oss-sec mailing list archives
Re: Squid Proxy multiple vulnerabilities
From: Amos Jeffries <squid3 () treenet co nz>
Date: Mon, 29 Oct 2018 06:10:02 +1300
On 29/10/18 5:13 AM, Amos Jeffries wrote:
> Several vulnerabilities have recently been found in Squid HTTP proxy.
> CVEs have been requested and are awaiting assignment by the DWF project.
>
> * A Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found
> in the TLS error handling by Squid. Several fields of X.509 certificates
> can contain HTML syntax and were not being correctly quoted/encoded
> before inserting into HTML error pages generated by the proxy.
>
> This issue allows an attacker to craft an X.509 certificate that both
> triggers an error and alters how that error is displayed by a client
> such as a Browser.
>
> Affected Versions:
> Squid 3.1.12.1 -> 3.1.23
Apologies, these versions are also affected:
 Squid 3.2.0.4 -> 3.5.28
 Squid 4.0 -> 4.3

Squid 3.1.12 and older including Squid-2.x are not vulnerable.

The patch for Squid-3.5 should apply relatively cleanly to all v3.x
affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch>
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch>
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch>

<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
Amos
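The bug class described in the quoted advisory (certificate text spliced into a generated HTML error page without escaping) is easy to reproduce in isolation. The following is an added example, not Squid's own code or its patch: it renders a toy TLS error page from a constructed attacker certificate twice, once with the raw Subject/Issuer strings (the vulnerable pattern) and once with each certificate-derived field HTML-escaped first (the fix). The htmlEscape and substitute helpers, the CertFields struct, the %subject/%issuer/%notafter placeholder syntax and the sample certificate values are all assumptions made for this example and do not correspond to Squid's internals.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>

// Certificate fields as a proxy would extract them from a peer's X.509
// certificate. Constructed sample values, not parsed from a real certificate.
struct CertFields {
    std::string subject;
    std::string issuer;
    std::string notAfter;
};

// Escape the characters that change meaning inside HTML text and attribute
// values. Assumed helper for this example, not Squid's own quoting routine.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;        break;
        }
    }
    return out;
}

// Replace every occurrence of `token` in `tmpl` with `value`. The scan
// position skips past the inserted text so a value containing the token
// cannot be expanded again.
std::string substitute(std::string tmpl, const std::string &token, const std::string &value) {
    std::size_t pos = 0;
    while ((pos = tmpl.find(token, pos)) != std::string::npos) {
        tmpl.replace(pos, token.size(), value);
        pos += value.size();
    }
    return tmpl;
}

// Assumed error-page template; the placeholder syntax is invented here.
const std::string kErrorTemplate =
    "<html><body><h1>TLS certificate error</h1>"
    "<p>Subject: %subject</p>"
    "<p>Issuer: %issuer</p>"
    "<p>Expires: %notafter</p>"
    "</body></html>";

// Vulnerable pattern: raw certificate text is spliced into the HTML page.
std::string renderRaw(const CertFields &cf) {
    std::string page = substitute(kErrorTemplate, "%subject", cf.subject);
    page = substitute(page, "%issuer", cf.issuer);
    return substitute(page, "%notafter", cf.notAfter);
}

// Hardened pattern: every certificate-derived field is escaped before it
// touches the template, so markup in the cert renders as literal text.
std::string renderEscaped(const CertFields &cf) {
    std::string page = substitute(kErrorTemplate, "%subject", htmlEscape(cf.subject));
    page = substitute(page, "%issuer", htmlEscape(cf.issuer));
    return substitute(page, "%notafter", htmlEscape(cf.notAfter));
}

// Simple check: does the rendered page still contain the given raw tag?
bool containsRawTag(const std::string &html, const std::string &tag) {
    return html.find(tag) != std::string::npos;
}

// Constructed attacker certificate. An attacker can self-sign a cert with
// any Subject/Issuer they like; it fails validation (which is exactly what
// triggers the error page), and the error page then carries their markup.
CertFields attackerCert() {
    return CertFields{
        "CN=evil.example<script>alert(document.domain)</script>,O=\"Acme & Co\"",
        "CN=evil.example<img src=x onerror=alert(1)>",
        "Nov 28 00:00:00 2028 GMT"};
}

int main() {
    const CertFields cf = attackerCert();
    std::cout << "--- raw (vulnerable) ---\n" << renderRaw(cf) << "\n";
    std::cout << "--- escaped (fixed) ---\n" << renderEscaped(cf) << "\n";
    return 0;
}
```

The point to check in any proxy or gateway that builds error pages: every string that originates from the peer (certificate DN components, SANs, issuer, hostnames) must pass through the escaper on its way into HTML, and the escaper must be applied at the insertion point rather than relying on the template author to remember it.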