On 2024-08-19 07:37, Guy Tzudkevitz wrote:

I'm running Squid on Ubuntu 22.04

I ran a vulnerability scan on this server and got a result from the vendor that this version is vulnerable. See. Is there any way to fix it?

There is, but we cannot fix that scanner. Please contact the vendor that provided you with that scanner. As far as Squid is concerned:

* Squid v6.10 is not vulnerable to some of the vulnerabilities listed below. For example, Squid v6.10 is not vulnerable to "X-Forwarded-For Stack Overflow" and "Chunked Encoding Stack Overflow". I only checked a few, so I cannot give you an exact count of misleading "insight" entries in the dump of vulnerability names you have shared.

* No reasonable Squid build/configuration is vulnerable to most of the vulnerabilities listed below. For example, reasonable Squid builds should not enable (or, in older Squid versions, should explicitly disable) ESI support at ./configure time; reasonable Squid configurations should not enable pipeline_prefetch. Just these two (default in Squid v6.10!) precautions would address 15+ vulnerabilities.

* Certain Squid builds/configurations are still vulnerable to a few of those reported vulnerabilities because nobody volunteered Squid changes to address them. In most cases (e.g., ESI and pipeline_prefetch), nobody who can develop (or pay for) a quality fix is affected by those vulnerabilities. I do not know whether those vulnerabilities affect _your_ Squid installations. If they do, please see
https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something

* IMO, Squid Project has screwed up its official response to the surprise publication of those vulnerabilities in 2023: AFAIK, there is still no concise summary of vulnerabilities remaining in the latest supported Squid release and their corresponding workarounds (if any). There is some useful info at the URL below, but it is incomplete and converting that info to such a summary requires significant effort:
https://github.com/squid-cache/squid/security/advisories/


HTH,

Alex.

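An added example, not code from the thread or from the Squid project: a POSIX shell check for the two precautions Alex names above, that ESI is compiled out of the build and that pipeline_prefetch is off in squid.conf. It takes the text of `squid -v` and of squid.conf as arguments so it can run offline on constructed samples; the treatment of an absent `--enable-esi`/`--disable-esi` flag as "disabled" is an assumption based on the v6 default mentioned in the reply.

```shell
#!/bin/sh
# Audit a Squid build line and config text for ESI and pipeline_prefetch.
# Added example for the squid-users thread above; not Squid project code.

# squid_esi_enabled "<squid -v output>"
# Prints "yes" if the configure options include --enable-esi, else "no".
# Assumption: no flag at all means the v6 default (ESI disabled).
squid_esi_enabled() {
    opts=$(printf '%s' "$1" | tr -d "'\"")   # squid -v quotes each option
    case " $opts " in
        *" --enable-esi "*|*" --enable-esi=yes "*) echo yes ;;
        *) echo no ;;
    esac
}

# squid_pipeline_prefetch_enabled "<squid.conf text>"
# Prints "yes" if a non-comment pipeline_prefetch line turns it on
# (a count above 0, or the legacy "on"); absent or 0/off prints "no".
squid_pipeline_prefetch_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "pipeline_prefetch" {
            v = tolower($2)
            if (v == "on" || (v ~ /^[0-9]+$/ && v + 0 > 0)) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# squid_audit "<squid -v output>" "<squid.conf text>"
# Prints one finding per missing precaution; returns 1 if any is missing.
squid_audit() {
    rc=0
    if [ "$(squid_esi_enabled "$1")" = yes ]; then
        echo "FINDING: ESI compiled in (rebuild with --disable-esi)"; rc=1
    fi
    if [ "$(squid_pipeline_prefetch_enabled "$2")" = yes ]; then
        echo "FINDING: pipeline_prefetch enabled (set pipeline_prefetch 0)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: ESI disabled and pipeline_prefetch off"
    return "$rc"
}

# Constructed sample inputs (not real scanner or server output).
BUILD_ESI="configure options: '--prefix=/usr' '--enable-esi' '--with-openssl'"
BUILD_OK="configure options: '--prefix=/usr' '--disable-esi' '--with-openssl'"
CONF_BAD="http_port 3128
# pipeline_prefetch 0
pipeline_prefetch 2"
CONF_OK="http_port 3128
pipeline_prefetch 0"

squid_audit "$BUILD_ESI" "$CONF_BAD" || :   # prints two findings
squid_audit "$BUILD_OK" "$CONF_OK"          # prints OK
```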

Vulnerability Details

Name: Squid Multiple 0-Day Vulnerabilities (Oct 2023)
Found On: X.X.X.X
Insight:

The following flaws have been reported in 2021 to the vendor and seems to be not fixed yet:
- Use-After-Free in TRACE Requests
- X-Forwarded-For Stack Overflow
- Chunked Encoding Stack Overflow
- Use-After-Free in Cache Manager Errors
- Memory Leak in HTTP Response Parsing
- Memory Leak in ESI Error Processing
- 1-Byte Buffer OverRead in RFC 1123 date/time Handling (GHSA-8w9r-p88v-mmx9)
- One-Byte Buffer OverRead in HTTP Request Header Parsing
- strlen(NULL) Crash Using Digest Authentication (GHSA-254c-93q9-cp53)
- Assertion in ESI Header Handling
- Gopher Assertion Crash
- Whois Assertion Crash
- RFC 2141 / 2169 (URN) Assertion Crash
- Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
- Assertion on IPv6 Host Requests with --disable-ipv6
- Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header
- Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers
- Pipeline Prefetch Assertion With Invalid Headers
- Assertion Crash in Deferred Requests
- Assertion in Digest Authentication
- FTP Authentication Crash
- Assertion Crash In HTTP Response Headers Handling
- Implicit Assertion in Stream Handling
- Use-After-Free in ESI 'Try' (and 'Choose') Processing
- Use-After-Free in ESI Expression Evaluation
- Buffer Underflow in ESI (GHSA-wgvf-q977-9xjg)
- Assertion in Squid 'Helper' Process Creator (GHSA-xggx-9329-3c27)
- Assertion Due to 0 ESI 'when' Checking (GHSA-4g88-277m-q89r)
- Assertion Using ESI's When Directive (GHSA-4g88-277m-q89r)
- Assertion in ESI Variable Assignment (String)
- Assertion in ESI Variable Assignment
- Null Pointer Dereference In ESI's esi:include and esi:when

Note: Various GHSA advisories have been provided by the security researcher but are not published / available yet.


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users