Re: Squid Proxy multiple vulnerabilities

[Amos Jeffries <squid3 () treenet co nz>]

On 29/10/18 5:13 AM, Amos Jeffries wrote:
> Several vulnerabilities have recently been found in Squid HTTP proxy.
>
> CVE have been requested and awaiting assignment by the DWF project.
>
>
>
> * An Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found
> in the TLS error handling by Squid.
>
> Several fields of X.509 certificates can contain HTML syntax and were
> not being correctly quoted/encoded before inserting into HTML error
> pages generated by the proxy. This issue allows an attacker to craft a
> X.509 certificate that both triggers an error and alters how that error
> is displayed by a client such as a Browser.
>
> Affected Versions:
>  Squid 3.1.12.1 -> 3.1.23

Apologies, these versions are also affected:

  Squid 3.2.0.4 -> 3.5.28


>  Squid 4.0 -> 4.3
>
> Squid 3.1.12 and older including Squid-2.x are not vulnerable.
>
>
> The patch for Squid-3.5 should apply relatively cleanly to all v3.x
> affected versions.
>
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch>
>
> <http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch>
>
> <http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch>
>
> <http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>


Amos

Attachment: signature.asc
Description: OpenPGP digital signature