ELA-1578-1 squid security update

multiple vulnerabilities

2025-11-14
Package: squid
Version: 4.13-10+deb11u6~deb10u1 (buster)
Related CVEs: CVE-2023-5824 CVE-2023-46728 CVE-2025-54574 CVE-2025-59362 CVE-2025-62168


Multiple vulnerabilities were reported in Squid, a popular proxy server.

The changes required to fix all the open vulnerabilities, especially CVE-2025-62168, were too invasive to be backported individually, and the risk of regressions was too high due to the large amount of source code that needed to be modified or rewritten, including the internal C++ library.

After carrying out a risk analysis, it was determined that the best available solution was to backport the version from Debian 11 “bullseye” to Debian 10. This decision means that, upon installing this update, users of Squid in Debian 10 will be moving from Squid version 4.6 to 4.13.

Please note that to remediate CVE-2025-62168, users need to review their Squid configuration and disable the insecure email_err_data setting if it was previously enabled. The CVE-2025-62168 patch disables this configuration by default, but it does not override existing insecure administrator-defined settings.
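As an added example that is not part of this advisory, the following POSIX shell check reports whether a Squid configuration still contains an active `email_err_data on` directive. The configuration paths and their contents are constructed here for illustration; the check does not follow `include` directives, so run it against every file Squid actually reads.

```shell
#!/bin/sh
# Added example: flag an administrator-defined "email_err_data on" that the
# CVE-2025-62168 fix does not override (it only changes the default to off).

# Returns 0 if the file has an uncommented "email_err_data on", 1 otherwise.
# Comment lines (leading '#') are skipped; matching is case-insensitive.
email_err_data_enabled() {
    grep -iE '^[[:space:]]*email_err_data[[:space:]]+on([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# Print a verdict for one file; exit status 1 when the insecure setting is active.
check_conf() {
    if email_err_data_enabled "$1"; then
        echo "WARNING: $1 enables email_err_data; set it to off and reload squid"
        return 1
    fi
    echo "OK: $1 does not enable email_err_data"
    return 0
}

# Constructed sample configurations (not a real deployment): one insecure, one hardened.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'http_port 3128' 'email_err_data on' 'cache_mem 256 MB' > "$dir/insecure.conf"
    printf '%s\n' 'http_port 3128' '# email_err_data on' 'email_err_data off' > "$dir/hardened.conf"
    echo "$dir"
}

# Stand-alone usage: check both samples, then the live config if present.
if [ "${RUN_SAMPLES:-1}" = 1 ]; then
    d=$(make_samples)
    check_conf "$d/insecure.conf" || true
    check_conf "$d/hardened.conf"
    [ -f /etc/squid/squid.conf ] && check_conf /etc/squid/squid.conf || true
fi
```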

CVE-2023-5824:

The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.

CVE-2023-46728:

Due to a NULL pointer dereference bug, Squid is vulnerable to a denial-of-service attack against its Gopher gateway. Gopher protocol support was enabled by default in previous Squid versions. Responses triggering this bug can be received from any gopher server, even those without malicious intent.
Gopher support has been removed.

CVE-2025-54574:

Squid is vulnerable to a heap buffer overflow and possible remote code execution when processing URNs, due to incorrect buffer management.

CVE-2025-59362:

Squid mishandles ASN.1 encoding of long SNMP OIDs. This occurs in `asn_build_objid` in `lib/snmplib/asn1.c`.

CVE-2025-62168:

Failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a malicious actor to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication.


For Debian 10 buster, these problems have been fixed in version 4.13-10+deb11u6~deb10u1.

We recommend that you upgrade your squid packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.