[squid-users] SQUID 6.10 vulnerabilities
Guy Tzudkevitz
guyt at silverfort.com
Mon Aug 19 11:37:14 UTC 2024
Hi
I'm running Squid on Ubuntu 22.04
I ran a vulnerability scan on this server and got a result from the vendor that this version is vulnerable. See below. Is there any way to fix it?
Vulnerability Details

Name: Squid Multiple 0-Day Vulnerabilities (Oct 2023)
Found On: X.X.X.X
Insight:

The following flaws have been reported in 2021 to the vendor and seems to be not fixed yet:

- Use-After-Free in TRACE Requests
- X-Forwarded-For Stack Overflow
- Chunked Encoding Stack Overflow
- Use-After-Free in Cache Manager Errors
- Memory Leak in HTTP Response Parsing
- Memory Leak in ESI Error Processing
- 1-Byte Buffer OverRead in RFC 1123 date/time Handling GHSA-8w9r-p88v-mmx9
- One-Byte Buffer OverRead in HTTP Request Header Parsing
- strlen(NULL) Crash Using Digest Authentication GHSA-254c-93q9-cp53
- Assertion in ESI Header Handling
- Gopher Assertion Crash
- Whois Assertion Crash
- RFC 2141 / 2169 (URN) Assertion Crash
- Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
- Assertion on IPv6 Host Requests with --disable-ipv6
- Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header
- Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers
- Pipeline Prefetch Assertion With Invalid Headers
- Assertion Crash in Deferred Requests
- Assertion in Digest Authentication
- FTP Authentication Crash
- Assertion Crash In HTTP Response Headers Handling
- Implicit Assertion in Stream Handling
- Use-After-Free in ESI 'Try' (and 'Choose') Processing
- Use-After-Free in ESI Expression Evaluation
- Buffer Underflow in ESI GHSA-wgvf-q977-9xjg
- Assertion in Squid 'Helper' Process Creator GHSA-xggx-9329-3c27
- Assertion Due to 0 ESI 'when' Checking GHSA-4g88-277m-q89r
- Assertion Using ESI's When Directive GHSA-4g88-277m-q89r
- Assertion in ESI Variable Assignment (String)
- Assertion in ESI Variable Assignment
- Null Pointer Dereference In ESI's esi:include and esi:when

Note: Various GHSA advisories have been provided by the security researcher but are not published / available yet.