squid: update to 6.4+ to get fixes for CVEs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Docker Images | New | Undecided | Athos Ribeiro | |
| squid (Ubuntu) | Fix Released | Undecided | Marc Deslauriers | |
| Focal | Fix Released | Undecided | Marc Deslauriers | |
| Jammy | Fix Released | Undecided | Marc Deslauriers | |
| Lunar | Won't Fix | Undecided | Marc Deslauriers | |
| Mantic | Fix Released | Undecided | Marc Deslauriers | |
| Noble | Fix Released | Undecided | Marc Deslauriers | |
Bug Description
Squid 5.2.x is vulnerable to CVEs with CVSS scores of 9.6 to 9.9.
Some fixes are available in 6.4.
Any chance to bump the squid version in the docker image?
https:/
> Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days
https:/
> This problem allows a remote client to perform buffer overflow
> attack writing up to 2 MB of arbitrary data to heap memory
> when Squid is configured to accept HTTP Digest Authentication.
>
> On machines with advanced memory protections this will result
> in a Denial of Service against all users of the Squid proxy.
>
> CVSS Score of 9.9
> <https:/
> Fixed in version: | Squid 6.4
https:/
> Summary: | Multiple issues in HTTP response caching.
> Affected versions: | Squid 2.x -> 2.7.STABLE9
> | Squid 3.x -> 3.5.28
> | Squid 4.x -> 4.16
> | Squid 5.x -> 5.9
> | Squid 6.x -> 6.3
> Fixed in version: | Squid 6.4
> Due to an Incomplete Filtering of Special Elements
> bug Squid is vulnerable to a Denial of Service
> attack against HTTP and HTTPS clients.
> CVSS Score of 9.6
> <https:/
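A triage check for the two conditions this report quotes, as an added example that is not part of the bug or of Squid's own tooling: it compares a Squid version string against the advisories' fixed version (6.4) and, for the Digest Authentication issue, checks whether a squid.conf has an uncommented `auth_param digest` directive. The version strings, the sample configuration and the helper path inside it are constructed for the example.

```python
"""Triage helper for the two Squid advisories quoted in the bug report.

Added example, not from the Launchpad bug or from the Squid project.
It answers two defender questions: is this Squid older than the fixed
version (6.4), and, for the Digest Authentication issue, is digest auth
actually enabled in the configuration?
"""
import re

# "Fixed in version: Squid 6.4" is stated by both quoted advisories.
FIXED_VERSION = (6, 4)

# Constructed sample configuration; the helper path is a placeholder.
SAMPLE_CONF = """\
http_port 3128
# auth_param digest program /path/to/old_helper   (commented out, inactive)
auth_param digest program /path/to/digest_helper /etc/squid/passwd
auth_param digest realm proxy
acl authed proxy_auth REQUIRED
http_access allow authed
"""


def parse_version(text):
    """Return the numeric version tuple found in strings such as
    'Squid Cache: Version 5.2' or '2.7.STABLE9' (the STABLE suffix is ignored)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def digest_auth_enabled(conf_text):
    """True if the configuration has an active 'auth_param digest' line.
    Lines starting with '#' are comments and do not count."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"auth_param\s+digest\b", stripped):
            return True
    return False


def assess(version_text, conf_text):
    """Combine both checks into a small triage record."""
    version = parse_version(version_text)
    below_fix = version[:2] < FIXED_VERSION
    findings = []
    if below_fix:
        # The response-caching issue needs no particular configuration.
        findings.append("HTTP response caching DoS: version below 6.4")
        # The Digest Authentication issue only applies when digest auth is on.
        if digest_auth_enabled(conf_text):
            findings.append(
                "Digest Authentication heap overflow: version below 6.4 "
                "and auth_param digest is enabled"
            )
    return {"version": version, "below_fix": below_fix, "findings": findings}


if __name__ == "__main__":
    for banner in ("Squid Cache: Version 5.2", "Squid Cache: Version 6.4"):
        print(banner, "->", assess(banner, SAMPLE_CONF))
```

The version string can be taken from `squid -v` on the host or from the container image's package metadata; the point of splitting the two checks is that the caching issue applies to every deployment below 6.4, while the digest issue can be mitigated in the meantime by disabling digest auth if it is not needed.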
CVE References
Changed in squid (Ubuntu Focal): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Jammy): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Lunar): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Mantic): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid (Ubuntu Noble): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntu-docker-images: assignee: nobody → Athos Ribeiro (athos-ribeiro)
tags: added: server-todo
tags: removed: server-todo
Hi gberche,
Thanks for reporting this bug.
Our images are based on the squid versions available in the Ubuntu archive. Once the fixes are available for the deb packages (which are potentially backported to the supported series depending on CVE severity and other factors determined by the security team) the images are re-built and re-tagged to include such fixes.
> Squid 5.2.x is vulnerable to CVEs with CVSS scores of 9.6 to 9.9
I suppose that the CVEs for the mentioned vulnerabilities were not released yet, is this right?
I could find no October 2023 entries in https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid
I am including tasks for the squid deb package as well since it seems to be affected.
I suppose there is no need for this to be private since the vulnerabilities have been disclosed upstream, but I will leave this to someone in the security team to assess.