Univention Bugzilla – Bug 56964
squid: Multiple issues (5.0)
Last modified: 2024-01-14 09:50:35 CET
New Debian squid 4.6-1+deb10u9A~5.0.6.202401091025 fixes:

This update addresses the following issues:

4.6-1+deb10u9 (Mon, 08 Jan 2024 23:02:12 +0100)
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2023-50269, CVE-2023-49286, CVE-2023-49285, CVE-2023-46847, CVE-2023-46846.
  * Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending a large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.
    In regard to CVE-2023-46728: Please note that support for the Gopher protocol has simply been removed in future Squid versions. There is no fix available. We recommend rejecting all gopher URL requests instead.
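The changelog above leaves CVE-2023-46728 unfixed and recommends rejecting gopher URLs instead. The squid.conf fragment below is an added example of that mitigation (not part of the Debian or Univention package); the network name and address are constructed, and it assumes the standard Squid `proto` ACL type.

```conf
# Added example: deny every request whose URL scheme is gopher, as the
# changelog recommends for CVE-2023-46728 (not fixed by this update).
acl gopher_proto proto gopher
http_access deny gopher_proto

# Squid evaluates http_access rules top to bottom and stops at the first
# match, so the deny line must sit before any allow rule that could match
# the same client. The network below is a constructed sample value.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# Validate the file before reloading:  squid -k parse && squid -k reconfigure
```

After reloading, a request for a gopher:// URL through the proxy should be answered with a 403 and logged as TCP_DENIED in access.log.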
--- mirror/ftp/pool/main/s/squid/squid_4.6-1+deb10u8A~5.0.2.202210170847.dsc +++ apt/ucs_5.0-0-errata5.0-6/source/squid_4.6-1+deb10u9A~5.0.6.202401091025.dsc @@ -1,8 +1,24 @@ -4.6-1+deb10u8A~5.0.2.202210170847 [Mon, 17 Oct 2022 08:51:59 +0200] Univention builddaemon <buildd@univention.de>: +4.6-1+deb10u9A~5.0.6.202401091025 [Tue, 09 Jan 2024 10:25:57 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package - 001-enable-ssl - 005-squid-4-14311 + 001-enable-ssl.patch + 005-squid-4-14311.quilt + +4.6-1+deb10u9 [Mon, 08 Jan 2024 23:02:12 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2023-50269, CVE-2023-49286, CVE-2023-49285, CVE-2023-46847, + CVE-2023-46846. + * Several security vulnerabilities have been discovered in Squid, a full + featured web proxy cache. Due to programming errors in Squid's HTTP request + parsing, remote attackers may be able to execute a denial of service attack + by sending large X-Forwarded-For header or trigger a stack buffer overflow + while performing HTTP Digest authentication. Other issues facilitate + request smuggling past a firewall or a denial of service against Squid's + Helper process management. + In regard to CVE-2023-46728: Please note that support for the Gopher + protocol has simply been removed in future Squid versions. There is no fix + available. We recommend to reject all gopher URL requests instead. 4.6-1+deb10u8 [Wed, 12 Oct 2022 15:56:25 +0530] Abhijith PA <abhijith@debian.org>: @@ -10,5 +26,5 @@ * Fix CVE-2022-41317: Exposure of Sensitive Information in Cache Manager * Fix CVE-2022-41318: Buffer Over Read in SSPI and SMB - Authentication + Authentication <http://piuparts.knut.univention.de/5.0-6/#7933396974188696711>
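Review bot: the new 4.6-1+deb10u9 changelog entry in the first hunk says CVE-2023-46728 has no fix and recommends rejecting gopher URL requests, but nothing in the applied patch list (001-enable-ssl.patch, 005-squid-4-14311.quilt) implements that, so the erratum text should state explicitly that CVE-2023-46728 remains open in this build and that administrators have to configure the gopher rejection themselves. Minor style point in the same hunk: the two patch-list entries are renamed with different extensions ("001-enable-ssl.patch" vs "005-squid-4-14311.quilt"); confirm both names match the files that are actually applied.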
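Review bot: the second hunk (@@ -10,5 +26,5 @@) appears to change only the leading whitespace of the continuation line "Authentication" under the CVE-2022-41318 entry, since the same word is removed and re-added. That is harmless, but a whitespace-only edit to an old changelog entry adds noise to the diff and should be dropped unless the indentation was actually malformed.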
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-6] 0c6d84a163 Bug #56964: squid 4.6-1+deb10u9A~5.0.6.202401091025
 doc/errata/staging/squid.yaml | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

[5.0-6] 8fec76c8c5 Bug #56964: squid 4.6-1+deb10u9A~5.0.6.202401091025
 doc/errata/staging/squid.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
https://errata.software-univention.de/#/?erratum=5.0x911