Synopsis
The remote proxy server is affected by multiple information disclosure attack vectors.
Description
Versions of Squid 4.0.x prior to 4.0.17, and 3.5.x prior to 3.5.18, are affected by multiple vulnerabilities:
- A flaw exists in the collapsed forwarding functionality in 'client_side_reply.cc': request headers are not properly compared, so the program can deliver responses containing private data to clients that should not have received them. This may allow a remote attacker to gain access to potentially sensitive information from other sessions.
- A flaw exists in 'client_side_reply.cc' that is triggered during the handling of HTTP conditional requests. This may allow a remote attacker to gain access to potentially sensitive information from other sessions.
Solution
Upgrade to Squid version 4.0.17 or later. If 4.0.x versions cannot be obtained, version 3.5.23 is also patched for these vulnerabilities.
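The following version check is an added example, not part of the advisory: it encodes the affected ranges stated in the Description section and classifies a Squid banner taken from `squid -v` or from a `Server`/`Via` header token of the form `squid/x.y.z` (both banner formats are assumptions about how the version is exposed).

```python
import re

# Affected ranges as stated in the Description section:
# 4.0.x prior to 4.0.17 and 3.5.x prior to 3.5.18.
# Key: (major, minor) branch; value: first patch level NOT affected.
AFFECTED_RANGES = {
    (4, 0): 17,
    (3, 5): 18,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_squid_version(text):
    """Extract (major, minor, patch) from a banner such as
    'Squid Cache: Version 3.5.17' or 'squid/3.5.17' (assumed formats).
    Returns None when no x.y.z version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True/False for the 4.0.x and 3.5.x branches named in the advisory;
    None for any other branch, which this advisory does not cover."""
    major, minor, patch = version
    fixed_patch = AFFECTED_RANGES.get((major, minor))
    if fixed_patch is None:
        return None
    return patch < fixed_patch


def check_banner(text):
    """Map a banner string to a verdict usable in an inventory report."""
    version = parse_squid_version(text)
    if version is None:
        return "unknown"
    verdict = is_affected(version)
    if verdict is None:
        return "not covered by this advisory"
    return "affected" if verdict else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not data from a real scan.
    for banner in ("Squid Cache: Version 3.5.17",
                   "Server: squid/4.0.17",
                   "Via: 1.1 proxy (squid/4.0.16)"):
        print(banner, "->", check_banner(banner))
```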