squid:4 security update

Errata ID: AXSA:2023-6575:01

Release date: 
Friday, November 10, 2023 - 08:26
Subject: 
squid:4 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* SQUID-2023:3 squid: Denial of Service in HTTP Digest Authentication (CVE-2023-46847)
* SQUID-2023:1 squid: Request/Response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-46846
Squid is vulnerable to HTTP request smuggling caused by chunked decoder lenience, which allows a remote attacker to perform request/response smuggling past firewall and frontend security systems.
CVE-2023-46847
Squid is vulnerable to a Denial of Service, where a remote attacker can perform a buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.
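
Added example, not part of the vendor advisory: CVE-2023-46847 applies when Squid is configured to accept HTTP Digest Authentication, so this shell check reports whether a squid.conf contains an active `auth_param digest` line. The function names, sample configurations and helper paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: find active Digest authentication settings in a squid.conf,
# the precondition this advisory states for CVE-2023-46847.

# Print every active (non-comment) "auth_param digest ..." line, prefixed
# with its line number. $1: path to a squid.conf-style file.
digest_lines() {
    awk '{
        orig = $0
        sub(/#.*/, "")          # drop comments; modifying $0 re-splits fields
        if ($1 == "auth_param" && $2 == "digest")
            printf "%d: %s\n", NR, orig
    }' "$1"
}

# Return 0 if Digest authentication is configured, 1 if it is not,
# 2 if the file cannot be read.
digest_auth_enabled() {
    [ -r "$1" ] || return 2
    [ -n "$(digest_lines "$1")" ]
}

# Constructed sample configurations (not taken from the advisory).
sample_exposed() {
    cat <<'EOF'
http_port 3128
# auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
  auth_param digest program /usr/lib64/squid/digest_file_auth -c /etc/squid/digest_passwd
auth_param digest realm proxy
acl authed proxy_auth REQUIRED
EOF
}
sample_not_exposed() {
    cat <<'EOF'
http_port 3128
#auth_param digest program /usr/lib64/squid/digest_file_auth -c /etc/squid/digest_passwd
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
EOF
}

# Usage: sh check_digest.sh /etc/squid/squid.conf
if [ "$#" -gt 0 ]; then
    if digest_auth_enabled "$1"; then
        echo "Digest authentication configured in $1:"
        digest_lines "$1"
    else
        echo "No active auth_param digest line found (or file unreadable): $1"
    fi
fi
```

The check reads a single file and does not follow `include` directives, so included configuration fragments need to be checked separately.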

Modularity name: squid
Stream name: 4

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. libecap-1.0.1-2.module+el8+1678+c7c1be35.src.rpm
    MD5: 8f1eefba46dc083f35ffdd74a1d4bdc6
    SHA-256: bb5b001f663da7318519e710a5b7ce0c7d26ed04dd6ed12b2d4192f6f8867084
    Size: 343.56 kB
  2. squid-4.15-6.module+el8+1678+c7c1be35.1.ML.1.src.rpm
    MD5: 3be929fa5f50237b1483f55f0a8878c4
    SHA-256: b0ba6b8c20d3c6eac6a5159016b004b28d4868fddb4e48685459f1070d32ae2b
    Size: 2.45 MB

Asianux Server 8 for x86_64
  1. libecap-1.0.1-2.module+el8+1678+c7c1be35.x86_64.rpm
    MD5: b14815c32d4308eece7639c5a083adda
    SHA-256: 3e0ce8065e9081cef3416baa152de2744de5c847a8345b92e808b379ff3ae231
    Size: 27.74 kB
  2. libecap-debugsource-1.0.1-2.module+el8+1678+c7c1be35.x86_64.rpm
    MD5: a1096ce8e764d29561e61fd7e5e339fb
    SHA-256: 15961109fa5cd8b0f2b40c8222a89b11ca01bec3d69a129e70616a7680976350
    Size: 18.90 kB
  3. libecap-devel-1.0.1-2.module+el8+1678+c7c1be35.x86_64.rpm
    MD5: c1fbce9bd7da4182c3c33f25513e6530
    SHA-256: f7e51842c5445878736deed9e733b0303030e92cd88b352f8f3b333ec96dc92d
    Size: 20.44 kB
  4. squid-4.15-6.module+el8+1678+c7c1be35.1.ML.1.x86_64.rpm
    MD5: 99ea9621f3b42b19a300826e948a1fb0
    SHA-256: 3afe8b1f4e6ce950767412cf6222d3e672a4dcb378cf34ead7e8845120422003
    Size: 3.57 MB
  5. squid-debugsource-4.15-6.module+el8+1678+c7c1be35.1.ML.1.x86_64.rpm
    MD5: 23d89495ca4839974d0a86d06e0739ba
    SHA-256: 89a67553acc24479a5f8f1e9aabfe1863af3f43f4a548164b017b950b4845552
    Size: 1.74 MB