Squid Proxy Cache Security Update Advisory SQUID-2020:1
Advisory ID: SQUID-2020:1
Date: February 03, 2020
Summary: Improper Input Validation issues in HTTP Request processing.
Affected versions: Squid 2.x -> 2.7.STABLE9
                   Squid 3.x -> 3.5.28
                   Squid 4.x -> 4.9
Fixed in version: Squid 4.10

http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450
Problem Description:
Due to incorrect input validation Squid can interpret crafted
HTTP requests in unexpected ways to access server resources
prohibited by earlier security filters.

Due to incorrect buffer management a remote client can cause
a buffer overflow in a Squid acting as reverse-proxy.
Severity:
This issue allows attackers to perform denial of service on the
proxy and all clients using it.

This issue potentially allows attackers to bypass security access
controls in systems between client and proxy.

This issue potentially allows remote code execution under the
proxy low-privilege level. While restricted, it does have access
to a wide range of information about the network structure and
other clients using the proxy.

This issue is limited to Squid acting as a reverse-proxy. Some
effects also require allow_direct permissions.
Updated Packages:
This bug is fixed by Squid version 4.10.
Is an update possible in the short term?
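
To check a host against the affected ranges and the reverse-proxy condition stated in the advisory, the following is an added triage example, not code from the advisory or the Squid project. It assumes the version string has the form printed by `squid -v` ("Squid Cache: Version X"), that a listener is in reverse-proxy mode when its http_port/https_port line carries the `accel` option, and that the advisory's "allow_direct" refers to the `allow-direct` port option; the sample input is constructed.

```python
import re

# Highest affected release per major series, as listed in the advisory.
AFFECTED_MAX = {2: (2, 7, 9), 3: (3, 5, 28), 4: (4, 9)}

def parse_version(text):
    """Turn 'Squid Cache: Version 4.9' or '2.7.STABLE9' into a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?", text)
    if m is None:
        raise ValueError("no Squid version found in %r" % text)
    return tuple(int(g) for g in m.groups() if g is not None)

def in_affected_range(version):
    """True if the version falls inside a range the advisory lists."""
    limit = AFFECTED_MAX.get(version[0])  # series not listed (e.g. 5.x): False
    return limit is not None and version <= limit

def reverse_proxy_ports(conf_text):
    """Return (port, has_allow_direct) for every listener in accel mode."""
    found = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 3 or tokens[0] not in ("http_port", "https_port"):
            continue
        options = tokens[2:]
        if "accel" in options:  # assumption: accel marks reverse-proxy mode
            found.append((tokens[1], "allow-direct" in options))
    return found

def assess(version_text, conf_text):
    """Combine the version check with the reverse-proxy condition."""
    version = parse_version(version_text)
    ports = reverse_proxy_ports(conf_text)
    affected = in_affected_range(version)
    return {"version": version, "in_affected_range": affected,
            "reverse_proxy_ports": ports,
            "matches_advisory": affected and bool(ports)}

# Constructed sample input, not taken from a real host.
SAMPLE_VERSION = "Squid Cache: Version 4.9"
SAMPLE_CONF = """\
http_port 3128
# http_port 8080 accel
http_port 80 accel defaultsite=www.example.com allow-direct
https_port 443 accel cert=/etc/squid/example.pem
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

The upstream version number alone is not conclusive for distribution packages, which may carry a backported fix under an older version string.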