------------------------------------------------------------------------- Debian LTS Advisory DLA-3709-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany January 09, 2024 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : squid Version : 4.6-1+deb10u9 CVE ID : CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 Debian Bug : 1054537 1055250 1058721 Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management. In regard to CVE-2023-46728: Please note that support for the Gopher protocol has simply been removed in future Squid versions. There are no plans by the upstream developers of Squid to fix this issue. We recommend to reject all Gopher URL requests instead. For Debian 10 buster, these problems have been fixed in version 4.6-1+deb10u9. We recommend that you upgrade your squid packages. For the detailed security status of squid please refer to its security tracker page at: https://security-tracker.debian.org/tracker/squid Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part