| Package | squid3 |
|---|---|
| Version | 3.5.23-5+deb8u5 (jessie), 3.5.23-5+deb9u8 (stretch) |
| Related CVEs | CVE-2021-28116 CVE-2021-46784 |
Two vulnerabilities were discovered in squid3, a popular HTTP caching proxy:
-
CVE-2021-28116: Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
-
CVE-2021-46784: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
For Debian 8 jessie, these problems have been fixed in version 3.5.23-5+deb8u5.
For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u8.
We recommend that you upgrade your squid3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.