Due to an Improper Validation of Specified Index bug Squid is vulnerable to a denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. Affected versions 3.3.0.1 - 5.9 and 6.0 - 6.3 Current stable version in Gentoo tree is 5.7-r1 and latest unstable is 6.2. This vulnerability has been patched in 6.4 but there are patches for other versions as well: Patches addressing this problem for the stable releases can be found in our patch archives: Squid 5: http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch Squid 6: http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch
There were more vulnerabilities that are affecting versions below 6.4. https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w Affected versions: 5.0.3-5.9, 6.0-6.3 Due to an Incorrect Conversion between Numeric Types bug Squid is vulnerable to a Denial of Service attack against FTP Native Relay input validation. Due to an Incorrect Conversion between Numeric Types bug Squid is vulnerable to a Denial of Service attack against ftp:// URL validation and access control. https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh Affected versions: 2.6-6.3 Due to chunked decoder lenience Squid is vulnerable to Request/Response smuggling attacks when parsing HTTP/1.1 and ICAP messages. This problem allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems when the upstream server interprets the chunked encoding syntax differently from Squid. This attack is limited to the HTTP/1.1 and ICAP protocols which support receiving Transfer-Encoding:chunked. https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g Affected versions: 3.2.0.1-5.9, 6.0-6.3 Due to a buffer overflow bug Squid is vulnerable to a Denial of Service attack against HTTP Digest Authentication. This problem allows a remote client to perform buffer overflow attack writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication. On machines with advanced memory protections this will result in a Denial of Service against all users of the Squid proxy.
*** This bug has been marked as a duplicate of bug 916334 ***
Marked as duplicate since there was already a collection of vulnerabilities related to net-proxy/squid. Added this one as a comment.
(In reply to Jarkko Suominen from comment #3) > Marked as duplicate since there was already a collection of vulnerabilities > related to net-proxy/squid. Added this one as a comment. Moving the CVE alias then.