Your submission was sent successfully! Close

CVE-2015-5400

Published: 28 September 2015

Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.

Priority

Low

Status

Package Release Status
squid3
Launchpad, Ubuntu, Debian
Upstream
Released (3.5.6-1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.5.12-1ubuntu6)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored)
Patches:
Upstream: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch (3.1)
Upstream: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch (3.4)

Notes

AuthorNote
mdeslaur
non-default configuration, and needs substantial backporting
There are no current plans to fix this CVE in Ubuntu 12.04 LTS
and Ubuntu 14.04 LTS.

References

Bugs