Re: Is a workaround for SQUID-2023:9 to disable TRACE requests?

On 2024-01-10 16:48, Dave Dykstra wrote:

> https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5.
>
> ... is another workaround to disable TRACE requests ...?

AFAICT, denying TRACE requests will not allow TRACE transactions to reach the problematic code related to that Advisory (under the typical conditions you probably care about). However, please note that the same or similar bugs can probably be triggered using other requests, under other conditions.

In other words, if you just want protection against a script kiddie blindly following "Use-After-Free in TRACE Requests" instructions on how to kill Squid, then denying TRACE requests should be sufficient. If you want protection from somebody who understands the underlying problem and spends the time on finding other ways to exploit it, then denying TRACE requests (or even disabling collapsed forwarding) may not be enough IMO.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
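
One way to check that a TRACE deny in squid.conf actually takes effect, as an added example that is not part of the original message or Squid's own code: http_access rules are evaluated in order and the first match wins, so the deny has to precede every allow rule. The ACL name `no_trace` and both sample configs are constructed for illustration, and the check covers only the TRACE workaround discussed above.

```python
# Added example (not from the original message or from Squid itself).

def first_trace_deny(conf_text):
    """Return the 1-based line number of an http_access rule that denies
    TRACE unconditionally and precedes every allow rule, else None.

    Conservative: a deny that lists extra ACLs is conditional (ACLs on one
    line are ANDed) and is ignored; any earlier allow counts as a failure.
    """
    trace_acls = {"all"}  # built-in ACL that matches every request
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "acl" and len(fields) >= 4 and fields[2] == "method":
            # acl <name> method <METHOD> [<METHOD> ...]
            if "TRACE" in fields[3:]:
                trace_acls.add(fields[1])
        elif fields[0] == "http_access" and len(fields) >= 3:
            action, acls = fields[1], fields[2:]
            if action == "allow":
                return None  # an allow rule is reached before any TRACE deny
            if action == "deny" and len(acls) == 1 and acls[0] in trace_acls:
                return lineno
    return None

# Constructed sample: TRACE is denied before anything is allowed.
GOOD = "\n".join([
    "acl no_trace method TRACE      # hypothetical ACL name",
    "http_access deny no_trace",
    "acl localnet src 10.0.0.0/8",
    "http_access allow localnet",
    "http_access deny all",
])

# Constructed sample: the deny comes too late; localnet TRACE is allowed first.
BAD = "\n".join([
    "acl no_trace method TRACE",
    "acl localnet src 10.0.0.0/8",
    "http_access allow localnet",
    "http_access deny no_trace",
    "http_access deny all",
])

if __name__ == "__main__":
    print("GOOD:", first_trace_deny(GOOD))
    print("BAD: ", first_trace_deny(BAD))
```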


