squid:4 security update
Errata ID: AXSA:2024-7632:01
Release date:
2024/03/25 Monday - 17:22
Title:
squid:4 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Squid performs recursion without any bound, so a remote attacker can cause a denial of service by sending a crafted X-Forwarded-For header. (CVE-2023-50269)
- Squid's HTTP chunked decoder can enter an infinite loop because of flawed recursion handling, so a remote attacker can cause a denial of service by sending a carefully crafted HTTP message. (CVE-2024-25111)
- Squid's HTTP header parsing has a memory corruption issue when the request_header_max_size and reply_header_max_size parameters are left at their default values, so a remote attacker can cause a denial of service by sending an HTTP message crafted to carry very large headers. (CVE-2024-25617)
Modularity name: squid
Stream name: 4
Solution:
Update the packages.
CVE:
CVE-2023-50269
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
CVE-2024-25111
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
CVE-2024-25617
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2
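As an added triage example that is not part of this errata: a small Python helper that compares an installed squid package string against the fixed build listed under Downloads (a simplified version comparison, not librpm) and reports which squid.conf directives named in the three CVE descriptions are set explicitly. The squid.conf fragment is constructed; the `rpm --qf` invocation in the comment is the assumed way to obtain the installed name-version-release.

```python
"""Triage helper for this squid:4 errata (added example, not part of the advisory)."""
import re

# Fixed build copied from the advisory's package list (name-version-release, no arch).
# Installed equivalent: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' squid
FIXED_NVR = "squid-4.15-7.module+el8+1737+320ae55d.10"

# Directives the CVE descriptions name, and the note to attach when they are set.
WATCHED = {
    "follow_x_forwarded_for": "CVE-2023-50269: X-Forwarded-For parsing is exercised",
    "request_header_max_size": "CVE-2024-25617: explicit override; check cache.log for the critical warning",
    "reply_header_max_size": "CVE-2024-25617: explicit override; check cache.log for the critical warning",
}

# Constructed squid.conf fragment (not from any real host) used as sample input.
SAMPLE_CONF = """http_port 3128
follow_x_forwarded_for allow localhost
request_header_max_size 128 KB  # explicit override
cache_dir ufs /var/spool/squid 100 16 256
"""

def vercmp(a, b):
    """Simplified rpmvercmp over alphanumeric segments: digits compare as integers, letters
    as strings, and a numeric segment beats an alphabetic one (no epoch or tilde rules)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_vulnerable_build(installed_nvr, fixed_nvr=FIXED_NVR):
    """True when the installed package sorts before the fixed one: version first, then release."""
    _, iv, ir = installed_nvr.rsplit("-", 2)  # name-version-release; fields hold no '-'
    _, fv, fr = fixed_nvr.rsplit("-", 2)
    return vercmp(iv, fv) < 0 or (vercmp(iv, fv) == 0 and vercmp(ir, fr) < 0)

def review_config(conf_text=SAMPLE_CONF):
    """Map each watched directive that squid.conf sets to (value, note); comments are ignored."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, _, value = line.partition(" ")
            if directive in WATCHED:
                found[directive] = (value.strip(), WATCHED[directive])
    return found
```

On the sample input, `review_config()` flags follow_x_forwarded_for and the request_header_max_size override, and `is_vulnerable_build("squid-4.15-7.module+el8+1737+320ae55d.9")` returns True because only the release differs from the fixed build.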
Additional information:
N/A
Downloads:
SRPMS
- libecap-1.0.1-2.module+el8+1737+320ae55d.src.rpm
MD5: b95577716f6e34918af8876287ae8299
SHA-256: ca123cc283cfbdfd9a58c151a84f3be921f60336451ca80744ab569c2caad446
Size: 343.56 kB
- squid-4.15-7.module+el8+1737+320ae55d.10.src.rpm
MD5: 37f6564f9130f18a58447f458e10305b
SHA-256: a38758458f5e83a1c7f9901d992641128ddbba65e5e9705591ef8e990a234694
Size: 2.51 MB
Asianux Server 8 for x86_64
- libecap-1.0.1-2.module+el8+1737+320ae55d.x86_64.rpm
MD5: 1de7bdf520689f2c0aa8990b4b92eef0
SHA-256: d7c1750bd4a98b9441a96a9ed4549773aef186a3fb6b67e7d3c4f3be4e906f7e
Size: 27.74 kB
- libecap-debugsource-1.0.1-2.module+el8+1737+320ae55d.x86_64.rpm
MD5: 56384b598db02f5048d00e501897f242
SHA-256: 93b74415092b8c5f50f8dec81664e5ee8473a0f2a39182ea25d91b4bbc920d89
Size: 18.90 kB
- libecap-devel-1.0.1-2.module+el8+1737+320ae55d.x86_64.rpm
MD5: b31c9b316482aa4b6d6fb9701067ff62
SHA-256: 023bfa1d11ed2c541f866cb16711c874dfbcf2cb66916f20190913d900cfc63c
Size: 20.44 kB
- squid-4.15-7.module+el8+1737+320ae55d.10.x86_64.rpm
MD5: ad25563417c6431e4ee66f3e76bfc21f
SHA-256: 31dbfc4aff8f6508dc45fb4bd5ce4d19099ea1e33d20aa7b2379ed8ead903c95
Size: 3.47 MB
- squid-debugsource-4.15-7.module+el8+1737+320ae55d.10.x86_64.rpm
MD5: c78d600c02745923e6c3da3d3dd42573
SHA-256: e79f92ca1b41872c6bf610decf0614b965b9614b33aec9b87791dbba46b578fd
Size: 1.75 MB