USN-6500-1: Squid vulnerabilities

Releases

• Ubuntu 23.10
• Ubuntu 23.04
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• squid - Web proxy cache server

Details

Joshua Rogers discovered that Squid incorrectly handled validating certain
SSL certificates. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-46724)

Joshua Rogers discovered that Squid incorrectly handled the Gopher
protocol. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. Gopher support has been disabled
in this update. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 23.04. (CVE-2023-46728)

Keran Mu and Jianjun Chen discovered that Squid incorrectly handled the
chunked decoder. A remote attacker could possibly use this issue to perform
HTTP request smuggling attacks. (CVE-2023-46846)

Joshua Rogers discovered that Squid incorrectly handled HTTP Digest
Authentication. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-46847)

Joshua Rogers discovered that Squid incorrectly handled certain FTP urls.
A remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service. (CVE-2023-46848)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• squid - 6.1-2ubuntu1.1

Ubuntu 23.04

• squid - 5.7-1ubuntu3.1

Ubuntu 22.04

• squid - 5.7-0ubuntu0.22.04.2

Ubuntu 20.04

• squid - 4.10-1ubuntu1.8

In general, a standard system update will make all the necessary changes.

References

• CVE-2023-46724
• CVE-2023-46848
• CVE-2023-46846
• CVE-2023-46847
• CVE-2023-46728

Related notices

• USN-6500-2: squid3, squid