
[SECURITY] [DLA 4312-1] squid security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4312-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
September 27, 2025                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : squid
Version        : 4.13-10+deb11u5
CVE ID         : CVE-2023-5824 CVE-2023-46728 CVE-2025-54574
Debian Bug     : 1055249

Three security issues were discovered in the Squid proxy caching server,
which could result in the execution of arbitrary code, information
disclosure or denial of service.

CVE-2023-5824

    The size limits that Squid enforces when validating an HTTP response
    header are applied before the response is cached. Squid may
    nevertheless grow a cached HTTP response header beyond the configured
    maximum size, so that a worker process stalls or crashes when such an
    oversized header is later read back from the disk cache, resulting in
    a denial of service.

CVE-2023-46728

    A NULL pointer dereference in Squid's Gopher gateway allows a denial
    of service attack against Squid. The obsolete gopher protocol, although
    no longer functional, was always built in and enabled. Responses that
    trigger the bug can be received from any gopher server, including ones
    without malicious intent. Gopher support, already non-functional, has
    been removed to fix this issue.
    Note that gopher was deprecated and removed from major browsers a long
    time ago.

CVE-2025-54574

    Squid is vulnerable to a heap buffer overflow, and possibly to remote
    code execution (RCE), when processing a URN, due to incorrect buffer
    management.

For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u5.

We recommend that you upgrade your squid packages.
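The following checker is added here and is not part of this advisory or of
Debian's tooling. It reads dpkg-query output for the squid binary packages and
reports any whose version sorts below the fixed version named above. It
re-implements the Debian version ordering described in deb-version(7) in pure
Python so that it also runs off-box against a saved package list; on a Debian
host, dpkg --compare-versions gives the same answer. The dpkg-query output
embedded in it is a constructed sample, not data from a real system.

```python
"""Check whether installed squid packages carry the DLA-4312-1 fix.

Added example; not from the advisory or from Debian. Re-implements
dpkg's version comparison (deb-version(7)) so it needs no python3-apt.
"""
import subprocess
import sys

FIXED_VERSION = "4.13-10+deb11u5"  # fixed version from the advisory

# Constructed sample, shaped like the output of
#   dpkg-query -W --showformat='${Package}\t${Version}\n' 'squid*'
SAMPLE_DPKG_OUTPUT = (
    "squid\t4.13-10+deb11u4\n"
    "squid-common\t4.13-10+deb11u4\n"
    "squid-openssl\t4.13-10+deb11u5\n"
    "squidclient\t4.13-10+deb11u5\n"
)

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Character weight as in dpkg: '~' sorts before end of string,
    end of string and digits weigh 0, letters sort before other symbols."""
    if c == "" or c in _DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg-style comparison of an upstream version or Debian revision:
    alternate a lexical non-digit run and a numeric digit run."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1  # a has more digits left, so its number is larger
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0 and a
    missing revision compares equal to '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub)
    if r == 0:
        r = _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def unpatched_packages(dpkg_output: str, fixed: str = FIXED_VERSION):
    """Return (package, version) pairs whose version is older than the fix."""
    stale = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        if compare_versions(version, fixed) < 0:
            stale.append((name, version))
    return stale


if __name__ == "__main__":
    try:
        output = subprocess.run(
            ["dpkg-query", "-W", "--showformat=${Package}\t${Version}\n", "squid*"],
            check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_DPKG_OUTPUT  # not a Debian host: fall back to the constructed sample
    stale = unpatched_packages(output)
    for name, version in stale:
        print(f"{name} {version} is older than {FIXED_VERSION}")
    sys.exit(1 if stale else 0)
```

Run it as root or any user on the bullseye host; a non-zero exit means at
least one squid package still predates 4.13-10+deb11u5. Epochs, tildes
(pre-release and backport suffixes) and multi-digit suffixes such as deb11u10
are ordered the way dpkg orders them, which a plain string or sort -V
comparison does not guarantee.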

For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmjYARoACgkQADoaLapB
CF9y+Q//eXno0AWVaQlMZkLmY7Io/pJCTy1JaIWNY7SSAVI82oLwaFI2c1NJS0+2
msP+mS91m7WsfUocQDSjMwCP1xRQLNEsmlcfNSTXD1T9D94j2GJil129Cx7ZsxGm
9RjhXwrRP48dQp3mePSjKaLMSoBO6sALOdHEzsCE3qQaiJ0YEK5E80WC30aKHszC
LxS5L3ntPdp4aL4NGBgeqyY3l7mMiHA1j+XFH34MNFey+OjGV+oa6t40xvPmZ6tw
Mn6vNCzEEUCW6CI70pSllc/z+jgzr+M7+WJ+8S3Sz813sckJTPOBMjeRQpZnl1fo
VoHd2f1z5ko8lfThB/mTGcJQI6I3LP9TyxaOu42EKWmGp7vE6YYFbY/1RqTKamHD
0pxaL4i+mZFf0kt1gzpoc4AtArzZK+Dm0Uj3rjBQ6sijYvGdW4TCh364WHt6QnDv
352xCaFufp1JdMK/B7RDRY4020jTz/2uSf4wLn0WU5imqM3aneNk/sjJR5h+0JBt
6jhC8nkGLuNsoBP38EeAvJkXYw7wkcH19ier7qhxLfDfpaT/x05RyN/wloMzZppp
KpkJaG3QDd7ZUuAIM47+YhlSOXTXztQJVPJ7kQjGqeCqjccqypHkOQFSMMUf28Mu
Qb3DSkPsg0ehFlFaEbehzL/CP8rTh/c/h+fQJbR5qlKXBqfx1qA=
=62YA
-----END PGP SIGNATURE-----

