Source: squid Version: 6.3-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for squid. CVE-2023-46724[0]: | Squid is a caching proxy for the Web. Due to an Improper Validation | of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 | prior to 6.4 compiled using `--with-openssl` are vulnerable to a | Denial of Service attack against SSL Certificate validation. This | problem allows a remote server to perform Denial of Service against | Squid Proxy by initiating a TLS Handshake with a specially crafted | SSL Certificate in a server certificate chain. This attack is | limited to HTTPS and SSL-Bump. This bug is fixed in Squid version | 6.4. In addition, patches addressing this problem for the stable | releases can be found in Squid's patch archives. Those who you use a | prepackaged version of Squid should refer to the package vendor for | availability information on updated packages. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-46724 https://www.cve.org/CVERecord?id=CVE-2023-46724 [1] https://github.com/squid-cache/squid/commit/792ef23e6e1c05780fe17f733859eef6eb8c8be3 [2] https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html [3] https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore