Re: SQUID 6.10 vulnerabilities


On 19.08.24 11:37, Guy Tzudkevitz wrote:
I'm running Squid on Ubuntu 22.04
I ran a vulnerability scan on this server and got a result from the vendor that this version is vulnerable. See. Is there any way to fix it?

Ubuntu package developers and/or security team usually fix those bugs without raising version numbers.

These scanners usually use the version number reported by squid while knowing that the vulnerability may be fixed.

They often even notify you about it in scan results.

You can check if the particular bug is fixed in the Ubuntu version on:
https://ubuntu.com/security/cves

e.g.
https://ubuntu.com/security/cves?q=&package=squid&version=jammy

Vulnerability Details
Name
Squid Multiple 0-Day Vulnerabilities (Oct 2023)
Found On
X.X.X.X
Insight

The following flaws have been reported in 2021 to the vendor and seems to be not fixed yet:
- Use-After-Free in TRACE Requests
- X-Forwarded-For Stack Overflow
- Chunked Encoding Stack Overflow
- Use-After-Free in Cache Manager Errors
- Memory Leak in HTTP Response Parsing
- Memory Leak in ESI Error Processing
- 1-Byte Buffer OverRead in RFC 1123 date/time Handling GHSA-8w9r-p88v-mmx9
- One-Byte Buffer OverRead in HTTP Request Header Parsing
- strlen(NULL) Crash Using Digest Authentication GHSA-254c-93q9-cp53
- Assertion in ESI Header Handling
- Gopher Assertion Crash
- Whois Assertion Crash
- RFC 2141 / 2169 (URN) Assertion Crash
- Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
- Assertion on IPv6 Host Requests with --disable-ipv6
- Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header
- Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers
- Pipeline Prefetch Assertion With Invalid Headers
- Assertion Crash in Deferred Requests
- Assertion in Digest Authentication
- FTP Authentication Crash
- Assertion Crash In HTTP Response Headers Handling
- Implicit Assertion in Stream Handling
- Use-After-Free in ESI 'Try' (and 'Choose') Processing
- Use-After-Free in ESI Expression Evaluation
- Buffer Underflow in ESI GHSA-wgvf-q977-9xjg
- Assertion in Squid 'Helper' Process Creator GHSA-xggx-9329-3c27
- Assertion Due to 0 ESI 'when' Checking GHSA-4g88-277m-q89r
- Assertion Using ESI's When Directive GHSA-4g88-277m-q89r
- Assertion in ESI Variable Assignment (String)
- Assertion in ESI Variable Assignment
- Null Pointer Dereference In ESI's esi:include and esi:when

Note: Various GHSA advisories have been provided by the security researcher but are not published / available yet.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users


