[squid-users] SQUID 6.10 vulnerabilities
Alex Rousskov
rousskov at measurement-factory.com
Mon Aug 19 13:07:07 UTC 2024
On 2024-08-19 07:37, Guy Tzudkevitz wrote:
> I'm running Squid on Ubuntu 22.04
>
> I ran a vulnerability scan on this server and got a result from the
> vendor that this version is vulnerable. See. Is there any way to fix it?
There is, but we cannot fix that scanner. Please contact the vendor that
provided you with that scanner. As far as Squid is concerned:
* Squid v6.10 is not vulnerable to some of the vulnerabilities listed
below. For example, Squid v6.10 is not vulnerable to "X-Forwarded-For
Stack Overflow" and "Chunked Encoding Stack Overflow". I only checked a
few, so I cannot give you an exact count of misleading "insight" entries
in the dump of vulnerability names you have shared.
* No reasonable Squid build/configuration is vulnerable to most of the
vulnerabilities listed below. For example, reasonable Squid builds
should not enable (or, in older Squid versions, should explicitly
disable) ESI support at ./configure time; reasonable Squid
configurations should not enable pipeline_prefetch. Just these two
(default in Squid v6.10!) precautions would address 15+ vulnerabilities.
* Certain Squid builds/configurations are still vulnerable to a few of
those reported vulnerabilities because nobody volunteered Squid changes
to address them. In most cases (e.g., ESI and pipeline_prefetch), nobody
who can develop (or pay for) a quality fix is affected by those
vulnerabilities. I do not know whether those vulnerabilities affect
_your_ Squid installations. If they do, please see
https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something
* IMO, Squid Project has screwed up its official response to the
surprise publication of those vulnerabilities in 2023: AFAIK, there is
still no concise summary of vulnerabilities remaining in the latest
supported Squid release and their corresponding workarounds (if any).
There is some useful info at the URL below, but it is incomplete and
converting that info to such a summary requires significant effort:
https://github.com/squid-cache/squid/security/advisories/
HTH,
Alex.
> Vulnerability Details
> Name
> Squid Multiple 0-Day Vulnerabilities (Oct 2023)
> Found On
> X.X.X.X
> Insight
>
>
> The following flaws have been reported in 2021 to the vendor and seem
> to be not fixed yet:
> - Use-After-Free in TRACE Requests
> - X-Forwarded-For Stack Overflow
> - Chunked Encoding Stack Overflow
> - Use-After-Free in Cache Manager Errors
> - Memory Leak in HTTP Response Parsing
> - Memory Leak in ESI Error Processing
> - 1-Byte Buffer OverRead in RFC 1123 date/time Handling GHSA-8w9r-p88v-mmx9
> - One-Byte Buffer OverRead in HTTP Request Header Parsing
> - strlen(NULL) Crash Using Digest Authentication GHSA-254c-93q9-cp53
> - Assertion in ESI Header Handling
> - Gopher Assertion Crash
> - Whois Assertion Crash
> - RFC 2141 / 2169 (URN) Assertion Crash
> - Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
> - Assertion on IPv6 Host Requests with --disable-ipv6
> - Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header
> - Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers
> - Pipeline Prefetch Assertion With Invalid Headers
> - Assertion Crash in Deferred Requests
> - Assertion in Digest Authentication
> - FTP Authentication Crash
> - Assertion Crash In HTTP Response Headers Handling
> - Implicit Assertion in Stream Handling
> - Use-After-Free in ESI 'Try' (and 'Choose') Processing
> - Use-After-Free in ESI Expression Evaluation
> - Buffer Underflow in ESI GHSA-wgvf-q977-9xjg
> - Assertion in Squid 'Helper' Process Creator GHSA-xggx-9329-3c27
> - Assertion Due to 0 ESI 'when' Checking GHSA-4g88-277m-q89r
> - Assertion Using ESI's When Directive GHSA-4g88-277m-q89r
> - Assertion in ESI Variable Assignment (String)
> - Assertion in ESI Variable Assignment
> - Null Pointer Dereference In ESI's esi:include and esi:when
> Note: Various GHSA advisories have been provided by the security researcher
> but are not published / available yet.
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
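A defender's check for the two precautions named in the reply above (ESI not enabled at ./configure time, pipeline_prefetch not enabled), added here as an example; it is not part of this thread or of the Squid project's own tooling. It inspects the "configure options" line that `squid -v` prints and the effective pipeline_prefetch value in a squid.conf. The sample `squid -v` text and squid.conf below are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): audit a Squid build and
# its squid.conf for the two precautions discussed on the list.

# Classify the ESI build option from `squid -v` output.
# Prints: disabled | enabled | unknown
# "unknown" means neither --enable-esi nor --disable-esi was given, so the
# answer depends on that Squid version's configure default (off in v6.10,
# on in some older releases, per the thread).
esi_build_state() {
  case "$1" in
    *--disable-esi*|*--enable-esi=no*) echo disabled ;;
    *--enable-esi*)                    echo enabled ;;
    *)                                 echo unknown ;;
  esac
}

# Classify pipeline_prefetch from a squid.conf path.
# Prints: disabled | enabled
# Comments are stripped; the last pipeline_prefetch directive wins, and a
# missing directive counts as the Squid default of 0. Both the numeric
# form (N requests) and the legacy on/off form are recognised.
pipeline_prefetch_state() {
  val=$(sed 's/#.*//' "$1" |
        awk '$1=="pipeline_prefetch"{v=$2} END{print (v=="" ? "0" : v)}')
  case "$val" in
    0|off) echo disabled ;;
    *)     echo enabled ;;
  esac
}

# One-line summary for a build/config pair.
# $1: `squid -v` output, $2: squid.conf path
audit_squid() {
  echo "esi=$(esi_build_state "$1") pipeline_prefetch=$(pipeline_prefetch_state "$2")"
}

# --- constructed sample inputs (not real hosts) ---
SAMPLE_V_OLD='Squid Cache: Version 4.13
configure options:  --prefix=/usr --enable-esi --enable-auth-basic'
SAMPLE_V_NEW='Squid Cache: Version 6.10
configure options:  --prefix=/usr --disable-esi --enable-auth-basic'

SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample squid.conf
http_port 3128
pipeline_prefetch 1
EOF

echo "old build, sample conf: $(audit_squid "$SAMPLE_V_OLD" "$SAMPLE_CONF")"
echo "new build, sample conf: $(audit_squid "$SAMPLE_V_NEW" "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF"
```

On a real host, replace the constructed strings with `audit_squid "$(squid -v)" /etc/squid/squid.conf`. An "esi=unknown" result is a prompt to check that version's configure default rather than a clean bill of health.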