Ubuntu Security Notice USN-6500-1
Ubuntu Security Notice 6500-1 - Joshua Rogers discovered that Squid incorrectly handled validating certain SSL certificates. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. Joshua Rogers discovered that Squid incorrectly handled the Gopher protocol. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. Gopher support has been disabled in this update. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.
==========================================================================
Ubuntu Security Notice USN-6500-1
November 21, 2023

squid vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server

Details:

Joshua Rogers discovered that Squid incorrectly handled validating certain
SSL certificates. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-46724)

Joshua Rogers discovered that Squid incorrectly handled the Gopher
protocol. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. Gopher support has been disabled
in this update. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 23.04. (CVE-2023-46728)

Keran Mu and Jianjun Chen discovered that Squid incorrectly handled the
chunked decoder. A remote attacker could possibly use this issue to perform
HTTP request smuggling attacks. (CVE-2023-46846)

Joshua Rogers discovered that Squid incorrectly handled HTTP Digest
Authentication. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-46847)

Joshua Rogers discovered that Squid incorrectly handled certain FTP URLs.
A remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service. (CVE-2023-46848)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  squid                           6.1-2ubuntu1.1

Ubuntu 23.04:
  squid                           5.7-1ubuntu3.1

Ubuntu 22.04 LTS:
  squid                           5.7-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:
  squid                           4.10-1ubuntu1.8

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6500-1
  CVE-2023-46724, CVE-2023-46728, CVE-2023-46846, CVE-2023-46847,
  CVE-2023-46848

Package Information:
  https://launchpad.net/ubuntu/+source/squid/6.1-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/squid/5.7-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.2
  https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.8
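The practical check after reading a notice like this one is whether the squid package actually installed on a host is at or above the fixed version, and Debian package versions do not sort as plain strings (4.10 is newer than 4.9, and a ~ suffix sorts before release). The script below is an added example, not Canonical's tooling: it parses the "Update instructions" table of USN-6500-1 (the table text is constructed here in the layout a USN uses) and reimplements the dpkg version-ordering rules from Debian Policy so that it runs stand-alone. On a real host you would feed it the output of `dpkg-query -W -f='${Version}' squid`, or simply call `dpkg --compare-versions` instead of the reimplementation.

```python
"""Check an installed Ubuntu squid version against USN-6500-1's fixed versions.

Added example for this notice; not Canonical's code. The comparison follows
dpkg's version ordering (epoch, upstream, revision; '~' sorts before
everything) and is reimplemented only so the script runs without dpkg.
"""
import re

# Constructed from the notice's "Update instructions" table, in USN layout.
USN_6500_1_UPDATES = """\
Ubuntu 23.10:
  squid                           6.1-2ubuntu1.1

Ubuntu 23.04:
  squid                           5.7-1ubuntu3.1

Ubuntu 22.04 LTS:
  squid                           5.7-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:
  squid                           4.10-1ubuntu1.8
"""

RELEASE_RE = re.compile(r"^(Ubuntu \d+\.\d+(?: LTS)?):\s*$")
PACKAGE_RE = re.compile(r"^\s+(\S+)\s+(\S+)\s*$")


def parse_update_table(text):
    """Return {release: {package: fixed_version}} from a USN update table."""
    fixed, release = {}, None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            release = m.group(1)
            fixed.setdefault(release, {})
            continue
        m = PACKAGE_RE.match(line)
        if m and release is not None:
            fixed[release][m.group(1)] = m.group(2)
    return fixed


def _order(c):
    """Sort weight of a non-digit character, as in dpkg's order()."""
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # '.', '+', etc. sort after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) dpkg-style."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Runs of non-digits: compare character by character by weight;
        # a digit or end of string has weight 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Runs of digits: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1         # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no revision: whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return <0, 0 or >0 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(release, package, installed, table=USN_6500_1_UPDATES):
    """True if `installed` is at or above the version the notice lists.

    Raises KeyError when the release or package is not covered by the table.
    """
    fixed = parse_update_table(table)[release][package]
    return dpkg_compare(installed, fixed) >= 0


if __name__ == "__main__":
    # Installed versions below are constructed; on a host they come from
    # `dpkg-query -W -f='${Version}' squid`.
    for rel, inst in [("Ubuntu 22.04 LTS", "5.7-0ubuntu0.22.04.1"),
                      ("Ubuntu 22.04 LTS", "5.7-0ubuntu0.22.04.2"),
                      ("Ubuntu 20.04 LTS", "4.10-1ubuntu1.9")]:
        state = "fixed" if is_fixed(rel, "squid", inst) else "NOT fixed"
        print(f"{rel}: squid {inst} -> {state}")
```

The release name must be matched exactly as the notice spells it ("Ubuntu 22.04 LTS"), and a host running a release the notice does not list (for example 18.04 LTS, covered by USN-6500-2) raises KeyError rather than silently reporting "fixed".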
Related news
Red Hat Security Advisory 2024-1787-03 - An update for squid is now available for Red Hat Enterprise Linux 7. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Debian Linux Security Advisory 5637-1 - Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.
Red Hat Security Advisory 2024-1153-03 - An update for squid is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0773-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0772-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0771-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0397-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0072-03 - An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0071-03 - An update for squid is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Red Hat Security Advisory 2024-0046-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
Ubuntu Security Notice 6500-2 - USN-6500-1 fixed several vulnerabilities in Squid. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Joshua Rogers discovered that Squid incorrectly handled the Gopher protocol. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. Gopher support has been disabled in this update.
Red Hat Security Advisory 2023-7578-01 - An update for squid is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7576-01 - An update for squid is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7213-01 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug, Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug can be received from any gopher server, even one without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.