Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 738724 (CVE-2020-15810, CVE-2020-15811, CVE-2020-24606, SQUID-2020-10, SQUID-2020-8, SQUID-2020-9) - <net-proxy/squid-4.13: Multiple vulnerabilities (SQUID-2020-{8,9,10})
Summary: <net-proxy/squid-4.13: Multiple vulnerabilities (SQUID-2020-{8,9,10})
Status: RESOLVED FIXED
Alias: CVE-2020-15810, CVE-2020-15811, CVE-2020-24606, SQUID-2020-10, SQUID-2020-8, SQUID-2020-9
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-23 15:35 UTC by Sam James
Modified: 2020-08-27 19:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-23 15:35:34 UTC
* SQUID-2020-8

Description:
"Due to incorrect data validation Squid is vulnerable to HTTP
Request Splitting attacks against HTTP and HTTPS traffic. This
leads to cache poisoning."

* SQUID-2020-9

Description:
"Due to Improper Input Validation Squid is vulnerable to a Denial
of Service attack against the machine operating Squid."

* SQUID-2020-10

Description:
"Due to incorrect data validation Squid is vulnerable to HTTP
Request Smuggling attacks against HTTP and HTTPS traffic. This
leads to cache poisoning."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-23 15:36:43 UTC
(In reply to Sam James from comment #0)
> * SQUID-2020-8
> 
> Description:
> "Due to incorrect data validation Squid is vulnerable to HTTP
> Request Splitting attacks against HTTP and HTTPS traffic. This
> leads to cache poisoning."
> 

https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv

> * SQUID-2020-9
> 
> Description:
> "Due to Improper Input Validation Squid is vulnerable to a Denial
> of Service attack against the machine operating Squid."
> 

https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg

> * SQUID-2020-10
> 
> Description:
> "Due to incorrect data validation Squid is vulnerable to HTTP
> Request Smuggling attacks against HTTP and HTTPS traffic. This
> leads to cache poisoning."

https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m

----
Please bump to 4.13.
Comment 2 Tomáš Mózes 2020-08-24 08:56:46 UTC
A copy of 4.12 seems to be working fine here.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-26 01:07:17 UTC
(In reply to Sam James from comment #1)
> (In reply to Sam James from comment #0)
> > * SQUID-2020-8
> > 
> > Description:
> > "Due to incorrect data validation Squid is vulnerable to HTTP
> > Request Splitting attacks against HTTP and HTTPS traffic. This
> > leads to cache poisoning."
> > 
> 

CVE-2020-15811

> https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
> 
> > * SQUID-2020-9
> > 
> > Description:
> > "Due to Improper Input Validation Squid is vulnerable to a Denial
> > of Service attack against the machine operating Squid."
> > 
> 

CVE-2020-24606

> https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
> 
> > * SQUID-2020-10
> > 
> > Description:
> > "Due to incorrect data validation Squid is vulnerable to HTTP
> > Request Smuggling attacks against HTTP and HTTPS traffic. This
> > leads to cache poisoning."
> 
> https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
> 

CVE-2020-15810
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-08-27 19:44:53 UTC
GLSA vote: no