oss-sec mailing list archives

Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues

From: <cve-assign () mitre org>
Date: Sat, 17 Dec 2016 20:06:22 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

http://www.squid-cache.org/Advisories/SQUID-2016_11.txt

Incorrect processing of responses to If-None-Modified HTTP conditional
requests leads to client-specific Cookie data being leaked to other
clients. Attack requests can easily be crafted by a client to probe a
cache for this information.

the CVE critical leak was due to these lines in
src/client_side_reply.cc:

     bool matchedIfNoneMatch = false;
     if (r.header.has(HDR_IF_NONE_MATCH)) {
        if (!e->hasIfNoneMatchEtag(r)) {
...
-            http->logType = LOG_TCP_MISS;
-            sendMoreData(result);

This last line should have called "  processMiss(result); "


Use CVE-2016-10002.

http://www.squid-cache.org/Advisories/SQUID-2016_10.txt

Incorrect HTTP Request header comparison results in Collapsed
Forwarding feature mistakenly identifying some private responses as
being suitable for delivery to multiple clients.


Use CVE-2016-10003.

The current fix is not quite complete. However we believe the remaining
headers leaked are not a serious security issue.


If anyone needs a CVE ID for this issue (involving other headers) that
was not fixed in 3.5.23 and 4.0.17, please let us know.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYVdwRAAoJEHb/MwWLVhi2sBwP/33e42WWt+2xK8LMWIt2opxE
F8YSXBoIMKVh8V9i9dYeFrTcXPNMSOsNLawZgUaPIIdIzMy3ipKxfJ0dHlWjIUrk
3QIPAlri8tEOJiy0gR3x1xzdYaZUq5hLpBxWvUJz/GS4OPpvlMPO8VvSYzfKVYUi
Mxw9izK9E41WCUYFTCpzWhI+M248W4CCKYul8gHbDIaV1ED+3pRLkmfgaozP1TxW
ozAB8REzpOyG+Erl5rxZ3e8Zgpf3ox6Rmv260Ue4mhZLCsK2AWR72PJs9zXRK+LQ
1cwTROdWg78iMuoB4E77L77L98OEj5sSLlo6fc5mew8lyteq7QwbfaWjuCk3ga79
BVisJvqXW7dyzLxyZ5yiMGLmHJQd4C6FaKBM6D9xSlaUaicEPvLUU+zwNHtWi0dT
3KKI4GzvBk3x62c4bjjjGpNWoK0sNiDFK465MfA343XfeEjnA+URgrzNJO8ocvMI
booClyeDs7VKwv+yGVMI+3v+YQ/kUKjERdRr4StzSEWF45GPtXnWj7F7bj/JCR4m
/mwZ9237ED5Yhq81e5/OPfJ/dnduJYoI5vjcZmVekTxh3+3AUcLXH1JxfV7Rk6z4
+Tk+X443j3cuB//zMDR8oN7RCl64R2Cx29HwCFukU6nA+wL2hVLHBrVsR+mw6fQX
7LGySLYqm7FhLtuSKhQa
=GwOM
-----END PGP SIGNATURE-----

Current thread:

CVE Request - squid HTTP proxy multiple Information Disclosure issues Amos Jeffries (Dec 17)
- Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues cve-assign (Dec 17)