
Squid 3.5.x < 3.5.23 / 4.0.x < 4.0.17 Multiple Information Disclosure

Medium

Synopsis

The remote proxy server is affected by multiple information disclosure attack vectors.

Description

Versions of Squid 4.0.x prior to 4.0.17, and 3.5.x prior to 3.5.18 are affected by multiple vulnerabilities:

- A flaw exists in the collapsed forwarding functionality in 'client_side_reply.cc' that is triggered because request headers are not properly compared, which can cause the proxy to deliver responses containing private data to clients that should not receive them. This may allow a remote attacker to gain access to potentially sensitive information from other sessions. (OSVDB 148952)

- A flaw exists in 'client_side_reply.cc' that is triggered during the handling of HTTP conditional requests. This may allow a remote attacker to gain access to potentially sensitive information from other sessions. (OSVDB 148953)

Solution

Upgrade to Squid version 4.0.17 or later. If 4.0.x versions cannot be obtained, version 3.5.23 is also patched for these vulnerabilities.
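The following is an added example, not part of this plugin page or of the Squid project, showing how an administrator can check a Squid version banner against the fixed versions given in the Solution section (4.0.17 for the 4.0.x branch, 3.5.23 for the 3.5.x branch). It accepts the `Squid Cache: Version X.Y.Z` line printed by `squid -v` as well as the `squid/X.Y.Z` token that appears in Squid's Via and Server headers; the sample banners at the bottom are constructed for illustration, and any branch other than 3.5.x or 4.0.x is reported as not covered by this advisory rather than guessed at.

```python
import re

# Fixed versions taken from the Solution section of the advisory.
# Only the two branches the advisory names are covered.
FIXED_VERSIONS = {
    (4, 0): (4, 0, 17),
    (3, 5): (3, 5, 23),
}

# Matches "Squid Cache: Version 3.5.20" (squid -v) and "squid/3.5.20"
# (Via / Server headers). Trailing build suffixes are ignored.
VERSION_RE = re.compile(r"(?:Version\s+|squid/)(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_squid_version(banner):
    """Return (major, minor, patch) from a banner string, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is below the fix for its branch, False if fixed,
    None if the branch is not one the advisory covers."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(banner):
    """Classify a banner as 'affected', 'patched', 'not covered' or 'unknown'."""
    version = parse_squid_version(banner)
    if version is None:
        return {"version": None, "status": "unknown"}
    affected = is_affected(version)
    if affected is None:
        status = "not covered"
    elif affected:
        status = "affected"
    else:
        status = "patched"
    return {"version": ".".join(str(x) for x in version), "status": status}


if __name__ == "__main__":
    # Constructed sample banners; hostnames are placeholders.
    samples = [
        "Squid Cache: Version 3.5.20",
        "1.1 proxy.example.test (squid/4.0.17)",
        "squid/3.5.23-20161215-r12345",
        "Squid Cache: Version 3.4.14",
        "nginx/1.10.0",
    ]
    for banner in samples:
        result = assess(banner)
        print(f"{banner!r:45} -> {result['status']} ({result['version']})")
```

The check is deliberately conservative: a banner without a recognisable version, or from a branch the advisory does not mention, is flagged for manual review instead of being marked safe. Note that proxies are often configured to suppress or rewrite the Via header, so the `squid -v` output from the host itself is the reliable input.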