| Package | squid |
|---|---|
| Version | 4.6-1+deb10u11 (buster) |
| Related CVEs | CVE-2024-23638, CVE-2024-25111, CVE-2024-25617, CVE-2024-37894, CVE-2024-45802 |
Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache.
CVE-2024-23638
A Denial of Service attack against Cache Manager error responses. This
problem allows a trusted client to perform Denial of Service when
generating error pages for Client Manager reports.
CVE-2024-25111
A possible Denial of Service attack against the HTTP chunked decoder due to an
uncontrolled recursion bug. This problem allows a remote attacker to cause
Denial of Service by sending a crafted chunked-encoded HTTP message.
CVE-2024-25617
A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to perform Denial of Service when
sending oversized headers in HTTP messages.
CVE-2024-37894
Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.
CVE-2024-45802
ESI feature support has been disabled. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.
For Debian 10 buster, these problems have been fixed in version 4.6-1+deb10u11.
We recommend that you upgrade your squid packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.