squid-5.5-6.el9_3.5
Errata ID: AXSA:2024-7340:01
Release date:
2024/01/10 Wednesday - 05:33
Title:
squid-5.5-6.el9_3.5
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Squid, when built with the "--with-openssl" option enabled, has a flaw in index value validation that allows a remote attacker to cause a denial of service via a crafted SSL certificate in a server's certificate chain. (CVE-2023-46724)
- Squid's Gopher gateway has a NULL pointer dereference that allows a remote attacker to cause a denial of service via a request for a Gopher protocol URL. (CVE-2023-46728)
- Squid's HTTP protocol handling has a buffer overflow that allows a remote attacker to cause a denial of service via a crafted HTTP protocol message. (CVE-2023-49285)
- Squid's helper process management has a flaw in checking a function's return value that allows a remote attacker to cause a denial of service. (CVE-2023-49286)
Solution:
Update the package.
CVE:
CVE-2023-46724
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
CVE-2023-46728
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
CVE-2023-49285
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-49286
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Additional information:
N/A
Downloads:
SRPMS
- squid-5.5-6.el9_3.5.src.rpm
MD5: 1542037cffd7e388e9ff575afd913828
SHA-256: 7f85f39d6446c799262098103dddee98810d0c93d51d4931479692c5a3de8548
Size: 2.62 MB
Asianux Server 9 for x86_64
- squid-5.5-6.el9_3.5.x86_64.rpm
MD5: 3b4c6c08779b36d4863b2c338d9fff86
SHA-256: fbd4ec83b14175f8ea85cea655702a060fc46edd7b75a28ebea59c4c71595c05
Size: 3.43 MB
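The two operator-side actions this errata calls for are verifying the downloaded package against the SHA-256 listed above before installing it, and, for hosts that cannot be updated immediately, applying the CVE-2023-46728 workaround from the Squid description ("reject all gopher URL requests"). The script below is an added example and is not part of the MIRACLE LINUX advisory or the Squid project; the function names, the RPM path and the use of dnf are assumptions, the digest is the x86_64 value published above, and the proto and url_regex ACL types are standard squid.conf ACL types.

```shell
#!/bin/sh
# Added example (not from the advisory or from Squid). Assumed names:
# verify_sha256, gopher_deny_acl, apply_update, and the RPM path passed in.

# SHA-256 for squid-5.5-6.el9_3.5.x86_64.rpm as listed in the advisory.
ADVISORY_SHA256_X86_64="fbd4ec83b14175f8ea85cea655702a060fc46edd7b75a28ebea59c4c71595c05"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 otherwise. Compares the full 64-digit digest, never a prefix.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_sha256: cannot read $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# gopher_deny_acl
# Prints squid.conf lines implementing the advisory's CVE-2023-46728
# workaround. Both a proto ACL and a url_regex ACL are emitted so the deny
# also catches requests where the scheme is only visible in the URL text.
# Place these lines before any "http_access allow" rule: Squid evaluates
# http_access top to bottom and the first match wins.
gopher_deny_acl() {
    cat <<'EOF'
acl gopher_proto proto gopher
acl gopher_url url_regex -i ^gopher://
http_access deny gopher_proto
http_access deny gopher_url
EOF
}

# apply_update RPM_PATH
# Installs the package only if its digest matches the advisory value.
# dnf still verifies the RPM signature on top of this check.
apply_update() {
    rpm_path=$1
    if verify_sha256 "$rpm_path" "$ADVISORY_SHA256_X86_64"; then
        echo "digest OK, installing $rpm_path"
        dnf -y install "$rpm_path"
    else
        echo "digest mismatch for $rpm_path; refusing to install" >&2
        return 1
    fi
}
```

Usage: `apply_update /tmp/squid-5.5-6.el9_3.5.x86_64.rpm` for the update path, or `gopher_deny_acl >> /etc/squid/squid.conf` followed by `squid -k parse` and `squid -k reconfigure` for the interim workaround (the squid.conf path is the usual one, not one the advisory states).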