[squid-users] Is a workaround for SQUID-2023:9 to disable TRACE requests?
Alex Rousskov
rousskov at measurement-factory.com
Wed Jan 10 22:23:57 UTC 2024
On 2024-01-10 16:48, Dave Dykstra wrote:

> https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5.
> ... is another workaround to disable TRACE requests ...?

AFAICT, denying TRACE requests will not allow TRACE transactions to
reach the problematic code related to that Advisory (under the typical
conditions you probably care about). However, please note that the same
or similar bugs can probably be triggered using other requests, under
other conditions.

In other words, if you just want protection against a script kiddie
blindly following "Use-After-Free in TRACE Requests" instructions on how
to kill Squid, then denying TRACE requests should be sufficient. If you
want protection from somebody who understands the underlying problem and
spends the time on finding other ways to exploit it, then denying TRACE
requests (or even disabling collapsed forwarding) may not be enough IMO.

HTH,
Alex.
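
Added example (not part of the message above and not Squid project code): a small check that a squid.conf denies TRACE before any http_access allow rule, since http_access rules are evaluated in order and the first matching rule decides. The ACL name trace_method, the sample configurations and the function name are assumptions constructed for illustration, and the evaluation model is deliberately simplified and conservative.

```python
# Constructed sample squid.conf fragments (not from the original post).
# WEAK_CONF: the TRACE deny comes after an allow, so it may never be reached.
WEAK_CONF = """\
acl localnet src 10.0.0.0/8
acl trace_method method TRACE
http_access allow localnet
http_access deny trace_method
http_access deny all
"""

# FIXED_CONF: the TRACE deny is evaluated before any allow rule.
FIXED_CONF = """\
# deny TRACE first
acl localnet src 10.0.0.0/8
acl trace_method method TRACE
http_access deny trace_method
http_access allow localnet
http_access deny all
"""


def trace_denied_first(conf_text):
    """Return True only if an unconditional TRACE deny precedes every
    http_access allow rule.

    Simplified model (assumption): any allow rule seen first is treated as
    able to match a TRACE request, so the check errs towards reporting False.
    """
    trace_acls = set()  # names of 'method' ACLs that include TRACE
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "acl" and len(fields) >= 4 and fields[2] == "method":
            if "TRACE" in (m.upper() for m in fields[3:]):
                trace_acls.add(fields[1])
        elif fields[0] == "http_access" and len(fields) >= 3:
            action, conds = fields[1], fields[2:]
            if action == "allow":
                return False  # an allow is evaluated before any TRACE deny
            if action == "deny" and len(conds) == 1 and conds[0] in trace_acls:
                return True   # TRACE is denied before any allow rule
    return False              # no TRACE deny rule found


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "TRACE denied first:", trace_denied_first(conf))
```

As the reply notes, passing this check only covers TRACE requests; it says nothing about other requests that may reach the same code.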