.
It is of particular importance for HTTPS reverse-proxy sites
with Collapsed Forwarding.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.23 and 4.0.17.
In addition, patches addressing this problem can be found in our
patch archives:
Squid 3.5 (excluding 3.5.22):
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch>
Squid 3.5.22:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch>
Squid 4.0:
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
Squid-2.x have not been tested.
The following command can be used to determine if Squid-3 or
later have collapsed_forwarding in squid.conf:
(squid -k parse 2>&1) | grep collapsed_forwarding
All Squid-3.x versions without collapsed_forwarding configured
are not vulnerable.
All Squid-3.5 versions with 'collapsed_forwarding off'
configured are not vulnerable.
All Squid-3.5 versions up to and including Squid-3.5.22 with
'collapsed_forwarding on' configured are vulnerable.
All Squid-4.0 versions without collapsed_forwarding configured
are not vulnerable.
All Squid-4.0 versions with 'collapsed_forwarding off'
configured are not vulnerable.
All Squid-4.0 versions up to and including Squid-4.0.16 with
'collapsed_forwarding on' configured are vulnerable.
__________________________________________________________________
Workaround:
Remove all uses of 'collapsed_forwarding' from squid.conf and
included sub-files.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users at lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs at lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This issue was reported by Felix Hassert from Sevenval
Technologies GmbH.
Fixed by Eduard Bagdasaryan from Measurement Factory.
__________________________________________________________________
Revision history:
2016-11-28 17:28:43 UTC Initial Report
2016-12-16 18:37:00 UTC Packages Released
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce
More information about the squid-users
mailing list