[squid-users] Is a workaround for SQUID-2023:9 to disable TRACE requests?
Dave Dykstra
dwd at fnal.gov
Wed Jan 10 21:48:05 UTC 2024
We currently are unable to upgrade to squid6 due to a serious problem we found with collapsed_forwarding (https://bugs.squid-cache.org/show_bug.cgi?id=5332), and our applications need collapsed_forwarding for reasonable performance.
So we want to build a version of squid5 with as many vulnerabilities patched as we can. All the posted 2023 vulnerabilities we care about include squid5 patches except one: https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5. That is listed only as being patched in version 6.0.1, which is not an option.
I'm pretty sure based on the "Patches Released" date listed at the bottom of the advisory that this was fixed in https://github.com/squid-cache/squid/pull/1127. A further corroboration is that Joshua's vulnerability list at
https://megamansec.github.io/Squid-Security-Audit/
lists that GHSA as a fix for "Use-After-Free in TRACE requests" and the description at
https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html
points to a bit of code that was deleted in the above PR.
So, my question is: since Joshua said the vulnerability was in the TRACE request, is another workaround to disable TRACE requests rather than disabling collapsed_forwarding? That's something we can do, where disabling collapsed_forwarding is not something we can do.
Dave
More information about the squid-users
mailing list