squid-3.5.20-17.el7.10
エラータID: AXSA:2024-7673:03
リリース日:
2024/04/12 Friday - 02:48
題名:
squid-3.5.20-17.el7.10
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Squid には、"--with-openssl" オプションを有効にしてビルド
された環境下におけるインデックス値の検証に問題がある
ため、リモートの攻撃者により、巧妙に細工されたサーバー
の証明書チェーン内の SSL 証明書を介して、サービス拒否
攻撃を可能とする脆弱性が存在します。(CVE-2023-46724)
- Squid の Gopher ゲートウェイ機能には、NULL ポインタ
デリファレンスの問題があるため、リモートの攻撃者により、
Gopher プロトコルによる URL のリクエストを介して、
サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-46728)
- Squid の HTTP プロトコルの処理には、バッファーオーバー
フローの問題があるため、リモートの攻撃者により、細工
された HTTP プロトコルのメッセージを介して、サービス
拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-49285)
- Squid のヘルパープロセスの管理機能には、関数の戻り値
のチェック処理に問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-49286)
- Squid には、制限なく再帰処理が実行されてしまう問題が
あるため、リモートの攻撃者により、細工された
X-Forwarded-For ヘッダーの送信を介して、サービス拒否
攻撃を可能とする脆弱性が存在します。(CVE-2023-50269)
- Squid の HTTP ヘッダーの解析処理には、
request_header_max_size パラメーター、および
reply_header_max_size パラメーターがデフォルト値の場合
におけるメモリ破壊の問題があるため、リモートの攻撃者に
より、非常に大きなヘッダーを持つように細工された HTTP
メッセージの送信を介して、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2024-25617)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-46724
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
CVE-2023-46728
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
CVE-2023-49285
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-49286
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-50269
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
CVE-2024-25617
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2
追加情報:
N/A
ダウンロード:
SRPMS
- squid-3.5.20-17.el7.10.src.rpm
MD5: ea25f988436c183fec8f74e17b89575e
SHA-256: d7623c2a8e555bd1ba5227ad79cc7e5b7ada94dbc5ddb45cb2c7039357e0dc4b
Size: 2.36 MB
Asianux Server 7 for x86_64
- squid-3.5.20-17.el7.10.x86_64.rpm
MD5: 5160809a45c59abe686457c0ee59113d
SHA-256: 43503880447e03bb7acbbd450914f4ebcfcbd76910d9a659df601e6a5c26050b
Size: 3.13 MB - squid-migration-script-3.5.20-17.el7.10.x86_64.rpm
MD5: 918f1a5d7b7ed518a5af72502f031046
SHA-256: 5ec340e2381619af784c2c188327cb2e196016d485ad6da08cb172e1f52dcac1
Size: 51.09 kB
English