{"id":"MGASA-2024-0102","summary":"Updated squid packages fix security vulnerabilities","details":"Due to an Improper Validation of Specified Index bug, Squid versions\n3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl`\nare vulnerable to a Denial of Service attack against SSL Certificate\nvalidation. This problem allows a remote server to perform Denial of\nService against Squid Proxy by initiating a TLS Handshake with a\nspecially crafted SSL Certificate in a server certificate chain. This\nattack is limited to HTTPS and SSL-Bump. (CVE-2023-46724)\nDue to a Buffer Overread bug Squid is vulnerable to a Denial of Service\nattack against Squid HTTP Message processing. (CVE-2023-49285)\nDue to an Incorrect Check of Function Return Value bug Squid is\nvulnerable to a Denial of Service attack against its Helper process\nmanagement. (CVE-2023-49286)\nDue to an Uncontrolled Recursion bug in versions 2.6 through\n2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5,\nSquid may be vulnerable to a Denial of Service attack against HTTP\nRequest parsing. This problem allows a remote client to perform Denial\nof Service attack by sending a large X-Forwarded-For header when the\nfollow_x_forwarded_for feature is configured. (CVE-2023-50269)\nDue to an expired pointer reference bug, Squid prior to version 6.6 is\nvulnerable to a Denial of Service attack against Cache Manager error\nresponses. This problem allows a trusted client to perform Denial of\nService when generating error pages for Client Manager reports.\n(CVE-2024-23638)\n Starting in version 3.5.27 and prior to version 6.8, Squid may be\nvulnerable to a Denial of Service attack against HTTP Chunked decoder\ndue to an uncontrolled recursion bug. This problem allows a remote\nattacker to cause Denial of Service when sending a crafted, chunked,\nencoded HTTP Message. (CVE-2024-25111)\nDue to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable\nto a Denial of Service attack against HTTP header parsing. This problem\nallows a remote client or a remote server to perform Denial of Service\nwhen sending oversized headers in HTTP messages. In versions of Squid\nprior to 6.5 this can be achieved if the request_header_max_size or\nreply_header_max_size settings are unchanged from the default.\n(CVE-2024-25617)\n","modified":"2026-04-16T04:42:22.006828055Z","published":"2024-03-31T03:27:58Z","upstream":["CVE-2023-46724","CVE-2023-49285","CVE-2023-49286","CVE-2023-50269","CVE-2024-23638","CVE-2024-25111","CVE-2024-25617"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0102.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33003"},{"type":"WEB","url":"https://lwn.net/Articles/966404/"},{"type":"WEB","url":"https://lists.debian.org/debian-security-announce/2024/msg00043.html"}],"affected":[{"package":{"name":"squid","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/squid?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.9-1.2.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0102.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}