-------------------------------------------------------------------------
Debian LTS Advisory DLA-4083-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Jochen Sprickerhof
March 11, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : squid
Version        : 4.13-10+deb11u4
CVE ID         : CVE-2024-25111 CVE-2024-37894 CVE-2024-45802
Debian Bug     :
Several security vulnerabilities have been discovered in Squid, a full-featured
web proxy cache.
CVE-2024-25111

    A possible Denial of Service attack against the HTTP chunked decoder
    due to an uncontrolled recursion bug. This problem allows a remote
    attacker to cause a Denial of Service by sending a crafted
    chunked-encoded HTTP message.

CVE-2024-37894

    Due to an Out-of-bounds Write error when assigning ESI variables,
    Squid is susceptible to a Memory Corruption error. This error can
    lead to a Denial of Service attack.

CVE-2024-45802

    Due to Input Validation, Premature Release of Resource During Expected
    Lifetime, and Missing Release of Resource after Effective Lifetime bugs,
    Squid is vulnerable to Denial of Service attacks by a trusted server
    against all clients using the proxy. This problem is fixed by disabling
    ESI feature support: the build configuration now specifies the
    --disable-esi option.
For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u4.
We recommend that you upgrade your squid packages.
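A host-side check for this advisory, added here as an example and not part of the advisory text: it compares the installed squid version against 4.13-10+deb11u4 and looks for --disable-esi in the configure options that squid -v reports, which is what confirms the CVE-2024-45802 fix is actually in the running binary. It assumes a Debian 11 host with dpkg and squid on PATH; the script file name used in the final guard is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes a Debian 11 host with dpkg
# and the squid binary on PATH; the version string and --disable-esi option
# are the ones given in DLA-4083-1.
FIXED_VERSION="4.13-10+deb11u4"

# Return 0 when $1 (an installed squid version) is at least FIXED_VERSION.
# Uses dpkg's Debian version ordering when available, else GNU sort -V.
version_is_fixed() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$FIXED_VERSION"
    else
        [ "$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)" = "$FIXED_VERSION" ]
    fi
}

# Return 0 when the given 'squid -v' output shows a build without ESI,
# i.e. its "configure options:" line contains --disable-esi (CVE-2024-45802).
built_without_esi() {
    printf '%s\n' "$1" | grep -q -- '--disable-esi'
}

# Live check of the local host; one line per finding.
check_host() {
    installed="$(dpkg-query -W -f='${Version}' squid 2>/dev/null)" || installed=""
    if [ -z "$installed" ]; then
        echo "squid is not installed"
        return 0
    fi
    if version_is_fixed "$installed"; then
        echo "squid $installed: at or above fixed version $FIXED_VERSION"
    else
        echo "squid $installed: VULNERABLE, upgrade to $FIXED_VERSION"
    fi
    if built_without_esi "$(squid -v 2>/dev/null)"; then
        echo "squid binary built with --disable-esi, ESI code paths are absent"
    else
        echo "squid binary still has ESI support compiled in"
    fi
}

# Run the live check only when executed directly under the assumed file name
# (squid_dla4083_check.sh), not when sourced for testing.
if [ "${0##*/}" = "squid_dla4083_check.sh" ]; then
    check_host
fi
```

Save it as squid_dla4083_check.sh and run it on the proxy host; a version at or above the fixed one but a binary without --disable-esi means the service has not been restarted on the updated package.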
For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS