Netgate Discussion Forum

    Squid Proxy Cache Security Update Advisory SQUID-2020:1

      argenis27g


      Squid Proxy Cache Security Update Advisory SQUID-2020:1
      

      Advisory ID:        SQUID-2020:1
      Date:               February 03, 2020
      Summary:            Improper Input Validation issues
                          in HTTP Request processing.
      Affected versions:  Squid 2.x -> 2.7.STABLE9
                          Squid 3.x -> 3.5.28
                          Squid 4.x -> 4.9
      Fixed in version:   Squid 4.10


      http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450
      

      Problem Description:

      Due to incorrect input validation Squid can interpret crafted
      HTTP requests in unexpected ways to access server resources
      prohibited by earlier security filters.

      Due to incorrect buffer management a remote client can cause
      a buffer overflow in a Squid acting as reverse-proxy.


      Severity:

      This issue allows attackers to perform denial of service on the
      proxy and all clients using it.

      This issue potentially allows attackers to bypass security access
      controls in systems between client and proxy.

      This issue potentially allows remote code execution under the
      proxy low-privilege level. While restricted, it does have access
      to a wide range of information about the network structure and
      other clients using the proxy.

      This issue is limited to Squid acting as a reverse-proxy. Some
      effects also require allow_direct permissions.


      Updated Packages:

      This bug is fixed by Squid version 4.10.

      Is an update possible in the short term?

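A triage check for the advisory quoted above, as an added example that is not part of the original post or of the Squid project's code: it compares a `squid -v` version string against the affected ranges listed in the post and looks for reverse-proxy listeners in `squid.conf`, since the advisory limits the issue to reverse-proxy deployments. It assumes reverse-proxy mode is marked by `accel` or `vhost` on an `http_port`/`https_port` line; the function names, sample version output and sample config are constructed for illustration.

```python
import re

# Last affected release per series, as listed in the advisory (fixed in 4.10).
LAST_AFFECTED = {2: (2, 7, 9), 3: (3, 5, 28), 4: (4, 9, 0)}

# Constructed sample inputs (not taken from a real system).
SAMPLE_VERSION = "Squid Cache: Version 4.9\nService Name: squid\n"
SAMPLE_CONF = """\
http_port 3128
# http_port 8080 accel
https_port 443 accel defaultsite=www.example.com
"""

def parse_version(text):
    """Turn '4.9', '2.7.STABLE9' or `squid -v` output into a comparable tuple."""
    m = re.search(r"(?:Version\s+|^\s*)(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?", text)
    if not m:
        raise ValueError("no Squid version found in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def advisory_status(version_text):
    """Classify a version against the ranges stated in SQUID-2020:1."""
    v = parse_version(version_text)
    last = LAST_AFFECTED.get(v[0])
    if last is None:
        return "not-listed"          # series not mentioned in the advisory
    if v <= last:
        return "affected"
    return "fixed" if v[0] == 4 else "not-listed"

def reverse_proxy_ports(conf_text):
    """Return listener lines that enable accelerator (reverse-proxy) mode."""
    hits = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if (tokens and tokens[0] in ("http_port", "https_port")
                and {"accel", "vhost"} & set(tokens[1:])):
            hits.append(" ".join(tokens))
    return hits

def triage(version_text, conf_text):
    """Combine both checks: in scope = affected version AND reverse-proxy listener."""
    status = advisory_status(version_text)
    ports = reverse_proxy_ports(conf_text)
    return {"status": status, "reverse_proxy_ports": ports,
            "in_scope": status == "affected" and bool(ports)}

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONF))
```

A result of `in_scope: False` on an affected version only means no reverse-proxy listener was found in the text supplied; included config files are not followed.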