Red Hat Bugzilla – Bug 1240741
CVE-2015-5400 squid: information disclosure due to incorrect handling of peer responses in tunnel.cc (SQUID-2015:2)
Last modified: 2016-05-06 15:54:28 EDT
Quoting the original report at http://seclists.org/oss-sec/2015/q3/37: """ Due to incorrect handling of peer responses in a hierarchy of 2 or more proxies remote clients (or scripts run on a client) are able to gain unrestricted access through a gateway proxy to its backend proxy. If the two proxies have differing levels of security this could lead to authentication bypass or unprivileged access to supposedly secure resources. All Squid up to and including 3.5.5 are vulnerable. """ Upstream patches: Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch Squid 3.4: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch External References: http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1240744]
Quick check to see if your system is affected: If squid.conf (/etc/squid/squid.conf) does *not* contain "cache_peer" you are *not* affected by this issue. The default RHEL squid.conf files are not affected. Squid upstream lists some workarounds in their advisory [1]. However, please note that the currently described workarounds do not appear to offer a complete protection (certain settings like "never_direct allow all" may override the workaround, leaving the system in a vulnerable state). [1] http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
libecap-1.0.0-1.fc22, squid-3.5.10-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.