Vendors have not issued updates yet for a vulnerability just reported by the Squid Project. "Under some conditions Squid may forward the proxy authentication credentials. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in."
synopsis | Under some conditions Squid may forward the proxy authentication credentials. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in.
This patch restricts such forwarding to only your configured cache_peers. If you need to further control the credentials forwarding then upgrading to Squid-2.5 is recommended as the forwarding is controlled per cache_peer in Squid-2.5 and later. |
versions | 2.4.STABLE6 and earlier |
platforms | All |
reported by | Hernan Otero |
configuration | If a mixture of proxy authentication and sites not requiring authentication is used. |
patch | squid-2.4.STABLE6-proxy_auth.patch |
workaround | If you use proxy authentication, make sure to use it on all requests. Do not allow access to some sites without the need to log in. |
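
The configuration and workaround rows can be checked mechanically. The Python sketch below is an added example, not part of the Squid advisory or its patch: it scans a squid.conf for `http_access allow` rules that can match without a `proxy_auth` ACL while proxy authentication is in use elsewhere. The ACL names and both sample configurations are constructed, and rule evaluation is simplified to first-match order, with a lone `deny !<auth acl>` rule treated as forcing a login for everything after it.

```python
# Added example: audit a squid.conf for the mixed setup the advisory describes.
AUTH_TYPES = ("proxy_auth", "proxy_auth_regex")

def unauthenticated_allows(conf_text):
    """Return [(line_no, acl_list)] for http_access allow rules that can
    match without a login, when proxy authentication is used elsewhere."""
    auth_acls, rules = set(), []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "acl" and tokens[2] in AUTH_TYPES:
            auth_acls.add(tokens[1])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((line_no, tokens[1], tokens[2:]))
    if not auth_acls:
        return []  # no proxy authentication at all: not the affected setup
    findings = []
    for line_no, action, acls in rules:
        # A lone "deny !<auth acl>" forces a login before any later rule.
        if action == "deny" and len(acls) == 1 and acls[0][1:] in auth_acls \
                and acls[0].startswith("!"):
            break
        if action == "allow" and not any(a in auth_acls for a in acls):
            findings.append((line_no, " ".join(acls)))
    return findings

# Constructed sample: some sites reachable without logging in.
MIXED_CONF = """\
# constructed sample configuration
acl all src 0.0.0.0/0.0.0.0
acl staff proxy_auth REQUIRED
acl free_sites dstdomain .intranet.example
http_access allow free_sites
http_access allow staff
http_access deny all
"""

# Same policy with the advisory's workaround applied: login on all requests.
WORKAROUND_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl staff proxy_auth REQUIRED
http_access allow staff
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("mixed", MIXED_CONF), ("workaround", WORKAROUND_CONF)):
        print(name, unauthenticated_allows(conf))
```

Any rule it reports is a candidate for the workaround above; on 2.4.STABLE6 and earlier, the patch is the alternative if those rules must stay.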