Ubuntu Security Notice 4895-1 - Alex Rousskov and Amit Klein discovered that Squid incorrectly handled certain Content-Length headers. A remote attacker could possibly use this issue to perform an HTTP request smuggling attack, resulting in cache poisoning. This issue only affected Ubuntu 20.04 LTS. Jianjun Chen discovered that Squid incorrectly validated certain input. A remote attacker could use this issue to perform HTTP Request Smuggling and possibly access services forbidden by the security controls. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-4895-1
March 29, 2021
squid, squid3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server
- squid3: Web proxy cache server

Details:

Alex Rousskov and Amit Klein discovered that Squid incorrectly handled
certain Content-Length headers. A remote attacker could possibly use this
issue to perform an HTTP request smuggling attack, resulting in cache
poisoning. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-15049)

Jianjun Chen discovered that Squid incorrectly validated certain input. A
remote attacker could use this issue to perform HTTP Request Smuggling and
possibly access services forbidden by the security controls.
(CVE-2020-25097)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
  squid 4.13-1ubuntu2.1

Ubuntu 20.04 LTS:
  squid 4.10-1ubuntu1.3

Ubuntu 18.04 LTS:
  squid 3.5.27-1ubuntu1.10

Ubuntu 16.04 LTS:
  squid 3.5.12-1ubuntu7.16

In general, a standard system update will make all the necessary changes.
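
Added example (not part of the Ubuntu notice): a fleet check that flags hosts whose installed squid package is older than the fixed version listed above for their release, using Debian version ordering instead of string comparison. The inventory format and host names are assumptions; the installed version on each host could be collected with dpkg-query -W squid.

```python
import re
from itertools import zip_longest

# Fixed package versions, copied from the notice above (keyed by Ubuntu release).
FIXED = {"20.10": "4.13-1ubuntu2.1", "20.04": "4.10-1ubuntu1.3",
         "18.04": "3.5.27-1ubuntu1.10", "16.04": "3.5.12-1ubuntu7.16"}

def _order(c):
    # dpkg character order: '~' sorts first, then letters, then other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating non-digit / digit runs; digit runs compare numerically.
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        n = max(len(sa), len(sb))
        ka = ([_order(c) for c in sa] + [0] * (n - len(sa)), int(da or 0))
        kb = ([_order(c) for c in sb] + [0] * (n - len(sb)), int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def vulnerable_hosts(inventory):
    """inventory: lines of 'host release installed-version' (assumed format)."""
    rows = (line.split() for line in inventory.strip().splitlines())
    return [h for h, rel, ver in rows if rel in FIXED and deb_cmp(ver, FIXED[rel]) < 0]

# Constructed sample inventory (hypothetical hosts), not data from the notice.
SAMPLE = """
proxy-a 20.04 4.10-1ubuntu1.2
proxy-b 20.04 4.10-1ubuntu1.3
proxy-c 18.04 3.5.27-1ubuntu1.9
proxy-d 20.10 4.13-1ubuntu2.1
"""
```

proxy-c shows why plain string comparison is unsafe here: 1ubuntu1.9 sorts after 1ubuntu1.10 as text but is the older package.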

References:
  https://ubuntu.com/security/notices/USN-4895-1
  CVE-2020-15049, CVE-2020-25097

Package Information:
  https://launchpad.net/ubuntu/+source/squid/4.13-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.3
  https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.10
  https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.16