Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8bdd9c52-ec43-0828-0d7d-0d7b0542a9d4@treenet.co.nz>
Date: Mon, 29 Oct 2018 06:10:02 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Squid Proxy multiple vulnerabilities


On 29/10/18 5:13 AM, Amos Jeffries wrote:
> Several vulnerabilities have recently been found in Squid HTTP proxy.
> 
> CVE have been requested and awaiting assignment by the DWF project.
> 
> 
> 
> * An Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found
> in the TLS error handling by Squid.
> 
> Several fields of X.509 certificates can contain HTML syntax and were
> not being correctly quoted/encoded before inserting into HTML error
> pages generated by the proxy. This issue allows an attacker to craft a
> X.509 certificate that both triggers an error and alters how that error
> is displayed by a client such as a Browser.
> 
> Affected Versions:
>  Squid 3.1.12.1 -> 3.1.23

Apologies, these versions are also affected:

  Squid 3.2.0.4 -> 3.5.28


>  Squid 4.0 -> 4.3
> 
> Squid 3.1.12 and older including Squid-2.x are not vulnerable.
> 
> 
> The patch for Squid-3.5 should apply relatively cleanly to all v3.x
> affected versions.
> 
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch>
> 
> <http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch>
> 
> <http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch>
> 
> <http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
> 
> 


Amos



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.