| Summary: | squid new security issues CVE-2023-4684[67] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | All Packagers <pkg-bugs> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | nicolas.salguero, pkg-bugs, security |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | squid-4.17-1.2.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 32486 | ||
| Bug Blocks: | |||

Description

Nicolas Salguero 2023-11-09 15:47:36 CET

Nicolas Salguero 2023-11-09 15:48:05 CET

Source RPM: squid-5.9-1.mga9.src.rpm => squid-4.17-1.2.mga8.src.rpm

Nicolas has already corrected these CVEs in Cauldron for Squid 5 (M9): patches for CVE-2023-4684[6-8] (mga#32486).

These issues are not correctable for Squid 4 (M8). We might have to issue an advisory with the workarounds (or not) as below, plus a hint to move to Mageia 9:

SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP

Squid older than 5.1 have not been tested and should be assumed to be vulnerable.
All Squid-5.x up to and including 5.9 are vulnerable.
All Squid-6.x up to and including 6.3 are vulnerable.

Workaround:
ICAP issues can be reduced by ensuring only trusted ICAP services are used, with TLS encrypted connections (ICAPS extension).
There is no workaround for the HTTP Request Smuggling issue.

SQUID-2023:3 Denial of Service in HTTP Digest Authentication

Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable.
All Squid-5.0.6 up to and including 5.9 are vulnerable.
All Squid-6.x up to and including 6.3 are vulnerable.

Workaround:
Disable HTTP Digest authentication until Squid can be upgraded or patched.

Assigning this globally.

Assignee: bugsquad => pkg-bugs
Mageia 8 EOL
Status: NEW => RESOLVED