ELSA-2024-1787

Опубликовано: 11 апр. 2024

Источник: oracle-oval

Платформа: Oracle Linux 7

Описание

ELSA-2024-1787: squid security update (IMPORTANT)

[7:3.5.20-17.0.1]

Mutiple CVE fixes for squid [Orabug: 33146289]
Resolves: CVE-2021-28651 squid: Bug 5104: Memory leak in RFC 2169 response parsing (#778)
Resolves: CVE-2021-28652 squid: Bug 5106: Broken cache manager URL parsing (#788)
Resolves: CVE-2021-31806,31807,31808 squid: Handle more Range requests (#790)
Resolves: CVE-2021-33620 squid: Handle more partial responses (#791)

[7:3.5.20-17.10]

Resolves: RHEL-16779 - squid: NULL pointer dereference in the gopher protocol code -- Remove support for Gopher protocol (CVE-2023-46728)
Resolves: RHEL-18176 - squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)
Resolves: RHEL-18171 - squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)
Resolves: RHEL-16758 - squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)
Resolves: RHEL-19557 - squid: denial of service in HTTP request parsing (CVE-2023-50269)
Resolves: RHEL-26082 - squid: denial of service in HTTP header parser (CVE-2024-25617)

Обновленные пакеты

Oracle Linux 7

Oracle Linux aarch64

squid

3.5.20-17.0.1.el7_9.10

squid-migration-script

3.5.20-17.0.1.el7_9.10

squid-sysvinit

3.5.20-17.0.1.el7_9.10

Oracle Linux x86_64

squid

3.5.20-17.0.1.el7_9.10

squid-migration-script

3.5.20-17.0.1.el7_9.10

squid-sysvinit

3.5.20-17.0.1.el7_9.10

Связанные CVE

Ссылки на источники

Связанные уязвимости

ELSA-2024-0071

oracle-oval

больше 1 года назад

ELSA-2024-0071: squid security update (IMPORTANT)

ELSA-2024-0046

oracle-oval

больше 1 года назад

ELSA-2024-0046: squid:4 security update (IMPORTANT)

ELSA-2024-1376

oracle-oval

больше 1 года назад

ELSA-2024-1376: squid security update (IMPORTANT)

ELSA-2024-1375

oracle-oval

больше 1 года назад

ELSA-2024-1375: squid:4 security update (IMPORTANT)

CVE-2024-25617

CVSS3: 5.3

ubuntu

больше 1 года назад

Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2