Bug 554168 - <net-proxy/squid-3.5.6: Information disclosure due to incorrect handling of peer responses in tunnel.cc (CVE-2015-5400)
Summary: <net-proxy/squid-3.5.6: Information disclosure due to incorrect handling of p...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q3/37
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-3455
Reported: 2015-07-07 19:25 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-09-08 06:32 UTC
See Also:
Package list:
Runtime testing required: ---
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-07 19:25:04 UTC
From ${URL}:
Due to incorrect handling of peer responses in a hierarchy of 2 or
more proxies, remote clients (or scripts run on a client) are able to
gain unrestricted access through a gateway proxy to its backend proxy.

If the two proxies have differing levels of security this could lead
to authentication bypass or unprivileged access to supposedly secure
resources.

All Squid up to and including 3.5.5 are vulnerable.
Upstream patch:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch

External References:

http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-07 19:26:00 UTC
3.5.6 is already in tree; is it ready for stabilization?
Comment 2 Eray Aslan gentoo-dev 2015-07-09 05:07:20 UTC
Arches please test and mark stable
=net-proxy/squid-3.5.6

Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 ~sparc x86
Comment 3 Eray Aslan gentoo-dev 2015-07-09 05:08:10 UTC
(In reply to Eray Aslan from comment #2)
> Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 ~sparc x86

Should have read:

Target Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-09 16:24:28 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-11 06:34:36 UTC
Stable for HPPA PPC64.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-11 20:10:24 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 19:51:30 UTC
Stable on alpha.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 13:31:06 UTC
ia64 stable
Comment 9 Markus Meier gentoo-dev 2015-07-19 18:30:48 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:46 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-23 09:40:01 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 13:34:46 UTC
Arches and Maintainer(s), thank you for your work.

GLSA Vote: No
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-09-08 06:32:23 UTC
GLSA Vote: No