
Bug 729760 (CVE-2020-15049)

Summary: <net-proxy/squid-4.12: Information disclosure vulnerability (CVE-2020-15049)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hydrapolic, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 728768    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 17:48:51 UTC
Description:

This problem allows a trusted client to perform request smuggling and poison the
HTTP cache contents with crafted HTTP(S) request messages.

This attack requires an upstream server to participate in the smuggling and
generate the poison response sequence. Most popular server software are not
vulnerable to participation in this attack.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 17:50:06 UTC
Maintainer, please call for stabilization when ready.
Comment 2 Tomáš Mózes 2020-06-26 19:40:25 UTC
Used in production, works fine on amd64.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 18:16:00 UTC
parent bug is noglsa, this one either.