The bugs have been published, partially without CVEs, at https://joshua.hu/squid-security-audit-35-0days-45-exploits. Squid 6.4 fixes several potential RCE, see also https://github.com/squid-cache/squid/security/advisories

Reproducible: Always
Also, since the homepage is currently in a weird state: http://static.squid-cache.org/Versions/v6/
Thanks for this and the PR. AFAIK only a subset of the vulns are fixed by this, so even once 6.4 lands we'll still have multiple vulnerabilities. But fewer, so that's an improvement...
As a p-m I can't merge this, but I've been testing locally and I'm +1 on it
CVE-2023-46846 (https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh): Squid is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.

CVE-2023-46847 (https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g): Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.

CVE-2023-46848 (https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w): Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.

CVE-2023-5824 (https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255): Squid is vulnerable to Denial of Service attack against HTTP and HTTPS clients due to an Improper Handling of Structural Elements bug.

Looks like all except CVE-2023-5824 are fixed in 6.4. CVE-2023-5824 is fixed in 6.5.

Looks like patches are available for the 5.0 branch too, which we might want to add if 6.x isn't ready for stabilization yet.

I'm a bit surprised to see that the worst severity here (of the CVEs fixed in 6.4-6.5) seems to be denial of service, while the CVSS scores might have indicated otherwise. Setting this bug's severity accordingly as those are what we're tracking here.
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3

CVE-2023-46724

Due to an Improper Validation of Specified Index bug Squid is vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump.

Affected versions: 3.3.0.1 - 5.9 and 6.0 - 6.3

This vulnerability has been patched in 6.4 but there are patches for other versions as well:

Squid 5: http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch
Squid 6: http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch
*** Bug 917474 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b6385397f2b9875e0d37383cbe10b1a2c8a289c

commit 3b6385397f2b9875e0d37383cbe10b1a2c8a289c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-11-17 15:06:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-17 15:07:23 +0000

    net-proxy/squid: add 6.5

    Bug: https://bugs.gentoo.org/914255
    Bug: https://bugs.gentoo.org/916334
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest         |   1 +
 net-proxy/squid/squid-6.5.ebuild | 386 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 387 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5e33355221588cc51b736cc575ac400e9374341

commit c5e33355221588cc51b736cc575ac400e9374341
Author:     Christian Schmidt <gentoo@digadd.de>
AuthorDate: 2023-10-27 14:03:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-17 15:07:23 +0000

    net-proxy/squid: add 6.4

    Updated source download URL to a working one.

    Bug: https://bugs.gentoo.org/916334
    Closes: https://bugs.gentoo.org/914255
    Closes: https://github.com/gentoo/gentoo/pull/33546
    Signed-off-by: Christian Schmidt <gentoo@digadd.de>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest         |   1 +
 net-proxy/squid/squid-6.4.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)
SQUID-2023:4: Denial of Service in SSL Certificate validation. Fixed in 6.4.
SQUID-2023:7: Denial of Service in HTTP Message Processing. Fixed in 6.5.
SQUID-2023:8: Denial of Service in Helper Process management. Fixed in 6.5.
SQUID-2023:9: Denial of Service in HTTP Collapsed Forwarding. Fixed in 6.0.1.
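Added here as an example (not code from this bug thread or from the Squid project): a small Python checker that takes a version string, or the first line of `squid -v` output (its format, "Squid Cache: Version X.Y", is assumed), and reports which of the advisories listed in the comments above still lack a fix at that version on the 6.x line. The fixed-in table is built only from the versions stated in this thread; for a 5.x install it reports every entry, since the thread only points at separate backport patches for that branch.

```python
import re
from typing import List, Tuple

# Fixed-in versions on the Squid 6.x line exactly as stated in this bug thread
# (constructed table for the example, not an official Squid data source).
FIXED_IN_6X = {
    "CVE-2023-46846": "6.4",    # request smuggling via chunked decoder lenience
    "CVE-2023-46847": "6.4",    # Digest auth heap overflow (DoS)
    "CVE-2023-46848": "6.4",    # ftp:// URL handling DoS
    "CVE-2023-46724": "6.4",    # SSL certificate validation DoS (SQUID-2023:4)
    "CVE-2023-5824": "6.5",     # DoS against HTTP and HTTPS clients
    "SQUID-2023:7": "6.5",      # DoS in HTTP message processing
    "SQUID-2023:8": "6.5",      # DoS in helper process management
    "SQUID-2023:9": "6.0.1",    # DoS in HTTP collapsed forwarding
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number ('6.0.1', or the 'squid -v'
    banner 'Squid Cache: Version 6.4', whose format is assumed here)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare with zero padding so that 6.0 < 6.0.1 and 6.4 == 6.4.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def unfixed_advisories(version_text: str) -> List[str]:
    """Advisory IDs from the thread whose 6.x fix version is newer than the
    given version. For a 5.x or older install the 6.x table does not apply,
    so every ID is returned: the thread only points at separate backport
    patches for that branch, and their presence must be checked by hand."""
    v = parse_version(version_text)
    if version_lt(v, (6,)):
        return sorted(FIXED_IN_6X)
    return sorted(adv for adv, fixed in FIXED_IN_6X.items()
                  if version_lt(v, parse_version(fixed)))

if __name__ == "__main__":
    # Constructed sample input in the assumed 'squid -v' first-line format.
    banner = "Squid Cache: Version 6.4"
    for adv in unfixed_advisories(banner):
        print(f"{adv}: not fixed at '{banner}' (fixed in {FIXED_IN_6X[adv]})")
```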
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a2b11bf740e489bd7f00271bc26c1d1bdba27de

commit 2a2b11bf740e489bd7f00271bc26c1d1bdba27de
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2023-12-03 17:39:07 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2023-12-07 06:20:54 +0000

    net-proxy/squid: drop 5.7-r1, 5.8, 5.9, 6.2, 6.4

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/917615
    Bug: https://bugs.gentoo.org/916334
    Closes: https://github.com/gentoo/gentoo/pull/34106
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-proxy/squid/Manifest                     |   5 -
 net-proxy/squid/files/squid-5.3-gentoo.patch |  87 ------
 net-proxy/squid/files/squid.initd-r5         | 125 ---------
 net-proxy/squid/squid-5.7-r1.ebuild          | 380 --------------------------
 net-proxy/squid/squid-5.8.ebuild             | 382 --------------------------
 net-proxy/squid/squid-5.9.ebuild             | 382 --------------------------
 net-proxy/squid/squid-6.2.ebuild             | 383 --------------------------
 net-proxy/squid/squid-6.4.ebuild             | 386 ---------------------------
 8 files changed, 2130 deletions(-)
It's worth us GLSAing this one, I think.