Package | squid3 |
---|---|
Version | 3.5.23-5+deb8u8 (jessie), 3.5.23-5+deb9u11 (stretch) |
Related CVEs | CVE-2024-25617 CVE-2024-37894 CVE-2024-45802 |
Several security vulnerabilities have been discovered in Squid, a full-featured web proxy cache.
CVE-2024-25617
A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to cause a Denial of Service by
sending oversized headers in HTTP messages.
CVE-2024-37894
Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.
CVE-2024-45802
Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.
For Debian 8 jessie, these problems have been fixed in version 3.5.23-5+deb8u8.
For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u11.
We recommend that you upgrade your squid3 packages.
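
To confirm a host has picked up the fix, the script below compares the installed package version with the fixed versions above and checks whether the binary was built with --disable-esi. It is an added example, not part of the advisory; the package and binary names `squid3`/`squid` and the `--audit` argument are assumptions.

```shell
#!/bin/sh
# Added example: audit one host against this advisory.
# Fixed versions below are copied from the advisory text.
FIXED_JESSIE='3.5.23-5+deb8u8'
FIXED_STRETCH='3.5.23-5+deb9u11'

# Reads `squid -v` output on stdin; prints disabled, enabled or unknown.
# configure honours the last occurrence of a flag, so only that one counts.
esi_state() {
    last=$(grep -i 'configure options' | tr -s " '\"" '\n' |
           grep -E -e '^--(enable|disable)-esi(=.*)?$' | tail -n 1)
    case "$last" in
        --disable-esi*|--enable-esi=no) echo disabled ;;
        --enable-esi*)                  echo enabled ;;
        *)                              echo unknown ;;
    esac
}

# Succeeds when INSTALLED ($1) is at or above FIXED ($2) in Debian ordering.
is_fixed() { dpkg --compare-versions "$1" ge "$2"; }

audit() {
    case "$(cat /etc/debian_version 2>/dev/null)" in
        8.*) fixed=$FIXED_JESSIE ;;
        9.*) fixed=$FIXED_STRETCH ;;
        *)   echo "not jessie or stretch; advisory versions do not apply"; return 2 ;;
    esac
    # Assumption: the package is installed as "squid3" or "squid".
    for pkg in squid3 squid; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
        [ -n "$ver" ] || continue
        if is_fixed "$ver" "$fixed"; then echo "$pkg $ver: fixed (>= $fixed)"
        else echo "$pkg $ver: VULNERABLE, upgrade to $fixed"; fi
    done
    # Assumption: the daemon binary is on PATH as "squid3" or "squid".
    for bin in squid3 squid; do
        command -v "$bin" >/dev/null 2>&1 || continue
        echo "$bin ESI support: $("$bin" -v 2>/dev/null | esi_state)"
    done
}

# Run the audit only when asked, e.g.: sh squid-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A result of "enabled" or "unknown" for ESI on a package reported as fixed means the running binary may not be the packaged one and should be investigated.
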
Further information about Extended LTS security advisories can be found in the dedicated section of our website.