[squid-dev] CVE-2023-49288 - fix commit
Andrea Mattiazzo
andrea.mattiazzo at suse.com
Tue Jan 23 14:46:33 UTC 2024
Hello,
I'm a security engineer at SUSE. I'm looking at the following security
advisory [0] but I'm not able to identify the correct commit that fix
the issue CVE-2023-49288 in squid 6.0.1.
I also looked at the report published at [1], the security advisory is
linked to a "Use-After-Free in Trace Requests" vulnerability [2] but the
mitigation suggested ("collapsed_forwarding off") for squid before 6.0.1
doesn't prevent the crash of squid with the poc provided (this makes me
wondering if the link between the two source are correct or they refer
to two different bugs) (tried with squid 5.7).
[0]
https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
[1] https://megamansec.github.io/Squid-Security-Audit/
[2] https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html
Thanks a lot,
Have a nice day,
Andrea
More information about the squid-dev
mailing list