UbuntuUpdates.org

Package "squid"

Name: squid

Description:

Full featured Web Proxy cache (HTTP proxy)

Latest version: 4.10-1ubuntu1.13
Release: focal (20.04)
Level: security
Repository: main
Homepage: http://www.squid-cache.org

Other versions of "squid" in Focal

Repository Area Version
base main 4.10-1ubuntu1
security universe 4.10-1ubuntu1.13
updates main 4.10-1ubuntu1.13
updates universe 4.10-1ubuntu1.13


Changelog

Version: 4.10-1ubuntu1.8 2023-11-21 16:09:07 UTC

  squid (4.10-1ubuntu1.8) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via Gopher gateway
    - debian/patches/CVE-2023-46728.patch: disable gopher support in
      src/FwdState.cc, src/HttpRequest.cc, src/IoStats.h, src/Makefile.am,
      src/adaptation/ecap/Host.cc, src/adaptation/ecap/MessageRep.cc,
      src/anyp/ProtocolType.h, src/anyp/Uri.cc, src/anyp/UriScheme.cc,
      src/client_side_request.cc, src/err_type.h, src/HttpMsg.h,
      src/mgr/IoAction.cc, src/mgr/IoAction.h, src/stat.cc,
      src/Makefile.in.
    - CVE-2023-46728
  * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
    lenience
    - debian/patches/CVE-2023-46846-pre1.patch: fix incremental parsing of
      chunked quoted extensions in src/adaptation/icap/ModXact.cc,
      src/adaptation/icap/ModXact.h, src/http/one/Parser.cc,
      src/http/one/Parser.h, src/http/one/RequestParser.cc,
      src/http/one/RequestParser.h, src/http/one/ResponseParser.cc,
      src/http/one/ResponseParser.h, src/http/one/TeChunkedParser.cc,
      src/http/one/TeChunkedParser.h, src/http/one/Tokenizer.cc,
      src/http/one/Tokenizer.h, src/http/one/forward.h,
      src/parser/BinaryTokenizer.h, src/parser/Makefile.am,
      src/parser/Tokenizer.cc, src/parser/Tokenizer.h,
      src/parser/forward.h.
    - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
      compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
      src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
      src/parser/Tokenizer.h.
    - CVE-2023-46846
  * SECURITY UPDATE: DoS via HTTP Digest Authentication
    - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
      parsing Digest Authorization in src/auth/digest/Config.cc.
    - CVE-2023-46847

 -- Marc Deslauriers <email address hidden> Mon, 13 Nov 2023 10:13:50 -0500

CVE-2023-46728 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of
CVE-2023-46846 SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling pas
CVE-2023-46847 Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to he
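The smuggling class named in the CVE-2023-46846 entry is a chunked decoder that accepts framing the next hop parses differently, so one TCP stream is split into different requests by the two parsers. The following added example is not Squid code and does not reproduce the specific Squid defect: it puts a permissive decoder next to one that enforces the RFC 9112 chunk grammar and runs both over constructed message bodies. The decoder names, the sample bodies and the classify() helper are this example's own.

```python
import re

# RFC 9112: chunk-size = 1*HEXDIG; chunk-ext = *( BWS ";" BWS name [ BWS "=" BWS value ] )
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QSTR = rb'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'
_CHUNK_LINE = re.compile(
    rb"^([0-9A-Fa-f]{1,16})"  # size capped at 16 hex digits so it fits a 64-bit length
    rb"((?:[ \t]*;[ \t]*" + _TOKEN + rb"(?:[ \t]*=[ \t]*(?:" + _TOKEN + rb"|" + _QSTR + rb"))?)*)$"
)
_FIELD_LINE = re.compile(rb"^" + _TOKEN + rb":[ \t]*[^\r\n]*$")


class ChunkError(ValueError):
    """Raised on any deviation from the chunked framing the decoder enforces."""


def _read_crlf_line(data, pos):
    eol = data.find(b"\r\n", pos)
    if eol < 0:
        raise ChunkError("line not terminated by CRLF")
    return data[pos:eol], eol + 2


def decode_strict(data: bytes):
    """Return (body, bytes_consumed); refuse anything outside the RFC grammar."""
    body, pos = bytearray(), 0
    while True:
        line, pos = _read_crlf_line(data, pos)
        m = _CHUNK_LINE.match(line)
        if not m:
            raise ChunkError("bad chunk-size line: %r" % line)
        size = int(m.group(1), 16)
        if size == 0:
            break
        chunk = data[pos:pos + size]
        # chunk-data must be exactly chunk-size bytes and be followed by CRLF
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk-data length does not match chunk-size")
        body += chunk
        pos += size + 2
    while True:  # trailer section: field lines, then an empty line
        line, pos = _read_crlf_line(data, pos)
        if line == b"":
            return bytes(body), pos
        if not _FIELD_LINE.match(line):
            raise ChunkError("bad trailer field: %r" % line)


def decode_lenient(data: bytes):
    """A permissive decoder of the kind that causes desync: bare LF line ends,
    surrounding whitespace, a sign, a 0x prefix and '_' all survive int(x, 16),
    and nothing checks that CRLF follows the chunk data."""
    body, pos = bytearray(), 0
    while True:
        eol = data.find(b"\n", pos)
        if eol < 0:
            raise ChunkError("truncated")
        field = data[pos:eol].strip().split(b";", 1)[0]
        try:
            size = int(field, 16)
        except ValueError:
            raise ChunkError("bad chunk-size line: %r" % field) from None
        if size < 0:
            raise ChunkError("negative chunk-size")
        pos = eol + 1
        if size == 0:
            break
        body += data[pos:pos + size]
        nl = data.find(b"\n", pos + size)  # skip whatever follows the data
        if nl < 0:
            raise ChunkError("truncated")
        pos = nl + 1
    while True:  # swallow trailers up to the first empty line
        eol = data.find(b"\n", pos)
        if eol < 0:
            return bytes(body), len(data)
        line, pos = data[pos:eol].strip(), eol + 1
        if line == b"":
            return bytes(body), pos


def classify(data: bytes) -> str:
    """'agree' when both accept with the same result; 'strict-reject' when only the
    permissive decoder accepts, the precondition for smuggling between two hops."""
    results = []
    for decoder in (decode_strict, decode_lenient):
        try:
            results.append(decoder(data))
        except ChunkError:
            results.append(None)
    strict, lenient = results
    if strict is None and lenient is None:
        return "both-reject"
    if strict is None:
        return "strict-reject"
    if lenient is None:
        return "lenient-reject"
    return "agree" if strict == lenient else "disagree"


SAMPLES = {  # constructed bodies for this example, not captured traffic
    "valid": b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n",
    "valid-ext": b"5;charset=utf-8\r\nhello\r\n0\r\nExpires: 0\r\n\r\n",
    "hex-prefix": b"0x5\r\nhello\r\n0\r\n\r\n",
    "leading-space": b" 5\r\nhello\r\n0\r\n\r\n",
    "bare-lf": b"5\nhello\n0\n\n",
    "size-mismatch": b"5\r\nhell\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print("%-14s %s" % (name, classify(body)))
```

Every sample that classify() reports as strict-reject is a message the permissive hop forwards and a compliant hop refuses, which is exactly the disagreement a smuggled request rides on. A proxy should fail the connection on the first framing violation rather than try to recover, since recovery is what turns a parse error into a desync.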

Version: 4.10-1ubuntu1.7 2022-09-26 17:06:20 UTC

  squid (4.10-1ubuntu1.7) focal-security; urgency=medium

  * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager
    - debian/patches/CVE-2022-41317.patch: fix typo in ACL in
      src/cf.data.pre.
    - CVE-2022-41317
  * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
    - debian/patches/CVE-2022-41318.patch: improve checks in
      lib/ntlmauth/ntlmauth.cc.
    - CVE-2022-41318

 -- Marc Deslauriers <email address hidden> Fri, 23 Sep 2022 08:07:31 -0400

CVE-2022-41317 Exposure of Sensitive Information in Cache Manager
CVE-2022-41318 Buffer Over Read in SSPI and SMB Authentication

Version: 4.10-1ubuntu1.6 2022-06-22 16:06:22 UTC

  squid (4.10-1ubuntu1.6) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of Service in Gopher Processing
    - debian/patches/CVE-2021-46784.patch: improve handling of Gopher
      responses in src/gopher.cc.
    - CVE-2021-46784

 -- Marc Deslauriers <email address hidden> Tue, 21 Jun 2022 13:44:13 -0400


Version: 4.10-1ubuntu1.5 2021-10-05 16:06:31 UTC

  squid (4.10-1ubuntu1.5) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
    - debian/patches/CVE-2021-28116.patch: validate packets better in
      src/wccp2.cc.
    - CVE-2021-28116

 -- Marc Deslauriers <email address hidden> Mon, 04 Oct 2021 08:31:27 -0400

CVE-2021-28116 Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol dat

Version: 4.10-1ubuntu1.4 2021-06-03 17:06:21 UTC

  squid (4.10-1ubuntu1.4) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via buffer-management bug
    - debian/patches/CVE-2021-28651.patch: fix memory leak in src/urn.cc.
    - CVE-2021-28651
  * SECURITY UPDATE: DoS via incorrect parser validation
    - debian/patches/CVE-2021-28652.patch: fix cache manager URL parsing in
      src/CacheManager.h, src/cache_manager.cc, src/mgr/QueryParams.cc,
      src/mgr/QueryParams.h, src/tests/stub_libmgr.cc,
      src/tests/testCacheManager.cc, src/tests/testCacheManager.h.
    - CVE-2021-28652
  * SECURITY UPDATE: DoS via certain response header
    - debian/patches/CVE-2021-28662.patch: limit
      HeaderLookupTable_t::lookup() to BadHdr and specific IDs in
      src/http/RegisteredHeaders.cc.
    - CVE-2021-28662
  * SECURITY UPDATE: DoS via HTTP Range request
    - debian/patches/CVE-2021-3180x.patch: handle more Range requests in
      src/HttpHdrRange.cc, src/HttpHeaderRange.h, src/client_side.cc,
      src/client_side_request.cc, src/client_side_request.h,
      src/http/Stream.cc.
    - CVE-2021-31806
    - CVE-2021-31807
    - CVE-2021-31808
  * SECURITY UPDATE: DoS via HTTP response
    - debian/patches/CVE-2021-33620.patch: handle more partial responses in
      src/HttpHdrContRange.cc, src/HttpHeaderRange.h,
      src/clients/Client.cc, src/http/Stream.cc.
    - CVE-2021-33620

 -- Marc Deslauriers <email address hidden> Wed, 02 Jun 2021 10:32:46 -0400

CVE-2021-28651 An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a re
CVE-2021-28652 An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against t
CVE-2021-28662 An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there i
CVE-2021-31806 An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (ag
CVE-2021-31808 An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (ag
CVE-2021-33620 Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP respons
