Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 738724 (CVE-2020-15810, CVE-2020-15811, CVE-2020-24606, SQUID-2020-10, SQUID-2020-8, SQUID-2020-9)

Summary: <net-proxy/squid-4.13: Multiple vulnerabilities (SQUID-2020-{8,9,10})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hydrapolic, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-23 15:35:34 UTC 
* SQUID-2020-8

Description:
"Due to incorrect data validation Squid is vulnerable to HTTP
Request Splitting attacks against HTTP and HTTPS traffic. This
leads to cache poisoning."

* SQUID-2020-9

Description:
"Due to Improper Input Validation Squid is vulnerable to a Denial
of Service attack against the machine operating Squid."

* SQUID-2020-10

Description:
"Due to incorrect data validation Squid is vulnerable to HTTP
Request Smuggling attacks against HTTP and HTTPS traffic. This
leads to cache poisoning."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-23 15:36:43 UTC 
(In reply to Sam James from comment #0)
> * SQUID-2020-8
> 
> Description:
> "Due to incorrect data validation Squid is vulnerable to HTTP
> Request Splitting attacks against HTTP and HTTPS traffic. This
> leads to cache poisoning."
> 

https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv

> * SQUID-2020-9
> 
> Description:
> "Due to Improper Input Validation Squid is vulnerable to a Denial
> of Service attack against the machine operating Squid."
> 

https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg

> * SQUID-2020-10
> 
> Description:
> "Due to incorrect data validation Squid is vulnerable to HTTP
> Request Smuggling attacks against HTTP and HTTPS traffic. This
> leads to cache poisoning."

https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m

----
Please bump to 4.13.
Comment 2 Tomáš Mózes 2020-08-24 08:56:46 UTC 
A copy of 4.12 seems to be working fine here.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-26 01:07:17 UTC 
(In reply to Sam James from comment #1)
> (In reply to Sam James from comment #0)
> > * SQUID-2020-8
> > 
> > Description:
> > "Due to incorrect data validation Squid is vulnerable to HTTP
> > Request Splitting attacks against HTTP and HTTPS traffic. This
> > leads to cache poisoning."
> > 
> 

CVE-2020-15811

> https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
> 
> > * SQUID-2020-9
> > 
> > Description:
> > "Due to Improper Input Validation Squid is vulnerable to a Denial
> > of Service attack against the machine operating Squid."
> > 
> 

CVE-2020-24606

> https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
> 
> > * SQUID-2020-10
> > 
> > Description:
> > "Due to incorrect data validation Squid is vulnerable to HTTP
> > Request Smuggling attacks against HTTP and HTTPS traffic. This
> > leads to cache poisoning."
> 
> https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
> 

CVE-2020-15810
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-08-27 19:44:53 UTC 
GLSA vote: no