Squid HTTP Request Splitting Vulnerability (SQUID-2019:10) Advisory

Critical Vulnerability Information Vulnerability ID SQUID-2019:10 Release Date November 5, 2019 Vulnerability Description HTTP Request Splitting Issue: - Due to incorrect message parsing, Squid has an HTTP request splitting issue during HTTP message processing. Affected Versions Squid 3.0 - 3.5.28 Squid 4.x - 4.8 Fixed Versions Squid 4.9 Severity Allows attackers to smuggle HTTP requests through front-end software to Squid, splitting the HTTP request pipeline. This leads to response messages being cached between the client and Squid, and between arbitrary URLs containing attacker-controlled content. Impact is limited to software between the attacker’s client and Squid. Update Packages This vulnerability is fixed in Squid version 4.9. - Squid 4: Determining Vulnerable Versions All Squid-3.x versions up to 3.5.28 are vulnerable. All Squid-4.x versions up to 4.8 are vulnerable. Mitigation No workaround is available for this vulnerability. Reporting and Contact Contact the Squid Project: - When using a released version of Squid, contact the package vendor to inquire about available updates. - When building Squid from original Squid source, contact the squid-users@lists.squid-cache.org mailing list. - Security-sensitive vulnerabilities should be reported via the squid-bugs@lists.squid-cache.org mailing list. Acknowledgments This vulnerability was discovered by Rãfãçgis Leroy (regilero at Makina Corpus). Fixed by Amos Jeffries of Treehouse Networks Ltd.

Goal Reached Thanks to every supporter — we hit 100%!

Squid HTTP Request Splitting Vulnerability (SQUID-2019:10) Advisory