~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2015-5400
PublicDate: 2015-09-28
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5400
 http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
 http://www.openwall.com/lists/oss-security/2015/07/06/8
Description:
 Squid before 3.5.6 does not properly handle CONNECT method peer responses
 when configured with cache_peer, which allows remote attackers to bypass
 intended restrictions and gain access to a backend proxy via a CONNECT
 request.
Ubuntu-Description:
Notes:
 mdeslaur> non-default configuration, and needs substantial backporting
 mdeslaur> There are no current plans to fix this CVE in Ubuntu 12.04 LTS
 mdeslaur> and Ubuntu 14.04 LTS.
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793128
Priority: low
Discovered-by: Alex Rousskov
Assigned-to:

Patches_squid3:
 upstream: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch (3.1)
 upstream: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch (3.4)
upstream_squid3: released (3.5.6-1)
precise_squid3: ignored
trusty_squid3: ignored
utopic_squid3: ignored (reached end-of-life)
vivid_squid3: ignored (reached end-of-life)
vivid/stable-phone-overlay_squid3: DNE
vivid/ubuntu-core_squid3: DNE
wily_squid3: ignored (reached end-of-life)
xenial_squid3: released (3.5.12-1ubuntu6)
devel_squid3: released (3.5.12-1ubuntu6)