Due to improper input validation, Squid is vulnerable to security bypass attacks. An attacker can gain access to restricted HTTP servers.
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1770372]
Upstream patch: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch
Access to manager services can be prevented by enabling the Via header: (in /etc/squid/squid.conf)
There are no reliable workarounds to prevent access to restricted upstream servers.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743