| Package | squid3 |
|---|---|
| Version | 3.5.23-5+deb8u7 (jessie), 3.5.23-5+deb9u10 (stretch) |
| Related CVEs | CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 |
Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid’s HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate a denial of service attack against Squid’s Helper process management. In regard to CVE-2023-46728: Please note that support for the Gopher protocol has simply been removed in future Squid versions. There is no fix available. We recommend to reject all gopher URL requests instead.
For Debian 8 jessie, these problems have been fixed in version 3.5.23-5+deb8u7.
For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u10.
We recommend that you upgrade your squid3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.