Fixed in 6.6, newest version in tree is 6.5.

https://nvd.nist.gov/vuln/detail/CVE-2023-50269
https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3

Description:
Due to an Uncontrolled Recursion bug, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing.

Severity:
This problem allows a remote client to perform a Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured.

Updated Packages:
This bug is fixed by Squid version 6.6.

Patches:
Squid 5: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
Squid 6: http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch
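The advisory above names two preconditions for exposure: a Squid release older than the fixed 6.6 and the follow_x_forwarded_for feature enabled. The following script is an added example (not part of this bug report, of Squid's own code, or of the Gentoo package) that checks both conditions against a version string and a squid.conf. It assumes the squid.conf directive syntax "follow_x_forwarded_for allow|deny [!]acl ..." and that a configuration with no "allow" rule for that directive leaves the feature disabled; whether a 5.x or 6.5 build already carries the vendor patch cannot be read from the version string, so that is taken as an operator-supplied flag. The sample configurations and version strings are constructed for the example.

```python
"""Added example: check a Squid deployment against the CVE-2023-50269
preconditions from the advisory (version below 6.6 AND
follow_x_forwarded_for enabled). Not Squid's or Gentoo's own code.

Assumptions (not stated in the bug report):
- squid.conf uses "follow_x_forwarded_for allow|deny [!]acl ...";
- with no "allow" rule for that directive the feature is off;
- a build carrying SQUID-2023_10.patch is indistinguishable by version
  string, so the caller passes vendor_patched=True for such builds.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (6, 6)  # "This bug is fixed by Squid version 6.6."
DIRECTIVE = "follow_x_forwarded_for"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a numeric version tuple from a bare version or 'squid -v' text.

    "6.5" -> (6, 5); "Squid Cache: Version 6.6" -> (6, 6).
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def xff_allow_rules(conf_text: str) -> List[str]:
    """Return the follow_x_forwarded_for lines that enable the feature.

    Comments (# ...) and 'deny' rules are skipped; only 'allow' rules
    count, because those are what make Squid trust X-Forwarded-For.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == DIRECTIVE and parts[1] == "allow":
            rules.append(line)
    return rules


def is_exposed(version_text: str, conf_text: str,
               vendor_patched: bool = False) -> bool:
    """True only when both advisory preconditions hold on this deployment."""
    if vendor_patched:
        return False
    if parse_version(version_text)[:2] >= FIXED_VERSION:
        return False
    return bool(xff_allow_rules(conf_text))


# Constructed sample configurations (not from the page)
SAMPLE_CONF_ENABLED = """
acl localnet src 10.0.0.0/8
# trust XFF from an upstream load balancer
follow_x_forwarded_for allow localnet
follow_x_forwarded_for deny all
"""

SAMPLE_CONF_DEFAULT = """
acl localnet src 10.0.0.0/8
# feature not enabled; only a deny rule present
follow_x_forwarded_for deny all
"""

if __name__ == "__main__":
    cases = (("Squid Cache: Version 6.5", SAMPLE_CONF_ENABLED),
             ("6.6", SAMPLE_CONF_ENABLED),
             ("6.5", SAMPLE_CONF_DEFAULT))
    for ver, conf in cases:
        state = "exposed" if is_exposed(ver, conf) else "not exposed"
        print(f"{ver!r}: {state}")
```

The version check is deliberately coarse: it answers "is this build older than the fixed release", and the vendor_patched flag is the only way to record that a backported patch was applied, which is why the operator must supply it rather than the script guessing.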
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2002cec99bd8545a4d143ed30e44a5df755d4bf9

commit 2002cec99bd8545a4d143ed30e44a5df755d4bf9
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2023-12-16 10:04:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 09:45:04 +0000

    net-proxy/squid: add 6.6

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/920101
    Closes: https://bugs.gentoo.org/923842
    Closes: https://github.com/gentoo/gentoo/pull/34310
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest         |   1 +
 net-proxy/squid/squid-6.6.ebuild | 386 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 387 insertions(+)