| Summary: | <net-proxy/squid-3.5.6: Information disclosure due to incorrect handling of peer responses in tunnel.cc (CVE-2015-5400) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | eras |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://seclists.org/oss-sec/2015/q3/37 | ||
| Whiteboard: | B4 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 548228 | ||
3.5.6 is already in tree, is it ready for stabilization? Arches please test and mark stable =net-proxy/squid-3.5.6 Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 ~sparc x86 (In reply to Eray Aslan from comment #2) > Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 ~sparc x86 Should have read: Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 amd64 stable Stable for HPPA PPC64. x86 stable Stable on alpha. ia64 stable arm stable ppc stable sparc stable. Maintainer(s), please cleanup. Security, please vote. Arches and Maintainer(s), Thank you for your work. GLSA Vote: No GLSA Vote: No |
From ${URL}: Due to incorrect handling of peer responses in a hierarchy of 2 or more proxies remote clients (or scripts run on a client) are able to gain unrestricted access through a gateway proxy to its backend proxy. If the two proxies have differing levels of security this could lead to authentication bypass or unprivileged access to supposedly secure resources. All Squid up to and including 3.5.5 are vulnerable. Upstream patch: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch External References: http://www.squid-cache.org/Advisories/SQUID-2015_2.txt