Squid Proxy Cache Security Update Advisory SQUID-2020:1





    Advisory ID: SQUID-2020:1
    Date: February 03, 2020
    Summary: Improper Input Validation issues in HTTP Request processing.
    Affected versions:
      Squid 2.x -> 2.7.STABLE9
      Squid 3.x -> 3.5.28
      Squid 4.x -> 4.9
    Fixed in version: Squid 4.10


    http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450
    

    Problem Description:

    Due to incorrect input validation Squid can interpret crafted
    HTTP requests in unexpected ways to access server resources
    prohibited by earlier security filters.

    Due to incorrect buffer management a remote client can cause
    a buffer overflow in a Squid acting as reverse-proxy.


    Severity:

    This issue allows attackers to perform denial of service on the
    proxy and all clients using it.

    This issue potentially allows attackers to bypass security access
    controls in systems between client and proxy.

    This issue potentially allows remote code execution under the
    proxy low-privilege level. While restricted, it does have access
    to a wide range of information about the network structure and
    other clients using the proxy.

    This issue is limited to Squid acting as a reverse-proxy. Some
    effects also require allow_direct permissions.


    Updated Packages:

    This bug is fixed by Squid version 4.10.

    Is an update possible in the short term?


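
A triage check for the affected ranges and the reverse-proxy condition quoted above, as an added example that is not part of the advisory or of the original post. It assumes the version string comes from a `squid -v` banner and that an `accel` option on an `http_port`/`https_port` line marks reverse-proxy mode; the function names and sample inputs are hypothetical.

```python
import re

# Last affected release per major series, as listed in SQUID-2020:1.
LAST_AFFECTED = {2: (2, 7, 9), 3: (3, 5, 28), 4: (4, 9, 0)}

def parse_version(banner):
    """Parse '4.9', '3.5.28' or '2.7.STABLE9' out of a `squid -v` banner."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?", banner)
    if not m:
        raise ValueError("no Squid version found in: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    """True if the version is inside a range the advisory lists (fixed in 4.10)."""
    last = LAST_AFFECTED.get(version[0])  # series not listed -> not covered here
    return last is not None and version <= last

def accel_ports(conf_text):
    """Return http_port/https_port lines that enable accel (reverse-proxy) mode."""
    hits = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) > 2 and tokens[0] in ("http_port", "https_port") \
                and "accel" in tokens[2:]:
            hits.append(" ".join(tokens))
    return hits

def assess(banner, conf_text):
    """Combine both checks into one triage verdict."""
    if not is_affected(parse_version(banner)):
        return "not in an affected range"
    if accel_ports(conf_text):
        return "affected and reverse-proxy: upgrade to 4.10"
    return "affected version, no accel port found"

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Squid Cache: Version 4.9"
SAMPLE_CONF = """\
# forward proxy listener
http_port 3128
http_port 80 accel defaultsite=www.example.com  # reverse proxy
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```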