__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2016:8
__________________________________________________________________

Advisory ID:        SQUID-2016:8
Date:               May 06, 2016
Summary:            Header smuggling issue in HTTP Request processing
Affected versions:  Squid 1.x -> 3.5.17
Fixed in version:   Squid 3.5.18
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554
__________________________________________________________________

Problem Description:

 Due to incorrect input validation Squid is vulnerable to a header
 smuggling attack leading to cache poisoning and to bypass of
 same-origin security policy in Squid and some client browsers.

__________________________________________________________________

Severity:

 This problem allows a client to smuggle a Host header value past
 same-origin security protections, causing Squid operating as an
 interception or reverse proxy to contact the wrong origin server.
 This also poisons any downstream cache which stores the response.

 However, the cache poisoning is only possible if the caching
 agent (browser or explicit/forward proxy) is not following RFC
 7230 processing guidelines and lets the smuggled value through.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 3.5.18.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

 Squid 3.1:

 Squid 3.2:

 Squid 3.3:

 Squid 3.4:

 Squid 3.5:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All 2.x versions up to and including 2.7.STABLE9 are vulnerable.

 All 3.x versions up to and including 3.5.17 are vulnerable.

 All 4.x versions are not vulnerable.

__________________________________________________________________

Workaround:

 There are no workarounds for this problem.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was reported by Jianjun Chen from Tsinghua
 University.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2016-04-26 09:29:13 UTC Initial Report
 2016-05-02 03:39:35 UTC Patches Released
 2016-05-06 13:12:00 UTC Packages Released
 2016-05-06 14:46:41 UTC CVE Assignment
 2016-05-08 12:45:58 UTC Patches Updated
__________________________________________________________________
END
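
The version ranges under "Determining if your version is vulnerable", written as a shell check. This is an added example, not part of the advisory or of Squid project code; the function names and the "Squid Cache: Version ..." banner format it parses are assumptions, and a vendor package carrying the backported patch will still report its old version number.

```shell
#!/bin/sh
# Added example (not Squid project code): classify a Squid version against
# the ranges stated in advisory SQUID-2016:8. Function names are hypothetical.

# Read `squid -v` style output on stdin and print the version string.
# Assumption: the banner line looks like "Squid Cache: Version 3.5.12".
squid_version_from_banner() {
    sed -n 's/^Squid Cache: Version \([0-9][0-9A-Za-z.]*\).*/\1/p' | head -n 1
}

# Print one of: vulnerable | not-vulnerable | unknown
# "unknown" means the advisory text does not cover that version.
squid_2016_8_status() {
    # Reject anything that is not a plain dotted version before splitting.
    case $1 in ''|*[!0-9A-Za-z.]*) echo unknown; return 0 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=$1 minor=${2:-0} patch=${3:-0}
    patch=${patch#STABLE}        # 2.x releases are named like 2.7.STABLE9
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $minor in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $patch in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $major in
        1) echo vulnerable ;;    # "Affected versions: Squid 1.x -> 3.5.17"
        2) if [ "$minor" -lt 7 ] || { [ "$minor" -eq 7 ] && [ "$patch" -le 9 ]; }
           then echo vulnerable; else echo unknown; fi ;;
        3) if [ "$minor" -lt 5 ] || { [ "$minor" -eq 5 ] && [ "$patch" -le 17 ]; }
           then echo vulnerable  # may be a false positive on vendor-patched builds
           elif [ "$minor" -eq 5 ]; then echo not-vulnerable   # 3.5.18 and later
           else echo unknown; fi ;;
        4) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# Constructed sample banner; on a real host: squid -v | squid_version_from_banner
sample='Squid Cache: Version 3.5.12
Service Name: squid'
v=$(printf '%s\n' "$sample" | squid_version_from_banner)
echo "Squid $v: $(squid_2016_8_status "$v")"
```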