+++ This bug was initially created as a clone of Bug #32486 +++

Squid has issued advisories on October 21:
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
Source RPM: squid-5.9-1.mga9.src.rpm => squid-4.17-1.2.mga8.src.rpm
Nicolas has already corrected these CVEs in Cauldron for Squid 5 (M9): patches for CVE-2023-4684[6-8] (mga#32486).

These issues are not correctable for Squid 4 (M8). We might have to issue an advisory with the workarounds (or not) as below, plus a hint to move to Mageia 9:

SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP
Squid older than 5.1 have not been tested and should be assumed to be vulnerable.
All Squid-5.x up to and including 5.9 are vulnerable.
All Squid-6.x up to and including 6.3 are vulnerable.
Workaround: ICAP issues can be reduced by ensuring only trusted ICAP services are used, with TLS encrypted connections (ICAPS extension). There is no workaround for the HTTP Request Smuggling issue.

SQUID-2023:3 Denial of Service in HTTP Digest Authentication
Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable.
All Squid-5.0.6 up to and including 5.9 are vulnerable.
All Squid-6.x up to and including 6.3 are vulnerable.
Workaround: Disable HTTP Digest authentication until Squid can be upgraded or patched.

Assigning this globally.
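The two workarounds quoted above, as an added squid.conf fragment that is not part of the bug report or of the Squid advisories. It shows the exposed settings beside the mitigated ones for a Mageia 8 host that stays on Squid 4. The ICAP host name, port, helper program path and CA file path are assumptions for illustration; adjust them to the local setup.

```conf
# --- SQUID-2023:3 (Digest auth DoS): exposed configuration ---
# Digest authentication enabled (helper path is an assumption for this example).
#auth_param digest program /usr/lib64/squid/digest_file_auth -c /etc/squid/digest_passwd
#auth_param digest children 5
#auth_param digest realm Proxy
#acl authenticated proxy_auth REQUIRED
#http_access allow authenticated

# --- Mitigated: Digest disabled until Squid is upgraded or patched ---
# The "auth_param digest" lines above are removed. Because an ACL of type
# proxy_auth requires at least one configured scheme, the ACL and the
# http_access rule that use it are removed as well; either re-add them with a
# non-Digest scheme (for example Basic over a TLS-terminated client path) or
# rely on network-based access control only, as below.
acl localnet src 192.0.2.0/24          # constructed sample client range
http_access allow localnet
http_access deny all

# --- SQUID-2023:1 (ICAP smuggling): exposed configuration ---
# Plain-text ICAP to a service that is not under local control.
#icap_enable on
#icap_service svc_req reqmod_precache icap://icap.example.net:1344/request
#adaptation_access svc_req allow all

# --- Mitigated: only a trusted ICAP service, over TLS (ICAPS) ---
# icaps:// switches the connection to TLS; the CA file path is an assumption.
# This reduces exposure of the ICAP side only; it does not address the
# HTTP request smuggling issue, for which the advisory gives no workaround.
icap_enable on
icap_service svc_req reqmod_precache icaps://icap.internal.example:11344/request tls-cafile=/etc/pki/tls/certs/internal-ca.pem
adaptation_access svc_req allow all
```

After editing, run `squid -k parse` to confirm the configuration still loads (it will refuse a `proxy_auth` ACL with no authentication scheme left), then `squid -k reconfigure`.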
Assignee: bugsquad => pkg-bugs
Mageia 8 EOL
Status: NEW => RESOLVED
Resolution: (none) => OLD