UbuntuUpdates.org

Package "squid-cgi"

Name: squid-cgi

Description:

Full featured Web Proxy cache (HTTP proxy) - control CGI

Latest version: 5.7-0ubuntu0.22.04.3
Release: jammy (22.04)
Level: updates
Repository: universe
Head package: squid
Homepage: http://www.squid-cache.org

Links


Download "squid-cgi"


Other versions of "squid-cgi" in Jammy

Repository Area Version
base universe 5.2-1ubuntu4
security universe 5.7-0ubuntu0.22.04.3

Changelog

Version: 5.7-0ubuntu0.22.04.3 2024-01-23 05:11:14 UTC

  squid (5.7-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service in HTTP message processing
    - debian/patches/CVE-2023-49285.patch: additional parsing checks added to
      fix buffer overread in lib/rfc1123.c.
    - CVE-2023-49285
  * SECURITY UPDATE: denial of service in helper process management
    - debian/patches/CVE-2023-49286.patch: improved error handling included
      for helper process initialisation in src/ipc.cc.
    - CVE-2023-49286
  * SECURITY UPDATE: denial of service in HTTP request parsing
    - debian/patches/CVE-2023-50269.patch: limit x-forwarded-for hops and log
      limit as error when exceeded in src/ClientRequestContext.h,
      src/client_side_request.cc.
    - CVE-2023-50269

 -- Evan Caville <email address hidden> Wed, 17 Jan 2024 14:01:57 +1000

Source diff to previous version
CVE-2023-49285 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service a
CVE-2023-49286 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerabl
CVE-2023-50269 Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and version

Version: 5.7-0ubuntu0.22.04.2 2023-11-21 18:07:10 UTC

  squid (5.7-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS against certificate validation
    - debian/patches/CVE-2023-46724.patch: fix validation of certificates
      with CN=* in src/anyp/Uri.cc.
    - CVE-2023-46724
  * SECURITY UPDATE: DoS via Gopher gateway
    - debian/patches/CVE-2023-46728.patch: disable gopher support in
      src/FwdState.cc, src/HttpRequest.cc, src/IoStats.h, src/Makefile.am,
      src/adaptation/ecap/Host.cc, src/adaptation/ecap/MessageRep.cc,
      src/anyp/ProtocolType.h, src/anyp/Uri.cc, src/anyp/UriScheme.cc,
      src/client_side_request.cc, src/error/forward.h, src/http/Message.h,
      src/mgr/IoAction.cc, src/mgr/IoAction.h, src/stat.cc,
      src/tests/Stub.am.
    - CVE-2023-46728
  * SECURITY UPDATE: HTTP request smuggling, caused by chunked decoder
    lenience
    - debian/patches/CVE-2023-46846.patch: improve HTTP chunked encoding
      compliance in src/http/one/Parser.cc, src/http/one/Parser.h,
      src/http/one/TeChunkedParser.cc, src/parser/Tokenizer.cc,
      src/parser/Tokenizer.h.
    - CVE-2023-46846
  * SECURITY UPDATE: DoS via HTTP Digest Authentication
    - debian/patches/CVE-2023-46847.patch: fix stack buffer overflow when
      parsing Digest Authorization in src/auth/digest/Config.cc.
    - CVE-2023-46847
  * SECURITY UPDATE: DoS via ftp:// URLs
    - debian/patches/CVE-2023-46848.patch: fix userinfo percent-encoding in
      src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc,
      src/anyp/Uri.cc.
    - CVE-2023-46848

 -- Marc Deslauriers <email address hidden> Mon, 13 Nov 2023 09:20:05 -0500

Source diff to previous version
CVE-2023-46724 Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4
CVE-2023-46728 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of
CVE-2023-46846 SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling pas
CVE-2023-46847 Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to he
CVE-2023-46848 Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ft

Version: 5.7-0ubuntu0.22.04.1 2023-08-31 21:07:01 UTC

  squid (5.7-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version. (LP: #2013423):
    - Fix FATAL FwdState::noteDestinationsEnd exception. (LP: #1975399)
    - Fix regression that made the default value for the esi_parser
      configuration directive behave differently from its documented behavior.
      It now correctly uses libxml2 if available and falls back to libexpat
      otherwise.
    - Fix unexpected dispatch of client CA certificates to https_port clients
      when OpenSSL SSL_MODE_NO_AUTO_CHAIN mode is on.
    - Add OpenSSL 3.0 support for features that were already supported by
      squid. No new OpenSSL 3.0 feature support added at this time.
    - The configuration directive ssl_engine is no longer recognized. Since
      this option is not implemented for the OpenSSL 3 used in Ubuntu 22.04
      LTS, this is not a functional regression. Now, instead of failing with
      "FATAL: Your OpenSSL has no SSL engine support", it fails with "FATAL:
      bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0
      or newer".
    - For a comprehensive list of changes, please see
      http://www.squid-cache.org/Versions/v5/ChangeLog.html.
  * d/p/close-tunnel-if-to-server-conn-closes-after-client.patch: remove
    upstreamed patch.
    [ Fixed in 5.4 ]
  * d/p/0004-Change-default-Makefiles-for-debian.patch: remove upstreamed
    patch.
    [ Fixed in 5.5 ]
  * d/p/CVE-2021-46784.patch: remove upstreamed patch.
    [ Fixed in 5.6 ]
  * d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
    [ Fixed in 5.7 ]
  * d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
    [ Fixed in 5.7 ]
  * d/p/openssl3-*.patch: drop downstream OpenSSL 3 support patch.
    [ Fixed in 5.7 ]
  * d/p/99-ubuntu-ssl-cert-snakeoil.patch: refresh patch.

Source diff to previous version
2013423 Upstream microrelease 5.7
1975399 FATAL FwdState::noteDestinationsEnd exception: opening()
CVE-2021-46784 In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing l
CVE-2022-41317 Exposure of Sensitive Information in Cache Manager
CVE-2022-41318 Buffer Over Read in SSPI and SMB Authentication

Version: 5.2-1ubuntu4.3 2023-02-16 13:07:14 UTC

  squid (5.2-1ubuntu4.3) jammy; urgency=medium

  * d/p/close-tunnel-if-to-server-conn-closes-after-client.patch:
    Close tunnel "job" after to-server client connection closes,
    fixing memory leak. (LP: #1989380)

 -- Sergio Durigan Junior <email address hidden> Thu, 05 Jan 2023 15:50:48 -0500

Source diff to previous version
1989380 Memory leak when a blind CONNECT tunnel job is closed

Version: 5.2-1ubuntu4.2 2022-09-26 18:07:13 UTC

  squid (5.2-1ubuntu4.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager
    - debian/patches/CVE-2022-41317.patch: fix typo in ACL in
      src/cf.data.pre.
    - CVE-2022-41317
  * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication
    - debian/patches/CVE-2022-41318.patch: improve checks in
      lib/ntlmauth/ntlmauth.cc.
    - CVE-2022-41318

 -- Marc Deslauriers <email address hidden> Fri, 23 Sep 2022 08:06:42 -0400

CVE-2022-41317 Exposure of Sensitive Information in Cache Manager
CVE-2022-41318 Buffer Over Read in SSPI and SMB Authentication



About   -   Send Feedback to @ubuntu_updates